Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1524653
MD5: ed7e56bb217c2448ad3b61f5bfd83e16
SHA1: 92d994024ff61db1726d0ace38e6b4f22a8ef522
SHA256: 36214001aad5a561e3e8e17334adb7e507f937510978302c860df84ec647be2b
Tags: exeuser-Bitsight

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

.NET source code contains very large strings
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Drops PE files
Found dropped PE file which has not been started or loaded
PE file contains sections with non-standard names
PE file does not import any functions
Sample file is different than original file name gathered from version info

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.8% probability
Source: file.exe, 00000000.00000000.1497159714.00007FF76BDEC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_40c172d8-c
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\BlackDropperCPP\BlackDropperCPP.pdb source: file.exe
Source: Binary string: /root/Builder/obj/Release/net8.0-windows/win-x64/Builder.pdb source: file.exe, 00000000.00000003.1518576683.000002B9C5B11000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1518674223.000002B9C5AE6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1518705267.000002B9C58CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1518493109.000002B9C5A11000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1518453934.000002B9C5BE4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1518493109.000002B9C5AE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1518693095.000002B9C5943000.00000004.00000020.00020000.00000000.sdmp, Builder.dll.0.dr
Source: file.exe, 00000000.00000003.1518493109.000002B9C5A11000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1518453934.000002B9C5BE4000.00000004.00000020.00020000.00000000.sdmp, Builder.dll.0.dr String found in binary or memory: http://72.5.42.222:8568/api/newLog
Source: file.exe String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: file.exe String found in binary or memory: https://curl.se/docs/hsts.html
Source: file.exe String found in binary or memory: https://curl.se/docs/http-cookies.html

System Summary

Source: Builder.dll.0.dr, Form1.cs Long String: Length: 21012
Source: Builder.dll.0.dr Static PE information: No import functions for PE file found
Source: file.exe, 00000000.00000003.1518576683.000002B9C5B11000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBuilder.dll0 vs file.exe
Source: file.exe, 00000000.00000003.1518674223.000002B9C5AE6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBuilder.dll0 vs file.exe
Source: file.exe, 00000000.00000003.1518705267.000002B9C58CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBuilder.dll0 vs file.exe
Source: file.exe, 00000000.00000003.1518493109.000002B9C5A11000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBuilder.dll0 vs file.exe
Source: file.exe, 00000000.00000003.1518453934.000002B9C5BE4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBuilder.dll0 vs file.exe
Source: file.exe, 00000000.00000003.1518493109.000002B9C5AE5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBuilder.dll0 vs file.exe
Source: file.exe, 00000000.00000003.1518693095.000002B9C5943000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBuilder.dll0 vs file.exe
Source: Builder.dll.0.dr, Form1.cs Base64 encoded string: 'KDU2CQgWHwQqLS8bBgQLDy4+OxEWGVQhCx8bOSQtHw0MAQ0SLTU8HRMeC0wlDQwD', 'KDU2CQgWHwQqLS8bBgQLDy4+OxEWGVQhCx8bOSQtHw0MAQ0SLTU8HRMeC0wlDQwD', 'LCQjGwoKBAoqLSEeERwdFiQ2IxoDAFM1Dw0KKy0gDhASAw4eMj0gCwsDBQQM', 'MDAkHQQAFh8CCBI/JS4MCg00PTwYDAJNMREZDC45MwAKBB0HFTIuKgkdBxcWHyU2MwUJDRoACw==', 'Ni4oDg0fHAICEQ00NiYcAQA1KyQYDBpUNRceGTQxMAgKDR8PEi4uLRMSSiIPEBc=', 'JDI6HAIGCR4ZExw4PTQXBgE1MjkLFBhYPAYCCCU3MxIBCRMWBzouNAAVGA5QLhEGDw8cBA0NUSQTFxsLCAQd'
Source: classification engine Classification label: mal56.spyw.evad.winEXE@2/2@0/1
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\Music\vkiwdonilg
Source: C:\Users\user\Desktop\file.exe Mutant created: \Sessions\1\BaseNamedObjects\MyMutex
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3576:120:WilError_03
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExW\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %u
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: file.exe Static file information: File size 2427392 > 1048576
Source: file.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1dae00
Source: file.exe Static PE information: More than 200 imports for KERNEL32.dll
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\BlackDropperCPP\BlackDropperCPP.pdb source: file.exe
Source: Binary string: /root/Builder/obj/Release/net8.0-windows/win-x64/Builder.pdb source: file.exe, 00000000.00000003.1518576683.000002B9C5B11000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1518674223.000002B9C5AE6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1518705267.000002B9C58CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1518493109.000002B9C5A11000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1518453934.000002B9C5BE4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1518493109.000002B9C5AE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1518693095.000002B9C5943000.00000004.00000020.00020000.00000000.sdmp, Builder.dll.0.dr
Source: Builder.dll.0.dr Static PE information: 0xDB953C61 [Fri Sep 27 18:43:45 2086 UTC]
Source: file.exe Static PE information: section name: .00cfg
Source: file.exe Static PE information: section name: .fptable
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\Music\vkiwdonilg\Builder.dll

