Source: Yara match |
File source: 00000000.00000002.2081149639.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.4466199974.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: eFvQTTtxej.exe PID: 5812, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: Client.exe PID: 2616, type: MEMORYSTR |
Source: Network traffic |
Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49704 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49704 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2025136 - Severity 1 - ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin : 192.168.2.5:49704 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.5:49704 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49712 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49712 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2025136 - Severity 1 - ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin : 192.168.2.5:49712 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.5:49712 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49713 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49710 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49710 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2025136 - Severity 1 - ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin : 192.168.2.5:49710 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49713 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.5:49710 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2025136 - Severity 1 - ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin : 192.168.2.5:49713 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49714 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49714 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2025136 - Severity 1 - ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin : 192.168.2.5:49714 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49715 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49715 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2025136 - Severity 1 - ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin : 192.168.2.5:49715 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49716 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49716 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2025136 - Severity 1 - ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin : 192.168.2.5:49716 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.5:49716 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49717 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49717 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2025136 - Severity 1 - ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin : 192.168.2.5:49717 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49718 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49718 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2025136 - Severity 1 - ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin : 192.168.2.5:49718 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49719 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49719 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2025136 - Severity 1 - ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin : 192.168.2.5:49719 -> 147.185.221.22:57731 |
Source: Network traffic |
Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.5:49719 -> 147.185.221.22:57731 |
Source: Client.exe, 00000002.00000002.4465435000.0000000000A81000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://go.microsoft. |
Source: Client.exe, 00000002.00000002.4465435000.0000000000A81000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://go.microsoft.LinkId=42127 |
Source: eFvQTTtxej.exe, 00000000.00000002.2081149639.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000002.00000002.4466199974.0000000002C01000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.youtube.com/watch?v=Ji9IwPId5UkPThis |
Source: 00000000.00000002.2081149639.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: 00000000.00000002.2081149639.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000000.00000002.2081149639.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group |
Source: 00000002.00000002.4466199974.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: 00000002.00000002.4466199974.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000002.00000002.4466199974.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000002.2081149639.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 |
