
Windows Analysis Report
hf9tYzF.exe

Overview

General Information

Sample name: hf9tYzF.exe
Analysis ID: 1627196
MD5: 457cdb9354bb5f5de34e7a33c2d2bd2f
SHA1: 080c211a693f57a78d3c73367231d87e145d5e14
SHA256: e2c1f8f1db1d2c47bbe60e2d4daf5422865639bcafca1933c9f807e353d98e5b
Tags: exe, user-aachum

Detection

Salat Stealer
Score: 76
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected Salat Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Yara detected Credential Stealer

Classification

[Classification chart: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale clean / suspicious / malicious]
  • System is w10x64
  • hf9tYzF.exe (PID: 6668 cmdline: "C:\Users\user\Desktop\hf9tYzF.exe" MD5: 457CDB9354BB5F5DE34E7A33C2D2BD2F)
  • cleanup
No configs have been found
Yara matches (memory dumps)
Source: 00000000.00000002.1764439188.00000000012CD000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_SalatStealer | Description: Yara detected Salat Stealer | Author: Joe Security
Source: 00000000.00000002.1764439188.0000000000AD1000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: Process Memory Space: hf9tYzF.exe PID: 6668 | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: Process Memory Space: hf9tYzF.exe PID: 6668 | Rule: JoeSecurity_SalatStealer | Description: Yara detected Salat Stealer | Author: Joe Security

Yara matches (unpacked PE)
Source: 0.2.hf9tYzF.exe.ad0000.0.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.2.hf9tYzF.exe.ad0000.0.unpack | Rule: JoeSecurity_SalatStealer | Description: Yara detected Salat Stealer | Author: Joe Security

