Windows Analysis Report
USD 510,800.bat.exe

Source: USD 510,800.bat.exe, 00000000.00000002.2114514628.0000000004262000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs USD 510,800.bat.exe
Source: USD 510,800.bat.exe, 00000000.00000002.2114514628.0000000004262000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOomiack.exe" vs USD 510,800.bat.exe
Source: USD 510,800.bat.exe, 00000000.00000002.2113675143.0000000003011000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs USD 510,800.bat.exe
Source: USD 510,800.bat.exe, 00000000.00000000.2101129830.0000000000BFA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameKhac.exeB vs USD 510,800.bat.exe
Source: USD 510,800.bat.exe, 00000000.00000002.2114514628.0000000004095000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOomiack.exe" vs USD 510,800.bat.exe
Source: USD 510,800.bat.exe, 00000000.00000002.2114514628.0000000004095000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs USD 510,800.bat.exe
Source: USD 510,800.bat.exe, 00000000.00000002.2117064513.0000000005990000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs USD 510,800.bat.exe
Source: USD 510,800.bat.exe, 00000000.00000002.2113675143.000000000305B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs USD 510,800.bat.exe
Source: USD 510,800.bat.exe, 00000000.00000002.2118392579.0000000005A50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs USD 510,800.bat.exe
Source: USD 510,800.bat.exe, 00000000.00000002.2111567531.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs USD 510,800.bat.exe
Source: USD 510,800.bat.exe, 00000003.00000002.2119724895.0000000000456000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOomiack.exe" vs USD 510,800.bat.exe
Source: USD 510,800.bat.exe	Binary or memory string: OriginalFilenameKhac.exeB vs USD 510,800.bat.exe

Source: USD 510,800.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.USD 510,800.bat.exe.4283568.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.USD 510,800.bat.exe.4032ec8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.USD 510,800.bat.exe.4283568.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.USD 510,800.bat.exe.4032ec8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 3.2.USD 510,800.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: USD 510,800.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.USD 510,800.bat.exe.4283568.4.raw.unpack, Strings.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.USD 510,800.bat.exe.4283568.4.raw.unpack, A2H1lUZ15GsIooGy4G.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.USD 510,800.bat.exe.4283568.4.raw.unpack, A2H1lUZ15GsIooGy4G.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.USD 510,800.bat.exe.4032ec8.2.raw.unpack, Strings.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.USD 510,800.bat.exe.4032ec8.2.raw.unpack, A2H1lUZ15GsIooGy4G.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.USD 510,800.bat.exe.4032ec8.2.raw.unpack, A2H1lUZ15GsIooGy4G.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.USD 510,800.bat.exe.4283568.4.raw.unpack, Strings.cs	Base64 encoded string: 'LTw5FwspQj0ZLBEuIycNLzlTBTUkCAgHNQUuRx5JPgAnJCF9HTMNBzpBej8tNicZJCE2MywAVAoYLERc'
Source: 0.2.USD 510,800.bat.exe.4032ec8.2.raw.unpack, Strings.cs	Base64 encoded string: 'LTw5FwspQj0ZLBEuIycNLzlTBTUkCAgHNQUuRx5JPgAnJCF9HTMNBzpBej8tNicZJCE2MywAVAoYLERc'

Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, tQ7q88JIySVyKBimab.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, iQ03tcc2OTqPJfAISw.cs	Security API names: _0020.SetAccessControl
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, iQ03tcc2OTqPJfAISw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, iQ03tcc2OTqPJfAISw.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/4@0/0

Source: C:\Users\user\Desktop\USD 510,800.bat.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\USD 510,800.bat.exe.log

Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_03

Source: USD 510,800.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: USD 510,800.bat.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\USD 510,800.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: USD 510,800.bat.exe

Virustotal: Detection: 35%

Source: unknown	Process created: C:\Users\user\Desktop\USD 510,800.bat.exe "C:\Users\user\Desktop\USD 510,800.bat.exe"
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process created: C:\Users\user\Desktop\USD 510,800.bat.exe "C:\Users\user\Desktop\USD 510,800.bat.exe"
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process created: C:\Users\user\Desktop\USD 510,800.bat.exe "C:\Users\user\Desktop\USD 510,800.bat.exe"	Jump to behavior

Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: umpdc.dll	Jump to behavior

Source: C:\Users\user\Desktop\USD 510,800.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: C:\Users\user\Desktop\USD 510,800.bat.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

.NET source code contains method to dynamically call methods (often used by packers)

Source: USD 510,800.bat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: USD 510,800.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 0.2.USD 510,800.bat.exe.4283568.4.raw.unpack, A2H1lUZ15GsIooGy4G.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.USD 510,800.bat.exe.4032ec8.2.raw.unpack, A2H1lUZ15GsIooGy4G.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: USD 510,800.bat.exe, Form1.cs	.Net Code: InitializeComponent
Source: 0.2.USD 510,800.bat.exe.5990000.5.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.USD 510,800.bat.exe.3038978.1.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, iQ03tcc2OTqPJfAISw.cs	.Net Code: hLqftC88FO System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Code function: 0_2_0133EDE0 push eax; retf	0_2_0133EDE1
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Code function: 0_2_054876E2 pushfd ; retf	0_2_054876E9
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Code function: 0_2_05487686 pushfd ; retf	0_2_0548768D
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Code function: 0_2_054876B6 pushfd ; retf	0_2_054876B7
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Code function: 0_2_05551B78 pushfd ; ret	0_2_05551B81
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Code function: 3_2_031201A5 push esp; iretd	3_2_031201B3

Source: USD 510,800.bat.exe

Static PE information: section name: .text entropy: 7.988437033653444

Source: 0.2.USD 510,800.bat.exe.4283568.4.raw.unpack, UserExt.cs	High entropy of concatenated method names: '_003CDomainExists_003Eb__2', 'uGZ3AARU2kaRZCSD349', 'vWjZ1DRWbXNe65HHpQe', 'DomainExists', 'PreCheck', 'ripQSKpjIhEqlMk7vJr', 'r650OrpVX87t9m91xXF', 'crBPB9pceZZsReUclGg', 'seSbVTpnwVS9Ie3T1ot', 'mcCr0rp2Miv4A55EKWQ'
Source: 0.2.USD 510,800.bat.exe.4283568.4.raw.unpack, SystemInfoHelper.cs	High entropy of concatenated method names: '_003CCloseBrowser_003Eb__1', 'WUQsKHR3RTIx8k4UfWJ', 'j0JLoCRvSewWjI5U271', 'WjlP1dRy5O9eqKCqwYb', 'ShowMessage', 'CloseBrowser', 'Add', 'GetProcessors', 'GetGraphicCards', 'GetBrowsers'
Source: 0.2.USD 510,800.bat.exe.4283568.4.raw.unpack, FieldRootRoot.cs	High entropy of concatenated method names: 'Field1', 'J7orWnXHYZc3Olrr5iY', 'C2qGIvXmKFwT5QNGx2L', 'i9MBE6XRH5t6ll1JfTQ', 'dsrkmBXABYCcXYO0xop', 'qIirJrXL2Nyokbp5dLX', 'qabHUrX4D9R9dE0M78Q', 'nSvU3RXDs21VC7Vw3dR', 'oqjsXAXlILK1vkN0cI8', 'b65G9vXCyKDhQb8vmWk'
Source: 0.2.USD 510,800.bat.exe.4283568.4.raw.unpack, CryptoHelper.cs	High entropy of concatenated method names: 'GetDecoded', 'DecryptBlob', 'cryptUnprotectData', 'GetMd5Hash', 'GetHexString', 'c0VUeFpoBTZ1YjTKOYk', 'HPgwO4pMLi2Ijmb9v2u', 'hqEGxmpKioL8tsdhBYN', 'V7S5QKpJsX6waaV4wtT', 'UZ9iWZpGQuSHt7GV85x'
Source: 0.2.USD 510,800.bat.exe.4283568.4.raw.unpack, BerkeleyDB.cs	High entropy of concatenated method names: 'Extract', 'YPGXHApO1ZkXLYnqRLC', 'fxQdebp3q82H18WBUmT', 'aiMXtQpvmRVijB4xOVk', 'qMaqXlpyfNgnvmmd6uJ', 'bRpJ6Ip5LBgxuWyO2Wu', 'cNkZQqpIlpN4dZsY742'
Source: 0.2.USD 510,800.bat.exe.4283568.4.raw.unpack, TripleDes.cs	High entropy of concatenated method names: 'ComputeVoid', 'Compute', 'DecryptStringDesCbc', 'DecryptByteDesCbc', 'Ja1O4Glu6mnZ3xW7YIw', 'mUDfPklEDDJoSvxrde3', 'i7PNwalaj9Y2j7B13JB', 'kEmSR6lPHOhhLgWMxTT', 'UJ6Ru8l1shO84oY6evZ', 'JEjWrQl81QCVFOXQKSK'
Source: 0.2.USD 510,800.bat.exe.4283568.4.raw.unpack, A2H1lUZ15GsIooGy4G.cs	High entropy of concatenated method names: 'QgSfOIAomjlahH9eGMo', 'KANouAAJy7Yb7rBOoh9', 'LtQPyoxJn7', 'HE4qJIAufHBgctr1G6O', 'QVwfErAELsKNTyrOsSo', 'g38PJ8K3c0', 'AZCPHbxqQi', 'kjCPpoa2Hi', 'zssPO0JXVk', 'wmTPVkxu9Y'
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, b9vZDQ2CShfWG9amQb.cs	High entropy of concatenated method names: 'C9bHyKkga2', 'G0SHIdMMLo', 'ieWHfK7Wi2', 'b22HOUhEmU', 'zUXHsBdgvC', 'UhHHB9lyrW', 'xKYHKiIGEH', 'zeeZwgKHnF', 'd5dZD8xYc7', 'AfkZ5Axj0G'
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, afeKGa7bO0AALoofVb.cs	High entropy of concatenated method names: 'QrBx9puJQX', 'gykxj3F8EL', 'ToString', 'ab6xO1bkY5', 'hQ4xsfHIwW', 'c1NxuRHXjJ', 'dJ9xBdeAY8', 'cyrxKUkHmc', 'FNUxGXfbds', 'Aomxc0HWbN'
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, iQ03tcc2OTqPJfAISw.cs	High entropy of concatenated method names: 'aWwIQk2Gm7', 'BBgIOOTNWg', 'YIWIscZtLi', 'WWuIu85CXO', 'KEvIBYdW1x', 'ckYIKpUEfM', 'JVOIGeKSwX', 'NPgIcDpHgY', 'NXNIA1PjTO', 'uM6I9A3vTk'
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, tf234IFyMtim8Ca4lE.cs	High entropy of concatenated method names: 'CCEGOYVHJ6', 'rd6Gu4bAPb', 'g8aGKlpg0f', 'PL2K2ILipE', 's9fKzrsOy3', 'wX4GrVrnFj', 'SqcGyvunBr', 'iYwGeSC2Km', 'nrDGI6s1S7', 'Hp1GfIGp21'
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, jYK3Cfvh0ECfW80pCW.cs	High entropy of concatenated method names: 'fQK4JmpCwQ', 'LvJ40QsS3U', 'y5L4VrmDg6', 'caB4EoPbw0', 'mVf4U1iNXU', 'Ulb41ePxyX', 'vvq4FXkQ7P', 'MEc4Skp0hg', 'ccN4NYxCKF', 'bc74YDQCsE'
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, Xxxx2hn4ru4MW6ARb8.cs	High entropy of concatenated method names: 'P6iB3kCmun', 'X04B8ucrlX', 'zHiuoZwTJV', 'BleuUP1DID', 'muju16F6qC', 'KwpuqZZvRO', 'WHMuFgdWpt', 'URcuSsL2xM', 'PASuTmcgOM', 'qpsuN4kNDF'
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, numrEW5ikObhr6piXJ.cs	High entropy of concatenated method names: 'YoRZVK5vqF', 'CmIZExWOO5', 'KyoZo59Pon', 'leHZU8lSMJ', 'xInZpjd5Lb', 'of5Z1EDcHW', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, cUsw8I0YsSq9m1Zqdl.cs	High entropy of concatenated method names: 'yEwugQ0Ddg', 'wEEuheUaUj', 'IyDuJchck2', 'jWJu02mBaw', 'manuR7Ym50', 'TRguMOgWGr', 'zZnuxXbr5c', 'W5HuZqWYFa', 'FFouHCslcn', 'CU0u6y2B0k'
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, o0dWdvff6sxgt8XkmW.cs	High entropy of concatenated method names: 'subyGQ7q88', 'dySycVyKBi', 'cYsy9Sq9m1', 'qqdyjl5xxx', 'sARyRb8IwY', 'wUgyMPLnOR', 'UB0GPJnK53hvqN4Ndb', 'FTXkVy5PT83tCRO05M', 'qgSyyV18ET', 'vLoyIeu5Pq'
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, lA455Vzxc0349hpxS3.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zCnH4oUGyI', 'FDtHRmKMPh', 'mWWHMWLiTv', 'vYqHxYDq6P', 'it9HZ22UgB', 'HK9HHxUWmk', 'ByJH63XK5R'
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, IFtJ1NDcklb9r2DMAb.cs	High entropy of concatenated method names: 'voAZOQnhm6', 'CRZZsh905f', 'LMNZufuhMp', 'EL3ZB3NM08', 'iv5ZKcriyn', 'tA7ZGcwuNv', 'TjwZcAZ23s', 'aejZAP2Hjv', 'j6EZ9P4qyn', 'RpBZjG2yLP'
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, B7Q61NexYpHCCnP8bj.cs	High entropy of concatenated method names: 'tPTtUd92v', 'GeXgK9L3X', 'DIbhsnVyv', 'hXD8MWqjm', 'dKl0NC4M4', 'MAAnui4cB', 'GDQNhqKtmr2xJTowxP', 'It5QT8Vql27tpgAJtk', 'ug5Z7w8xj', 'WBj6KMQre'
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, tQ7q88JIySVyKBimab.cs	High entropy of concatenated method names: 'Efgspq68JS', 'jLNsdOhpsB', 'dpXsaCLRH0', 'KLXs7EDyYo', 'iA9smBfFRl', 'GmcsiHlhnH', 'oCUswYIDAd', 'KVLsDU0inl', 'EMOs5HQFan', 'Yibs2QCpL2'
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, hMhkXFTCIP2GfpRM1D.cs	High entropy of concatenated method names: 'PZZGWyjWHy', 'GsUGPY3B6R', 'SehGt3I9W9', 'im4GgMgy5a', 'jpPG3dau9m', 'pjnGh70efS', 'givG8l8oND', 'ONsGJXWiTM', 'TxvG0B9FfF', 'DyuGnkXZtg'
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, AO8wsHyIATntVSU2icM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'c8X6p44SD7', 'C9a6dqQE6O', 'Pr96a886n4', 'nrk67snTmI', 'W2I6mIXFmv', 'Tpn6iNdC2s', 'ojw6wvRal9'
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, qfDQJ1yrgG4rKJAQJTV.cs	High entropy of concatenated method names: 'Wi8HWnvH18', 'xOuHP0Y09C', 'chVHt6WqPV', 'bfMHgRHELc', 'EMgH3xC9aD', 'eNHHh1HnuL', 'LQHH8rUB11', 'e1rHJkTQLd', 'eAkH04CKhn', 'cDFHncURMb'
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, dCTlrHpr6AlWHx5h33.cs	High entropy of concatenated method names: 'JxvRNPGSDJ', 'HvDRXfySUV', 'eYpRpZlxab', 'qJCRdjPuhd', 'vYmREY2cjT', 'FEWRo3v0oD', 'TM9RUk7vi6', 'zC2R1DSlLb', 'TRlRqMow63', 'hwlRFxjrnw'
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, hbekMmyyvyogqb11gpV.cs	High entropy of concatenated method names: 'ToString', 'qlK6Ibr7ZH', 'SZP6f8gkxX', 'REQ6QAKeqj', 'YKf6O0cIpb', 'uZS6sZxCbe', 'IPK6uXXOFR', 'rZa6Bc5a40', 'Fc4XuCwXbkLu38y0kq7', 'IBXg4LwuRFA3pHwhD5q'
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, NrbT3ZaqHXIsvpic3D.cs	High entropy of concatenated method names: 'ToString', 'xNhMYGmPVd', 'NyMMEJf9Di', 'uP6MoyDQii', 'OtSMUmsGcJ', 'PakM1XeZBk', 'VOyMqhJOxL', 'KOfMFf6YfP', 'w6ZMSD04Pp', 'HobMTCmteZ'
