Windows Analysis Report
cANdLlHS4N

Overview

General Information

Sample Name: cANdLlHS4N (renamed file extension from none to exe)
Analysis ID: 586425
MD5: b3139b26a2dabb9b6e728884d8fa8b33
SHA1: de5672c7940e4fad3c8145ce9e8a5fcb1da0fcee
SHA256: 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Submitted sample is a known malware sample
Writes to foreign memory regions
Contains functionality to start reverse TCP shell (cmd.exe)
Connects to many ports of the same IP (likely port scanning)
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Stores files to the Windows start menu directory
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality to record screenshots
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Creates a start menu entry (Start Menu\Programs\Startup)
Potential key logger detected (key state polling based)
Detected non-DNS traffic on DNS port
Queries keyboard layouts
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to detect sandboxes (mouse cursor move detection)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: cANdLlHS4N.exe Virustotal: Detection: 77% Perma Link
Source: cANdLlHS4N.exe Metadefender: Detection: 64% Perma Link
Source: cANdLlHS4N.exe ReversingLabs: Detection: 84%
Antivirus / Scanner detection for submitted sample
Source: cANdLlHS4N.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll Avira: detection malicious, Label: HEUR/AGEN.1226539
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.cANdLlHS4N.exe.2880000.3.unpack Avira: Label: TR/ATRAPS.Gen
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B4B9B9 CredEnumerateA,WideCharToMultiByte,GetACP,WideCharToMultiByte,CryptUnprotectData,GetACP,WideCharToMultiByte,CredFree, 2_2_04B4B9B9
Uses 32bit PE files
Source: cANdLlHS4N.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: cANdLlHS4N.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_009C8B98 __EH_prolog3_GS,GetFullPathNameA,__cftof,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,_strcpy_s, 0_2_009C8B98
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00409798 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 1_2_00409798
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00405F34 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 1_2_00405F34
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B4B33C FindFirstFileW,FindClose, 2_2_04B4B33C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00409798 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 3_2_00409798
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00405F34 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 3_2_00405F34
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File opened: C:\Users\user\AppData\Local Jump to behavior

Networking
barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2024173 ET TROJAN Red Leaves magic packet detected (APT10 implant) 192.168.2.4:49764 -> 67.205.132.17:80
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 67.205.132.17 ports 3,443,4,995,80,53
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /NEZTl2/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /NEZTl2/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /NEZTl2/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /NEZTl2/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /NEZTl2/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /3T3t/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /3T3t/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /3T3t/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /3T3t/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /3T3t/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /hvnqlRD8z/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /hvnqlRD8z/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /hvnqlRD8z/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /hvnqlRD8z/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /hvnqlRD8z/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /23I9/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /23I9/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /23I9/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /23I9/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /23I9/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /M2c1Nb/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /M2c1Nb/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /M2c1Nb/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /M2c1Nb/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: global traffic HTTP traffic detected: POST /M2c1Nb/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49757 -> 67.205.132.17:995
Detected non-DNS traffic on DNS port
Source: global traffic TCP traffic: 192.168.2.4:49746 -> 67.205.132.17:53
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 144.168.45.116
Source: unknown TCP traffic detected without corresponding DNS query: 144.168.45.116
Source: unknown TCP traffic detected without corresponding DNS query: 144.168.45.116
Source: unknown TCP traffic detected without corresponding DNS query: 144.168.45.116
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown TCP traffic detected without corresponding DNS query: 144.168.45.116
Source: unknown TCP traffic detected without corresponding DNS query: 144.168.45.116
Source: iexplore.exe, 00000002.00000002.500224676.0000000004C70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://67.205.132.17:443
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: cANdLlHS4N.exe, 00000000.00000002.246215033.0000000002880000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp, obedience.exe, 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp, obedience.exe, 00000003.00000000.262529824.0000000000496000.00000002.00000001.01000000.00000004.sdmp, obedience.exe.0.dr String found in binary or memory: http://www.audio-tool.net
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr String found in binary or memory: http://www.globalsign.net/repository/0
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr String found in binary or memory: http://www.globalsign.net/repository/03
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr String found in binary or memory: http://www.globalsign.net/repository09
Source: unknown HTTP traffic detected: POST /NEZTl2/index.php HTTP/1.1Connection: Keep-AliveAccept: */*Content-Length: 133Host: 67.205.132.17:443