No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: hf9tYzF.exe | Avira: detected
Source: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/ | Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/ | Avira URL Cloud: Label: malware
Source: hf9tYzF.exe | Virustotal: Detection: 69%
Source: hf9tYzF.exe | ReversingLabs: Detection: 26%
Source: hf9tYzF.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: hf9tYzF.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View | IP Address: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 22 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 172.67.191.102 (reported 9 times)
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002178000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://c.pki.goog/r/gsr1.crl
Source: hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.000000000204B000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.000000000215A000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.00000000020EA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://c.pki.goog/r/gsr1.crl0
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002178000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://c.pki.goog/r/r4.crl
Source: hf9tYzF.exe, 00000000.00000002.1766384413.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.000000000216E000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.000000000236E000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.00000000023A1000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://c.pki.goog/r/r4.crl0
Source: hf9tYzF.exe, 00000000.00000002.1766384413.000000000237A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://c.pki.goog/we1/2DqfS24kcdI.crl
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002092000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.000000000236E000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://c.pki.goog/we1/2DqfS24kcdI.crl0
Source: hf9tYzF.exe, 00000000.00000002.1766384413.000000000201E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt
Source: hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002072000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1768229583.000000000242C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt0
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002016000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Source: hf9tYzF.exe, 00000000.00000002.1766384413.000000000205C000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002016000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crthttp://crl3.digicert.com/DigiCertGlobalRootG2.cr
Source: hf9tYzF.exe, 00000000.00000002.1766384413.000000000215C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: hf9tYzF.exe, 00000000.00000002.1766384413.000000000215C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002110000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002110000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl(c)
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002346000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: hf9tYzF.exe, 00000000.00000002.1766384413.000000000215C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: hf9tYzF.exe, 00000000.00000002.1766384413.000000000213A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002142000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: hf9tYzF.exe, 00000000.00000002.1766384413.000000000201E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl
Source: hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002072000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1768229583.000000000242C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl0H
Source: hf9tYzF.exe, 00000000.00000002.1766384413.000000000201E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crlhttp://crl4.digicert.com/DigiCertG
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002016000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl
Source: hf9tYzF.exe, 00000000.00000002.1766384413.000000000205C000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: hf9tYzF.exe, 00000000.00000002.1766384413.000000000201E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl
Source: hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002072000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1768229583.000000000242C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl0
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002016000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl
Source: hf9tYzF.exe, 00000000.00000002.1766384413.000000000205C000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl00
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002178000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://i.pki.goog/gsr1.crt
Source: hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.000000000204B000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.000000000215A000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.00000000020EA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://i.pki.goog/gsr1.crt0-
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002178000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://i.pki.goog/gsr1.crthttp://c.pki.goog/r/gsr1.crl
Source: hf9tYzF.exe, 00000000.00000002.1766384413.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.000000000216E000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.000000000236E000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.00000000023A1000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://i.pki.goog/r4.crt0
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002100000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://i.pki.goog/r4.crtGlobalSign
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002178000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://i.pki.goog/we1.crt
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002092000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.000000000236E000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://i.pki.goog/we1.crt0
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002178000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://o.pki.goog/s/we1/Yak
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002092000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.000000000236E000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://o.pki.goog/s/we1/Yak0%
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002178000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://o.pki.goog/s/we1/Yakhttp://i.pki.goog/we1.crt
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002016000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com
Source: hf9tYzF.exe, 00000000.00000002.1766384413.000000000205C000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002072000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1768229583.000000000242C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0Q
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002016000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comDigiCert
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002368000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002116000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://policy.camerfirma.com0
Source: hf9tYzF.exe, 00000000.00000002.1766384413.000000000215C000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002358000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://repository.swisssign.com/0
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002156000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.000000000215C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.chambersign.org1
Source: hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1766384413.0000000002072000.00000004.00001000.00020000.00000000.sdmp, hf9tYzF.exe, 00000000.00000002.1768229583.000000000242C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002178000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002148000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: hf9tYzF.exe, 00000000.00000002.1764439188.0000000000AD1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://1.1.1.1/dns-query?name=failed
Source: hf9tYzF.exe, 00000000.00000002.1766384413.00000000020AB000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://1.1.1.1/dns-query?name=sa1at.ru
Source: hf9tYzF.exe, 00000000.00000002.1766384413.00000000020AB000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://1.1.1.1/dns-query?name=sa1at.ru014430fad9d683816f9a2d1528909ec9c61b
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002178000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: hf9tYzF.exe, 00000000.00000002.1766384413.0000000002358000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://repository.luxtrust.lu0
Source: hf9tYzF.exe, 00000000.00000002.1766384413.00000000020A2000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sa1at.ru/sa1at/
Source: hf9tYzF.exe, 00000000.00000002.1766384413.00000000020A2000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/
Source: hf9tYzF.exe, 00000000.00000002.1764439188.0000000000AD1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: [raw string-table dump omitted]
Source: classification engine | Classification label: mal76.troj.spyw.winEXE@1/0@0/2
Source: C:\Users\user\Desktop\hf9tYzF.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\WEBR_EEQ75ABMFV0U
Source: C:\Users\user\Desktop\hf9tYzF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: hf9tYzF.exe, 00000000.00000002.1764439188.0000000000AD1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: hf9tYzF.exe, 00000000.00000002.1764439188.0000000000AD1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: hf9tYzF.exe, 00000000.00000002.1764439188.0000000000AD1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: C:\Users\user\Desktop\hf9tYzF.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\hf9tYzF.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\hf9tYzF.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\hf9tYzF.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\hf9tYzF.exe | Section loaded: mswsock.dll
Source: hf9tYzF.exe | Static file information: File size 3272192 > 1048576
Source: hf9tYzF.exe | Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x31ea00
Source: hf9tYzF.exe | Static PE information: section name: UPX2
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\hf9tYzF.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: hf9tYzF.exe, 00000000.00000002.1766184162.00000000017AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\hf9tYzF.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\hf9tYzF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.hf9tYzF.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1764439188.00000000012CD000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: hf9tYzF.exe PID: 6668, type: MEMORYSTR
Source: hf9tYzF.exe, 00000000.00000002.1764439188.0000000000AD1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: [raw string-table dumps omitted]
Source: Yara match; File source: 0.2.hf9tYzF.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1764439188.0000000000AD1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: hf9tYzF.exe PID: 6668, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match; File source: 0.2.hf9tYzF.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1764439188.00000000012CD000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: hf9tYzF.exe PID: 6668, type: MEMORYSTR
MITRE ATT&CK matrix (techniques matched by this sample carry their signature count in parentheses; the others are the matrix's placeholder entries):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Software Packing (1); DLL Side-Loading (1); Obfuscated Files or Information (1)
Credential Access: Input Capture (11); LSASS Memory; Security Account Manager
Discovery: Security Software Discovery (1); Process Discovery (1); System Information Discovery (2)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Input Capture (11); Data from Local System (1); Data from Network Shared Drive
Command and Control: Data Obfuscation; Junk Data; Steganography
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Behavior Graph ID: 1627196
Sample: hf9tYzF.exe
Start date: 01/03/2025
Architecture: WINDOWS
Score: 76
Signatures on the sample: Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Salat Stealer
Started process: hf9tYzF.exe
Network contacts of hf9tYzF.exe: 1.1.1.1, 443, 56870, 56871 (CLOUDFLARENETUS, Australia); 172.67.191.102, 443, 56872 (CLOUDFLARENETUS, United States)
Signature on hf9tYzF.exe: Found many strings related to Crypto-Wallets (likely being stolen)