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, cwYkUgVPLnORDZnXTp.cs	High entropy of concatenated method names: 'p8iKQl9f1v', 'BEmKsqYAOs', 'LxSKBSUWJ2', 'M6TKGIZWux', 'HZxKclITJI', 'cRQBmwrc8Y', 'poTBiQ0734', 'POgBwW737x', 'oeTBDU86S4', 'nD3B55voif'
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, BftyFHs0yNvrIK9Uu2.cs	High entropy of concatenated method names: 'Dispose', 'KkYy5pwPcx', 'g62eEfS9DY', 'iMVOOI9pBg', 'aUFy2tJ1Nc', 'vlbyz9r2DM', 'ProcessDialogKey', 'lb4erumrEW', 'UkOeybhr6p', 'VXJeee9vZD'
Source: 0.2.USD 510,800.bat.exe.5a50000.6.raw.unpack, WlOS2giiHwnAjKU64u.cs	High entropy of concatenated method names: 'tKLxD1gtKa', 'go4x2AQAMB', 'Hs8ZrmhYIy', 's3OZyZvMn9', 'kT7xYRMARW', 'SJbxXHIavX', 'lRjxvhqDxF', 'l9TxpMm9Cx', 'NcaxdPfsJ8', 'CH3xaS65tH'
Source: 0.2.USD 510,800.bat.exe.4032ec8.2.raw.unpack, UserExt.cs	High entropy of concatenated method names: '_003CDomainExists_003Eb__2', 'uGZ3AARU2kaRZCSD349', 'vWjZ1DRWbXNe65HHpQe', 'DomainExists', 'PreCheck', 'ripQSKpjIhEqlMk7vJr', 'r650OrpVX87t9m91xXF', 'crBPB9pceZZsReUclGg', 'seSbVTpnwVS9Ie3T1ot', 'mcCr0rp2Miv4A55EKWQ'
Source: 0.2.USD 510,800.bat.exe.4032ec8.2.raw.unpack, SystemInfoHelper.cs	High entropy of concatenated method names: '_003CCloseBrowser_003Eb__1', 'WUQsKHR3RTIx8k4UfWJ', 'j0JLoCRvSewWjI5U271', 'WjlP1dRy5O9eqKCqwYb', 'ShowMessage', 'CloseBrowser', 'Add', 'GetProcessors', 'GetGraphicCards', 'GetBrowsers'
Source: 0.2.USD 510,800.bat.exe.4032ec8.2.raw.unpack, FieldRootRoot.cs	High entropy of concatenated method names: 'Field1', 'J7orWnXHYZc3Olrr5iY', 'C2qGIvXmKFwT5QNGx2L', 'i9MBE6XRH5t6ll1JfTQ', 'dsrkmBXABYCcXYO0xop', 'qIirJrXL2Nyokbp5dLX', 'qabHUrX4D9R9dE0M78Q', 'nSvU3RXDs21VC7Vw3dR', 'oqjsXAXlILK1vkN0cI8', 'b65G9vXCyKDhQb8vmWk'
Source: 0.2.USD 510,800.bat.exe.4032ec8.2.raw.unpack, CryptoHelper.cs	High entropy of concatenated method names: 'GetDecoded', 'DecryptBlob', 'cryptUnprotectData', 'GetMd5Hash', 'GetHexString', 'c0VUeFpoBTZ1YjTKOYk', 'HPgwO4pMLi2Ijmb9v2u', 'hqEGxmpKioL8tsdhBYN', 'V7S5QKpJsX6waaV4wtT', 'UZ9iWZpGQuSHt7GV85x'
Source: 0.2.USD 510,800.bat.exe.4032ec8.2.raw.unpack, BerkeleyDB.cs	High entropy of concatenated method names: 'Extract', 'YPGXHApO1ZkXLYnqRLC', 'fxQdebp3q82H18WBUmT', 'aiMXtQpvmRVijB4xOVk', 'qMaqXlpyfNgnvmmd6uJ', 'bRpJ6Ip5LBgxuWyO2Wu', 'cNkZQqpIlpN4dZsY742'
Source: 0.2.USD 510,800.bat.exe.4032ec8.2.raw.unpack, TripleDes.cs	High entropy of concatenated method names: 'ComputeVoid', 'Compute', 'DecryptStringDesCbc', 'DecryptByteDesCbc', 'Ja1O4Glu6mnZ3xW7YIw', 'mUDfPklEDDJoSvxrde3', 'i7PNwalaj9Y2j7B13JB', 'kEmSR6lPHOhhLgWMxTT', 'UJ6Ru8l1shO84oY6evZ', 'JEjWrQl81QCVFOXQKSK'
Source: 0.2.USD 510,800.bat.exe.4032ec8.2.raw.unpack, A2H1lUZ15GsIooGy4G.cs	High entropy of concatenated method names: 'QgSfOIAomjlahH9eGMo', 'KANouAAJy7Yb7rBOoh9', 'LtQPyoxJn7', 'HE4qJIAufHBgctr1G6O', 'QVwfErAELsKNTyrOsSo', 'g38PJ8K3c0', 'AZCPHbxqQi', 'kjCPpoa2Hi', 'zssPO0JXVk', 'wmTPVkxu9Y'

Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: USD 510,800.bat.exe PID: 5720, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: USD 510,800.bat.exe, 00000003.00000002.2121646623.0000000003440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE`,
Source: USD 510,800.bat.exe, 00000003.00000002.2121646623.0000000003440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE
Source: USD 510,800.bat.exe, 00000003.00000002.2121646623.0000000003440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\

Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Memory allocated: 1330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Memory allocated: 3010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Memory allocated: 2E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Memory allocated: 7EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Memory allocated: 7510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Memory allocated: 8EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Memory allocated: 9EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Memory allocated: 30E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Memory allocated: 3310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Memory allocated: 3160000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\USD 510,800.bat.exe TID: 6500	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe TID: 7072	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\dllhost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: USD 510,800.bat.exe, 00000003.00000002.2121646623.0000000003440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: USD 510,800.bat.exe, 00000003.00000002.2121646623.0000000003440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe`,
Source: WebCacheV01.dat.7.dr	Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: USD 510,800.bat.exe, 00000003.00000002.2121646623.0000000003440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe@\

Source: C:\Users\user\Desktop\USD 510,800.bat.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\USD 510,800.bat.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\USD 510,800.bat.exe

Process created: C:\Users\user\Desktop\USD 510,800.bat.exe "C:\Users\user\Desktop\USD 510,800.bat.exe"

Source: USD 510,800.bat.exe, 00000003.00000002.2121646623.0000000003565000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: USD 510,800.bat.exe, 00000003.00000002.2121646623.0000000003565000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Queries volume information: C:\Users\user\Desktop\USD 510,800.bat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Queries volume information: C:\Users\user\Desktop\USD 510,800.bat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\USD 510,800.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\USD 510,800.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Yara detected PureLog Stealer

Stealing of Sensitive Information

Source: Yara match	File source: 0.2.USD 510,800.bat.exe.4283568.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.USD 510,800.bat.exe.4032ec8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.USD 510,800.bat.exe.4283568.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.USD 510,800.bat.exe.4032ec8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.USD 510,800.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2119724895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114514628.0000000004262000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114514628.0000000004019000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114514628.0000000004095000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match

File source: Process Memory Space: USD 510,800.bat.exe PID: 6400, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 0.2.USD 510,800.bat.exe.4283568.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.USD 510,800.bat.exe.4032ec8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.USD 510,800.bat.exe.4283568.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.USD 510,800.bat.exe.4032ec8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.USD 510,800.bat.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.USD 510,800.bat.exe.4283568.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.USD 510,800.bat.exe.4032ec8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.USD 510,800.bat.exe.4283568.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.USD 510,800.bat.exe.4032ec8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.USD 510,800.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2119724895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114514628.0000000004262000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114514628.0000000004019000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114514628.0000000004095000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match