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B43A47 recv,recv, 2_2_04B43A47
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00429A00 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 1_2_00429A00
Contains functionality to record screenshots
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B55315 GetDesktopWindow,GetDC,GetDC,GetDC,CreateCompatibleDC,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,ReleaseDC,ReleaseDC,GetClientRect,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,StretchBlt,DeleteObject,DeleteObject,CreateCompatibleBitmap,SelectObject,BitBlt,GetObjectW,GlobalAlloc,GlobalFix,GetDIBits,VirtualAlloc,GlobalUnWire,GlobalFree,VirtualFree,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,ReleaseDC,ReleaseDC,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,ReleaseDC,ReleaseDC, 2_2_04B55315
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_009AD29D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_009AD29D
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_009A7B6A SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA, 0_2_009A7B6A
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00445BB4 GetKeyboardState, 1_2_00445BB4
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0043D32C OpenClipboard,GlobalAlloc,GlobalFix,EmptyClipboard,SetClipboardData,GlobalUnWire, 1_2_0043D32C

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: cANdLlHS4N.exe, type: SAMPLE Matched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.unpack, type: UNPACKEDPE Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth
Source: 0.2.cANdLlHS4N.exe.26e0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 0.2.cANdLlHS4N.exe.26e0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth
Source: 0.2.cANdLlHS4N.exe.26e0000.2.unpack, type: UNPACKEDPE Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 0.2.cANdLlHS4N.exe.26e0000.2.unpack, type: UNPACKEDPE Matched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth
Source: 1.2.obedience.exe.6ed90000.1.unpack, type: UNPACKEDPE Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 1.2.obedience.exe.6ed90000.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth
Source: 3.2.obedience.exe.6ee50000.1.unpack, type: UNPACKEDPE Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 3.2.obedience.exe.6ee50000.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT Author: USG
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE Matched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE Matched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT Author: USG
Source: 0.0.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE Matched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG
Source: 00000000.00000002.246163618.0000000002710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT Author: USG
Source: 00000003.00000002.273655894.000000006EE51000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: RedLeaf crypto function Author: kev
Source: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: RedLeaf crypto function Author: kev
Source: 00000000.00000002.246143559.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 00000000.00000002.246143559.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: RedLeaf crypto function Author: kev
Source: 00000000.00000000.235322946.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect RedLeaves in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: RedLeaf crypto function Author: kev
Source: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT Author: USG
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: RedLeaf crypto function Author: kev
Source: 00000000.00000000.235102933.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG
Source: Process Memory Space: cANdLlHS4N.exe PID: 6048, type: MEMORYSTR Matched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG
Source: Process Memory Space: cANdLlHS4N.exe PID: 6048, type: MEMORYSTR Matched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT Author: USG
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTR Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTR Matched rule: Detects specific RedLeaves and PlugX binaries Author: US-CERT Code Analysis Team
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTR Matched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTR Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTR Matched rule: Detects specific RedLeaves and PlugX binaries Author: US-CERT Code Analysis Team
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTR Matched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTR Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTR Matched rule: Detects specific RedLeaves and PlugX binaries Author: US-CERT Code Analysis Team
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTR Matched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: C:\Users\user\AppData\Local\Temp\handkerchief.dat, type: DROPPED Matched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT Author: USG
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll, type: DROPPED Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll, type: DROPPED Matched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth
Submitted sample is a known malware sample
Source: cANdLlHS4N.exe Initial file: MD5: b3139b26a2dabb9b6e728884d8fa8b33 Family: APT10 Alias: Stone Panda, APT 10, menuPass, happyyongzi, POTASSIUM, DustStorm, Red Apollo, CVNX, HOGFISH, APT10 Description: APT10 is the name given to a group of Chinese hackers first identified by FireEye. The group is said to have taken gigabytes of sensitive data from firms involved in the fields of aviation, space and satellite, manufacturing, pharmaceuticals, oil and gas exploration, communications, computer processor and maritime. References: https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.htmlData Source: https://github.com/RedDrip7/APT_Digital_Weapon
Uses 32bit PE files
Source: cANdLlHS4N.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: cANdLlHS4N.exe, type: SAMPLE Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.unpack, type: UNPACKEDPE Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.unpack, type: UNPACKEDPE Matched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cANdLlHS4N.exe.26e0000.2.raw.unpack, type: UNPACKEDPE Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 0.2.cANdLlHS4N.exe.26e0000.2.raw.unpack, type: UNPACKEDPE Matched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cANdLlHS4N.exe.26e0000.2.unpack, type: UNPACKEDPE Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 0.2.cANdLlHS4N.exe.26e0000.2.unpack, type: UNPACKEDPE Matched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.obedience.exe.6ed90000.1.unpack, type: UNPACKEDPE Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 1.2.obedience.exe.6ed90000.1.unpack, type: UNPACKEDPE Matched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.obedience.exe.6ee50000.1.unpack, type: UNPACKEDPE Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 3.2.obedience.exe.6ee50000.1.unpack, type: UNPACKEDPE Matched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.raw.unpack, type: UNPACKEDPE Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.raw.unpack, type: UNPACKEDPE Matched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE Matched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36
Source: 0.0.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: 00000000.00000002.246163618.0000000002710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36
Source: 00000000.00000002.246163618.0000000002710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000003.00000002.273655894.000000006EE51000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 00000000.00000000.235573187.0000000000CA2000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: RedLeaf author = kev, description = RedLeaf crypto function, cape_type = RedLeaf Payload
Source: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: RedLeaf author = kev, description = RedLeaf crypto function, cape_type = RedLeaf Payload
Source: 00000000.00000002.246143559.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 00000000.00000002.246143559.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: RedLeaf author = kev, description = RedLeaf crypto function, cape_type = RedLeaf Payload
Source: 00000000.00000000.235322946.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: RedLeaves hash1 = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481, author = JPCERT/CC Incident Response Group, description = detect RedLeaves in memory, rule_usage = memory block scan, reference = https://blogs.jpcert.or.jp/en/2017/05/volatility-plugin-for-detecting-redleaves-malware.html
Source: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: RedLeaf author = kev, description = RedLeaf crypto function, cape_type = RedLeaf Payload
Source: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: RedLeaf author = kev, description = RedLeaf crypto function, cape_type = RedLeaf Payload
Source: 00000000.00000000.235102933.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: Process Memory Space: cANdLlHS4N.exe PID: 6048, type: MEMORYSTR Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: Process Memory Space: cANdLlHS4N.exe PID: 6048, type: MEMORYSTR Matched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTR Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTR Matched rule: PLUGX_RedLeaves date = 2017-04-03, author = US-CERT Code Analysis Team, MD5_5 = 566291B277534B63EAFC938CDAAB8A399E41AF7D, description = Detects specific RedLeaves and PlugX binaries, MD5_1 = 598FF82EA4FB52717ACAFB227C83D474, MD5_2 = 7D10708A518B26CC8C3CBFBAA224E032, MD5_3 = AF406D35C77B1E0DF17F839E36BCE630, MD5_4 = 6EB9E889B091A5647F6095DCD4DE7C83, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, incident = 10118538
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTR Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTR Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTR Matched rule: PLUGX_RedLeaves date = 2017-04-03, author = US-CERT Code Analysis Team, MD5_5 = 566291B277534B63EAFC938CDAAB8A399E41AF7D, description = Detects specific RedLeaves and PlugX binaries, MD5_1 = 598FF82EA4FB52717ACAFB227C83D474, MD5_2 = 7D10708A518B26CC8C3CBFBAA224E032, MD5_3 = AF406D35C77B1E0DF17F839E36BCE630, MD5_4 = 6EB9E889B091A5647F6095DCD4DE7C83, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, incident = 10118538
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTR Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTR Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTR Matched rule: PLUGX_RedLeaves date = 2017-04-03, author = US-CERT Code Analysis Team, MD5_5 = 566291B277534B63EAFC938CDAAB8A399E41AF7D, description = Detects specific RedLeaves and PlugX binaries, MD5_1 = 598FF82EA4FB52717ACAFB227C83D474, MD5_2 = 7D10708A518B26CC8C3CBFBAA224E032, MD5_3 = AF406D35C77B1E0DF17F839E36BCE630, MD5_4 = 6EB9E889B091A5647F6095DCD4DE7C83, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, incident = 10118538
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTR Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: C:\Users\user\AppData\Local\Temp\handkerchief.dat, type: DROPPED Matched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36
Source: C:\Users\user\AppData\Local\Temp\handkerchief.dat, type: DROPPED Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll, type: DROPPED Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll, type: DROPPED Matched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Detected potential crypto function
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_00A539D2 0_2_00A539D2
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_00AADB4F 0_2_00AADB4F
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_00ABECDC 0_2_00ABECDC
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00482618 1_2_00482618
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_004847E4 1_2_004847E4
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0045893C 1_2_0045893C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0043AC9C 1_2_0043AC9C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00477074 1_2_00477074
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0045DB80 1_2_0045DB80
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_6EDA0F49 1_2_6EDA0F49
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_6EDA0B77 1_2_6EDA0B77
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_6EDA07D9 1_2_6EDA07D9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_03029246 2_2_03029246
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_0302D2F5 2_2_0302D2F5
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_0300312C 2_2_0300312C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_0300B053 2_2_0300B053
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_03019774 2_2_03019774
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_0302962E 2_2_0302962E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_03028641 2_2_03028641
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_0300E6C7 2_2_0300E6C7
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_0300E4BC 2_2_0300E4BC
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_03028AD6 2_2_03028AD6
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_0302D846 2_2_0302D846
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_0302FE65 2_2_0302FE65
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_03028E74 2_2_03028E74
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_0302CDA4 2_2_0302CDA4
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_03022DC8 2_2_03022DC8
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_0302EC5B 2_2_0302EC5B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B4E428 2_2_04B4E428
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B685AD 2_2_04B685AD
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B6959A 2_2_04B6959A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B68DE0 2_2_04B68DE0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B6FDD1 2_2_04B6FDD1
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B62D34 2_2_04B62D34
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B6CD10 2_2_04B6CD10
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B596E0 2_2_04B596E0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B4E633 2_2_04B4E633
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B6D7B2 2_2_04B6D7B2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B4AFBF 2_2_04B4AFBF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B43098 2_2_04B43098
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B691B2 2_2_04B691B2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B6D261 2_2_04B6D261
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B68A42 2_2_04B68A42
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B6EBC7 2_2_04B6EBC7
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00482618 3_2_00482618
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_004847E4 3_2_004847E4
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_0045893C 3_2_0045893C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_0043AC9C 3_2_0043AC9C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00477074 3_2_00477074
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_0045DB80 3_2_0045DB80
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_6EE60F49 3_2_6EE60F49
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_6EE60B77 3_2_6EE60B77
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_6EE607D9 3_2_6EE607D9
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_6EE60344 3_2_6EE60344
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: String function: 00403FD0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: String function: 00404A64 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: String function: 0047FD7C appears 50 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: String function: 00404A40 appears 183 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: String function: 00403BF0 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: String function: 004070D0 appears 126 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: String function: 004104E4 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: String function: 0040F294 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: String function: 0040A164 appears 106 times
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: String function: 00AAD340 appears 37 times
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: String function: 00AAD232 appears 122 times
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: String function: 030240C4 appears 39 times
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: String function: 04B64030 appears 39 times
Contains functionality to launch a process as a different user
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B4F8FF DuplicateTokenEx,Wow64DisableWow64FsRedirection,CreateProcessAsUserW,GetLastError,Wow64RevertWow64FsRedirection,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 2_2_04B4F8FF
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_004637A8 NtdllDefWindowProc_A, 1_2_004637A8
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0045893C GetSubMenu,SaveDC,RestoreDC,73BEB080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 1_2_0045893C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00448B44 NtdllDefWindowProc_A,GetCapture, 1_2_00448B44
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0043AFAC NtdllDefWindowProc_A, 1_2_0043AFAC
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00463F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 1_2_00463F4C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00463FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 1_2_00463FFC
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_004637A8 NtdllDefWindowProc_A, 3_2_004637A8
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_0045893C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 3_2_0045893C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00448B44 NtdllDefWindowProc_A,GetCapture, 3_2_00448B44
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_0043AFAC NtdllDefWindowProc_A, 3_2_0043AFAC
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00463F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 3_2_00463F4C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00463FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 3_2_00463FFC
PE file contains strange resources
Source: cANdLlHS4N.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cANdLlHS4N.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cANdLlHS4N.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cANdLlHS4N.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cANdLlHS4N.exe Virustotal: Detection: 77%
Source: cANdLlHS4N.exe Metadefender: Detection: 64%
Source: cANdLlHS4N.exe ReversingLabs: Detection: 84%
Source: cANdLlHS4N.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\cANdLlHS4N.exe "C:\Users\user\Desktop\cANdLlHS4N.exe"
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Process created: C:\Users\user\AppData\Local\Temp\obedience.exe C:\Users\user\AppData\Local\Temp\obedience.exe
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\obedience.exe "C:\Users\user\AppData\Local\Temp\obedience.exe"
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Process created: C:\Users\user\AppData\Local\Temp\obedience.exe C:\Users\user\AppData\Local\Temp\obedience.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\persuasion.lnk Jump to behavior
Source: C:\Users\user\Desktop\cANdLlHS4N.exe File created: C:\Users\user\AppData\Local\Temp\obedience.exe Jump to behavior
Source: obedience.exe.0.dr Binary string: \Device\
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/4@0/3
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_009A13B0 _memset,_memset,_memset,_memset,_memset,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,SHGetSpecialFolderPathA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,_strrchr,lstrcpyA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,Sleep, 0_2_009A13B0
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_004099C2 GetDiskFreeSpaceA, 1_2_004099C2
Source: obedience.exe, 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, obedience.exe, 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: select hostname, encryptedUsername, encryptedPassword from moz_logins where hostname like "moz-proxy://%s%%";
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00426E50 GetLastError,FormatMessageA, 1_2_00426E50
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_009A12C0 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,FindCloseChangeNotification, 0_2_009A12C0
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Mutant created: \Sessions\1\BaseNamedObjects\cplusplus_me
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_009B508E FindResourceA,LoadResource,FreeResource, 0_2_009B508E
Source: Window Recorder Window detected: More than 3 window changes detected
Source: cANdLlHS4N.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: cANdLlHS4N.exe Static file information: File size 3804160 > 1048576
Source: cANdLlHS4N.exe Static PE information: section name: RT_CURSOR
Source: cANdLlHS4N.exe Static PE information: section name: RT_BITMAP
Source: cANdLlHS4N.exe Static PE information: section name: RT_ICON
Source: cANdLlHS4N.exe Static PE information: section name: RT_MENU
Source: cANdLlHS4N.exe Static PE information: section name: RT_DIALOG
Source: cANdLlHS4N.exe Static PE information: section name: RT_STRING
Source: cANdLlHS4N.exe Static PE information: section name: RT_ACCELERATOR
Source: cANdLlHS4N.exe Static PE information: section name: RT_GROUP_ICON
Source: cANdLlHS4N.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x134a00
Source: cANdLlHS4N.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x1f0200
Source: cANdLlHS4N.exe Static PE information: More than 200 imports for USER32.dll
Source: cANdLlHS4N.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: cANdLlHS4N.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: cANdLlHS4N.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: cANdLlHS4N.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: cANdLlHS4N.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: cANdLlHS4N.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_00AAD385 push ecx; ret 0_2_00AAD398
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_00AAD30A push ecx; ret 0_2_00AAD31D
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00450214 push 004502A1h; ret 1_2_00450299
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0048A028 push 0048A054h; ret 1_2_0048A04C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_004660E8 push 00466114h; ret 1_2_0046610C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0043E0F8 push 0043E124h; ret 1_2_0043E11C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00482094 push ecx; mov dword ptr [esp], edx 1_2_00482099
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00486158 push 00486184h; ret 1_2_0048617C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00466120 push 0046614Ch; ret 1_2_00466144
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0043018C push 004301B8h; ret 1_2_004301B0
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_004501AC push 00450212h; ret 1_2_0045020A
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00488254 push 00488280h; ret 1_2_00488278
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0043E260 push 0043E28Ch; ret 1_2_0043E284
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0048821C push 00488248h; ret 1_2_00488240
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0048A310 push 0048A33Ch; ret 1_2_0048A334
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_004205FC push ecx; mov dword ptr [esp], edx 1_2_004205FE
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0048A5A4 push 0048A5D0h; ret 1_2_0048A5C8
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0041867C push ecx; mov dword ptr [esp], eax 1_2_0041867D
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00466714 push 00466757h; ret 1_2_0046674F
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_004188E0 push ecx; mov dword ptr [esp], edx 1_2_004188E5
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0041C968 push ecx; mov dword ptr [esp], edx 1_2_0041C96A
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0048A9C0 push 0048A9ECh; ret 1_2_0048A9E4
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0042CA4C push 0042CB1Ch; ret 1_2_0042CB14
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0048CA34 push 0048CA60h; ret 1_2_0048CA58
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00466B78 push 00466BA4h; ret 1_2_00466B9C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00406B08 push 00406B59h; ret 1_2_00406B51
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00418B08 push ecx; mov dword ptr [esp], edx 1_2_00418B0D
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00430B10 push 00430B5Fh; ret 1_2_00430B57
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00416BD4 push 00416C21h; ret 1_2_00416C19
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00466BE8 push 00466C14h; ret 1_2_00466C0C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00466BB0 push 00466BDCh; ret 1_2_00466BD4