Source | Detection | Scanner | Label
hf9tYzF.exe | 69% | Virustotal |
hf9tYzF.exe | 26% | ReversingLabs | Win32.Trojan.Generic
hf9tYzF.exe | 100% | Avira | TR/Crypt.XPACK.Gen
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label
https://1.1.1.1/dns-query?name=failed | 0% | Avira URL Cloud | safe
https://1.1.1.1/dns-query?name=sa1at.ru | 0% | Avira URL Cloud | safe
https://1.1.1.1/dns-query?name=sa1at.ru014430fad9d683816f9a2d1528909ec9c61b | 0% | Avira URL Cloud | safe
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/ | 100% | Avira URL Cloud | malware
https://sa1at.ru/sa1at/ | 100% | Avira URL Cloud | malware


              No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://1.1.1.1/dns-query?name=failed | hf9tYzF.exe, 00000000.00000002.1764439188.0000000000AD1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.chambersign.org/chambersroot.crl0 | hf9tYzF.exe, 00000000.00000002.1766384413.000000000215C000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://o.pki.goog/s/we1/Yak0% | hf9tYzF.exe, 00000000.00000002.1766384413.0000000002092000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.00000000020C0000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.000000000236E000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://repository.luxtrust.lu0 | hf9tYzF.exe, 00000000.00000002.1766384413.0000000002358000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://cps.chambersign.org/cps/chambersroot.html0 | hf9tYzF.exe, 00000000.00000002.1766384413.000000000215C000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://i.pki.goog/r4.crtGlobalSign | hf9tYzF.exe, 00000000.00000002.1766384413.0000000002100000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://i.pki.goog/we1.crt0 | hf9tYzF.exe, 00000000.00000002.1766384413.0000000002092000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.00000000020C0000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.000000000236E000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://c.pki.goog/r/gsr1.crl0 | hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.000000000204B000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.000000000215A000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.00000000020EA000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://www.chambersign.org1 | hf9tYzF.exe, 00000000.00000002.1766384413.0000000002156000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.000000000215C000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://sa1at.ru/sa1at/ | hf9tYzF.exe, 00000000.00000002.1766384413.00000000020A2000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://c.pki.goog/r/r4.crl | hf9tYzF.exe, 00000000.00000002.1766384413.0000000002178000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://repository.swisssign.com/0 | hf9tYzF.exe, 00000000.00000002.1766384413.000000000215C000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.0000000002358000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://c.pki.goog/we1/2DqfS24kcdI.crl | hf9tYzF.exe, 00000000.00000002.1766384413.000000000237A000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://i.pki.goog/gsr1.crt | hf9tYzF.exe, 00000000.00000002.1766384413.0000000002178000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://crl.securetrust.com/STCA.crl0 | hf9tYzF.exe, 00000000.00000002.1766384413.000000000213A000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://1.1.1.1/dns-query?name=sa1at.ru | hf9tYzF.exe, 00000000.00000002.1766384413.00000000020AB000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.quovadisglobal.com/cps0 | hf9tYzF.exe, 00000000.00000002.1766384413.0000000002148000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://i.pki.goog/gsr1.crt0- | hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.000000000204B000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.000000000215A000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.00000000020EA000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://c.pki.goog/r/r4.crl0 | hf9tYzF.exe, 00000000.00000002.1766384413.00000000020C0000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.000000000216E000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.000000000236E000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.00000000023A1000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://crl.xrampsecurity.com/XGCA.crl0 | hf9tYzF.exe, 00000000.00000002.1766384413.0000000002142000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://1.1.1.1/dns-query?name=sa1at.ru014430fad9d683816f9a2d1528909ec9c61b | hf9tYzF.exe, 00000000.00000002.1766384413.00000000020AB000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i.pki.goog/r4.crt0 | hf9tYzF.exe, 00000000.00000002.1766384413.00000000020C0000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.000000000216E000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.000000000236E000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.00000000023A1000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/ | hf9tYzF.exe, 00000000.00000002.1766384413.00000000020A2000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.quovadis.bm0 | hf9tYzF.exe, 00000000.00000002.1766384413.0000000002178000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://c.pki.goog/r/gsr1.crl | hf9tYzF.exe, 00000000.00000002.1766384413.0000000002178000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://i.pki.goog/gsr1.crthttp://c.pki.goog/r/gsr1.crl | hf9tYzF.exe, 00000000.00000002.1766384413.0000000002178000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://ocsp.quovadisoffshore.com0 | hf9tYzF.exe, 00000000.00000002.1766384413.0000000002178000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://o.pki.goog/s/we1/Yak | hf9tYzF.exe, 00000000.00000002.1766384413.0000000002178000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://c.pki.goog/we1/2DqfS24kcdI.crl0 | hf9tYzF.exe, 00000000.00000002.1766384413.0000000002092000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.00000000020C0000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.000000000236E000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.000000000200C000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.0000000002066000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://i.pki.goog/we1.crt | hf9tYzF.exe, 00000000.00000002.1766384413.0000000002178000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://o.pki.goog/s/we1/Yakhttp://i.pki.goog/we1.crt | hf9tYzF.exe, 00000000.00000002.1766384413.0000000002178000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://policy.camerfirma.com0 | hf9tYzF.exe, 00000000.00000002.1766384413.0000000002368000.00000004.00001000.00020000.00000000.sdmp; hf9tYzF.exe, 00000000.00000002.1766384413.0000000002116000.00000004.00001000.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
172.67.191.102 | unknown | United States | 13335 | CLOUDFLARENETUS | false
                                                                    Joe Sandbox version:42.0.0 Malachite
                                                                    Analysis ID:1627196
                                                                    Start date and time:2025-03-01 16:28:17 +01:00
                                                                    Joe Sandbox product:CloudBasic
                                                                    Overall analysis duration:0h 2m 0s
                                                                    Hypervisor based Inspection enabled:false
                                                                    Report type:full
                                                                    Cookbook file name:default.jbs
                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:1