Malware Analysis System Evasion

Source: file.exe Binary or memory string: : C:\WINDOWS\SYSTEM32\VBOXSERVICE.EXEC:\WINDOWS\SYSTEM32\VBOXTRAY.EXEC:\PROGRAM FILES\ORACLE\VIRTUALBOX GUEST ADDITIONS\VBOXSF.SYSC:\WINDOWS\SYSTEM32\DRIVERS\VBOXMOUSE.SYSC:\WINDOWS\SYSTEM32\VMTOOLSD.EXEC:\WINDOWS\SYSTEM32\DRIVERS\VMCI.SYSC:\WINDOWS\SYSTEM32\DRIVERS\VMXNET.SYSC:\PROGRAM FILES\SANDBOXIE\SBIECTRL.EXEC:\SANDBOX\C:\PROGRAM FILES\QEMU\QEMU-GA.EXEC:\VTROOT\C:\USERS\WDAGUTILITYACCOUNT\VBOXSERVICE.EXEVBOXTRAY.EXEVMTOOLSD.EXESBIECTRL.EXEQEMU-GA.EXE
Source: C:\Users\user\Desktop\file.exe File opened / queried: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxSF.sys
Source: C:\Users\user\Desktop\file.exe File opened / queried: C:\Windows\system32\drivers\vmci.sys
Source: C:\Users\user\Desktop\file.exe File opened / queried: C:\Windows\system32\vboxservice.exe
Source: C:\Users\user\Desktop\file.exe File opened / queried: C:\Windows\system32\vboxtray.exe
Source: C:\Users\user\Desktop\file.exe File opened / queried: C:\Windows\System32\drivers\VBoxMouse.sys
Source: C:\Users\user\Desktop\file.exe File opened / queried: C:\Windows\system32\vmtoolsd.exe
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\Music\vkiwdonilg\Builder.dll
Source: file.exe Binary or memory string: : C:\Windows\system32\vboxservice.exeC:\Windows\system32\vboxtray.exeC:\Program Files\Oracle\VirtualBox Guest Additions\VBoxSF.sysC:\Windows\System32\drivers\VBoxMouse.sysC:\Windows\system32\vmtoolsd.exeC:\Windows\system32\drivers\vmci.sysC:\Windows\system32\drivers\vmxnet.sysC:\Program Files\Sandboxie\SbieCtrl.exeC:\Sandbox\C:\Program Files\qemu\qemu-ga.exeC:\VTRoot\C:\Users\WDAGUtilityAccount\vboxservice.exevboxtray.exevmtoolsd.exeSbieCtrl.exeqemu-ga.exe
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Stealing of Sensitive Information

Source: file.exe, 00000000.00000003.1518493109.000002B9C5A11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum - Electrum
Source: file.exe, 00000000.00000003.1518493109.000002B9C5A11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Cash (Electron Cash) - ElectronCash
Source: file.exe, 00000000.00000003.1518493109.000002B9C5A11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Liberty - com.liberty.jaxx
Source: file.exe, 00000000.00000003.1518576683.000002B9C5B11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Exodus Web3 Wallet ||| aholpfdialjgjfhomihkjbmgjidlcdno
Source: file.exe, 00000000.00000003.1518576683.000002B9C5B11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Talisman - Ethereum and Polkadot Wallet ||| fijngjgcjhjmmpcmkeiomlglpeiijkld