Windows Analysis Report
Gxm6KI51wl.exe

Overview

General Information

Sample name: Gxm6KI51wl.exe
renamed because original name is a hash value
Original sample name: 1a1debc631daab24c955c28aa18e909b.exe
Analysis ID: 1501289
MD5: 1a1debc631daab24c955c28aa18e909b
SHA1: 55e9a22c7d5d1eceffdc9657e78da59ec471f90e
SHA256: e09370c9adc09c15eb8d05301bd3c74ef76e98b8a2fa2089df9c4ec5d7b4e047
Tags: exe, RedLineStealer

Detection

PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Reads the System eventlog
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables security privileges
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: zgRAT
Description: zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT has infostealer functionality which targets browser information and cryptowallets. It usually spreads via USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection

Source: C:\Users\user\AppData\Roaming\d3d9x.dll ReversingLabs: Detection: 60%
Source: Gxm6KI51wl.exe ReversingLabs: Detection: 66%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\d3d9x.dll Joe Sandbox ML: detected
Source: Gxm6KI51wl.exe Joe Sandbox ML: detected
Source: Gxm6KI51wl.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Gxm6KI51wl.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Code function: 0_2_6D85C4A8 FindFirstFileExW, 0_2_6D85C4A8
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: time.windows.com
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

System Summary

Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 3.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Gxm6KI51wl.exe.6d840000.1.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, Strings.cs Large array initialization: Strings: array initializer size 6160
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Code function: 0_2_6D848DA0 GetModuleHandleW,NtQueryInformationProcess, 0_2_6D848DA0
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Code function: 0_2_6D848DA0 0_2_6D848DA0
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Code function: 0_2_6D8411D0 0_2_6D8411D0
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Code function: 0_2_6D8485C0 0_2_6D8485C0
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Code function: 0_2_6D862A45 0_2_6D862A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00F85FB9 3_2_00F85FB9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00F8EB98 3_2_00F8EB98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00F8EB88 3_2_00F8EB88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00F8CC54 3_2_00F8CC54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Security
Source: Gxm6KI51wl.exe, 00000000.00000000.1232983026.00000000002C2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameIrisKevin186Wendy.mscL vs Gxm6KI51wl.exe
Source: Gxm6KI51wl.exe, 00000000.00000002.1247140436.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Gxm6KI51wl.exe
Source: Gxm6KI51wl.exe, 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmp Binary or memory string: OriginalFilenameCricketer.exe" vs Gxm6KI51wl.exe
Source: Gxm6KI51wl.exe Binary or memory string: OriginalFilenameIrisKevin186Wendy.mscL vs Gxm6KI51wl.exe
Source: Gxm6KI51wl.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 3.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.Gxm6KI51wl.exe.6d840000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: Gxm6KI51wl.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, Strings.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, daD.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, daD.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, y7p.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, Strings.cs Base64 encoded string: 'GwIERx07GzAFKSEpHCoDKR03NR8GKgM2LF8hPh1cNgkcKAM5BSwHPgcoOgkaOCVHGiciBSldQh0dO0NO'
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/3@1/0
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe File created: C:\Users\user\AppData\Roaming\d3d9x.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2688:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: Gxm6KI51wl.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Gxm6KI51wl.exe ReversingLabs: Detection: 66%
Source: unknown Process created: C:\Users\user\Desktop\Gxm6KI51wl.exe "C:\Users\user\Desktop\Gxm6KI51wl.exe"
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: textshaping.dll
Source: Gxm6KI51wl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Gxm6KI51wl.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, y7p.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, FPZ.cs .Net Code: NTS
Source: d3d9x.dll.0.dr Static PE information: section name: .Jpc
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Code function: 0_2_6D863174 push ecx; ret 0_2_6D863187
Source: Gxm6KI51wl.exe Static PE information: section name: .text entropy: 7.165136221561172
Source: d3d9x.dll.0.dr Static PE information: section name: .text entropy: 6.871072071474358
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe File created: C:\Users\user\AppData\Roaming\d3d9x.dll
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Memory allocated: E80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Memory allocated: 26B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Memory allocated: 25E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Memory allocated: 4D60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Memory allocated: 5D60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Memory allocated: 5E90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Memory allocated: 6E90000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: F80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2800000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 25C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\d3d9x.dll
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe API coverage: 9.1 %
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe TID: 6532 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5376 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Code function: 0_2_6D85C4A8 FindFirstFileExW, 0_2_6D85C4A8
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Code function: 0_2_6D85BDF7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D85BDF7
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Code function: 0_2_6D857981 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6D857981
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Code function: 0_2_6D857E5A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D857E5A
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 800000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 800000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 800000
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 802000
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 85E000
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 87E000
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6AF008
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Code function: 0_2_6D858018 cpuid 0_2_6D858018
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Queries volume information: C:\Users\user\Desktop\Gxm6KI51wl.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe Code function: 0_2_6D857AA3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6D857AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.Gxm6KI51wl.exe.6d86b000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Gxm6KI51wl.exe.6d840000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1241589726.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 0.2.Gxm6KI51wl.exe.6d86b000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Gxm6KI51wl.exe.6d840000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1241589726.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
No contacted IP infos