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_00AC046C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00AC046C
PE file contains an invalid checksum
Source: StarBurn.dll.0.dr Static PE information: real checksum: 0x29839 should be: 0x293b5
Drops PE files
Source: C:\Users\user\Desktop\cANdLlHS4N.exe File created: C:\Users\user\AppData\Local\Temp\obedience.exe Jump to dropped file
Source: C:\Users\user\Desktop\cANdLlHS4N.exe File created: C:\Users\user\AppData\Local\Temp\StarBurn.dll Jump to dropped file
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\persuasion.lnk Jump to behavior
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\persuasion.lnk Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon2060.png
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_009A836B IsWindowVisible,IsIconic, 0_2_009A836B
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00463830 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00463830
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0044A290 IsIconic,GetCapture, 1_2_0044A290
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00460740 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_00460740
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0044AB44 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_0044AB44
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0044B468 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_0044B468
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0042D738 IsIconic,GetWindowPlacement,GetWindowRect, 1_2_0042D738
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00463F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 1_2_00463F4C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00463FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 1_2_00463FFC
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00463830 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 3_2_00463830
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_0044A290 IsIconic,GetCapture, 3_2_0044A290
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00460740 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 3_2_00460740
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_0044AB44 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 3_2_0044AB44
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_0044B468 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 3_2_0044B468
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_0042D738 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_0042D738
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00463F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 3_2_00463F4C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00463FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 3_2_00463FFC
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00430384 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00430384
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0043EDE4 1_2_0043EDE4
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_0043EDE4 3_2_0043EDE4
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Queries keyboard layouts
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000409 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000409 Jump to behavior
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 1_2_00462D8C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 3_2_00462D8C
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\obedience.exe API coverage: 6.2 %
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe API coverage: 6.4 %
Source: C:\Users\user\AppData\Local\Temp\obedience.exe API coverage: 6.0 %
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_0043EDE4 3_2_0043EDE4
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_004273EC GetSystemInfo, 1_2_004273EC
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_009C8B98 __EH_prolog3_GS,GetFullPathNameA,__cftof,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,_strcpy_s, 0_2_009C8B98
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00409798 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 1_2_00409798
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00405F34 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 1_2_00405F34
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B4B33C FindFirstFileW,FindClose, 2_2_04B4B33C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00409798 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 3_2_00409798
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00405F34 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 3_2_00405F34
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_00AAB46A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00AAB46A
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_00AC046C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00AC046C
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B4BC1E GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree, 2_2_04B4BC1E
Contains functionality to read the PEB
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_03000019 mov eax, dword ptr fs:[00000030h] 2_2_03000019
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_00AAB46A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00AAB46A
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_00AB4A12 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00AB4A12
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_6ED9862C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6ED9862C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B605A4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_04B605A4
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B58E89 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_04B58E89
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_6EE5862C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6EE5862C

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 3000000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 923650 Jump to behavior
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 3000000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 2D00000 protect: page execute and read and write Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00AC2663
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: GetLocaleInfoA, 0_2_00AB0970
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_00AC2AEB
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 0_2_009B1AD1
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 0_2_00AC2B8E
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_00AC2B52
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 1_2_0040610C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 1_2_00406217
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: GetLocaleInfoA, 1_2_0040C46C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: GetLocaleInfoA, 1_2_0040C420
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: GetLocaleInfoA, 1_2_00406A94
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: GetLocaleInfoA,GetACP, 1_2_0040DB00
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 1_2_6ED9CB7A
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 1_2_6ED9C88C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_free,_free,_free,_free,_free,_free,_free,_free,_free, 2_2_0301C300
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free, 2_2_03027750
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 2_2_03026AF4
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 2_2_0302C81E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,__calloc_crt,_free, 2_2_03024E41
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: GetLastError,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_04B64DAD
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte, 2_2_04B6C6B0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_04B67E91
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: GetLocaleInfoA, 2_2_04B5D7AC
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: GetLocaleInfoA, 2_2_04B67F86
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA, 2_2_04B68088
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: GetLocaleInfoW, 2_2_04B6802D
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: GetLocaleInfoA, 2_2_04B68259
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA, 2_2_04B683BC
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: EnumSystemLocalesA, 2_2_04B68380
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: GetLocaleInfoA, 2_2_04B6CBDB
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: EnumSystemLocalesA, 2_2_04B68319
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 3_2_0040610C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 3_2_00406217
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: GetLocaleInfoA, 3_2_0040C46C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: GetLocaleInfoA, 3_2_0040C420
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: GetLocaleInfoA, 3_2_00406A94
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: GetLocaleInfoA,GetACP, 3_2_0040DB00
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 3_2_6EE5CB7A
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 3_2_6EE5C88C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_6EE600B0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B50396 CreateMutexW,GetLastError,CreateNamedPipeW,CloseHandle,CreateEventW,ResetEvent,ResetEvent,ConnectNamedPipe,GetLastError,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,CloseHandle,ResetEvent,AllocConsole,GetConsoleWindow,ShowWindow,SetConsoleCtrlHandler,CreateConsoleScreenBuffer,SetConsoleScreenBufferSize,SetConsoleActiveScreenBuffer,GetStdHandle,SHGetSpecialFolderPathW,CreateProcessW,FreeLibrary,CreateThread,CreateThread,CreateThread,FreeLibrary, 2_2_04B50396
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_00AB6E0F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00AB6E0F
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_00ABBE8D __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_00ABBE8D
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00450214 GetVersion, 1_2_00450214

Remote Access Functionality
barindex
Contains functionality to start reverse TCP shell (cmd.exe)
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B50396 CreateMutexW,GetLastError,CreateNamedPipeW,CloseHandle,CreateEventW,ResetEvent,ResetEvent,ConnectNamedPipe,GetLastError,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,CloseHandle,ResetEvent,AllocConsole,GetConsoleWindow,ShowWindow,SetConsoleCtrlHandler,CreateConsoleScreenBuffer,SetConsoleScreenBufferSize,SetConsoleActiveScreenBuffer,GetStdHandle,SHGetSpecialFolderPathW,CreateProcessW,FreeLibrary,CreateThread,CreateThread,CreateThread,FreeLibrary, string: cmd.exe 2_2_04B50396
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B5623C htons,htons,socket,getpeername,socket,socket,htons,htonl,bind, 2_2_04B5623C
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 586425 Sample: cANdLlHS4N Startdate: 10/03/2022 Architecture: WINDOWS Score: 100 31 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Antivirus detection for dropped file 2->35 37 6 other signatures 2->37 7 cANdLlHS4N.exe 3 2->7         started        10 obedience.exe 1 2->10         started        process3 file4 21 C:\Users\user\AppData\Local\...\obedience.exe, PE32 7->21 dropped 23 C:\Users\user\AppData\Local\...\StarBurn.dll, PE32 7->23 dropped 13 obedience.exe 2 7->13         started        39 Allocates memory in foreign processes 10->39 16 iexplore.exe 10->16         started        signatures5 process6 signatures7 41 Writes to foreign memory regions 13->41 43 Allocates memory in foreign processes 13->43 45 Contains functionality to detect sleep reduction / modifications 13->45 18 iexplore.exe 2 13->18         started        process8 dnsIp9 25 67.205.132.17, 443, 49736, 49737 DIGITALOCEAN-ASNUS United States 18->25 27 144.168.45.116, 443, 49743, 49756 INCERO-HVVCUS United States 18->27 29 192.168.2.1 unknown unknown 18->29
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
144.168.45.116
 unknown United States
54540 INCERO-HVVCUS false
67.205.132.17
 unknown United States
14061 DIGITALOCEAN-ASNUS true

Private

IP
192.168.2.1

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://67.205.132.17:443/23I9/index.php true
  • Avira URL Cloud: safe
 unknown
https://67.205.132.17:443/NEZTl2/index.php true
  • Avira URL Cloud: safe
 unknown
https://67.205.132.17:443/hvnqlRD8z/index.php true
  • Avira URL Cloud: safe
 unknown
https://67.205.132.17:443/M2c1Nb/index.php true
  • Avira URL Cloud: safe
 unknown
https://67.205.132.17:443/3T3t/index.php true
  • Avira URL Cloud: safe
 unknown