Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%
AV Detection:
Antivirus detection for dropped file
Source: Avira (3 entries)
Multi AV Scanner detection for dropped file
Source: Metadefender and ReversingLabs (4 entries)
Source: Directory created (3 entries)
Source: HTTPS traffic detected (3 entries)
Source: Binary string (5 entries)
Source: Code function: 10_2_004092D8, 10_2_0040F73C, 10_2_00408EB9, 10_2_0043CF60
Source: DNS traffic detected (1 entry)
Source: String found in binary or memory (32 entries)
Source: Network traffic detected (6 entries)
Source: HTTPS traffic detected (3 entries)
Key, Mouse, Clipboard, Microphone and Screen Capturing:
Creates a DirectInput object (often for capturing keystrokes)
Source: Binary or memory string (1 entry)
System Summary:
Detected potential crypto function
Source: Code function: 10_2_0040360C
Found potential string decryption / allocating functions
PE file contains strange resources
Source: Static PE information (2 entries)
Spawns drivers
Source: Driver loaded (1 entry)
Source: Classification label (1 entry)
Source: Code function: 10_2_0043BF00, 10_2_0040FAE8, 10_2_0043DC64, 10_2_0043B1A8
Source: File created (2 entries)
Source: Mutant created (3 entries)
Source: File source (5 entries)
Source: Process created (1 entry)
Source: Key opened (3 entries)
Source: File read (4 entries)
Source: String found in binary or memory (1 entry)
Source: Process created (12 entries)
Source: File written (1 entry)
Source: Window detected (1 entry)
Source: Directory created (3 entries)
Source: Binary string (5 entries)
Data Obfuscation:
PE file contains sections with non-standard names
Source: Static PE information (2 entries)
Uses code obfuscation techniques (call, push, ret)
Source: Code function: 2_2_009F1D1A, 10_2_00443159, 10_2_00439675, 10_2_004201D2, 10_2_0040A1DF, 10_2_004371F9, 10_2_00443228, 10_2_0043421E, 10_2_004432BF, 10_2_00437326, 10_2_004373A5, 10_2_0043A448, 10_2_00417871, 10_2_004219DD, 10_2_0042AA75, 10_2_0040CA11, 10_2_0042AAB9, 10_2_00415C5D, 10_2_0040EC85, 10_2_00404E48, 10_2_0043FED8
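The signature above reports push/ret and call/push/ret control-flow obfuscation in the listed functions, but the report does not show the bytes behind it. The following is an added example, not code from the report or from the analysed sample, of how such sequences are matched in a raw x86 code buffer: a `push imm32` followed (optionally through NOP padding) by `ret` is an indirect jump to the pushed address, and `call $+5` followed by a `pop` is the classic get-EIP idiom. The byte buffer `SAMPLE` is constructed for the example and the `0x1000` base address is an assumption; the scanner is a flat byte scan, not a disassembler, so it can misfire on data bytes that happen to look like these opcodes.

```python
import struct

# Constructed x86 (32-bit) byte sequence for this example; it is not taken from the
# analysed sample and the addresses in it are made up.
SAMPLE = bytes.fromhex(
    "55 8B EC"                # push ebp; mov ebp, esp         (ordinary prologue)
    "68 00 10 40 00 C3"       # push 0x401000; ret             (obfuscated jmp 0x401000)
    "E8 00 00 00 00 58"       # call $+5; pop eax              (get-EIP idiom)
    "90 90"                   # nop; nop
    "68 00 20 40 00 90 C3"    # push 0x402000; nop; ret        (padded push/ret)
    "B8 01 00 00 00 C3"       # mov eax, 1; ret                (a normal function return)
)

PUSH_IMM32 = 0x68
RET = 0xC3
NOP = 0x90
CALL_NEXT = b"\xE8\x00\x00\x00\x00"     # call rel32 with displacement 0, i.e. call $+5
POP_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # opcodes 0x58..0x5F


def find_push_ret(code: bytes, base: int = 0, max_gap: int = 2):
    """Return (address, target) for each push imm32 ... ret sequence.

    Up to max_gap NOP bytes are tolerated between the push and the ret, which is
    the simplest padding an obfuscator inserts to break naive two-byte matches.
    """
    hits = []
    i, n = 0, len(code)
    while i + 5 < n:                        # opcode + imm32 + at least one byte after
        if code[i] == PUSH_IMM32:
            target = struct.unpack_from("<I", code, i + 1)[0]
            j, gap = i + 5, 0
            while j < n and code[j] == NOP and gap < max_gap:
                j, gap = j + 1, gap + 1
            if j < n and code[j] == RET:
                hits.append((base + i, target))
                i = j + 1
                continue
        i += 1
    return hits


def find_call_next(code: bytes, base: int = 0):
    """Return (address, popped_register_or_None) for each call $+5 occurrence."""
    hits, start = [], 0
    while True:
        k = code.find(CALL_NEXT, start)
        if k < 0:
            return hits
        nxt = k + len(CALL_NEXT)
        reg = None
        if nxt < len(code) and 0x58 <= code[nxt] <= 0x5F:
            reg = POP_REGS[code[nxt] - 0x58]
        hits.append((base + k, reg))
        start = k + 1


def assess(code: bytes, base: int = 0):
    """Summarise both patterns; 'suspicious' is set when either one is present."""
    push_ret = find_push_ret(code, base)
    call_next = find_call_next(code, base)
    return {"push_ret": push_ret, "call_next": call_next,
            "suspicious": bool(push_ret or call_next)}


if __name__ == "__main__":
    for key, value in assess(SAMPLE, base=0x1000).items():
        print(key, value)
```

Treat the output as a triage lead, not a verdict: confirm each hit by disassembling from the enclosing function's entry (a `push imm32` that starts in the middle of a longer instruction is a false positive), and check whether the pushed targets fall inside the image's executable sections, since targets outside them point at code the static view does not contain.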
Persistence and Installation Behavior:
Drops PE files
Source: File created (4 dropped files)
Boot Survival:
Creates or modifies windows services
Source: Registry key created (1 entry)
Modifies existing windows services
Source: Registry key value modified (1 entry)
Source: Code function: 10_2_0043B58C
Source: Process information set (6 entries)
Malware Analysis System Evasion:
Contains functionality to enumerate running services
Source: Code function: 10_2_0043B7D4
Found dropped PE file which has not been started or loaded
Source: Dropped PE file which has not been started (3 entries)
Sample execution stops while process was sleeping (likely an evasion)
Source: Last function (2 entries)
Source: Code function: 10_2_004092D8, 10_2_0040F73C, 10_2_00408EB9
Source: Code function: 10_2_00409D02
Source: Binary or memory string (2 entries)
Source: System information queried (1 entry)
Anti Debugging:
Enables debug privileges
Source: Process token adjusted (1 entry)
HIPS / PFW / Operating System Protection Evasion:
Creates a process in suspended mode (likely to inject code)
Source: Process created (2 entries)
Language, Device and Operating System Detection:
Contains functionality to query locales information (e.g. system language)
Source: Code function: 10_2_004093C0, 10_2_00408908, 10_2_00412C4A, 10_2_00412C4C, 10_2_00412C98
Queries the volume information (name, serial number etc) of a device
Source: Queries volume information (3 entries)
Source: Code function: 10_2_00411154
Source: Code function: 10_2_00414698
Source: Key value queried (1 entry)
Lowering of HIPS / PFW / Operating System Security Settings:
Modifies the windows firewall
Source: Process created (1 entry)
Uses netsh to modify the Windows network and firewall settings
Source: Process created (1 entry)
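The two signatures above, together with the Boot Survival signatures (creation of a service key and modification of an existing service), describe behaviour a detection engineer would want to confirm in endpoint telemetry rather than only in a sandbox. The following is an added example, not part of the report, of that logic run over constructed Sysmon-style event lines (EventID 1 process creation, EventID 12 registry key creation, EventID 13 registry value set). The JSON field names follow Sysmon's conventions; the paths, service names and command lines are made up for the example. It separates a read-only `netsh ... show` from a mutating `add`/`set`/`delete`, and it uses event order to tell a value written under a service key that the same stream just created (service installation) from one written under a key that already existed (modification of an existing service).

```python
import json
import re

# Constructed Sysmon-style events for this example (one JSON object per line).
# None of these paths, names or command lines come from the analysed sample.
SAMPLE_LOG = [
    r'{"EventID":1,"Image":"C:\\Windows\\System32\\netsh.exe","CommandLine":"netsh advfirewall firewall add rule name=\"Updater\" dir=in action=allow program=\"C:\\ProgramData\\upd\\svc.exe\"","ParentImage":"C:\\Users\\u\\AppData\\Local\\Temp\\setup.exe"}',
    r'{"EventID":12,"EventType":"CreateKey","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\UpdSvc"}',
    r'{"EventID":13,"EventType":"SetValue","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\UpdSvc\\ImagePath","Details":"C:\\ProgramData\\upd\\svc.exe"}',
    r'{"EventID":13,"EventType":"SetValue","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\Schedule\\Start","Details":"DWORD (0x00000004)"}',
    r'{"EventID":1,"Image":"C:\\Windows\\System32\\netsh.exe","CommandLine":"netsh winhttp set proxy 127.0.0.1:8080"}',
    r'{"EventID":1,"Image":"C:\\Windows\\System32\\netsh.exe","CommandLine":"netsh interface show interface"}',
    r'{"EventID":13,"EventType":"SetValue","TargetObject":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Upd","Details":"C:\\ProgramData\\upd\\svc.exe"}',
]

# Signature names reused from the report so hits line up with its categories.
SIG_NETSH = "Uses netsh to modify the Windows network and firewall settings"
SIG_FIREWALL = "Modifies the windows firewall"
SIG_SVC_CREATE = "Creates or modifies windows services"
SIG_SVC_MODIFY = "Modifies existing windows services"

# Service key: HKLM\System\CurrentControlSet\Services\<name>[\<value or subkey path>]
SERVICES_RE = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)(?:\\(.+))?$", re.I)
# netsh contexts that touch the firewall, and verbs that change state (not 'show').
NETSH_FW_RE = re.compile(r"\b(?:advfirewall|firewall)\b", re.I)
NETSH_MUTATE_RE = re.compile(r"\b(?:add|set|delete|reset|import)\b", re.I)


def classify(event, created_services):
    """Return the signature names one event triggers.

    created_services is stream state: names of service keys seen being created,
    used to distinguish installation of a new service from edits to an old one.
    """
    labels = []
    eid = event.get("EventID")
    if eid == 1:
        image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
        cmd = event.get("CommandLine", "")
        if image == "netsh.exe" and NETSH_MUTATE_RE.search(cmd):
            labels.append(SIG_NETSH)
            if NETSH_FW_RE.search(cmd):
                labels.append(SIG_FIREWALL)
    elif eid in (12, 13):
        m = SERVICES_RE.match(event.get("TargetObject", ""))
        if m:
            svc, sub = m.group(1).lower(), m.group(2)
            if eid == 12 and sub is None and event.get("EventType") == "CreateKey":
                created_services.add(svc)
                labels.append(SIG_SVC_CREATE)
            elif eid == 13 and sub:
                labels.append(SIG_SVC_CREATE if svc in created_services else SIG_SVC_MODIFY)
    return labels


def scan(lines):
    """Map each signature name to the 1-based line numbers that triggered it."""
    hits = {}
    created = set()
    for n, line in enumerate(lines, 1):
        for label in classify(json.loads(line), created):
            hits.setdefault(label, []).append(n)
    return hits


if __name__ == "__main__":
    for label, lines in scan(SAMPLE_LOG).items():
        print(f"{label}: lines {lines}")
```

The created-service set is per stream here; in production it should be keyed by host and bounded in time so a service installed last month does not mask a later tampering with it. If your sensor does not normalise `ControlSet00X` to `CurrentControlSet`, widen `SERVICES_RE` accordingly, and keep the parent process (line 1 records a setup binary in `Temp`) as context when deciding whether a firewall rule that allows a program in `ProgramData` is legitimate.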
IP | Domain | Country | ASN | ASN Name | Malicious
---|---|---|---|---|---
140.82.121.3 | github.com | United States | 36459 | GITHUBUS | false
185.199.111.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
185.199.111.154 | github-releases.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
Name | IP | Active
---|---|---
github.com | 140.82.121.3 | true
raw.githubusercontent.com | 185.199.111.133 | true
github-releases.githubusercontent.com | 185.199.111.154 | true