File source: Process Memory Space: USD 510,800.bat.exe PID: 6400, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 0.2.USD 510,800.bat.exe.4283568.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.USD 510,800.bat.exe.4032ec8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.USD 510,800.bat.exe.4283568.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.USD 510,800.bat.exe.4032ec8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.USD 510,800.bat.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	12 Process Injection	1 Masquerading	11 Input Capture	111 Security Software Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
USD 510,800.bat.exe	35%	Virustotal		Browse
USD 510,800.bat.exe	100%	Avira	TR/Dropper.MSIL.Gen
USD 510,800.bat.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://api.ip.sb/ip	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
https://aefd.nelreports.net/api/report?cat=bingaot	0%	URL Reputation	safe
https://aefd.nelreports.net/api/report?cat=bingth	0%	URL Reputation	safe
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat	0%	URL Reputation	safe
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat	0%	URL Reputation	safe
https://aefd.nelreports.net/api/report?cat=wsb	0%	URL Reputation	safe
https://aefd.nelreports.net/api/report?cat=bingrms	0%	URL Reputation	safe
https://aefd.nelreports.net/api/report?cat=bingrms	0%	URL Reputation	safe
https://api.ip.s	0%	URL Reputation	safe
https://aefd.nelreports.net/api/report?cat=bingaotak	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL	0%	Avira URL Cloud	safe
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c&	0%	Avira URL Cloud	safe
https://discord.com/api/v9/users/	0%	Virustotal		Browse
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL	0%	Virustotal		Browse
https://www.office.com/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	WebCacheV01.dat.7.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ip.sb/ip	USD 510,800.bat.exe, 00000003.00000002.2121646623.0000000003373000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL	WebCacheV01.dat.7.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aefd.nelreports.net/api/report?cat=bingaot	WebCacheV01.dat.7.dr	false	URL Reputation: safe	unknown
https://aefd.nelreports.net/api/report?cat=bingth	WebCacheV01.dat.7.dr	false	URL Reputation: safe	unknown
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat	WebCacheV01.dat.7.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://discord.com/api/v9/users/	USD 510,800.bat.exe, 00000003.00000002.2121646623.0000000003440000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aefd.nelreports.net/api/report?cat=wsb	WebCacheV01.dat.7.dr	false	URL Reputation: safe	unknown
https://aefd.nelreports.net/api/report?cat=bingrms	WebCacheV01.dat.7.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://api.ip.s	USD 510,800.bat.exe, 00000003.00000002.2121646623.0000000003373000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aefd.nelreports.net/api/report?cat=bingaotak	WebCacheV01.dat.7.dr	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	WebCacheV01.dat.7.dr	false	URL Reputation: safe	unknown
https://deff.nelreports.net/api/report?cat=msn	WebCacheV01.dat.7.dr, V01.log.7.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c&	WebCacheV01.dat.7.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500269
Start date and time:	2024-08-28 06:56:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	USD 510,800.bat.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/4@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 107 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:56:54	API Interceptor	1x Sleep call for process: USD 510,800.bat.exe modified
00:57:11	API Interceptor	1x Sleep call for process: dllhost.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\USD 510,800.bat.exe.log

Process:	C:\Users\user\Desktop\USD 510,800.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log

Process:	C:\Windows\System32\dllhost.exe
File Type:	data
Category:	dropped
Size (bytes):	524288
Entropy (8bit):	2.2888371872859294
Encrypted:	false
SSDEEP:	1536:jG5pG9g1Ui91X2dQlp6gOnrJOnoeOQ2fQdDQX2khHB1eO5o4QOGSvi1Gk:jG5qg1Ui91X2M6tnrQnvu1R5Lfvi
MD5:	D9B7602B98FEEE4DCCF89D797CF0088C
SHA1:	87E0BDB591297C898CCE516C04601F9E3C424C8B
SHA-256:	E96A19E577D59BD1FD07A1BA2D42C071D0735896DF0871FF1A1804590A63EEBE
SHA-512:	F0492511D6D1D26353C3EEE53F13CCDEA6A6460D5E8F53F57713A09B155D35F3EE29DD61B57B0C830627ADD17C726E6AB10E372A62687D5D15A14F5CE6DD304B
Malicious:	false
Reputation:	low
Preview:	...............+...{o..!...{..........<...T.;....{..................C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\..........................................................................................................................................................................................................C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\...........................................................................................................................................................................................................0u.............................................y..............Tz+.#......... ..........Y.......h.z.......x.......gN;....{..................C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.W.e.b.C.a.c.h.e.\.W.e.b.C.a.c.h.e.V.0.1...d.a.t......................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Process:	C:\Windows\System32\dllhost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x79636fb0, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	17301504
Entropy (8bit):	1.0266757776583522
Encrypted:	false
SSDEEP:	6144:bvQPYV7AyUO+xBGA611GJxBGA611Gv0M6JWX3XX35X3khTAzhTA/hTATX3t8nqkw:QyUZ3F0TcT0TAitKxK/U5/C4Ago
MD5:	CDC6627C97FB059D2CEFB8D4C7688353
SHA1:	F85132AE772E29282D29843FC1DBA7E17138E274
SHA-256:	4FF32CFF450BB543699A4CFC5F9BC67EBFE856ECC26BB993209D848A21DB94C3
SHA-512:	242AB6955A53C49D3FA1D1F37A9D3486C6A7BF68CE7A61AEF14DC767FE00FC93C317A68C952B63A75D4C2E3FB4271769504DECBA4E7C95AE2B2928C0EA2FC44D
Malicious:	false
Reputation:	low
Preview:	yco.... .......4.........gN;....{........................&....../...{5..9...\|..h.(.........................T.;....{..............................................................................................Y...........eJ......n........................................................................................................... ........+...{o..............................................................................................................................................................................................!...{..................................Gl;..9...\|......................9...\|...........................#......h.(.....................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Process:	C:\Windows\System32\dllhost.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.13360064485721254
Encrypted:	false
SSDEEP:	6:uXy/uucTr8Z/qyi5+xL9wjXlFkFRFlYC0p23nGC:b/uucUZ/qyi5+ULlePFlYC1
MD5:	C01B83BBB140AE8F06550B72E0B9BACC
SHA1:	B2BE4254D09D673B45AA664BD0C995D37230FA25
SHA-256:	D018753801BF2E6BC4CC74DBDFA79DC26A231B0D1ECAF7957AF660CD143B8A56
SHA-512:	34832FDEC93656286652C8862E887C25BCBADC5FD410A92674EF59A516DB933D3CA9A50C5B5D08AC8B8477C36095F772E64A4B2EF014317EEA4677429497F831
Malicious:	false
Reputation:	low
Preview:	.4......................................;....{...9...\|.../...{5..........9...\|.../...{5.Gl;..9...\|...................p..9...\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.982566078244851
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	USD 510,800.bat.exe
File size:	958'464 bytes
MD5:	6699b6a704f40c24f206f25c3eb801ab
SHA1:	25a718491615845ed1529a22799a60b880b62ebc
SHA256:	6e16b45647ffa0f8bdf7e97662b51be911fb4470176cbac1b07bd5464cb940ef
SHA512:	35636d99ae479a97f6ff85c12decc2ddda8237168cee599c14814c27e0469393ea69711afd72651937027c733585a0697f5561f32ba1d2c185aaf75509a9973e
SSDEEP:	12288:B6ETVlXcXDudfTASE7gNsOJQE37c+9eJrv+ojkbHWbZMPWOuJgDQTHlDlA9Ohmie:FMX6u8NsOJj9WdjwHlPW7JkQta9vjNA
TLSH:	2915230A766997F0E03CCE7498A0965A2272E01B7DD3D7BF8CCB2214AF78B585015D6F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..f.................l...2........... ........@.. ....................................@................................