Source: 00000000.00000002.2081149639.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000000.00000002.2081149639.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan |
Source: 00000002.00000002.4466199974.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 |
Source: 00000002.00000002.4466199974.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000002.00000002.4466199974.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan |
Source: eFvQTTtxej.exe, EFLjYhk2nbESXG6TnU.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: Client.exe.0.dr, EFLjYhk2nbESXG6TnU.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 0.2.eFvQTTtxej.exe.3d60610.0.raw.unpack, EFLjYhk2nbESXG6TnU.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: propsys.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: edputil.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: urlmon.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: iertutil.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: windows.staterepositoryps.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: appresolver.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: bcp47langs.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: slc.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: sppc.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: onecorecommonproxystub.dll |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: version.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: rasadhlp.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: wbemcomn.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: shfolder.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: avicap32.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: msvfw32.dll |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Section loaded: winmm.dll |
Source: eFvQTTtxej.exe, EFLjYhk2nbESXG6TnU.cs |
.Net Code: Type.GetTypeFromHandle(M1cke3sM7T8Ac7yv7f.NEbFY5SXtUlDe(16777277)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(M1cke3sM7T8Ac7yv7f.NEbFY5SXtUlDe(16777255)),Type.GetTypeFromHandle(M1cke3sM7T8Ac7yv7f.NEbFY5SXtUlDe(16777250))}) |
Source: Client.exe.0.dr, EFLjYhk2nbESXG6TnU.cs |
.Net Code: Type.GetTypeFromHandle(M1cke3sM7T8Ac7yv7f.NEbFY5SXtUlDe(16777277)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(M1cke3sM7T8Ac7yv7f.NEbFY5SXtUlDe(16777255)),Type.GetTypeFromHandle(M1cke3sM7T8Ac7yv7f.NEbFY5SXtUlDe(16777250))}) |
Source: 0.2.eFvQTTtxej.exe.3d60610.0.raw.unpack, EFLjYhk2nbESXG6TnU.cs |
.Net Code: Type.GetTypeFromHandle(M1cke3sM7T8Ac7yv7f.NEbFY5SXtUlDe(16777277)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(M1cke3sM7T8Ac7yv7f.NEbFY5SXtUlDe(16777255)),Type.GetTypeFromHandle(M1cke3sM7T8Ac7yv7f.NEbFY5SXtUlDe(16777250))}) |
Source: 0.2.eFvQTTtxej.exe.3d36df0.1.raw.unpack, EFLjYhk2nbESXG6TnU.cs |
.Net Code: Type.GetTypeFromHandle(M1cke3sM7T8Ac7yv7f.NEbFY5SXtUlDe(16777277)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(M1cke3sM7T8Ac7yv7f.NEbFY5SXtUlDe(16777255)),Type.GetTypeFromHandle(M1cke3sM7T8Ac7yv7f.NEbFY5SXtUlDe(16777250))}) |
Source: eFvQTTtxej.exe, EFLjYhk2nbESXG6TnU.cs |
High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'QqhZoExK7J', 'lXXFY51SFQcsa', 'rcHnrbkUfB', 'p7Bnw8m3nT', 'tLnnYHXYWG', 'nAUnPJW9oi', 'oqcn2XnYcS', 'p1jnfblfmu', 'rxEnOZk1QB' |
Source: eFvQTTtxej.exe, nHmG8pf21aEDIX7Kxi.cs |
High entropy of concatenated method names: 'FYPHJjVIx', 't7htwZDDV', 'RCO5JaG5Y', 'mAAbkVr89', 'TqHQdoSvD', 'Ba3kCTipM', 'DSY3HmG8p', 'p1a9EDIX7', 'YxiGotfyN', 'z6RVyYAMC' |
Source: eFvQTTtxej.exe, I6JOl8ohtHlPP6bL5w.cs |
High entropy of concatenated method names: 'JbMSKuEyoR', 'HXdSzaeun9', 'EpeSeW7uBF', 'CbLSoUE7e5', 'MruSIlDZxj', 'cK0Sd49Vuv', 'xoJSU8Li6Y', 'B6USckHU9W', 'EtUS1xa5xo', 'l0JSq1KSJE' |
Source: Client.exe.0.dr, EFLjYhk2nbESXG6TnU.cs |
High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'QqhZoExK7J', 'lXXFY51SFQcsa', 'rcHnrbkUfB', 'p7Bnw8m3nT', 'tLnnYHXYWG', 'nAUnPJW9oi', 'oqcn2XnYcS', 'p1jnfblfmu', 'rxEnOZk1QB' |
Source: Client.exe.0.dr, nHmG8pf21aEDIX7Kxi.cs |
High entropy of concatenated method names: 'FYPHJjVIx', 't7htwZDDV', 'RCO5JaG5Y', 'mAAbkVr89', 'TqHQdoSvD', 'Ba3kCTipM', 'DSY3HmG8p', 'p1a9EDIX7', 'YxiGotfyN', 'z6RVyYAMC' |
Source: Client.exe.0.dr, I6JOl8ohtHlPP6bL5w.cs |
High entropy of concatenated method names: 'JbMSKuEyoR', 'HXdSzaeun9', 'EpeSeW7uBF', 'CbLSoUE7e5', 'MruSIlDZxj', 'cK0Sd49Vuv', 'xoJSU8Li6Y', 'B6USckHU9W', 'EtUS1xa5xo', 'l0JSq1KSJE' |
Source: 0.2.eFvQTTtxej.exe.3d60610.0.raw.unpack, EFLjYhk2nbESXG6TnU.cs |
High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'QqhZoExK7J', 'lXXFY51SFQcsa', 'rcHnrbkUfB', 'p7Bnw8m3nT', 'tLnnYHXYWG', 'nAUnPJW9oi', 'oqcn2XnYcS', 'p1jnfblfmu', 'rxEnOZk1QB' |
Source: 0.2.eFvQTTtxej.exe.3d60610.0.raw.unpack, nHmG8pf21aEDIX7Kxi.cs |
High entropy of concatenated method names: 'FYPHJjVIx', 't7htwZDDV', 'RCO5JaG5Y', 'mAAbkVr89', 'TqHQdoSvD', 'Ba3kCTipM', 'DSY3HmG8p', 'p1a9EDIX7', 'YxiGotfyN', 'z6RVyYAMC' |
Source: 0.2.eFvQTTtxej.exe.3d60610.0.raw.unpack, I6JOl8ohtHlPP6bL5w.cs |
High entropy of concatenated method names: 'JbMSKuEyoR', 'HXdSzaeun9', 'EpeSeW7uBF', 'CbLSoUE7e5', 'MruSIlDZxj', 'cK0Sd49Vuv', 'xoJSU8Li6Y', 'B6USckHU9W', 'EtUS1xa5xo', 'l0JSq1KSJE' |
Source: 0.2.eFvQTTtxej.exe.3d36df0.1.raw.unpack, EFLjYhk2nbESXG6TnU.cs |
High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'QqhZoExK7J', 'lXXFY51SFQcsa', 'rcHnrbkUfB', 'p7Bnw8m3nT', 'tLnnYHXYWG', 'nAUnPJW9oi', 'oqcn2XnYcS', 'p1jnfblfmu', 'rxEnOZk1QB' |
Source: 0.2.eFvQTTtxej.exe.3d36df0.1.raw.unpack, nHmG8pf21aEDIX7Kxi.cs |
High entropy of concatenated method names: 'FYPHJjVIx', 't7htwZDDV', 'RCO5JaG5Y', 'mAAbkVr89', 'TqHQdoSvD', 'Ba3kCTipM', 'DSY3HmG8p', 'p1a9EDIX7', 'YxiGotfyN', 'z6RVyYAMC' |
Source: 0.2.eFvQTTtxej.exe.3d36df0.1.raw.unpack, I6JOl8ohtHlPP6bL5w.cs |
High entropy of concatenated method names: 'JbMSKuEyoR', 'HXdSzaeun9', 'EpeSeW7uBF', 'CbLSoUE7e5', 'MruSIlDZxj', 'cK0Sd49Vuv', 'xoJSU8Li6Y', 'B6USckHU9W', 'EtUS1xa5xo', 'l0JSq1KSJE' |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Memory allocated: 10F0000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Memory allocated: 2D30000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe |
Memory allocated: 4D30000 memory commit | memory reserve | memory write watch |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Memory allocated: F00000 memory reserve | memory write watch |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Memory allocated: 2C00000 memory reserve | memory write watch |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Memory allocated: F70000 memory commit | memory reserve | memory write watch |
Source: C:\Users\user\Desktop\eFvQTTtxej.exe TID: 2680 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 5456 |
Thread sleep count: 844 > 30 |
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 5456 |
Thread sleep time: -844000s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 760 |
Thread sleep count: 3744 > 30 |
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 5456 |
Thread sleep count: 4933 > 30 |
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 5456 |
Thread sleep time: -4933000s >= -30000s |
Source: Client.exe, 00000002.00000002.4465435000.0000000000A81000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx |
Source: Client.exe, 00000002.00000002.4466199974.0000000002C01000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: VBoxServicevAntiProcess: VirtrualBox was detected! Reconnect after 5min"Sandboxie Control\AntiProcess: Sandboxie was detected and killed |
Source: Client.exe, 00000002.00000002.4466199974.0000000002C01000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: VGAuthServicelAntiProcess: VMware was detected! Reconnect after 5min |
Source: Client.exe, 00000002.00000002.4466199974.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Program Manager |
Source: eFvQTTtxej.exe, 00000000.00000002.2081149639.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000002.00000002.4466199974.0000000002C01000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Shell_traywnd~TaskManagerDisbale: Lime's Stub is not running as administrator |
Source: Client.exe, 00000002.00000002.4466199974.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Program Manager@9 |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
Queries volume information: C:\ VolumeInformation |
Source: Client.exe, 00000002.00000002.4465435000.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: iles%\Windows Defender\MsMpeng.exe |
Source: Client.exe, 00000002.00000002.4465435000.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000002.00000002.4465435000.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000002.00000002.4465435000.0000000000A81000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe |
Source: C:\Users\user\AppData\Local\Temp\Client.exe |
WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct |