Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1521588
MD5: de030225e0b09c45241b8169a8a96155
SHA1: bf568cfc34b708da4e740b13e91058d3a241fdd9
SHA256: 85d96a1ba8fa7426e48bcf430d305c6e4764db53fb86abbe53d9b80c5e474e72
Tags: exe x64 user-jstrosch

Detection

CredGrabber, Meduza Stealer
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CredGrabber
Yara detected Meduza Stealer
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Terminates after testing mutex exists (may check infected machine status)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection

Source: file.exe ReversingLabs: Detection: 36%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7633416A0 CryptUnprotectData,LocalFree, 0_2_00007FF7633416A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763307C80 CryptUnprotectData,LocalFree,_invalid_parameter_noinfo_noreturn, 0_2_00007FF763307C80
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76338BA38 FindClose,FindFirstFileExW,GetLastError, 0_2_00007FF76338BA38
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76338BAE8 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 0_2_00007FF76338BAE8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76335A4B0 GetLogicalDriveStringsW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF76335A4B0
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\migration\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\migration\wtr\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\ Jump to behavior

Networking

Source: Network traffic Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.7:49704 -> 176.124.204.206:15666
Source: Network traffic Suricata IDS: 2050806 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 : 192.168.2.7:49704 -> 176.124.204.206:15666
Source: Network traffic Suricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.7:49704 -> 176.124.204.206:15666
Source: global traffic TCP traffic: 192.168.2.7:49704 -> 176.124.204.206:15666
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    Accept: text/html; text/plain; */*
    Host: api.ipify.org
    Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 176.124.204.206
Source: Joe Sandbox View IP Address: 104.26.13.205
Source: Joe Sandbox View ASN Name: GULFSTREAMUA
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: api.ipify.org
Source: unknown TCP traffic detected without corresponding DNS query: 176.124.204.206 (50 identical entries)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763358400 InternetOpenA,InternetOpenUrlA,HttpQueryInfoW,HttpQueryInfoW,InternetQueryDataAvailable,InternetReadFile,InternetQueryDataAvailable,InternetCloseHandle,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task, 0_2_00007FF763358400
Source: global traffic DNS traffic detected: DNS query: time.windows.com
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
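Three of the network signals above are cheap to reproduce outside the sandbox: the exfiltration target 176.124.204.206:15666 is contacted without any DNS lookup (a hard-coded address on a non-standard port), and the public-IP check is a bare GET to api.ipify.org with no User-Agent. The following is an added example, not code from the report or the sandbox: it replays the observed traffic as a constructed flow log (the NTP answer 203.0.113.5 is a documentation address, since the report does not show the real one, and the ipify request is recorded as the sandbox's decrypted view of the TLS session) and flags all three. The log format, the STANDARD_PORTS set and the IP_ECHO_HOSTS list are assumptions made for the example.

```python
"""Re-derive three of the report's network signals from a flow log.

Added example, not code from the report or the sandbox. The log format,
STANDARD_PORTS and IP_ECHO_HOSTS are assumptions; the log itself is
constructed after the report's observations.
"""
from ipaddress import ip_address

STANDARD_PORTS = {53, 80, 123, 443}
IP_ECHO_HOSTS = {"api.ipify.org", "icanhazip.com", "ifconfig.me"}

# Constructed log, one record per line, in time order:
#   dns  <client> <name> <answer_ip>
#   conn <client> <dst_ip> <dst_port>
#   http <client> <dst_ip> <dst_port> <request line and headers joined by '|'>
SAMPLE_LOG = """\
dns 192.168.2.7 time.windows.com 203.0.113.5
dns 192.168.2.7 api.ipify.org 104.26.13.205
conn 192.168.2.7 104.26.13.205 443
http 192.168.2.7 104.26.13.205 443 GET / HTTP/1.1|Accept: text/html; text/plain; */*|Host: api.ipify.org|Cache-Control: no-cache
conn 192.168.2.7 176.124.204.206 15666
conn 192.168.2.7 176.124.204.206 15666
"""


def parse_headers(raw):
    """Turn 'GET / HTTP/1.1|Host: x|...' into a dict keyed by lower-cased header name."""
    headers = {}
    for field in raw.split("|")[1:]:
        name, _, value = field.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def analyse(log_text):
    """Return a de-duplicated list of (signal, target, port) findings."""
    resolved = set()   # IPs returned by DNS so far; a later lookup does not excuse an earlier connect
    findings = []

    def add(finding):
        if finding not in findings:
            findings.append(finding)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split(" ", 4)
        kind = parts[0]
        if kind == "dns":
            resolved.add(ip_address(parts[3]))
            continue
        dst, port = ip_address(parts[2]), int(parts[3])
        if dst not in resolved:
            add(("no_dns", str(dst), port))            # hard-coded C2 address
        if port not in STANDARD_PORTS:
            add(("nonstandard_port", str(dst), port))
        if kind == "http":
            headers = parse_headers(parts[4])
            host = headers.get("host", str(dst))
            if "user-agent" not in headers:
                add(("no_user_agent", host, port))     # libraries send a UA by default; raw WinINet calls may not
            if host in IP_ECHO_HOSTS:
                add(("public_ip_check", host, port))   # victim geolocation before exfiltration
    return findings


if __name__ == "__main__":
    for signal, target, port in analyse(SAMPLE_LOG):
        print(f"{signal:17} {target}:{port}")
```

The DNS correlation is ordered on purpose: an IP is only "resolved" if an answer for it precedes the connection, which is what separates a hard-coded address from one the process looked up. On a real network the same logic runs over Zeek dns.log and conn.log or equivalent, with the resolved set seeded per client.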
Source: file.exe, 00000000.00000003.1369057073.000001EA4B82D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2599494351.000001EA4B7EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m
Source: file.exe, 00000000.00000003.1368512194.000001EA4DFB1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2600221699.000001EA4DFC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.microsoft.t/Regi
Source: file.exe, 00000000.00000002.2599494351.000001EA4B76A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: file.exe, 00000000.00000002.2599494351.000001EA4B7AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: file.exe, 00000000.00000003.1369125819.000001EA4B7C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2599494351.000001EA4B7AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/~
Source: file.exe, 00000000.00000003.1387286065.000001EA4E0B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: file.exe, 00000000.00000003.1387286065.000001EA4E0B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: file.exe, 00000000.00000003.1374444105.000001EA4E0F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1386227021.000001EA4E280000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1387286065.000001EA4E107000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1387286065.000001EA4E0B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: file.exe, 00000000.00000003.1387286065.000001EA4E0B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.1387286065.000001EA4E0B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: file.exe, 00000000.00000003.1381574540.000001EA4D643000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1381574540.000001EA4D570000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1383468297.000001EA4E5D2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1381574540.000001EA4D578000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1381574540.000001EA4D64B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1386227021.000001EA4E18D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: file.exe, 00000000.00000003.1381574540.000001EA4D57F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.1381574540.000001EA4D57F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: file.exe, 00000000.00000003.1387286065.000001EA4E0B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: file.exe, 00000000.00000003.1387286065.000001EA4E0B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: file.exe, 00000000.00000003.1381574540.000001EA4D643000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1381574540.000001EA4D570000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1383468297.000001EA4E5D2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1381574540.000001EA4D578000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1381574540.000001EA4D64B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1386227021.000001EA4E18D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000003.1381574540.000001EA4D57F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: file.exe, 00000000.00000003.1381574540.000001EA4D57F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: file.exe, 00000000.00000003.1381574540.000001EA4D653000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1383468297.000001EA4E5D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1381574540.000001EA4D57F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: file.exe, 00000000.00000003.1381574540.000001EA4D57F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.1381574540.000001EA4D653000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1383468297.000001EA4E5D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1381574540.000001EA4D57F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763358CC0 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SHCreateMemStream,SelectObject,DeleteDC,ReleaseDC,DeleteObject,EnterCriticalSection,LeaveCriticalSection,GetObjectW,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject,DeleteObject,EnterCriticalSection,EnterCriticalSection,GdiplusShutdown,LeaveCriticalSection,LeaveCriticalSection,_invalid_parameter_noinfo_noreturn, 0_2_00007FF763358CC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76335D700 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,_invalid_parameter_noinfo_noreturn,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize, 0_2_00007FF76335D700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76335CFC0 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF76335CFC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763360440 0_2_00007FF763360440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76332E4E0 0_2_00007FF76332E4E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76330D510 0_2_00007FF76330D510
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763358400 0_2_00007FF763358400
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76335B410 0_2_00007FF76335B410
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7633012C0 0_2_00007FF7633012C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7633471A0 0_2_00007FF7633471A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7633518D0 0_2_00007FF7633518D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76335A760 0_2_00007FF76335A760
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7633796B8 0_2_00007FF7633796B8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76330E5A0 0_2_00007FF76330E5A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76330EC50 0_2_00007FF76330EC50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763352D10 0_2_00007FF763352D10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763358CC0 0_2_00007FF763358CC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763300BD0 0_2_00007FF763300BD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763357BC0 0_2_00007FF763357BC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76335FA58 0_2_00007FF76335FA58
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763331A80 0_2_00007FF763331A80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76338BAE8 0_2_00007FF76338BAE8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76332BAF0 0_2_00007FF76332BAF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763361B00 0_2_00007FF763361B00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763359960 0_2_00007FF763359960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76330C9C0 0_2_00007FF76330C9C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7633140B0 0_2_00007FF7633140B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763375EB4 0_2_00007FF763375EB4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763301D4E 0_2_00007FF763301D4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76336D474 0_2_00007FF76336D474
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76331E419 0_2_00007FF76331E419
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7632D6480 0_2_00007FF7632D6480
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76331C4E0 0_2_00007FF76331C4E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76338E500 0_2_00007FF76338E500
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7633714C4 0_2_00007FF7633714C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76334F370 0_2_00007FF76334F370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76336E354 0_2_00007FF76336E354
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76333D260 0_2_00007FF76333D260
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76336D28C 0_2_00007FF76336D28C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763335220 0_2_00007FF763335220
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763340180 0_2_00007FF763340180
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763356123 0_2_00007FF763356123
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763356133 0_2_00007FF763356133
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763380824 0_2_00007FF763380824
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76333F820 0_2_00007FF76333F820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7633448A0 0_2_00007FF7633448A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7632D6900 0_2_00007FF7632D6900
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76333D8B0 0_2_00007FF76333D8B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7633018F0 0_2_00007FF7633018F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763346720 0_2_00007FF763346720
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7632F6770 0_2_00007FF7632F6770
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7632F9760 0_2_00007FF7632F9760
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7632F77B0 0_2_00007FF7632F77B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76336B7B0 0_2_00007FF76336B7B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76337765C 0_2_00007FF76337765C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763343670 0_2_00007FF763343670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76335D700 0_2_00007FF76335D700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763393570 0_2_00007FF763393570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76333D590 0_2_00007FF76333D590
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7633785DC 0_2_00007FF7633785DC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763339600 0_2_00007FF763339600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763347C20 0_2_00007FF763347C20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7632FACA0 0_2_00007FF7632FACA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763350CA0 0_2_00007FF763350CA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76331CB90 0_2_00007FF76331CB90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763376B2C 0_2_00007FF763376B2C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76333DBD0 0_2_00007FF76333DBD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763309A59 0_2_00007FF763309A59
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76335DA50 0_2_00007FF76335DA50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76336DABC 0_2_00007FF76336DABC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76338E980 0_2_00007FF76338E980
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763348980 0_2_00007FF763348980
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763379934 0_2_00007FF763379934
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763346080 0_2_00007FF763346080
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7632D60C0 0_2_00007FF7632D60C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7633200ED 0_2_00007FF7633200ED
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763352100 0_2_00007FF763352100
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76336D0A4 0_2_00007FF76336D0A4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76333CF60 0_2_00007FF76333CF60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763326F70 0_2_00007FF763326F70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763353F80 0_2_00007FF763353F80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763376FDC 0_2_00007FF763376FDC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7632D7010 0_2_00007FF7632D7010
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76334EFD0 0_2_00007FF76334EFD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76336DE4C 0_2_00007FF76336DE4C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76333FE50 0_2_00007FF76333FE50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763307ED0 0_2_00007FF763307ED0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76330BEE0 0_2_00007FF76330BEE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76333DF00 0_2_00007FF76333DF00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76332AF00 0_2_00007FF76332AF00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763379EBC 0_2_00007FF763379EBC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763377D88 0_2_00007FF763377D88
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76330AE00 0_2_00007FF76330AE00
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00007FF763301D20 appears 84 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00007FF7632FD510 appears 63 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00007FF763306990 appears 41 times
Source: classification engine Classification label: mal96.troj.spyw.winEXE@1/0@2/2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76330E5A0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF76330E5A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76333F820 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocStringByteLen,SysFreeString,SysAllocStringByteLen,SysFreeString,SysStringByteLen,SysFreeString,SysFreeString,SysStringByteLen,SysFreeString,SysFreeString,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF76333F820
Source: C:\Users\user\Desktop\file.exe Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E6963E1BD36C7
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe String found in binary or memory: --help
Source: file.exe String found in binary or memory: ipportgrabber_max_sizeextensionslinksbuild_nameself_destructtype must be boolean, but is type must be number, but is 0123456789ABCDEFntdll.dllFile DownloaderabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+=-&^%$#@!(){}[},.;'runasopen bad variant accessfalsetrueBad any_cast[VAR... , [default: [required][nargs: or more] ..[nargs= to or more provided. argument(s) expected. : required.: no value provided.-=--help-hshows help message and exits--version-vprints version information and exitsNo such argument:
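The string block above is the part of the sample most worth keying on: the configuration keys ip, port, grabber_max_size, extensions, links, build_name and self_destruct, next to an argument parser's --help/--version usage text. The following is an added example, not code from the report or from any detection engine, showing how those strings can be turned into a triage check that does not depend on the file hash. The byte strings are the ones the sandbox recovered from file.exe; the split into specific and generic keys, the verdict threshold and the two sample blobs are assumptions made for the example.

```python
"""Triage a PE for the Meduza configuration and argument-parser strings.

Added example, not code from the report or from any detection engine. The
byte strings come from the report's string dump; the weighting, the verdict
threshold and the sample blobs are assumptions.
"""
import hashlib

REPORT_SHA256 = "85d96a1ba8fa7426e48bcf430d305c6e4764db53fb86abbe53d9b80c5e474e72"

# Keys specific enough to carry weight on their own.
SPECIFIC_KEYS = (b"grabber_max_size", b"self_destruct", b"build_name")
# Keys that appear in countless benign binaries; they only corroborate.
GENERIC_KEYS = (b"extensions", b"links", b"port", b"ip")
USAGE_MARKERS = (b"shows help message and exits",
                 b"prints version information and exits",
                 b"No such argument:")


def triage(data):
    """Return the hash match, the strings hit and a verdict for one file's bytes.

    Matching is done on the raw bytes rather than on extracted strings so that
    keys stored back-to-back (the report shows them concatenated) still hit
    and so that two-byte keys such as "ip" are not dropped by a minimum length.
    """
    specific = [k for k in SPECIFIC_KEYS if k in data]
    generic = [k for k in GENERIC_KEYS if k in data]
    usage = [m for m in USAGE_MARKERS if m in data]
    hash_match = hashlib.sha256(data).hexdigest() == REPORT_SHA256
    # All specific keys plus the usage text, or the exact sample hash.
    verdict = hash_match or (len(specific) == len(SPECIFIC_KEYS) and bool(usage))
    return {"sha256_match": hash_match,
            "specific_keys": specific,
            "generic_keys": generic,
            "usage_markers": usage,
            "meduza_strings": verdict}


# Constructed stand-ins (neither is the real sample).
SUSPECT_BLOB = (b"MZ" + b"\x00" * 62 +
                b"ipportgrabber_max_sizeextensionslinksbuild_nameself_destruct\x00"
                b"--help-hshows help message and exits--version-vprints version information and exits")
BENIGN_BLOB = b"MZ" + b"\x00" * 62 + b"port=443\x00links\x00--help\x00"

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_BLOB), ("benign", BENIGN_BLOB)):
        print(name, triage(blob))
```

The generic keys are reported but never decide the verdict: "port", "links" and "ip" are in practically every networked binary, and a rule that counted them would fire on half a workstation. The specific keys are what a YARA rule for this family would carry, with the usage text as a second condition.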
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: file.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: file.exe Static file information: File size 1116160 > 1048576
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76330D510 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF76330D510
Source: file.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76333CBAC push rsp; retf 0_2_00007FF76333CBAD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76333CBB0 push rsp; retf 0_2_00007FF76333CBB1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76333CBB4 push rsp; retf 0_2_00007FF76333CBB5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76333CBB8 push rsp; retf 0_2_00007FF76333CBB9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76333CBBC push rsp; retf 0_2_00007FF76333CBBD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76333CBC0 push rsp; retf 0_2_00007FF76333CBC1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76333CBC4 push rsp; retf 0_2_00007FF76333CBC5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76333CB00 push rsp; retf 0_2_00007FF76333CBA1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7633471A0 _invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,ExitProcess,ExitProcess,OpenMutexA,ExitProcess,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7633471A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76338BA38 FindClose,FindFirstFileExW,GetLastError, 0_2_00007FF76338BA38
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76338BAE8 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 0_2_00007FF76338BAE8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76335A4B0 GetLogicalDriveStringsW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF76335A4B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76336FBD0 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 0_2_00007FF76336FBD0
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\migration\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\migration\wtr\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: file.exe, 00000000.00000003.1369125819.000001EA4B7C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2599494351.000001EA4B7AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: file.exe, 00000000.00000003.1369125819.000001EA4B7C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2599494351.000001EA4B7AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW^
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: file.exe, 00000000.00000002.2599494351.000001EA4B76A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp(~K
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76335D700 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,_invalid_parameter_noinfo_noreturn,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize, 0_2_00007FF76335D700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7633683E8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7633683E8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76338DC60 GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_00007FF76338DC60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76330D510 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF76330D510
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7633683E8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7633683E8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763385220 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF763385220
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00007FF76337F494
Source: C:\Users\user\Desktop\file.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00007FF76337F148
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoEx,FormatMessageA, 0_2_00007FF76338B634
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00007FF76337F564
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00007FF763374518
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FF76337FB7C
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_00007FF763374A5C
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00007FF76337F9A0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763385CD8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF763385CD8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF763359410 GetUserNameW, 0_2_00007FF763359410
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF76335A760 GetTimeZoneInformation, 0_2_00007FF76335A760

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: file.exe PID: 2064, type: MEMORYSTR
Source: Yara match File source: 00000000.00000002.2599494351.000001EA4B76A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 2064, type: MEMORYSTR
Source: file.exe, 00000000.00000002.2599494351.000001EA4B76A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum
Source: file.exe, 00000000.00000002.2599494351.000001EA4B76A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectronCash
Source: file.exe, 00000000.00000002.2599494351.000001EA4B76A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Liberty
Source: file.exe, 00000000.00000002.2599494351.000001EA4B76A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Exodus
Source: file.exe, 00000000.00000002.2599494351.000001EA4B76A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum
Source: file.exe, 00000000.00000002.2599494351.000001EA4B76A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum\keystore
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: Process Memory Space: file.exe PID: 2064, type: MEMORYSTR
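The file and registry opens listed under Stealing of Sensitive Information are the lines an analyst pulls out of a report like this one to confirm what was actually harvested: the Chromium Login Data, Cookies, History, Web Data and Local Storage leveldb files of Chrome and Edge, the Firefox NSS key database key4.db with its profile SQLite files, the Outlook MAPI profile key 9375CFF0413111d3B88A00104B2A6676 (reached here both under Office\15.0 and under Windows Messaging Subsystem), and the monero-project registry key. The same opens are benign when the owning application performs them, so a detection has to pair the artifact with the process that touched it. What follows is an added example, not code from the Joe Sandbox report or from the analysed sample: a Python parser for the report's `Source: <origin> <event>: <target>` line shape that classifies each target, keeps a per-category list of legitimate owner processes, and returns the accesses a credential-theft rule would alert on. The category names, regexes and owner lists are this example's assumptions; the sample lines are copied from this section, plus two constructed chrome.exe control lines. The `Binary or memory string` hits earlier in the section are classified too but deliberately never alert: in this report the VMware20,11696492231 suffix is fused onto the names of seeded browser-credential entries (outlook.office.comVMware20,11696492231s and the like), which reads as heap data collected from the analysis VM rather than a hard-coded virtual-machine check, so it is a weak evasion indicator until the disassembly shows a comparison against it.

```python
import re
from collections import Counter

# Added example, not code from the Joe Sandbox report or from the analysed sample.
# It parses report lines of the shape "Source: <origin> <event>: <target>" and maps
# each touched file or registry key to a credential-store category. Category names,
# the regexes and the owner-process lists are this example's own assumptions.

LINE_RE = re.compile(
    r"^Source:\s+(?P<origin>.+?)\s+"
    r"(?P<event>File opened|Key opened|Key value queried|Binary or memory string):\s+"
    r"(?P<target>.*?)(?:\s+Jump to behavior)?$"   # tolerate the report's link residue
)

# Ordered rules: (category, report event, regex on the target); first match wins.
RULES = [
    ("chromium_login_db",      "File opened", re.compile(r"\\User Data\\.*\\Login Data", re.I)),
    ("chromium_cookie_db",     "File opened", re.compile(r"\\User Data\\.*Cookies$", re.I)),
    ("chromium_history_db",    "File opened", re.compile(r"\\User Data\\.*\\History$", re.I)),
    ("chromium_web_data",      "File opened", re.compile(r"\\User Data\\.*\\Web Data$", re.I)),
    ("chromium_local_storage", "File opened", re.compile(r"\\User Data\\.*\\Local Storage\\leveldb\\", re.I)),
    ("firefox_nss_key_db",     "File opened", re.compile(r"\\Mozilla\\Firefox\\Profiles\\.*\\key4\.db$", re.I)),
    ("firefox_profile_db",     "File opened",
     re.compile(r"\\Mozilla\\Firefox\\Profiles\\.*\\(cookies\.sqlite|places\.sqlite|prefs\.js)$", re.I)),
    ("outlook_mapi_profile",   "Key opened",
     re.compile(r"\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676$", re.I)),
    ("wallet_registry_key",    "Key opened", re.compile(r"^HKEY_CURRENT_USER\\SOFTWARE\\monero-project\\", re.I)),
    ("vm_indicator_string",    "Binary or memory string", re.compile(r"VMware|Hyper-V|VirtualBox|QEMU", re.I)),
]

# Processes that legitimately open each store (assumed); anything else touching it alerts.
# Categories missing here ("other", "vm_indicator_string") never alert.
CHROMIUM = {"chrome.exe", "msedge.exe"}
OWNERS = {
    "chromium_login_db": CHROMIUM, "chromium_cookie_db": CHROMIUM, "chromium_history_db": CHROMIUM,
    "chromium_web_data": CHROMIUM, "chromium_local_storage": CHROMIUM,
    "firefox_nss_key_db": {"firefox.exe"}, "firefox_profile_db": {"firefox.exe"},
    "outlook_mapi_profile": {"outlook.exe"},
    "wallet_registry_key": {"monero-wallet-gui.exe"},
}


def classify(event, target):
    """Map one (event, target) pair to a category; 'other' when no rule applies."""
    for category, wanted_event, pattern in RULES:
        if event == wanted_event and pattern.search(target):
            return category
    return "other"


def parse_line(line):
    """Parse one report line; returns None for lines that are not behaviour records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # origin is an image path ("C:\...\file.exe") or "file.exe, <memory dump id>";
    # keep only the image file name, lower-cased, for the owner comparison.
    image = m.group("origin").split(",")[0].rsplit("\\", 1)[-1].lower()
    event, target = m.group("event"), m.group("target")
    return {"image": image, "event": event, "target": target, "category": classify(event, target)}


def triage(lines):
    """Return parsed records, per-category counts, and the records a detection would raise:
    a credential store touched by a process that is not one of its owners."""
    parsed = [p for p in (parse_line(l) for l in lines) if p]
    counts = Counter(p["category"] for p in parsed)
    alerts = [p for p in parsed
              if p["category"] in OWNERS and p["image"] not in OWNERS[p["category"]]]
    return {"parsed": parsed, "counts": counts, "alerts": alerts}


# Sample input: lines copied from the report above, plus two constructed control lines at
# the end (a browser touching its own store, and a browser touching another app's store).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account",
    r"Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies",
    r"Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT",
    r"Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History",
    r"Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite",
    r"Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core",
    r"Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName",
    "Source: C:\\Users\\user\\Desktop\\file.exe File opened: D:\\sources\\migration\\",
    r"Source: file.exe, 00000000.00000003.1376275414.000001EA4E1F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for category, n in sorted(result["counts"].items()):
        print(f"{category:24s} {n}")
    for hit in result["alerts"]:
        print(f"ALERT {hit['image']} -> {hit['category']}: {hit['target']}")
```

Run against the sample, the ten file.exe accesses to browser, mail and wallet stores all alert, the chrome.exe read of its own Login Data does not, and the chrome.exe read of Firefox's key4.db does, which is the cross-application case a flat "is it a browser" check would miss. Feeding the whole report in (every line, not just this section) needs no change, since non-matching lines are dropped by `parse_line`.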

Remote Access Functionality

Source: Yara match File source: Process Memory Space: file.exe PID: 2064, type: MEMORYSTR
Source: Yara match File source: 00000000.00000002.2599494351.000001EA4B76A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 2064, type: MEMORYSTR