File Icon


Icon Hash:	0733a129e9597117

Static PE Info

General

Entrypoint:	0x4e8a0e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CE9A29 [Wed Aug 28 03:31:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe89b8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xea000	0x3000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xee000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe6a14	0xe6c00	19a81d6f5d7c2a4336273ad586da6957	False	0.9852489335048754	data	7.988437033653444	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xea000	0x3000	0x3000	24e40ed6d7b3b5b0f2e9e37d0e5085a3	False	0.8290201822916666	data	7.196477814433287	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xee000	0xc	0x200	303d5ff1a7c74a7fb6653ee6d0ba34bd	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xea100	0x2490	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9995726495726496
RT_GROUP_ICON	0xec5a0	0x14	data	1.05
RT_VERSION	0xec5c4	0x348	data	0.42142857142857143
RT_MANIFEST	0xec91c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 28, 2024 06:57:13.372917891 CEST	53	57891	1.1.1.1	192.168.2.6

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: USD 510,800.bat.exePID: 5720, Parent PID: 4004

General

Target ID:	0
Start time:	00:56:54
Start date:	28/08/2024
Path:	C:\Users\user\Desktop\USD 510,800.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\USD 510,800.bat.exe"
Imagebase:	0xb10000
File size:	958'464 bytes
MD5 hash:	6699B6A704F40C24F206F25C3EB801AB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2114514628.0000000004262000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2114514628.0000000004019000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2114514628.0000000004095000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Chronological Activities

Analysis Process: USD 510,800.bat.exePID: 6400, Parent PID: 5720

General

Target ID:	3
Start time:	00:56:55
Start date:	28/08/2024
Path:	C:\Users\user\Desktop\USD 510,800.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\USD 510,800.bat.exe"
Imagebase:	0xee0000
File size:	958'464 bytes
MD5 hash:	6699B6A704F40C24F206F25C3EB801AB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.2119724895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Chronological Activities

Analysis Process: conhost.exePID: 6008, Parent PID: 6400

General

Target ID:	4
Start time:	00:56:55
Start date:	28/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Chronological Activities

Analysis Process: dllhost.exePID: 6400, Parent PID: 752

General

Target ID:	7
Start time:	00:57:11
Start date:	28/08/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Imagebase:	0x7ff642ec0000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false