
Windows Analysis Report
kde.exe

Overview

General Information

Sample Name: kde.exe
Analysis ID: 578630
MD5: 2a597d25bbecfca9550df0d6f48bcafb
SHA1: 5aa68ba69c391a3bcc93e88378a4e4818a2a9181
SHA256: 532e3e9ec546f0030d3fef0bddc224f868c55bb00d1914cdb7157a3e74f5bd28
Tags: exe

Detection

DanaBot
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected DanaBot stealer dll
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
One or more processes crash
PE file contains strange resources
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to query CPU information (cpuid)

Classification

Category axes scored by the sandbox: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious. Detection for this sample: MAL, label mal60.troj.winEXE@2/6@0/0.

Process Tree

  • System is w10x64
  • kde.exe (PID: 4768 cmdline: "C:\Users\user\Desktop\kde.exe" MD5: 2A597D25BBECFCA9550DF0D6F48BCAFB)
    • WerFault.exe (PID: 1880 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 388 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

Malware Configuration

No configs have been found. The sample crashed during the run (WerFault.exe was spawned for PID 4768) and the analysis ended by timeout, so the recorded behaviour is limited: no C2 configuration was extracted and no network contact was observed.
Yara Overview

Memory Dumps (Source | Rule | Description | Author):
00000000.00000003.294601928.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll_1 | Yara detected DanaBot stealer dll | Joe Security
00000000.00000000.299484434.0000000000400000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_DanaBot_stealer_dll_1 | Yara detected DanaBot stealer dll | Joe Security
00000000.00000000.304905986.0000000004970000.00000040.00000800.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll_1 | Yara detected DanaBot stealer dll | Joe Security
00000000.00000002.335103193.0000000004970000.00000040.00000800.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll_1 | Yara detected DanaBot stealer dll | Joe Security
00000000.00000000.302219362.0000000004970000.00000040.00000800.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll_1 | Yara detected DanaBot stealer dll | Joe Security
(2 more entries; all 7 memory sources are listed under AV Detection)

Unpacked PEs (Source | Rule | Description | Author):
0.2.kde.exe.400000.0.unpack | JoeSecurity_DanaBot_stealer_dll_1 | Yara detected DanaBot stealer dll | Joe Security
0.2.kde.exe.400000.0.raw.unpack | JoeSecurity_DanaBot_stealer_dll_1 | Yara detected DanaBot stealer dll | Joe Security
0.3.kde.exe.4bc0000.0.unpack | JoeSecurity_DanaBot_stealer_dll_1 | Yara detected DanaBot stealer dll | Joe Security
0.0.kde.exe.400000.1.raw.unpack | JoeSecurity_DanaBot_stealer_dll_1 | Yara detected DanaBot stealer dll | Joe Security
0.0.kde.exe.400000.2.raw.unpack | JoeSecurity_DanaBot_stealer_dll_1 | Yara detected DanaBot stealer dll | Joe Security
(3 more entries; all 8 unpacked PE sources are listed under AV Detection)
                      No Sigma rule has matched


AV Detection

Source: kde.exe | ReversingLabs: Detection: 53%
Source: Yara match | File source: 0.2.kde.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kde.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.kde.exe.4bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.kde.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.kde.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.kde.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.kde.exe.4bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.kde.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.294601928.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.299484434.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.304905986.0000000004970000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.335103193.0000000004970000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.302219362.0000000004970000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.303147147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.333388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: kde.exe | Joe Sandbox ML: detected
Source: kde.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\kde.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\has\pabatasuge50\jokecu\milonotoli.pdb source: kde.exe
Source: Binary string: lBC:\has\pabatasuge50\jokecu\milonotoli.pdb source: kde.exe
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_0040D390 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_00411D32 FindFirstFileW,
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_0040CDC4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net
Source: kde.exe, 00000000.00000000.301852075.0000000002E78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match | File source: the same 8 UNPACKEDPE and 7 MEMORY sources listed under AV Detection

Other Signatures

Source: kde.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: kde.exe, 00000000.00000000.305465579.0000000004E18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs kde.exe
Source: kde.exe, 00000000.00000003.332897633.0000000004E18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs kde.exe
Source: C:\Users\user\Desktop\kde.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 388
Source: kde.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (2x)
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_00615DA0
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_0040B920
Source: kde.exe | ReversingLabs: Detection: 53%
Source: kde.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\kde.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\kde.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (2x)
Source: unknown | Process created: C:\Users\user\Desktop\kde.exe "C:\Users\user\Desktop\kde.exe"
Source: C:\Users\user\Desktop\kde.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 388
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4768
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA3AD.tmp
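The OriginalFilename mismatch and the WerFault.exe child above are two things a detection engineer can hunt for in endpoint telemetry. The following Python is an added example, not part of this report and not Joe Sandbox code: it runs over constructed Sysmon-style process-creation records (field names follow Sysmon Event ID 1; the PIDs, paths and command lines are modelled on this report's process tree, everything else is made up), flags processes whose version-resource OriginalFileName names a different binary than the image on disk, and correlates a WerFault.exe `-p <pid>` invocation back to the crashed process so that a crash of an executable in a user-writable directory is surfaced. The user-writable path markers and the severity tiers are the example's own choices.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process creation events (Event ID 1 field names), modelled on the
# process tree in this report: kde.exe (PID 4768) crashes and spawns WerFault.exe (PID 1880).
# The records are made up for this example; only the paths, PIDs and command lines mirror the report.
EVENTS = [
    {"ProcessId": 3000, "ParentProcessId": 800, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe", "OriginalFileName": "EXPLORER.EXE"},
    {"ProcessId": 4768, "ParentProcessId": 3000, "Image": r"C:\Users\user\Desktop\kde.exe",
     "CommandLine": r'"C:\Users\user\Desktop\kde.exe"', "OriginalFileName": "kernel32"},
    {"ProcessId": 1880, "ParentProcessId": 4768, "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 388",
     "OriginalFileName": "WerFault.exe"},
    {"ProcessId": 5000, "ParentProcessId": 800, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "CommandLine": r'"C:\Program Files\Windows Defender\MsMpEng.exe"', "OriginalFileName": "MsMpEng.exe"},
    {"ProcessId": 5100, "ParentProcessId": 800, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "OriginalFileName": "-"},  # Sysmon writes "-" when absent
]

# Example's own choice of "a standard user can write here" markers (lower-cased substring match).
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
# WerFault.exe receives the crashing process id after -p.
WERFAULT_PID = re.compile(r"werfault\.exe.*?\s-p\s+(\d+)", re.IGNORECASE)


def is_user_writable(path):
    """True for paths under user-writable directories; system directories return False."""
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def original_name_mismatch(event):
    """True when the version-resource OriginalFileName names a different binary than the image on disk."""
    orig = event.get("OriginalFileName", "")
    if orig in ("", "-", "?"):          # no version resource: nothing to compare
        return False
    return PureWindowsPath(orig).stem.lower() != PureWindowsPath(event["Image"]).stem.lower()


def analyze(events):
    """Walk events in order and return (severity, pid, reason) alerts."""
    by_pid = {}
    alerts = []
    for ev in events:
        by_pid[ev["ProcessId"]] = ev
        image = PureWindowsPath(ev["Image"])
        if original_name_mismatch(ev):
            # A system-binary name on an executable under the user's profile is the combination to escalate.
            severity = "high" if is_user_writable(ev["Image"]) else "low"
            alerts.append((severity, ev["ProcessId"],
                           f"OriginalFileName '{ev['OriginalFileName']}' does not match image '{image.name}'"))
        if image.name.lower() == "werfault.exe":
            m = WERFAULT_PID.search(ev["CommandLine"])
            crashed = by_pid.get(int(m.group(1))) if m else None
            if crashed and is_user_writable(crashed["Image"]):
                alerts.append(("medium", crashed["ProcessId"],
                               f"WerFault.exe reported a crash of {crashed['Image']}"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

OriginalFileName mismatches are common for legitimately renamed installers and tools, which is why the path decides the severity: a system binary name such as kernel32 on an executable under the user's Desktop is the combination worth alerting on. Sysmon writes "-" when the resource is absent, so that value is ignored rather than counted as a mismatch.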
Source: classification engine | Classification label: mal60.troj.winEXE@2/6@0/0
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_00411D8A GetDiskFreeSpaceW,
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts (2x)
Source: kde.exe | Static file information: File size 1235968 > 1048576
Source: C:\Users\user\Desktop\kde.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: kde.exe | Static PE information: More than 200 imports for KERNEL32.dll
Source: kde.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: kde.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: kde.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: kde.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: kde.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: kde.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: kde.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\has\pabatasuge50\jokecu\milonotoli.pdb source: kde.exe
Source: Binary string: lBC:\has\pabatasuge50\jokecu\milonotoli.pdb source: kde.exe
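The static checks listed above (the 32-bit machine flags, the executable .text section, the populated data directories, the 1 MiB size threshold and the embedded PDB path) can all be reproduced from the PE headers alone. The Python below is an added example, not code from this report or from Joe Sandbox, and uses only the standard library: it parses a PE32 image's COFF header, data directories and section table, returns findings worded like the report's, and builds a constructed minimal PE32 image to run them against (not a real program; the `C:\build\example\sample.pdb` path and the data-directory RVAs are made up, and the image is padded to the report's 1235968 bytes). PE32+ (64-bit) images are deliberately rejected to keep the parser short.

```python
import re
import struct

# Constants from the PE specification (winnt.h names kept for readability).
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
DATA_DIRECTORIES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY",
                    "BASERELOC", "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS",
                    "LOAD_CONFIG", "BOUND_IMPORT", "IAT", "DELAY_IMPORT",
                    "COM_DESCRIPTOR", "RESERVED"]
SIZE_THRESHOLD = 1048576  # the 1 MiB limit the report applies


def parse_pe32(data):
    """Parse a PE32 image's COFF header, non-empty data directories and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                         # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]       # NumberOfRvaAndSizes
    dirs = {}
    for i in range(min(ndirs, 16)):                           # directory table starts at offset 96 (PE32)
        rva, size = struct.unpack_from("<II", data, opt + 96 + 8 * i)
        if rva or size:
            dirs[DATA_DIRECTORIES[i]] = (rva, size)
    sections = []
    sec_off = opt + opt_size
    for i in range(nsections):                                # 40-byte IMAGE_SECTION_HEADER entries
        name, *_, flags = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), flags))
    return {"machine": machine, "characteristics": characteristics,
            "dirs": dirs, "sections": sections}


def triage(data):
    """Return the static findings this report lists, worded the same way where possible."""
    pe = parse_pe32(data)
    findings = []
    if (pe["machine"] == IMAGE_FILE_MACHINE_I386 and pe["characteristics"] & IMAGE_FILE_32BIT_MACHINE
            and pe["characteristics"] & IMAGE_FILE_EXECUTABLE_IMAGE):
        findings.append("Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE")
    for name, flags in pe["sections"]:
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            findings.append(f"Section {name} is writable and executable (packer or self-modifying code)")
        elif flags & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"Section: {name} IMAGE_SCN_MEM_EXECUTE"
                            + (", IMAGE_SCN_CNT_CODE" if flags & IMAGE_SCN_CNT_CODE else "")
                            + (", IMAGE_SCN_MEM_READ" if flags & IMAGE_SCN_MEM_READ else ""))
    for name in pe["dirs"]:
        findings.append(f"data directory type: IMAGE_DIRECTORY_ENTRY_{name}")
    if len(data) > SIZE_THRESHOLD:
        findings.append(f"File size {len(data)} > {SIZE_THRESHOLD}")
    pdb = re.search(rb"[A-Za-z]:\\[\x20-\x7e]{1,200}?\.pdb", data)   # CodeView path left by the linker
    if pdb:
        findings.append("Binary string: " + pdb.group().decode())
    return findings


def build_sample_pe(dir_names, text_flags, total_size, pdb_path=b""):
    """Construct a minimal, non-runnable PE32 image for testing (made up for this example)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    opt = bytearray(224)                                       # PE32 optional header incl. 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    for name in dir_names:                                     # made-up RVAs/sizes, just non-zero
        i = DATA_DIRECTORIES.index(name)
        struct.pack_into("<II", opt, 96 + 8 * i, 0x1000 * (i + 1), 0x100)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, text_flags)
    img = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec + pdb_path
    return img + b"\0" * (total_size - len(img))


if __name__ == "__main__":
    sample = build_sample_pe(["IMPORT", "RESOURCE", "BASERELOC", "DEBUG", "LOAD_CONFIG", "IAT"],
                             IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ,
                             1235968, b"C:\\build\\example\\sample.pdb")
    for line in triage(sample):
        print(line)
```

A writable and executable section is reported separately because that combination, absent here, is the stronger packer indicator; the plain EXECUTE/CNT_CODE/READ .text section the report shows is what any normal compiler emits, and the size threshold and data-directory listing are inventory rather than verdicts.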
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_0040F848 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_0042081C push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_0040F830 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_0040F83C push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_0040F8D6 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_0040F88E push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_0040F8B4 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_0040F9C8 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_0040F9E0 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_0048B188 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_004879A8 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_0040F218 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_00407284 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_0060AD53 push eax; retn 0000h
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_0040FF84 push 00410007h; ret
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_048C3557 push 00000000h; iretd
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_04882808 pushad ; iretd
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS|NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (19x)
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_0040F008 GetSystemInfo,
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_0040D390 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_00411D32 FindFirstFileW,
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_0040CDC4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
Source: Amcache.hve.5.dr | Binary or memory string: VMware
Source: Amcache.hve.5.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr | Binary or memory string: VMware7,1
Source: Amcache.hve.5.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr | Binary or memory string: VMware, Inc.me
Source: Amcache.hve.5.dr | Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.5.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_048810A3 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kde.exe | Process queried: DebugPort (2x)
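The push/mov, push/ret, iretd and fs:[30h] sequences listed above (the "code obfuscation" and "reads the PEB" evidence) are fixed byte patterns, so a sandbox can find them without a full disassembler. The Python below is an added example, not code from this report or from Joe Sandbox: it scans a raw code blob for the x86 encodings of exactly those sequences and reports their virtual addresses (a load base of 0x400000 is assumed, matching the image base the report's function addresses imply). The blob it runs on is constructed for the example and is not bytes from kde.exe; only the push/ret target 0x00410007 is taken from the report's `0_2_0040FF84 push 00410007h; ret` line.

```python
import re

# x86 (32-bit) encodings of the instruction sequences this report lists as obfuscation and
# anti-debugging evidence. ModRM 0x04/0x0C/0x14 select eax/ecx/edx as the stored register.
PATTERNS = {
    # push ecx; mov dword ptr [esp], eax|ecx|edx  (reserve a stack slot, store a register into it)
    "push ecx; mov [esp], reg": re.compile(rb"\x51\x89[\x04\x0c\x14]\x24"),
    # push imm32; ret  -> transfers control to the pushed address without a call or jmp
    "push imm32; ret": re.compile(rb"\x68(?P<addr>[\x00-\xff]{4})\xc3"),
    # push eax; retn 0  (same trick, register-supplied target)
    "push eax; retn 0": re.compile(rb"\x50\xc2\x00\x00"),
    # pushad; iretd / push 0; iretd  -> control-flow confusion via interrupt return
    "pushad; iretd": re.compile(rb"\x60\xcf"),
    "push 0; iretd": re.compile(rb"\x6a\x00\xcf"),
    # push dword ptr fs:[30h]  -> pushes the PEB pointer (PEB.BeingDebugged is at offset 2)
    "push dword ptr fs:[30h]": re.compile(rb"\x64\xff\x35\x30\x00\x00\x00"),
}


def scan(code, base=0x400000):
    """Return sorted (virtual address, pattern name, detail) hits over a raw code blob loaded at `base`."""
    hits = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(code):
            detail = ""
            if "addr" in rx.groupindex:            # decode the little-endian push operand
                detail = "target 0x%08X" % int.from_bytes(m.group("addr"), "little")
            hits.append((base + m.start(), name, detail))
    return sorted(hits)


# Constructed code blob (not bytes from kde.exe): a prologue using the push/mov idiom twice,
# an ordinary call that must not match, a push/ret jump to 0x00410007, and a PEB read.
SAMPLE_CODE = bytes.fromhex(
    "55 8b ec "                  # push ebp; mov ebp, esp
    "51 89 14 24 "               # push ecx; mov [esp], edx
    "51 89 04 24 "               # push ecx; mov [esp], eax
    "e8 00 00 00 00 "            # call $+5 (plain call, no hit)
    "68 07 00 41 00 c3 "         # push 0x00410007; ret
    "64 ff 35 30 00 00 00 "      # push dword ptr fs:[30h]
    "58 "                        # pop eax            (eax = PEB)
    "8a 40 02 "                  # mov al, [eax+2]    (PEB.BeingDebugged)
    "c3 "                        # ret
)

if __name__ == "__main__":
    for address, name, detail in scan(SAMPLE_CODE):
        print("0x%08X  %-28s %s" % (address, name, detail))
```

Two caveats the signature names leave out: `push ecx; mov [esp], reg` is a stack-slot idiom the Delphi compiler emits routinely, and the HKEY_CURRENT_USER\Software\Borland\Delphi\Locales lookup recorded elsewhere in this report shows the sample is Delphi-built, so the thirteen hits of that shape are compiler output rather than hand-placed obfuscation; the push-immediate/ret jumps and the `push dword ptr fs:[30h]` PEB read are the ones worth a closer look. Byte scanning ignores instruction boundaries, so confirm any hit in a disassembler before citing it.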
Source: C:\Users\user\Desktop\kde.exe | Code function: GetUserDefaultUILanguage,GetLocaleInfoW,
Source: C:\Users\user\Desktop\kde.exe | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\kde.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\kde.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_00407A14 cpuid
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_0040F01C GetVersion,
Source: C:\Users\user\Desktop\kde.exe | Code function: 0_2_00411DCA GetLocalTime,
Source: Amcache.hve.5.dr, Amcache.hve.LOG1.5.dr | Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.5.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr, Amcache.hve.LOG1.5.dr | Binary or memory string: procexp.exe

Note on the Amcache.hve sources: these are dropped copies of the Amcache registry hive, which records programs and devices seen on the analysis machine. The VMware device strings and the procexp.exe / msmpeng.exe names above therefore describe the sandbox host itself, not strings inside kde.exe, and on their own are weak evidence for the "AV process strings found" and virtualization-detection signatures.

Stealing of Sensitive Information

Source: Yara match | File source: the same 8 UNPACKEDPE and 7 MEMORY sources listed under AV Detection

Remote Access Functionality

Source: Yara match | File source: the same 8 UNPACKEDPE and 7 MEMORY sources listed under AV Detection

MITRE ATT&CK Matrix

Techniques matched by this sample's signatures, by tactic (number of signatures mapped to each technique in parentheses; the remaining cells of the matrix were empty):
• Privilege Escalation: Process Injection (1)
• Defense Evasion: Process Injection (1), Virtualization/Sandbox Evasion (1), Obfuscated Files or Information (1)
• Credential Access: Input Capture (1)
• Discovery: System Information Discovery (25), Security Software Discovery (21), System Time Discovery (1), Virtualization/Sandbox Evasion (1), File and Directory Discovery (1), Remote System Discovery (1)
• Collection: Input Capture (1), Archive Collected Data (1)
• Command and Control: Encrypted Channel (1)
Behavior Graph

Behavior Graph ID: 578630, Sample: kde.exe, Start date: 25/02/2022, Architecture: WINDOWS, Score: 60
Signatures on the root node: Multi AV Scanner detection for submitted file; Yara detected DanaBot stealer dll; Machine Learning detection for sample
  • kde.exe started
    • WerFault.exe started (child of kde.exe)
      • dropped: C:\ProgramData\Microsoft\...\Report.wer, Little-endian

Antivirus and Machine Learning Detection

Initial Sample (Source | Detection | Scanner | Label):
kde.exe | 53% | ReversingLabs | Win32.Trojan.Azorult
kde.exe | 100% | Joe Sandbox ML
No Antivirus matches (the four remaining scan tables are empty)

The ReversingLabs label (Azorult) disagrees with the family named by the Yara rule (DanaBot); the DanaBot attribution in this report rests on the Yara matches in memory and in the unpacked PE, not on the AV label.

Contacted Domains: No contacted domains info
URLs (Name | Source | Malicious | Reputation):
http://upx.sf.net | Amcache.hve.5.dr | false | high
(This string sits in a dropped copy of the Amcache registry hive, not in any traffic from the sample; the analysis recorded no contacted domains or IPs.)
Contacted IPs: No contacted IP infos
                        Joe Sandbox Version:34.0.0 Boulder Opal
                        Analysis ID:578630
                        Start date:25.02.2022
                        Start time:04:01:32
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 7m 3s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:kde.exe
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of analysed new started processes analysed:21
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal60.troj.winEXE@2/6@0/0
                        EGA Information:
                        • Successful, ratio: 100%
                        HDC Information:
                        • Successful, ratio: 84% (good quality ratio 75%)
                        • Quality average: 78.2%
                        • Quality standard deviation: 32.6%
                        HCA Information:
                        • Successful, ratio: 72%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                        • Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.168.117.173
                        • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, onedsblobprdeus16.eastus.cloudapp.azure.com, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                        • VT rate limit hit for: kde.exe
| Time | Type | Description |
| --- | --- | --- |
| 04:02:41 | API Interceptor | 1x Sleep call for process: WerFault.exe modified |
                        No context
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.766489995190086
                        Encrypted:false
                        SSDEEP:96:MF9F2NSxKbueJTJvhV97Y91pXIQcQ+c63fcE7cw3Y1S+HbHg/8BRTf3Oy1EISWb4:MnsNbXTyHQTfB01bju7/u7snS274ItU
                        MD5:B504A0E5BA4C3648778CB5F5A446987D
                        SHA1:2E107E0759BE7669EB152933A331AAD34AA09E51
                        SHA-256:EAF109DEB7BED7A68113126C9200C99D5C54B09689D51AC1A2DA4CBCBCDF5E17
                        SHA-512:E4D84541FCA39BB3319E781D3F1B2C2590216B64938BAB11BE47957ECC7F0F00099DE4F5F23D01BDE39FE3B6733B850777EE2FFADD4B848DE7BF62278076E513
                        Malicious:true
                        Reputation:low
                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.0.2.6.4.1.5.8.3.6.5.9.5.3.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.0.2.6.4.1.6.0.4.5.9.6.5.5.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.1.4.4.8.9.c.e.-.1.4.9.b.-.4.0.f.e.-.a.d.9.b.-.1.b.b.0.1.9.a.1.4.2.5.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.7.e.3.a.4.0.e.-.d.b.9.2.-.4.3.2.5.-.8.3.4.7.-.9.f.3.3.b.b.5.6.6.4.d.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.k.d.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.a.0.-.0.0.0.1.-.0.0.1.c.-.2.2.f.c.-.5.5.8.f.3.f.2.a.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.e.3.f.b.f.e.b.e.7.5.d.5.4.8.2.3.e.d.d.d.7.a.e.0.4.3.7.0.a.6.f.0.0.0.0.f.f.f.f.!.0.0.0.0.5.a.a.6.8.b.a.6.9.c.3.9.1.a.3.b.c.c.9.3.e.8.8.3.7.8.a.4.e.4.8.1.8.a.2.a.9.1.8.1.!.k.d.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.2././.
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 14 streams, Fri Feb 25 12:02:38 2022, 0x1205a4 type
                        Category:dropped
                        Size (bytes):58470
                        Entropy (8bit):2.318560026717585
                        Encrypted:false
                        SSDEEP:384:718fOpfimJOVjucepyH+DaUjPchpGx9SuD1d:7mf0JONeMujPM4xUm
                        MD5:C989337E214D9026BFB380D7F9EFA4F9
                        SHA1:95B38FB53212A31943B7FE3CBC1F7ED53CBBCB36
                        SHA-256:2677337E95A02CB7B5F5E2DB1A6DA99410B3E1D13744982F297E692D84F26B4A
                        SHA-512:B75E80D80F27A066CD456D045BF920016371634A73FDC4524736AAEC0DE9EC97B1A8B81D245603BA8E30718F4E294B10515DFA1C11841C777247A76D1251DD26
                        Malicious:false
                        Reputation:low
                        Preview:MDMP....... .......^..b....................................t...@#..........T.......8...........T............................................................................................................U...........B..............GenuineIntelW...........T...........T..b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8270
                        Entropy (8bit):3.6896176509862144
                        Encrypted:false
                        SSDEEP:192:Rrl7r3GLNiejU6IaGKS6YF2SUwCgmfiS5B1dCprc89b4Rrsf+aBm:RrlsNiwU6Iae6Y0SUwCgmfiS5js4RwfC
                        MD5:5A91703779555E7BDA1B2E7493AC2FB0
                        SHA1:47C2E7581A89201B26F6E5B12DA689A02CC4684C
                        SHA-256:A5BF80E412D12495D3BE2BF09F143C5E752AC6FDE543440439A432860F7BDACB
                        SHA-512:B7A5BF2BA63E511C3DC200B33E6B919D7B315680B2D08FF7AF691AAAFFC797D7AF0B6AEE2ED151FD195C38D532F20B4116616E8D91D8E89F36B0B63ADF0A6018
                        Malicious:false
                        Reputation:low
                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.7.6.8.<./.P.i.d.>.......
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4514
                        Entropy (8bit):4.419469536377917
                        Encrypted:false
                        SSDEEP:48:cvIwSD8zsArJgtWI9lxWSC8Bc8fm8M4JkXhxDwwFvx+q8tdtPVgZUW2ZVYydd:uITfAFCgSN3J0TwYxaxVo9sYydd
                        MD5:8F4B2B65EA60534050B42307F6EEAAA9
                        SHA1:F70CEA732847771465AAA04C5218B54C45A130CF
                        SHA-256:3DE319F62760575062A56CF9D70583F574E244907719958030D0DB65BE56FE2B
                        SHA-512:CE62994FC342157853628F0122D79C7463C4AEB96BECF4F16D70DA3ADC0C3858823117127CFFC31BE5BB96DD959EC329BF56A7494054F9642DCE6CDF52B56173
                        Malicious:false
                        Reputation:low
                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1402393" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):1572864
                        Entropy (8bit):4.274596008094446
                        Encrypted:false
                        SSDEEP:12288:1YC4PxHBCmuwj1aT1sYwceCDn4DHiprV1dIS84f/NmKMl1nmubD0D:2C4PxHBCmuwj1ajZ
                        MD5:00A78A5AFE0DB01E1C6D7E6AC51E5B74
                        SHA1:E16626A217A447B1B3BDBC0D788BB8B41A6D500A
                        SHA-256:42440531FA4C8549679B141DC88035F17320503CC2F8ED741A7BDF7652273794
                        SHA-512:FAB2BAFFB41612C49D7D02AA1103C08FF2930CE0DE5C2D925AE8E4C2098EC33B42F32B349A200A679FC568AC2114A30C7976FED1F4EBAF03B458342D28D8A1E0
                        Malicious:false
                        Reputation:low
                        Preview:regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...?*.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):24576
                        Entropy (8bit):3.9795377567477153
                        Encrypted:false
                        SSDEEP:384:N+HW75Rftx14PJ4XbsBFn07kHPBqXISeq5QMVyiC+/5l4Lk4EZd1DoXzObImQac:uWFRftx1+J4X4BF07QBqXbeq5QMVyiCO
                        MD5:C9FA501851BD93D9322BB96A5BBDDB65
                        SHA1:9611146D66CCA69CD57844AEE695B1874F00F36D
                        SHA-256:6BEFC25A01428E1414A54CAD4F38A65302155C9603ABE57E475F7DE07A630042
                        SHA-512:E2B30A91B81C41E1B6321721246797ECDE2AB39C1BB9649A4AF457FD3A5A5F7F0E45098F7E983D6A4EEF760ED138A95A7A6FEDEB8B2E2877C59D05B1D0EA8886
                        Malicious:false
                        Reputation:low
                        Preview:regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...?*.................................................................................................................................................................................................................................................................................................................................................HvLE.^......Y...........{.l7..Yx...5dc.6.........0................... ..hbin................p.\..,..........nk,..z.?*......h........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..z.?*...... ........................... .......Z.......................Root........lf......Root....nk ..z.?*...................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.635715788071644
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:kde.exe
                        File size:1235968
                        MD5:2a597d25bbecfca9550df0d6f48bcafb
                        SHA1:5aa68ba69c391a3bcc93e88378a4e4818a2a9181
                        SHA256:532e3e9ec546f0030d3fef0bddc224f868c55bb00d1914cdb7157a3e74f5bd28
                        SHA512:e5b2799fab9f63de7162d665ea5e8356d54c3ca368f58b4679211cd87521db4d9f80bf2c8104b32e3f3c4d712af2a971cff92406ad22a38295928376fa25b3b1
                        SSDEEP:24576:XPT/TXZ/ngay5PIhCPgI65AzwWK1fraAhdDRjH2Msfwpu:TTpgICiuGfrn7DRjWMVu
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...............VB......VT......................VS......VC......VF.....Rich............................PE..L...._._...........
                        Icon Hash:c8d0d8e0f8e0f4e8
                        Entrypoint:0x40abe0
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                        DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
                        Time Stamp:0x5FEE5FF6 [Thu Dec 31 23:34:14 2020 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:0
                        File Version Major:5
                        File Version Minor:0
                        Subsystem Version Major:5
                        Subsystem Version Minor:0
                        Import Hash:bb691abe2029e4024abbec6edd66f52e
                        Instruction
                        mov edi, edi
                        push ebp
                        mov ebp, esp
                        call 00007F1320C1BC5Bh
                        call 00007F1320C16786h
                        pop ebp
                        ret
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        mov edi, edi
                        push ebp
                        mov ebp, esp
                        push FFFFFFFEh
                        push 00424348h
                        push 0040DEE0h
                        mov eax, dword ptr fs:[00000000h]
                        push eax
                        add esp, FFFFFF94h
                        push ebx
                        push esi
                        push edi
                        mov eax, dword ptr [00510C94h]
                        xor dword ptr [ebp-08h], eax
                        xor eax, ebp
                        push eax
                        lea eax, dword ptr [ebp-10h]
                        mov dword ptr fs:[00000000h], eax
                        mov dword ptr [ebp-18h], esp
                        mov dword ptr [ebp-70h], 00000000h
                        mov dword ptr [ebp-04h], 00000000h
                        lea eax, dword ptr [ebp-60h]
                        push eax
                        call dword ptr [004012A4h]
                        mov dword ptr [ebp-04h], FFFFFFFEh
                        jmp 00007F1320C16798h
                        mov eax, 00000001h
                        ret
                        mov esp, dword ptr [ebp-18h]
                        mov dword ptr [ebp-78h], 000000FFh
                        mov dword ptr [ebp-04h], FFFFFFFEh
                        mov eax, dword ptr [ebp-78h]
                        jmp 00007F1320C168C8h
                        mov dword ptr [ebp-04h], FFFFFFFEh
                        call 00007F1320C16904h
                        mov dword ptr [ebp-6Ch], eax
                        push 00000001h
                        call 00007F1320C1C87Ah
                        add esp, 04h
                        test eax, eax
                        jne 00007F1320C1677Ch
                        push 0000001Ch
                        call 00007F1320C168BCh
                        add esp, 04h
                        call 00007F1320C1A994h
                        test eax, eax
                        jne 00007F1320C1677Ch
                        push 00000010h
                        Programming Language:
                        • [ C ] VS2008 build 21022
                        • [IMP] VS2005 build 50727
                        • [ASM] VS2008 build 21022
                        • [LNK] VS2008 build 21022
                        • [RES] VS2008 build 21022
                        • [C++] VS2008 build 21022
| Name | Virtual Address | Virtual Size | Is in Section |
| --- | --- | --- | --- |
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24a4c | 0x3c | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x27da000 | 0x89b0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x27e3000 | 0x196c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x13d0 | 0x1c | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x80b8 | 0x18 | .text |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x8070 | 0x40 | .text |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x37c | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| .text | 0x1000 | 0x24f86 | 0x25000 | False | 0.428176467483 | data | 6.26658613282 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .data | 0x26000 | 0x27b36c4 | 0xebc00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x27da000 | 0x89b0 | 0x8a00 | False | 0.603374094203 | data | 5.73223003631 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x27e3000 | 0x14058 | 0x14200 | False | 0.0694026591615 | data | 0.903465809032 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
| --- | --- | --- | --- | --- | --- |
| RT_CURSOR | 0x27e0680 | 0x130 | data | | |
| RT_CURSOR | 0x27e07b0 | 0xf0 | data | | |
| RT_CURSOR | 0x27e08a0 | 0x10a8 | dBase III DBT, version number 0, next free block index 40 | | |
| RT_CURSOR | 0x27e1978 | 0x8a8 | dBase III DBT, version number 0, next free block index 40, 1st item "\251\317" | | |
| RT_ICON | 0x27da4b0 | 0x6c8 | data | | |
| RT_ICON | 0x27dab78 | 0x568 | GLS_BINARY_LSB_FIRST | | |
| RT_ICON | 0x27db0e0 | 0x10a8 | data | | |
| RT_ICON | 0x27dc188 | 0x988 | dBase III DBT, version number 0, next free block index 40 | | |
| RT_ICON | 0x27dcb10 | 0x468 | GLS_BINARY_LSB_FIRST | | |
| RT_ICON | 0x27dcfc8 | 0x25a8 | data | | |
| RT_ICON | 0x27df570 | 0x10a8 | data | | |
| RT_STRING | 0x27e2368 | 0x1ac | data | | |
| RT_STRING | 0x27e2518 | 0x36c | data | | |
| RT_STRING | 0x27e2888 | 0x128 | data | | |
| RT_ACCELERATOR | 0x27e0660 | 0x20 | data | | |
| RT_ACCELERATOR | 0x27e0640 | 0x20 | data | | |
| RT_GROUP_CURSOR | 0x27e1948 | 0x30 | data | | |
| RT_GROUP_CURSOR | 0x27e2220 | 0x14 | data | | |
| RT_GROUP_ICON | 0x27dcf78 | 0x4c | data | | |
| RT_GROUP_ICON | 0x27e0618 | 0x22 | data | | |
| RT_VERSION | 0x27e2238 | 0x130 | data | | |
DLL: Import
KERNEL32.dll: LoadLibraryA, GetComputerNameExA, WriteProfileSectionA, GetNumaProcessorNode, FindFirstVolumeA, SetConsoleCursorInfo, HeapUnlock, FindFirstChangeNotificationA, WaitForSingleObject, GetNamedPipeHandleStateW, FileTimeToDosDateTime, EnumResourceTypesA, EnumResourceNamesW, ExitProcess, TerminateProcess, ActivateActCtx, GetVersionExW, VerifyVersionInfoW, SetConsoleOutputCP, ResetEvent, FindNextFileW, GetCompressedFileSizeA, CopyFileExA, ReadConsoleOutputCharacterA, GetDefaultCommConfigW, VerLanguageNameA, _hread, GetCommConfig, WritePrivateProfileStructA, FreeEnvironmentStringsW, CreateTimerQueue, FindVolumeClose, LeaveCriticalSection, WriteConsoleInputA, CancelWaitableTimer, SetComputerNameExW, FindAtomW, ReleaseMutex, LocalUnlock, CallNamedPipeW, BuildCommDCBAndTimeoutsA, VirtualProtect, LocalAlloc, TlsSetValue, GetCommandLineA, InterlockedIncrement, CopyFileA, AddRefActCtx, OutputDebugStringW, FormatMessageA, GetPriorityClass, WritePrivateProfileStringW, GetSystemDefaultLangID, TerminateThread, GlobalUnfix, HeapValidate, _hwrite, GetWindowsDirectoryA, GetStartupInfoW, CreatePipe, GetCPInfoExW, GetSystemWindowsDirectoryA, GetSystemWow64DirectoryA, GetLastError, GetCalendarInfoW, DebugBreak, GetConsoleCursorInfo, GetTickCount, DeleteVolumeMountPointA, OpenFileMappingW, ContinueDebugEvent, GetSystemWindowsDirectoryW, CopyFileW, SetMailslotInfo, AddConsoleAliasA, GetPrivateProfileIntW, ReadConsoleInputW, OutputDebugStringA, InterlockedDecrement, DefineDosDeviceA, SetVolumeMountPointA, SetThreadAffinityMask, SetConsoleActiveScreenBuffer, SetProcessAffinityMask, EnumResourceNamesA, GetThreadContext, GetLongPathNameW, SetConsoleTextAttribute, LoadLibraryW, EndUpdateResourceW, WaitForDebugEvent, ReadConsoleA, WriteConsoleA, InterlockedFlushSList, WritePrivateProfileSectionA, GetPrivateProfileStructA, DeleteCriticalSection, GetPrivateProfileSectionNamesA, GetDriveTypeW, GetFileAttributesExA, LocalFileTimeToFileTime, GetVolumePathNameA, 
GetConsoleMode, HeapSetInformation, GetComputerNameA, ProcessIdToSessionId, ReadProcessMemory, MoveFileExW, DisableThreadLibraryCalls, GlobalFix, WriteConsoleInputW, GlobalDeleteAtom, GetEnvironmentStrings, InterlockedExchangeAdd, WaitNamedPipeW, GetPrivateProfileStructW, GetExitCodeProcess, GetSystemTimeAsFileTime, GetLocalTime, EnumCalendarInfoExA, FreeEnvironmentStringsA, CreateIoCompletionPort, OpenSemaphoreA, GetMailslotInfo, GetCommModemStatus, lstrcpyA, HeapWalk, LockFile, EndUpdateResourceA, VerSetConditionMask, GetConsoleCP, GetConsoleAliasW, GetNumberOfConsoleInputEvents, GetProfileStringA, GetQueuedCompletionStatus, AllocConsole, GetNumaNodeProcessorMask, CreateMailslotW, EnumDateFormatsW, SetCommState, FileTimeToLocalFileTime, IsDebuggerPresent, GetSystemTimeAdjustment, _lread, GetConsoleAliasExesLengthA, GetWriteWatch, GetModuleHandleA, GetPrivateProfileStringA, ReadConsoleOutputAttribute, GetFileInformationByHandle, GetProfileStringW, MoveFileA, CreateActCtxW, SetCommMask, SetMessageWaitingIndicator, SetFileApisToANSI, OpenWaitableTimerW, GetProcessShutdownParameters, PeekNamedPipe, FillConsoleOutputCharacterW, FindNextVolumeMountPointA, GetThreadPriority, DeleteAtom, AddAtomW, WriteConsoleOutputCharacterW, QueryDosDeviceA, GetConsoleAliasExesW, GetBinaryTypeA, RaiseException, GetStartupInfoA, IsBadReadPtr, EnterCriticalSection, GetModuleFileNameW, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleHandleW, Sleep, GetProcAddress, TlsGetValue, TlsAlloc, GetCurrentThreadId, TlsFree, SetLastError, SetHandleCount, GetStdHandle, GetFileType, QueryPerformanceCounter, GetCurrentProcessId, GetModuleFileNameA, WideCharToMultiByte, GetEnvironmentStringsW, HeapDestroy, HeapCreate, HeapFree, VirtualFree, WriteFile, HeapAlloc, HeapSize, HeapReAlloc, VirtualAlloc, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, RtlUnwind, InitializeCriticalSectionAndSpinCount, WriteConsoleW, SetFilePointer, MultiByteToWideChar, LCMapStringA, 
LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, SetStdHandle, GetConsoleOutputCP, CloseHandle, CreateFileA
USER32.dll: OemToCharW
| Description | Data |
| --- | --- |
| Translations | 0x0025 0x023e |
                        No network behavior found


                        Target ID:0
                        Start time:04:02:28
                        Start date:25/02/2022
                        Path:C:\Users\user\Desktop\kde.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\kde.exe"
                        Imagebase:0x400000
                        File size:1235968 bytes
                        MD5 hash:2A597D25BBECFCA9550DF0D6F48BCAFB
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Borland Delphi
                        Yara matches:
                        • Rule: JoeSecurity_DanaBot_stealer_dll_1, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000003.294601928.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_DanaBot_stealer_dll_1, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000000.299484434.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_DanaBot_stealer_dll_1, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000000.304905986.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_DanaBot_stealer_dll_1, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000002.335103193.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_DanaBot_stealer_dll_1, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000000.302219362.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_DanaBot_stealer_dll_1, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000000.303147147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_DanaBot_stealer_dll_1, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000002.333388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation:low

                        Target ID:5
                        Start time:04:02:37
                        Start date:25/02/2022
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 388
                        Imagebase:0x300000
                        File size:434592 bytes
                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        No disassembly