Windows Analysis Report
Stub.exe

Overview

General Information

Sample name: Stub.exe
Analysis ID: 1502472
MD5: e50e5c919322ad54bd5ed6eefba01619
SHA1: 988a6155484ea1e07883a1dd97ff1d97083adc5a
SHA256: e4384cce1f9ea5e5c1e2fdb0af7ed8f25724c2618e462ae9fced298c24d7b095
Tags: asyncrat, exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Stub.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\gang.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\gang.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\gang.exe Virustotal: Detection: 59%
Source: Stub.exe Virustotal: Detection: 59%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\gang.exe Joe Sandbox ML: detected
Source: Stub.exe Joe Sandbox ML: detected
Source: Stub.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Stub.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Yara match File source: Stub.exe, type: SAMPLE
Source: Yara match File source: 0.0.Stub.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Stub.exe.2d03200.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Roaming\gang.exe, type: DROPPED
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 147.185.221.22:26706
Source: Joe Sandbox View IP Address: 147.185.221.22
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: com-distinct.gl.at.ply.gg
Source: Stub.exe, 00000000.00000002.2035564774.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, gang.exe, 00000008.00000002.3218004845.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Operating System Destruction

Source: C:\Users\user\Desktop\Stub.exe Process information set: 00 00 00 00
Source: C:\Users\user\AppData\Roaming\gang.exe Process information set: 01 00 00 00
Source: C:\Users\user\AppData\Roaming\gang.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Stub.exe Code function: 0_2_01080774 NtQueryInformationProcess, 0_2_01080774
Source: C:\Users\user\Desktop\Stub.exe Code function: 0_2_010807C4 NtQueryInformationProcess, 0_2_010807C4
Source: C:\Users\user\Desktop\Stub.exe Code function: 0_2_01081792 NtQueryInformationProcess, 0_2_01081792
Source: C:\Users\user\Desktop\Stub.exe Code function: 0_2_010807AA NtQueryInformationProcess, 0_2_010807AA
Source: C:\Users\user\Desktop\Stub.exe Code function: 0_2_010823C0 NtQueryInformationProcess, 0_2_010823C0
Source: C:\Users\user\AppData\Roaming\gang.exe Code function: 8_2_01220774 NtQueryInformationProcess, 8_2_01220774
Source: C:\Users\user\AppData\Roaming\gang.exe Code function: 8_2_012223C8 NtQueryInformationProcess, 8_2_012223C8
Source: C:\Users\user\AppData\Roaming\gang.exe Code function: 8_2_01221791 NtQueryInformationProcess, 8_2_01221791
Source: C:\Users\user\AppData\Roaming\gang.exe Code function: 8_2_012223C0 NtQueryInformationProcess, 8_2_012223C0
Source: C:\Users\user\AppData\Roaming\gang.exe Code function: 9_2_028107C4 NtQueryInformationProcess, 9_2_028107C4
Source: C:\Users\user\AppData\Roaming\gang.exe Code function: 9_2_02810774 NtQueryInformationProcess, 9_2_02810774
Source: C:\Users\user\AppData\Roaming\gang.exe Code function: 9_2_02811797 NtQueryInformationProcess, 9_2_02811797
Source: C:\Users\user\AppData\Roaming\gang.exe Code function: 9_2_02811D4F NtQueryInformationProcess, 9_2_02811D4F
Source: C:\Users\user\Desktop\Stub.exe Code function: 0_2_010869A8 0_2_010869A8
Source: C:\Users\user\Desktop\Stub.exe Code function: 0_2_01081848 0_2_01081848
Source: C:\Users\user\Desktop\Stub.exe Code function: 0_2_01087278 0_2_01087278
Source: C:\Users\user\Desktop\Stub.exe Code function: 0_2_01086660 0_2_01086660
Source: C:\Users\user\AppData\Roaming\gang.exe Code function: 8_2_012269A8 8_2_012269A8
Source: C:\Users\user\AppData\Roaming\gang.exe Code function: 8_2_01227278 8_2_01227278
Source: C:\Users\user\AppData\Roaming\gang.exe Code function: 8_2_01226660 8_2_01226660
Source: Stub.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Stub.exe, OqYABVnrsXllVHT.cs Base64 encoded string: 'hCEGbre2T4CPo6tDQACWvyyw/2eLU2RmBA9qY3604i2IwuQB6y8pObjjxqJlysTQ1xxyrkmh/Td9R1jo3RAHVA==', 'NctAcy+9RoxPV8Hi1VUTEIboudoFizF6na+O+wGnbguyDaMPJRJL3tqCn7CM1WSvIUkBVr+W7rPH5f3ruSvqpA==', 'MrXZdogAHRvOg644WSQ1NehkZqueuRRzrvnToASlAqqiZH6amCsacgJS4kHTreI/DbNWCnNERXfOIM4Dipr+X9nBKGGc6l/NABWyAgY4RVw=', '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', 'N6zOgxxNBXmwL0pQ+cmzGligw/7/Ma56DsC1ym0USeVA2yAcK23ryrXjcDHVdQS9l/RPi132zU/hc4pD1p89Nk9dCiIYXPnuHAXj8ZHay3Y106Zm3u9b77ddQAH2NepQaIuybvu6qKuBKS2c0213Go07L29rlXCPGVeTuoCS5hHwz4rL3ReMI5jkbX1MbUKDj3mPdLZTPja7J6AwPXRdthdBfYBg/1EoPBCDEyn846HG8LV5h7cjkJBHaHSBXPY6530fwbaJP+AywmkIGfTd12bQZXeqAZksyBPTKjALw2kgML22pXrIj8U3WrkkKanNIsdsIT5ol77
Source: gang.exe.0.dr, OqYABVnrsXllVHT.cs Base64 encoded string: 'hCEGbre2T4CPo6tDQACWvyyw/2eLU2RmBA9qY3604i2IwuQB6y8pObjjxqJlysTQ1xxyrkmh/Td9R1jo3RAHVA==', 'NctAcy+9RoxPV8Hi1VUTEIboudoFizF6na+O+wGnbguyDaMPJRJL3tqCn7CM1WSvIUkBVr+W7rPH5f3ruSvqpA==', 'MrXZdogAHRvOg644WSQ1NehkZqueuRRzrvnToASlAqqiZH6amCsacgJS4kHTreI/DbNWCnNERXfOIM4Dipr+X9nBKGGc6l/NABWyAgY4RVw=', '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', 'N6zOgxxNBXmwL0pQ+cmzGligw/7/Ma56DsC1ym0USeVA2yAcK23ryrXjcDHVdQS9l/RPi132zU/hc4pD1p89Nk9dCiIYXPnuHAXj8ZHay3Y106Zm3u9b77ddQAH2NepQaIuybvu6qKuBKS2c0213Go07L29rlXCPGVeTuoCS5hHwz4rL3ReMI5jkbX1MbUKDj3mPdLZTPja7J6AwPXRdthdBfYBg/1EoPBCDEyn846HG8LV5h7cjkJBHaHSBXPY6530fwbaJP+AywmkIGfTd12bQZXeqAZksyBPTKjALw2kgML22pXrIj8U3WrkkKanNIsdsIT5ol77
Source: 0.2.Stub.exe.2d03200.0.raw.unpack, OqYABVnrsXllVHT.cs Base64 encoded string: 'hCEGbre2T4CPo6tDQACWvyyw/2eLU2RmBA9qY3604i2IwuQB6y8pObjjxqJlysTQ1xxyrkmh/Td9R1jo3RAHVA==', 'NctAcy+9RoxPV8Hi1VUTEIboudoFizF6na+O+wGnbguyDaMPJRJL3tqCn7CM1WSvIUkBVr+W7rPH5f3ruSvqpA==', 'MrXZdogAHRvOg644WSQ1NehkZqueuRRzrvnToASlAqqiZH6amCsacgJS4kHTreI/DbNWCnNERXfOIM4Dipr+X9nBKGGc6l/NABWyAgY4RVw=', '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', 'N6zOgxxNBXmwL0pQ+cmzGligw/7/Ma56DsC1ym0USeVA2yAcK23ryrXjcDHVdQS9l/RPi132zU/hc4pD1p89Nk9dCiIYXPnuHAXj8ZHay3Y106Zm3u9b77ddQAH2NepQaIuybvu6qKuBKS2c0213Go07L29rlXCPGVeTuoCS5hHwz4rL3ReMI5jkbX1MbUKDj3mPdLZTPja7J6AwPXRdthdBfYBg/1EoPBCDEyn846HG8LV5h7cjkJBHaHSBXPY6530fwbaJP+AywmkIGfTd12bQZXeqAZksyBPTKjALw2kgML22pXrIj8U3WrkkKanNIsdsIT5ol77
Source: gang.exe.0.dr, dfHxNbZDwC.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: gang.exe.0.dr, dfHxNbZDwC.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Stub.exe.2d03200.0.raw.unpack, dfHxNbZDwC.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Stub.exe.2d03200.0.raw.unpack, dfHxNbZDwC.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Stub.exe, dfHxNbZDwC.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Stub.exe, dfHxNbZDwC.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@15/5@1/1
Source: C:\Users\user\Desktop\Stub.exe File created: C:\Users\user\AppData\Roaming\gang.exe
Source: C:\Users\user\AppData\Roaming\gang.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2764:120:WilError_03
Source: C:\Users\user\AppData\Roaming\gang.exe Mutant created: \Sessions\1\BaseNamedObjects\SuperBoo_mtex_920393
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4352:120:WilError_03
Source: C:\Users\user\Desktop\Stub.exe File created: C:\Users\user\AppData\Local\Temp\tmpAD4A.tmp
Source: C:\Users\user\Desktop\Stub.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpAD4A.tmp.bat""
Source: Stub.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Stub.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Stub.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Stub.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Stub.exe Virustotal: Detection: 59%
Source: C:\Users\user\Desktop\Stub.exe File read: C:\Users\user\Desktop\Stub.exe
Source: unknown Process created: C:\Users\user\Desktop\Stub.exe "C:\Users\user\Desktop\Stub.exe"
Source: C:\Users\user\Desktop\Stub.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Stub.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpAD4A.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown Process created: C:\Users\user\AppData\Roaming\gang.exe C:\Users\user\AppData\Roaming\gang.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\gang.exe "C:\Users\user\AppData\Roaming\gang.exe"
Source: C:\Users\user\Desktop\Stub.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Stub.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Stub.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Stub.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Stub.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Stub.exe, uooxPsfrCkDz.cs .Net Code: eMGTwYJKwJLOb
Source: gang.exe.0.dr, uooxPsfrCkDz.cs .Net Code: eMGTwYJKwJLOb
Source: 0.2.Stub.exe.2d03200.0.raw.unpack, uooxPsfrCkDz.cs .Net Code: eMGTwYJKwJLOb
Source: C:\Users\user\AppData\Roaming\gang.exe Code function: 9_2_02811AE0 push edx; retf 9_2_02811AEE
Source: C:\Users\user\AppData\Roaming\gang.exe Code function: 9_2_02810812 push ecx; retf 9_2_02810813
Source: C:\Users\user\AppData\Roaming\gang.exe Code function: 9_2_0281081D push ecx; retf 9_2_0281081F
Source: C:\Users\user\AppData\Roaming\gang.exe Code function: 9_2_02810844 push esp; retf 9_2_02810846
Source: C:\Users\user\AppData\Roaming\gang.exe Code function: 9_2_02811848 push ecx; retf 9_2_02811856
Source: C:\Users\user\AppData\Roaming\gang.exe Code function: 9_2_02813D5D push esp; retf 9_2_02813D6E
Source: Stub.exe, DplwvdqGVLVF.cs High entropy of concatenated method names: 'NtQueryInformationProcess', 'GetParentProcess', 'GetParentProcess', 'GetParentProcess', 'GpdnDjALeJzNDZzDUhLZTFPvCjUrYSLSCSYoKpasUgwcIOBAnJeNaKgazHLtojNlYGkKakSEgsfMiNMOIudoOXRRMXOdEHdLskecDQzcRzHIFtSMUWLUfzxbOsYcwPZzouuXIKlRUaxopjmsfciIVjFTNcnkSwGbzitkZVdkKTZfbiLFgGXtGrDePAjGwbZxtvOhPctjYYXbjzREqIemzmuhEovyLwNJUCLGuDPemNvIuBVpJFpOXNYhaHDBGUyBlnhHOlkMTZZLRMNctgPfhYMhDEFManxspTwhuoBxvCUXNnpnUAhAfsumBZdjFxMFCHwYpFIfErKEdOtqorSAgXmWykFvkrSXQpvgRrYoRcVOIQiMFMVoEmzEuzzfanUnyMNOtmzXtEIdcyoIbSPywDtEQQMrSSnEiHpVcutsmXUZEwCWlQdhxwRVtjYCAi', 'GetParentProcess', 'CloseHandle', 'IsDebuggerPresent', 'OutputDebugString', 'Worker'
Source: Stub.exe, RvjpCZIkLLBwzlL.cs High entropy of concatenated method names: 'GLKpWNWDtTH', 'fczTPxGOAlKyGuu', 'aTPvtgkXZAx', 'HUZTyyIWnrhKCt', 'KUnRicCAGxWOC', 'JkjvQGlpiGztB', 'xKHXggCvIbuO', 'CygWsQLLyKZVNx', 'TiSILyePgsS', 'PpsPlKYiSrEI'
Source: gang.exe.0.dr, DplwvdqGVLVF.cs High entropy of concatenated method names: 'NtQueryInformationProcess', 'GetParentProcess', 'GetParentProcess', 'GetParentProcess', 'GpdnDjALeJzNDZzDUhLZTFPvCjUrYSLSCSYoKpasUgwcIOBAnJeNaKgazHLtojNlYGkKakSEgsfMiNMOIudoOXRRMXOdEHdLskecDQzcRzHIFtSMUWLUfzxbOsYcwPZzouuXIKlRUaxopjmsfciIVjFTNcnkSwGbzitkZVdkKTZfbiLFgGXtGrDePAjGwbZxtvOhPctjYYXbjzREqIemzmuhEovyLwNJUCLGuDPemNvIuBVpJFpOXNYhaHDBGUyBlnhHOlkMTZZLRMNctgPfhYMhDEFManxspTwhuoBxvCUXNnpnUAhAfsumBZdjFxMFCHwYpFIfErKEdOtqorSAgXmWykFvkrSXQpvgRrYoRcVOIQiMFMVoEmzEuzzfanUnyMNOtmzXtEIdcyoIbSPywDtEQQMrSSnEiHpVcutsmXUZEwCWlQdhxwRVtjYCAi', 'GetParentProcess', 'CloseHandle', 'IsDebuggerPresent', 'OutputDebugString', 'Worker'
Source: gang.exe.0.dr, RvjpCZIkLLBwzlL.cs High entropy of concatenated method names: 'GLKpWNWDtTH', 'fczTPxGOAlKyGuu', 'aTPvtgkXZAx', 'HUZTyyIWnrhKCt', 'KUnRicCAGxWOC', 'JkjvQGlpiGztB', 'xKHXggCvIbuO', 'CygWsQLLyKZVNx', 'TiSILyePgsS', 'PpsPlKYiSrEI'
Source: 0.2.Stub.exe.2d03200.0.raw.unpack, DplwvdqGVLVF.cs High entropy of concatenated method names: 'NtQueryInformationProcess', 'GetParentProcess', 'GetParentProcess', 'GetParentProcess', 'GpdnDjALeJzNDZzDUhLZTFPvCjUrYSLSCSYoKpasUgwcIOBAnJeNaKgazHLtojNlYGkKakSEgsfMiNMOIudoOXRRMXOdEHdLskecDQzcRzHIFtSMUWLUfzxbOsYcwPZzouuXIKlRUaxopjmsfciIVjFTNcnkSwGbzitkZVdkKTZfbiLFgGXtGrDePAjGwbZxtvOhPctjYYXbjzREqIemzmuhEovyLwNJUCLGuDPemNvIuBVpJFpOXNYhaHDBGUyBlnhHOlkMTZZLRMNctgPfhYMhDEFManxspTwhuoBxvCUXNnpnUAhAfsumBZdjFxMFCHwYpFIfErKEdOtqorSAgXmWykFvkrSXQpvgRrYoRcVOIQiMFMVoEmzEuzzfanUnyMNOtmzXtEIdcyoIbSPywDtEQQMrSSnEiHpVcutsmXUZEwCWlQdhxwRVtjYCAi', 'GetParentProcess', 'CloseHandle', 'IsDebuggerPresent', 'OutputDebugString', 'Worker'
Source: 0.2.Stub.exe.2d03200.0.raw.unpack, RvjpCZIkLLBwzlL.cs High entropy of concatenated method names: 'GLKpWNWDtTH', 'fczTPxGOAlKyGuu', 'aTPvtgkXZAx', 'HUZTyyIWnrhKCt', 'KUnRicCAGxWOC', 'JkjvQGlpiGztB', 'xKHXggCvIbuO', 'CygWsQLLyKZVNx', 'TiSILyePgsS', 'PpsPlKYiSrEI'
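The two "High entropy of concatenated method names" hits above are a static check: a .NET renamer has replaced the original identifiers with random-case letter strings, while the P/Invoke wrappers the RAT needs (NtQueryInformationProcess, IsDebuggerPresent, OutputDebugString) keep their readable names. The following is an added example of how such a heuristic can be implemented, not Joe Sandbox's own logic and not code from the sample. The name lists are the ones printed in this report for RvjpCZIkLLBwzlL.cs and DplwvdqGVLVF.cs (the one very long generated name is left out of the readable list); the two thresholds and the uppercase-run test are assumptions.

```python
"""Static heuristic for machine-generated .NET method names.

Added example of the idea behind 'High entropy of concatenated method
names'; not Joe Sandbox's implementation. Thresholds are assumptions.
"""
import math
from collections import Counter

# Method names exactly as the report prints them for RvjpCZIkLLBwzlL.cs
OBFUSCATED = ['GLKpWNWDtTH', 'fczTPxGOAlKyGuu', 'aTPvtgkXZAx', 'HUZTyyIWnrhKCt',
              'KUnRicCAGxWOC', 'JkjvQGlpiGztB', 'xKHXggCvIbuO', 'CygWsQLLyKZVNx',
              'TiSILyePgsS', 'PpsPlKYiSrEI']
# Readable names the report lists for DplwvdqGVLVF.cs (control group;
# its ~600-character generated name is omitted here)
READABLE = ['NtQueryInformationProcess', 'GetParentProcess', 'CloseHandle',
            'IsDebuggerPresent', 'OutputDebugString', 'Worker']

ENTROPY_THRESHOLD = 4.8         # bits per character over the joined names (assumption)
GENERATED_SHARE_THRESHOLD = 0.5  # fraction of names that look generated (assumption)


def shannon_entropy(text):
    """Shannon entropy, in bits per character, of the characters of `text`."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def max_upper_run(name):
    """Length of the longest run of consecutive uppercase letters."""
    best = run = 0
    for ch in name:
        run = run + 1 if ch.isupper() else 0
        best = max(best, run)
    return best


def looks_generated(name):
    """camelCase/PascalCase identifiers have uppercase runs of length 1
    (acronyms like 'HTTP' aside); random-case renamers routinely emit
    runs of three or more. The per-class share threshold below absorbs
    the occasional acronym in legitimate code."""
    return max_upper_run(name) >= 3


def score_names(names):
    """Return entropy, share of generated-looking names, and the verdict."""
    joined = "".join(names)
    share = sum(looks_generated(n) for n in names) / len(names)
    ent = shannon_entropy(joined)
    return {
        "entropy": ent,
        "generated_share": share,
        "obfuscated": ent > ENTROPY_THRESHOLD or share >= GENERATED_SHARE_THRESHOLD,
    }


if __name__ == "__main__":
    for label, names in (("RvjpCZIkLLBwzlL.cs", OBFUSCATED), ("DplwvdqGVLVF.cs", READABLE)):
        print(label, score_names(names))
```

Entropy alone separates these two lists, but it is a weak signal on small classes and on code that simply uses long descriptive names; the uppercase-run share is what makes the verdict robust for the ten-name class here, where eight of ten names trip it and none of the readable wrappers do. Either way this is a triage signal for a .NET sample, not evidence of maliciousness on its own, since commercial obfuscators produce the same pattern.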
Source: C:\Users\user\Desktop\Stub.exe File created: C:\Users\user\AppData\Roaming\gang.exe

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"'
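The process chain recorded in this report (Stub.exe spawning cmd.exe for the schtasks install and for tmpAD4A.tmp.bat, timeout 3, then gang.exe from AppData\Roaming) plus the beacon in the Networking section (DNS for com-distinct.gl.at.ply.gg, then TCP to 147.185.221.22:26706) is what a detection engineer would turn into rules. The following is an added example, not part of the Joe Sandbox report and not code from the sample: a Python detection pass over constructed Sysmon-style events that replay those command lines and indicators. The PIDs, the two benign control events and the rule names are assumptions; the *.ply.gg suffix (a playit.gg reverse-tunnel endpoint) is used as a stand-in for whatever tunnel-provider list you maintain.

```python
"""Detection pass over constructed Sysmon-style events that replay the
behaviour in this report. Added example: not Joe Sandbox output and not
code from Stub.exe/gang.exe. PIDs and benign control events are made up.
"""
import re
from dataclasses import dataclass

# Paths a non-admin user can write to; a scheduled task or socket-opening
# binary living here is worth a look.
USER_WRITABLE = re.compile(
    r"(\\AppData\\|\\Temp\\|\\Users\\Public\\|%APPDATA%|%LOCALAPPDATA%|%TEMP%)",
    re.IGNORECASE,
)
# /tr value as schtasks accepts it: bare, "quoted" or '"double-quoted"'.
TASK_RUN = re.compile(r"""/tr\s+['"]*([^'"]+)""", re.IGNORECASE)
TEMP_BAT = re.compile(r"""\\Temp\\[^"']+\.bat""", re.IGNORECASE)
TUNNEL_SUFFIXES = (".ply.gg",)   # assumption: tunnel providers to flag
# Ports where fresh outbound connections are expected; anything else is
# "non-standard" for the AppData rule below.
EXPECTED_PORTS = {22, 25, 53, 80, 135, 139, 443, 445, 587, 993, 995, 8080, 8443}


@dataclass
class Event:
    eid: int          # Sysmon IDs: 1 process create, 3 network, 22 DNS
    image: str
    pid: int
    cmdline: str = ""
    parent: str = ""
    query: str = ""
    dst_ip: str = ""
    dst_port: int = 0


def schtasks_from_user_writable(ev):
    """schtasks /create whose action runs a binary from a user-writable path."""
    if ev.eid != 1 or not ev.image.lower().endswith("schtasks.exe"):
        return None
    cmd = ev.cmdline.lower()
    if "/create" not in cmd:
        return None
    m = TASK_RUN.search(ev.cmdline)
    if not m or not USER_WRITABLE.search(m.group(1)):
        return None
    # on-logon trigger with highest run level is the install seen in this report
    sev = "high" if "/sc onlogon" in cmd and "/rl highest" in cmd else "medium"
    return "schtasks_from_user_writable", sev


def cmd_runs_temp_bat(ev):
    """cmd.exe /c <...>\\Temp\\*.bat, the dropper's relaunch stage."""
    if ev.eid == 1 and ev.image.lower().endswith("cmd.exe") and TEMP_BAT.search(ev.cmdline):
        return "cmd_runs_temp_bat", "medium"
    return None


def appdata_binary_nonstandard_port(ev):
    """Binary under a user-writable folder connecting to an unusual port."""
    if ev.eid == 3 and USER_WRITABLE.search(ev.image) and ev.dst_port not in EXPECTED_PORTS:
        return "appdata_binary_nonstandard_port", "high"
    return None


def dns_to_tunnel_service(ev):
    """DNS lookup for a reverse-tunnel provider domain."""
    if ev.eid == 22 and ev.query.lower().endswith(TUNNEL_SUFFIXES):
        return "dns_to_tunnel_service", "medium"
    return None


RULES = (schtasks_from_user_writable, cmd_runs_temp_bat,
         appdata_binary_nonstandard_port, dns_to_tunnel_service)


def run_detections(events):
    """One finding per (rule, event) hit, in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append({"rule": hit[0], "severity": hit[1],
                                 "pid": ev.pid, "image": ev.image})
    return findings


GANG = r"C:\Users\user\AppData\Roaming\gang.exe"
STUB = r"C:\Users\user\Desktop\Stub.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
# Constructed events; command lines copied from this report, PIDs invented.
SAMPLE_EVENTS = [
    Event(1, CMD, 2760, parent=STUB, cmdline='"C:\\Windows\\System32\\cmd.exe" /c schtasks '
          '/create /f /sc onlogon /rl highest /tn "gang" /tr \'"' + GANG + '"\' & exit'),
    Event(1, r"C:\Windows\SysWOW64\schtasks.exe", 2788, parent=CMD,
          cmdline='schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr \'"' + GANG + '"\''),
    Event(1, CMD, 2812, parent=STUB,
          cmdline=r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpAD4A.tmp.bat""'),
    Event(1, r"C:\Windows\SysWOW64\timeout.exe", 2840, parent=CMD, cmdline="timeout 3"),
    Event(1, GANG, 2900, parent=CMD, cmdline='"' + GANG + '"'),
    Event(22, GANG, 2900, query="com-distinct.gl.at.ply.gg"),
    Event(3, GANG, 2900, dst_ip="147.185.221.22", dst_port=26706),
    # benign controls (constructed): an installer's daily task and a browser on 443
    Event(1, r"C:\Windows\System32\schtasks.exe", 4100, parent=r"C:\Windows\System32\msiexec.exe",
          cmdline='schtasks /create /sc daily /tn "VendorUpdate" /tr "C:\\Program Files\\Vendor\\update.exe"'),
    Event(3, r"C:\Program Files\Browser\browser.exe", 4200, dst_ip="203.0.113.10", dst_port=443),
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['rule']:32} pid={f['pid']} {f['image']}")
```

The schtasks rule keys on the /tr target rather than on the task name, because the name ("gang" here) is operator-chosen and changes per build, while an on-logon task at the highest run level whose binary sits under AppData\Roaming is rare in legitimate software; Sigma's "Suspicious Schtasks From Env Var Folder" rule, which fired on this sample, works from the same idea. The /rl highest flag also matters for triage: on this sandbox it succeeded, so gang.exe comes back with an elevated token at every logon, which is why the dropped file, not Stub.exe, is the artefact to hunt for on other hosts.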
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Stub.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\gang.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\gang.exe Section loaded: OutputDebugStringW count: 1954
Source: Stub.exe, 00000000.00000002.2035564774.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, gang.exe, 00000008.00000002.3218004845.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Stub.exe Memory allocated: 1080000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Stub.exe Memory allocated: 2BA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Stub.exe Memory allocated: 2A90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gang.exe Memory allocated: 1220000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gang.exe Memory allocated: 2ED0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gang.exe Memory allocated: 4ED0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gang.exe Memory allocated: E50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gang.exe Memory allocated: 29B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gang.exe Memory allocated: 2770000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Stub.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\gang.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\gang.exe Window / User API: threadDelayed 4483
Source: C:\Users\user\AppData\Roaming\gang.exe Window / User API: threadDelayed 4607
Source: C:\Users\user\AppData\Roaming\gang.exe Window / User API: threadDelayed 427
Source: C:\Users\user\Desktop\Stub.exe TID: 4984 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\gang.exe TID: 5768 Thread sleep time: -4483000s >= -30000s
Source: C:\Users\user\AppData\Roaming\gang.exe TID: 5756 Thread sleep time: -4607000s >= -30000s
Source: C:\Users\user\AppData\Roaming\gang.exe TID: 6304 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Stub.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\gang.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Stub.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\gang.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Stub.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\gang.exe Thread delayed: delay time: 922337203685477
Source: gang.exe, 00000008.00000002.3218004845.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: gang.exe, 00000008.00000002.3221641595.0000000005A7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Stub.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\Stub.exe Code function: 0_2_010878B0 CheckRemoteDebuggerPresent, 0_2_010878B0
Source: C:\Users\user\Desktop\Stub.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\gang.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Stub.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\gang.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Stub.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Stub.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"' & exit
Source: C:\Users\user\Desktop\Stub.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpAD4A.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "gang" /tr '"C:\Users\user\AppData\Roaming\gang.exe"'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\gang.exe "C:\Users\user\AppData\Roaming\gang.exe"
Source: C:\Users\user\Desktop\Stub.exe Queries volume information: C:\Users\user\Desktop\Stub.exe VolumeInformation
Source: C:\Users\user\Desktop\Stub.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\gang.exe Queries volume information: C:\Users\user\AppData\Roaming\gang.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\gang.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gang.exe Queries volume information: C:\Users\user\AppData\Roaming\gang.exe VolumeInformation
Source: C:\Users\user\Desktop\Stub.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid