Windows Analysis Report
WhaleInstall.exe

Overview

General Information

Sample name: WhaleInstall.exe
Analysis ID: 1502261
MD5: 5a5561786e2e4c8c92cad6456fc31c95
SHA1: b7bd1dc72a2a4e2549ed729e941823af7e9caa03
SHA256: 4243144d5f46c335811d13d712cf53070d3add5876395253df7520903551d138
Tags: exe

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Machine Learning detection for dropped file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/store_app/guardservice.exe Avira URL Cloud: Label: malware
Source: https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/ Avira URL Cloud: Label: malware
Source: https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/k Avira URL Cloud: Label: malware
Source: https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/store_app/guardservice.exe1 Avira URL Cloud: Label: malware
Source: https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/store_app/guardservice.exe0 Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\guardservice[1].exe Avira: detection malicious, Label: HEUR/AGEN.1342520
Source: C:\Users\user\Desktop\record_hit.exe Avira: detection malicious, Label: HEUR/AGEN.1342520
Source: www.kenesrakishevinfo.com Virustotal: Detection: 11%
Source: https://www.kenesrakishevinfo.com Virustotal: Detection: 7%
Source: https://www.kenesrakishevinfo.com/ Virustotal: Detection: 7%
Source: https://www.kenesrakishevinfo.com/api/census/RecordHitsuccess://record_hit.exerunas(X Virustotal: Detection: 12%
Source: https://www.kenesrakishevinfo.com/api/census/RecordHit Virustotal: Detection: 13%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\guardservice[1].exe ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\guardservice[1].exe Virustotal: Detection: 63%
Source: C:\Users\user\Desktop\record_hit.exe ReversingLabs: Detection: 58%
Source: C:\Users\user\Desktop\record_hit.exe Virustotal: Detection: 63%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\guardservice[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\record_hit.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 198.185.159.144:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 159.75.57.69:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: WhaleInstall.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_00419AF7 lstrcpyA,FindFirstFileA,GetLastError,SetLastError, 3_2_00419AF7
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_00417689 InternetOpenA,wm_SpaceBin,InternetConnectA,FtpFindFirstFileA,FtpOpenFileA,wm_Open,wm_IsFileExist,wm_Open,wm_Open,wm_SeekToEnd,InternetSetFilePointer,wm_GetTickCount,InternetReadFile,wm_Close,wm_BinLeft,wm_WriteBin,wm_GetTickCount,CallWindowProcA,wm_Close,InternetCloseHandle, 3_2_00417689
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 4x nop then lea rdx, qword ptr [rbp-31h] 0_2_00007FF772B2A3D0
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 4x nop then push rbp 0_2_00007FF772A8B170
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 4x nop then push rbp 0_2_00007FF772AD87D0
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 4x nop then mov rax, qword ptr [rcx+10h] 0_2_00007FF772A86519
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 4x nop then push rbp 0_2_00007FF772A8B630
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 4x nop then sub rsp, 58h 0_2_00007FF772A6DBB0
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 4x nop then push r15 0_2_00007FF772A97B30
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 4x nop then push r15 0_2_00007FF772AA8950
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 4x nop then push rbx 0_2_00007FF772A6DF53
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 4x nop then push rsi 0_2_00007FF772B27D20
Source: Joe Sandbox View IP Address: 198.185.159.144 198.185.159.144
Source: Joe Sandbox View IP Address: 159.75.57.69 159.75.57.69
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A6216A InternetOpenA,InternetOpenA,InternetCrackUrlA,InternetCloseHandle,InternetConnectA,InternetConnectA,InternetCloseHandle,HttpOpenRequestA,InternetCloseHandle,InternetCloseHandle,strlen,HttpSendRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00007FF772A6216A
Source: global traffic HTTP traffic detected:
  GET /store_app/guardservice.exe HTTP/1.1
  User-Agent: UserAgent
  Host: sgz-1302338321.cos.ap-guangzhou.myqcloud.com
  Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: www.kenesrakishevinfo.com