                                                                    Number of new started drivers analysed:0
                                                                    Number of existing processes analysed:0
                                                                    Number of existing drivers analysed:0
                                                                    Number of injected processes analysed:0
                                                                    Technologies:
                                                                    • HCA enabled
                                                                    • EGA enabled
                                                                    • AMSI enabled
                                                                    Analysis Mode:default
                                                                    Analysis stop reason:Timeout
                                                                    Sample name:hf9tYzF.exe
                                                                    Detection:MAL
                                                                    Classification:mal76.troj.spyw.winEXE@1/0@0/2
                                                                    EGA Information:Failed
                                                                    HCA Information:
                                                                    • Successful, ratio: 100%
                                                                    • Number of executed functions: 0
                                                                    • Number of non-executed functions: 0
                                                                    Cookbook Comments:
                                                                    • Found application associated with file extension: .exe
                                                                    • Stop behavior analysis, all processes terminated
                                                                    No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
1.1.1.1 | watchdog.elf | malicious | Xmrig | 1.1.1.1:8080/
1.1.1.1 | 6fW0GedR6j.xls | malicious | Unknown | 1.1.1.1/ctrl/playback.php
1.1.1.1 | PO-230821_pdf.exe | malicious | FormBook, NSISDropper | www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
1.1.1.1 | AFfv8HpACF.exe | malicious | Unknown | 1.1.1.1/
172.67.191.102 | noytjhjsefsae.exe | malicious | Unknown |
172.67.191.102 | flilphbvd.exe | malicious | Unknown |
                                                                        No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | 1ZXaFij.exe | malicious | Xmrig | 162.159.138.232
CLOUDFLARENETUS | MCxU5Fj.exe | malicious | LummaC Stealer | 104.21.48.1
CLOUDFLARENETUS | Gidqgok.exe | malicious | LummaC Stealer | 104.21.16.1
CLOUDFLARENETUS | random.exe | malicious | Amadey, LummaC Stealer | 188.114.97.3
CLOUDFLARENETUS | random.exe | malicious | LummaC Stealer | 172.67.200.156
CLOUDFLARENETUS | random.exe | malicious | LummaC Stealer | 104.21.48.1
CLOUDFLARENETUS | http://marketbestoffer.top | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | aStydH147n.exe | malicious | Strela Stealer | 172.67.150.221
CLOUDFLARENETUS | w26DFTmyjC.exe | malicious | LummaC Stealer | 188.114.96.3
CLOUDFLARENETUS | PAYMENT INVOICE.vbs | malicious | FormBook | 172.67.207.50
                                                                        No context
                                                                        No context
                                                                        No created / dropped files found
                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                        Entropy (8bit):7.999897554619177
                                                                        TrID:
                                                                        • Win32 Executable (generic) a (10002005/4) 99.66%
                                                                        • UPX compressed Win32 Executable (30571/9) 0.30%
                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                        File name:hf9tYzF.exe
                                                                        File size:3'272'192 bytes
                                                                        MD5:457cdb9354bb5f5de34e7a33c2d2bd2f
                                                                        SHA1:080c211a693f57a78d3c73367231d87e145d5e14
                                                                        SHA256:e2c1f8f1db1d2c47bbe60e2d4daf5422865639bcafca1933c9f807e353d98e5b
                                                                        SHA512:a8fff68e5e34fce01883ec44ff139bd3d67d22c4925027eedc36d32f12a695dcb0e853c1149b87b1a41baf32894574ba72cc59c9eee4719287f1a6949bc9d6a4
                                                                        SSDEEP:49152:RVI+EB8uMSjePg9oVtLUUSDPG3cGI9fOEbcVDyo5UgSTIvsejyxlM:RVI+WSWEtL3S3GmncVDyAT
                                                                        TLSH:E4E5330C5D840AA3E1A166B3E971488D3C4FE1352F0BFA924F948DBE83356C79459FE2
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........................1..........|............@.......................................@................................
                                                                        Icon Hash:90cececece8e8eb0
                                                                        Entrypoint:0xf77ca0
                                                                        Entrypoint Section:UPX1
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:6
                                                                        OS Version Minor:1
                                                                        File Version Major:6
                                                                        File Version Minor:1
                                                                        Subsystem Version Major:6
                                                                        Subsystem Version Minor:1
                                                                        Import Hash:6ed4f5f04d62b18d96b26d6db7c18840
Instruction (entry point disassembly)
pushad
mov esi, 00C5A015h
lea edi, dword ptr [esi-00859015h]
push edi
mov ebp, esp
lea ebx, dword ptr [esp-00003E80h]
xor eax, eax
push eax
cmp esp, ebx
jne 00007F5A20E37CADh
inc esi
inc esi
push ebx
push 00B758AAh
push edi
add ebx, 04h
push ebx
push 0031DC86h
push esi
add ebx, 04h
push ebx
push eax
mov dword ptr [ebx], 00020003h
push ebp
push edi
push esi
push ebx
sub esp, 7Ch
mov edx, dword ptr [esp+00000090h]
mov dword ptr [esp+74h], 00000000h
mov byte ptr [esp+73h], 00000000h
mov ebp, dword ptr [esp+0000009Ch]
lea eax, dword ptr [edx+04h]
mov dword ptr [esp+78h], eax
mov eax, 00000001h
movzx ecx, byte ptr [edx+02h]
mov ebx, eax
shl ebx, cl
mov ecx, ebx
dec ecx
mov dword ptr [esp+6Ch], ecx
movzx ecx, byte ptr [edx+01h]
shl eax, cl
dec eax
mov dword ptr [esp+68h], eax
mov eax, dword ptr [esp+000000A8h]
movzx esi, byte ptr [edx]
mov dword ptr [ebp+00h], 00000000h
mov dword ptr [esp+60h], 00000000h
mov dword ptr [eax], 00000000h
mov eax, 00000300h
mov dword ptr [esp+64h], esi
mov dword ptr [esp+5Ch], 00000001h
mov dword ptr [esp+58h], 00000001h
mov dword ptr [esp+54h], 00000001h
mov dword ptr [esp+50h], 00000001h
Data directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb79000         0x88          UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb79088         0xc           UPX2
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections

Name  Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity  File Type  Entropy             Characteristics
UPX0  0x1000           0x859000      0x0       d41d8cd98f00b204e9800998ecf8427e  unknown   unknown          unknown    unknown             IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1  0x85a000         0x31f000      0x31ea00  62d34df1d85a920d46413e4b9ff4c19d  unknown   unknown          unknown    unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX2  0xb79000         0x1000        0x200     e351114d373558e96a4731b6f3d282f9  False     0.21484375       data       1.4696334998218852  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Imports

DLL           Import
KERNEL32.DLL  LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect

ICMP packets

Timestamp                         Source IP    Dest IP         Checksum  Code                Type
Mar 1, 2025 16:29:19.132404089 CET  192.168.2.4  172.67.191.102  e3c8      (Port unreachable)  Destination Unreachable
Mar 1, 2025 16:29:20.168796062 CET  192.168.2.4  172.67.191.102  eb9       (Port unreachable)  Destination Unreachable
Mar 1, 2025 16:29:22.260227919 CET  192.168.2.4  172.67.191.102  9cc4      (Port unreachable)  Destination Unreachable

Target ID: 0
Start time: 10:29:14
Start date: 01/03/2025
Path: C:\Users\user\Desktop\hf9tYzF.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\hf9tYzF.exe"
Imagebase: 0xad0000
File size: 3'272'192 bytes
MD5 hash: 457CDB9354BB5F5DE34E7A33C2D2BD2F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SalatStealer, Description: Yara detected Salat Stealer, Source: 00000000.00000002.1764439188.00000000012CD000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1764439188.0000000000AD1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: true

No disassembly