Windows Analysis Report
hBB2KnTndI.exe

Overview

General Information

Sample Name: hBB2KnTndI.exe
Analysis ID: 635800
MD5: b413ff6e943c415afc26640ff535c724
SHA1: fcc13d52bf28416f3b8a594d58113fd8828a4093
SHA256: 7ff0ff6e51a58398ad73da3cc8e7e6233a23e49d93aaa4b190672e4f9f08b9bb
Tags: 32 exe trojan

Detection

Amadey
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Amadeys stealer DLL
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Contains functionality to inject code into remote processes
Contains functionality to prevent local Windows debugging
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Found evaded block containing many API calls
PE / OLE file has an invalid certificate
PE file contains more sections than normal
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: hBB2KnTndI.exe Virustotal: Detection: 39%
Source: hBB2KnTndI.exe ReversingLabs: Detection: 39%
Source: hBB2KnTndI.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: D:\Mktmp\NL1\Release\NL1.pdb source: hBB2KnTndI.exe, hBB2KnTndI.exe, 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, AppLaunch.exe, 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmp
Source: Binary string: applaunch.pdb source: orxds.exe, orxds.exe, 00000007.00000000.265811134.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, orxds.exe.5.dr
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: 0_2_00424F00 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno, 0_2_00424F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 5_2_0041E292 FindFirstFileExW, 5_2_0041E292
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: 4x nop then sub esp, 1Ch 0_2_0042C470
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: 4x nop then push ebx 0_2_004738B0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_0049A9C0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: 4x nop then jmp 0046E320h 0_2_00470A20
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: 4x nop then jmp 00484510h 0_2_00486B40
Source: hBB2KnTndI.exe String found in binary or memory: http://gcc.gnu.org/bugs.html):
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 5_2_00407090 CreateMutexW,GetLastError,GetFileAttributesA,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 5_2_00407090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 5_2_00402150 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown, 5_2_00402150
Source: hBB2KnTndI.exe, 00000000.00000000.265140513.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 148
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: String function: 004C9BD0 appears 34 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: String function: 0040146E appears 85 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: String function: 004A57E0 appears 48 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: String function: 004123E0 appears 118 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: String function: 004137B0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe Code function: String function: 00DCFB02 appears 62 times
Source: hBB2KnTndI.exe Static PE information: invalid certificate
Source: hBB2KnTndI.exe Static PE information: Number of sections : 16 > 10
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe 115D04150F524C103CA08E18305B0B103A3767336E19404235D2017F4B233CE5
Source: hBB2KnTndI.exe Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\hBB2KnTndI.exe "C:\Users\user\Desktop\hBB2KnTndI.exe"
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f
Source: classification engine Classification label: mal76.spyw.evad.winEXE@7/5@0/0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6464
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6480:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: hBB2KnTndI.exe Static file information: File size 2476494 > 1048576
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: 0_2_004115A7 push eax; mov dword ptr [esp], ebx 0_2_004115AE
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: 0_2_0046A160 push eax; mov dword ptr [esp], ebx 0_2_0046A67B
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: 0_2_0047D2D0 push eax; mov dword ptr [esp], ebx 0_2_0047D650
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: 0_2_0047C3C0 push eax; mov dword ptr [esp], ebx 0_2_0047C630
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: 0_2_00479530 push eax; mov dword ptr [esp], ebx 0_2_00479666
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: 0_2_0046A690 push eax; mov dword ptr [esp], ebx 0_2_0046ABAB
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: 0_2_00479780 push eax; mov dword ptr [esp], ebx 0_2_004798B6
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: 0_2_0047D920 push eax; mov dword ptr [esp], ebx 0_2_0047DCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 5_2_004137F6 push ecx; ret 5_2_00413809
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe Code function: 7_2_00DCF8E8 push ecx; ret 7_2_00DCFAB8
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe Code function: 7_2_00DCFAD0 push ecx; ret 7_2_00DCFAE3
Source: hBB2KnTndI.exe Static PE information: section name: /4
Source: hBB2KnTndI.exe Static PE information: section name: /14
Source: hBB2KnTndI.exe Static PE information: section name: /29
Source: hBB2KnTndI.exe Static PE information: section name: /41
Source: hBB2KnTndI.exe Static PE information: section name: /55
Source: hBB2KnTndI.exe Static PE information: section name: /67
Source: hBB2KnTndI.exe Static PE information: section name: /80
Source: hBB2KnTndI.exe Static PE information: section name: /91
Source: hBB2KnTndI.exe Static PE information: section name: /102
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: 0_2_00401340 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,atexit, 0_2_00401340
Source: hBB2KnTndI.exe Static PE information: real checksum: 0x2619f8 should be: 0x25f5ed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe Code function: 7_2_00DCD53A rdtsc 7_2_00DCD53A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Evaded block: after key decision
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe API coverage: 6.4 %
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe API coverage: 8.1 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 5_2_00405230 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo, 5_2_00405230
Source: C:\Users\user\Desktop\hBB2KnTndI.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 5_2_00417C96 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00417C96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 5_2_00402C50 DeleteObject,GetUserNameW,GetUserNameW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetUserNameW,LookupAccountNameW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LookupAccountNameW,ConvertSidToStringSidW,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree, 5_2_00402C50
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: 0_2_00411C06 mov eax, dword ptr fs:[00000030h] 0_2_00411C06
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: 0_2_004CF542 mov eax, dword ptr fs:[00000030h] 0_2_004CF542
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: 0_2_004CB7B1 mov eax, dword ptr fs:[00000030h] 0_2_004CB7B1
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: 0_2_004EEBEC mov eax, dword ptr fs:[00000030h] 0_2_004EEBEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 5_2_00419122 mov eax, dword ptr fs:[00000030h] 5_2_00419122
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 5_2_00415391 mov eax, dword ptr fs:[00000030h] 5_2_00415391
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: 0_2_004011A5 SetUnhandledExceptionFilter,_iob,_setmode,_setmode,_setmode,__p__fmode,__p__environ,KiUserExceptionDispatcher,_cexit,ExitProcess, 0_2_004011A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 5_2_00413738 SetUnhandledExceptionFilter, 5_2_00413738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 5_2_00413983 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00413983
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 5_2_004135D3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_004135D3
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe Code function: 7_2_00DCF580 ?terminate@@YAXXZ,__crtSetUnhandledExceptionFilter, 7_2_00DCF580

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\hBB2KnTndI.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 46B1008
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: 0_2_004EEC21 CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread, 0_2_004EEC21
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe Code function: 7_2_00DC915E LoadLibraryExW,GetProcAddress,FreeLibrary,IsDebuggerPresent,DebugBreak, 7_2_00DC915E
Source: C:\Users\user\Desktop\hBB2KnTndI.exe Code function: 0_2_004C9813 cpuid 0_2_004C9813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 5_2_00413811 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 5_2_00413811
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 5_2_00421B1C _free,GetTimeZoneInformation,_free, 5_2_00421B1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 5_2_0040F1D0 IsUserAnAdmin,GetUserNameW,GetComputerNameExW, 5_2_0040F1D0

Stealing of Sensitive Information

Source: Yara match File source: 0.3.hBB2KnTndI.exe.8a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.hBB2KnTndI.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.hBB2KnTndI.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.hBB2KnTndI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.hBB2KnTndI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.hBB2KnTndI.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.262491711.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.264188526.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.264842182.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
No contacted IP infos