Source: global traffic DNS traffic detected: DNS query: sgz-1302338321.cos.ap-guangzhou.myqcloud.com
Source: unknown HTTP traffic detected:
  POST /api/census/RecordHit HTTP/1.1
  Content-Type: application/x-www-form-urlencoded; charset=utf-8
  Accept: application/json, text/plain, */*
  Accept-Language: en-US,en;q=0.9
  Origin: https://www.kenesrakishevinfo.com
  Referer: https://www.kenesrakishevinfo.com/
  User-Agent: UserAgent
  Host: www.kenesrakishevinfo.com
  Content-Length: 819
  Cache-Control: no-cache
Source: record_hit.exe, record_hit.exe, 00000003.00000000.2036936899.000000000042F000.00000008.00000001.01000000.00000006.sdmp, guardservice[1].exe.0.dr, record_hit.exe.0.dr String found in binary or memory: http://127.0.0.1:8888/test
Source: record_hit.exe, 00000003.00000000.2036936899.000000000042F000.00000008.00000001.01000000.00000006.sdmp, guardservice[1].exe.0.dr, record_hit.exe.0.dr String found in binary or memory: http://127.0.0.1:8888/testtestMozilla/5.0
Source: WhaleInstall.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: WhaleInstall.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: WhaleInstall.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: WhaleInstall.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: WhaleInstall.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: WhaleInstall.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: WhaleInstall.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: WhaleInstall.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: WhaleInstall.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: WhaleInstall.exe String found in binary or memory: http://ocsp.digicert.com0
Source: WhaleInstall.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: WhaleInstall.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: WhaleInstall.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: WhaleInstall.exe String found in binary or memory: http://whale.naver.com0
Source: WhaleInstall.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: record_hit.exe, 00000003.00000002.3249816865.0000000000444000.00000002.00000001.01000000.00000006.sdmp, guardservice[1].exe.0.dr, record_hit.exe.0.dr String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: record_hit.exe, record_hit.exe, 00000003.00000000.2036936899.000000000042F000.00000008.00000001.01000000.00000006.sdmp, guardservice[1].exe.0.dr, record_hit.exe.0.dr String found in binary or memory: https://file.znhds.com.cn/pd/update/Update.exe
Source: record_hit.exe, 00000003.00000000.2036936899.000000000042F000.00000008.00000001.01000000.00000006.sdmp, guardservice[1].exe.0.dr, record_hit.exe.0.dr String found in binary or memory: https://file.znhds.com.cn/pd/update/Update.exeD:
Source: WhaleInstall.exe, 00000000.00000003.2035855940.000002AA26CCD000.00000004.00000020.00020000.00000000.sdmp, WhaleInstall.exe, 00000000.00000002.3249830273.000002AA26CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/
Source: WhaleInstall.exe, 00000000.00000003.2035855940.000002AA26CCD000.00000004.00000020.00020000.00000000.sdmp, WhaleInstall.exe, 00000000.00000002.3249830273.000002AA26CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/k
Source: WhaleInstall.exe, 00000000.00000002.3249989939.000002AA26D16000.00000004.00000020.00020000.00000000.sdmp, WhaleInstall.exe, 00000000.00000003.2035855940.000002AA26C9B000.00000004.00000020.00020000.00000000.sdmp, WhaleInstall.exe, 00000000.00000002.3249830273.000002AA26C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/store_app/guardservice.exe
Source: WhaleInstall.exe, 00000000.00000002.3249830273.000002AA26C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/store_app/guardservice.exe0
Source: WhaleInstall.exe, 00000000.00000003.2035855940.000002AA26C9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/store_app/guardservice.exe1
Source: WhaleInstall.exe String found in binary or memory: https://www.kenesrakishevinfo.com
Source: WhaleInstall.exe String found in binary or memory: https://www.kenesrakishevinfo.com/
Source: WhaleInstall.exe String found in binary or memory: https://www.kenesrakishevinfo.com/api/census/RecordHit
Source: WhaleInstall.exe String found in binary or memory: https://www.kenesrakishevinfo.com/api/census/RecordHitsuccess://record_hit.exerunas(X
Source: WhaleInstall.exe, 00000000.00000002.3249830273.000002AA26C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.kenesrakishevinfo.com/f
Source: WhaleInstall.exe, 00000000.00000002.3249830273.000002AA26C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.kenesrakishevinfo.com/l
Source: WhaleInstall.exe String found in binary or memory: https://www.kenesrakishevinfo.comReferer:
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_00426A84 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 3_2_00426A84
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_00409F47 GetCurrentProcess,OpenProcess,LocalAlloc,NtQueryInformationProcess,LocalFree,CloseHandle, 3_2_00409F47
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_0040AFF1 OpenSCManagerA,wm_BOr,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle, 3_2_0040AFF1
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772AAC340 0_2_00007FF772AAC340
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A65370 0_2_00007FF772A65370
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772AAB430 0_2_00007FF772AAB430
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772AE9490 0_2_00007FF772AE9490
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772AAE210 0_2_00007FF772AAE210
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A932A0 0_2_00007FF772A932A0
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772AAD270 0_2_00007FF772AAD270
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A6C750 0_2_00007FF772A6C750
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A74770 0_2_00007FF772A74770
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A9F8F8 0_2_00007FF772A9F8F8
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A81900 0_2_00007FF772A81900
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A878E0 0_2_00007FF772A878E0
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772AA95D0 0_2_00007FF772AA95D0
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772B0B5C0 0_2_00007FF772B0B5C0
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772AAA520 0_2_00007FF772AAA520
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A73570 0_2_00007FF772A73570
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A946A0 0_2_00007FF772A946A0
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A996E0 0_2_00007FF772A996E0
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A956E0 0_2_00007FF772A956E0
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A6FBD0 0_2_00007FF772A6FBD0
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A97B30 0_2_00007FF772A97B30
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A9DCB0 0_2_00007FF772A9DCB0
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772AA0C38 0_2_00007FF772AA0C38
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A8D9D0 0_2_00007FF772A8D9D0
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A9A960 0_2_00007FF772A9A960
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A9FAC0 0_2_00007FF772A9FAC0
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A8CAB0 0_2_00007FF772A8CAB0
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A9BAA0 0_2_00007FF772A9BAA0
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A78B00 0_2_00007FF772A78B00
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A700C0 0_2_00007FF772A700C0
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A8D080 0_2_00007FF772A8D080
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772AA0E00 0_2_00007FF772AA0E00
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A75F00 0_2_00007FF772A75F00
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A65E50 0_2_00007FF772A65E50
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A7EE60 0_2_00007FF772A7EE60
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_0042229B 3_2_0042229B
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_0041ED64 3_2_0041ED64
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_00425ECE 3_2_00425ECE
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_0041B770 3_2_0041B770
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: String function: 00007FF772A6EB80 appears 33 times
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: String function: 00007FF772B2CDD0 appears 50 times
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: String function: 00007FF772B336D0 appears 86 times
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: String function: 00007FF772B335E0 appears 78 times
Source: C:\Users\user\Desktop\record_hit.exe Code function: String function: 0041BC40 appears 43 times
Source: C:\Users\user\Desktop\record_hit.exe Code function: String function: 0041A652 appears 34 times
Source: WhaleInstall.exe Static PE information: invalid certificate
Source: WhaleInstall.exe Static PE information: Number of sections : 20 > 10
Source: WhaleInstall.exe Binary or memory string: OriginalFilename vs WhaleInstall.exe
Source: WhaleInstall.exe, 00000000.00000000.1999421791.00007FF772B72000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWhaleSetup.exeL vs WhaleInstall.exe
Source: WhaleInstall.exe Binary or memory string: OriginalFilenameWhaleSetup.exeL vs WhaleInstall.exe
Source: classification engine Classification label: mal76.winEXE@4/3@2/2
Source: C:\Users\user\Desktop\record_hit.exe Code function: OpenSCManagerA,wm_BOr,wm_Chr,CreateServiceA,CloseServiceHandle,CloseServiceHandle, 3_2_0040ADF0
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_0040997E CreateToolhelp32Snapshot,Process32First,wm_Str,wm_StrComp,CloseHandle,Process32Next,CloseHandle, 3_2_0040997E
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_004193E0 CoCreateInstance,MultiByteToWideChar, 3_2_004193E0
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_0040C0A9 OpenSCManagerA,OpenServiceA,wm_Chr,wm_Chr,wm_Chr,wm_Chr,wm_Chr,ChangeServiceConfigA,CloseServiceHandle,CloseServiceHandle, 3_2_0040C0A9
Source: C:\Users\user\Desktop\WhaleInstall.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\guardservice[1].exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4788:120:WilError_03
Source: WhaleInstall.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\WhaleInstall.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\WhaleInstall.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\WhaleInstall.exe "C:\Users\user\Desktop\WhaleInstall.exe"
Source: C:\Users\user\Desktop\WhaleInstall.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WhaleInstall.exe Process created: C:\Users\user\Desktop\record_hit.exe "C:\Users\user\Desktop\record_hit.exe"
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\record_hit.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\record_hit.exe Section loaded: odbc32.dll
Source: C:\Users\user\Desktop\record_hit.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\record_hit.exe Section loaded: wmvert.dll
Source: C:\Users\user\Desktop\record_hit.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\WhaleInstall.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: WhaleInstall.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: WhaleInstall.exe Static file information: File size 3441498 > 1048576
Source: WhaleInstall.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A77DE0 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress, 0_2_00007FF772A77DE0
Source: WhaleInstall.exe Static PE information: real checksum: 0x34d876 should be: 0x34a518
Source: guardservice[1].exe.0.dr Static PE information: real checksum: 0x0 should be: 0x58c53
Source: record_hit.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x58c53
Source: WhaleInstall.exe Static PE information: section name: .xdata
Source: WhaleInstall.exe Static PE information: section name: /4
Source: WhaleInstall.exe Static PE information: section name: /19
Source: WhaleInstall.exe Static PE information: section name: /31
Source: WhaleInstall.exe Static PE information: section name: /45
Source: WhaleInstall.exe Static PE information: section name: /57
Source: WhaleInstall.exe Static PE information: section name: /70
Source: WhaleInstall.exe Static PE information: section name: /81
Source: WhaleInstall.exe Static PE information: section name: /97
Source: WhaleInstall.exe Static PE information: section name: /113
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_0041BC40 push eax; ret 3_2_0041BC5E
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_0041AC90 push eax; ret 3_2_0041ACBE
Source: C:\Users\user\Desktop\WhaleInstall.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\guardservice[1].exe
Source: C:\Users\user\Desktop\WhaleInstall.exe File created: C:\Users\user\Desktop\record_hit.exe
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_0040B163 OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, 3_2_0040B163
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_0041A199 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_0041A199
Source: C:\Users\user\Desktop\WhaleInstall.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\WhaleInstall.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\WhaleInstall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\record_hit.exe Code function: wm_ZeroAry,OpenSCManagerA,EnumServicesStatusA,GetProcessHeap,HeapAlloc,EnumServicesStatusA,wm_pbin,RtlMoveMemory,wm_pstr,wm_pstr,OpenServiceA,QueryServiceConfigA,GetProcessHeap,HeapAlloc,QueryServiceConfigA,RtlMoveMemory,wm_UCase,wm_UCase,wm_InStr,wm_UCase,wm_InStr,wm_UCase,wm_InStr,GetProcessHeap,HeapFree,CloseServiceHandle,wm_DoEvents,GetProcessHeap,HeapFree,CloseServiceHandle, 3_2_0040C827
Source: C:\Users\user\Desktop\record_hit.exe Code function: wm_ZeroAry,OpenSCManagerA,wm_Chr,EnumServicesStatusExA,GlobalAlloc,wm_Chr,EnumServicesStatusExA,wm_pbin,RtlMoveMemory,wm_pstr,wm_pstr,wm_pstr,OpenServiceA,QueryServiceConfigA,GlobalAlloc,QueryServiceConfigA,RtlMoveMemory,wm_pstr,wm_pstr,wm_pstr,wm_UCase,wm_UCase,wm_InStr,wm_UCase,wm_InStr,wm_UCase,wm_InStr,GlobalFree,CloseServiceHandle,GlobalFree,CloseServiceHandle, 3_2_0040E292
Source: C:\Users\user\Desktop\record_hit.exe Code function: OpenSCManagerA,EnumServicesStatusA,GlobalAlloc,EnumServicesStatusA,GlobalFree,CloseServiceHandle, 3_2_0040DBE8
Source: C:\Users\user\Desktop\WhaleInstall.exe API coverage: 2.8 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: WhaleInstall.exe, 00000000.00000002.3249830273.000002AA26C08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: WhaleInstall.exe, 00000000.00000002.3249830273.000002AA26C55000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWQ
Source: WhaleInstall.exe, 00000000.00000002.3249830273.000002AA26C8C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A7CDC0 free,IsDebuggerPresent,RaiseException, 0_2_00007FF772A7CDC0
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_0040C827 wm_ZeroAry,OpenSCManagerA,EnumServicesStatusA,GetProcessHeap,HeapAlloc,EnumServicesStatusA,wm_pbin,RtlMoveMemory,wm_pstr,wm_pstr,OpenServiceA,QueryServiceConfigA,GetProcessHeap,HeapAlloc,QueryServiceConfigA,RtlMoveMemory,wm_UCase,wm_UCase,wm_InStr,wm_UCase,wm_InStr,wm_UCase,wm_InStr,GetProcessHeap,HeapFree,CloseServiceHandle,wm_DoEvents,GetProcessHeap,HeapFree,CloseServiceHandle, 3_2_0040C827
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A61180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm, 0_2_00007FF772A61180
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772B6E710 SetUnhandledExceptionFilter, 0_2_00007FF772B6E710
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A78639 SetUnhandledExceptionFilter, 0_2_00007FF772A78639
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_00420106 SetUnhandledExceptionFilter, 3_2_00420106
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_00420118 SetUnhandledExceptionFilter, 3_2_00420118
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A62793 ShellExecuteExW,ShellExecuteExW,WaitForSingleObject,CloseHandle, 0_2_00007FF772A62793
Source: C:\Users\user\Desktop\WhaleInstall.exe Code function: 0_2_00007FF772A7D3B0 GetSystemTimeAsFileTime,QueryPerformanceFrequency,GetSystemTimeAdjustment,_errno, 0_2_00007FF772A7D3B0
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_004209A2 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,strlen, 3_2_004209A2
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_0041D8BD GetVersionExA,GetEnvironmentVariableA,GetModuleFileNameA, 3_2_0041D8BD
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_00415040 wm_BinLen,wm_SpaceBin,sprintf,wm_GetBinData, 3_2_00415040
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_004121F8 wm_BinLen,SQLBindParameter, 3_2_004121F8
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_004032F1 wm_GetBinData, 3_2_004032F1
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_0040A363 OpenSCManagerA,OpenServiceA,QueryServiceConfigA,GlobalAlloc,QueryServiceConfigA,wm_pbin,wm_GetBinData,GlobalFree,CloseServiceHandle,CloseServiceHandle, 3_2_0040A363
Source: C:\Users\user\Desktop\record_hit.exe Code function: 3_2_00411605 SQLAllocHandle,SQLPrepare,SQLFreeHandle,wm_BinLen,SQLBindParameter,wm_BinLen,SQLBindParameter,wm_BinLen,SQLBindParameter,wm_BinLen,SQLBindParameter,wm_BinLen,SQLBindParameter,SQLExecute,SQLRowCount,SQLFreeHandle, 3_2_00411605