Source: Submitted Sample
Integrated Neural Analysis Model: Matched 99.8% probability
Source: file.exe, 00000000.00000000.1497159714.00007FF76BDEC000.00000002.00000001.01000000.00000003.sdmp
Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: file.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source:
Binary string: E:\BlackDropperCPP\BlackDropperCPP.pdb source: file.exe |
Source:
Binary string: /root/Builder/obj/Release/net8.0-windows/win-x64/Builder.pdb source: file.exe, 00000000.00000003.1518576683.000002B9C5B11000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1518674223.000002B9C5AE6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1518705267.000002B9C58CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1518493109.000002B9C5A11000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1518453934.000002B9C5BE4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1518493109.000002B9C5AE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1518693095.000002B9C5943000.00000004.00000020.00020000.00000000.sdmp, Builder.dll.0.dr |
Source: file.exe, 00000000.00000003.1518493109.000002B9C5A11000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1518453934.000002B9C5BE4000.00000004.00000020.00020000.00000000.sdmp, Builder.dll.0.dr |
String found in binary or memory: http://72.5.42.222:8568/api/newLog |
Source: file.exe |
String found in binary or memory: https://curl.se/docs/alt-svc.html |
Source: file.exe |
String found in binary or memory: https://curl.se/docs/hsts.html |
Source: file.exe |
String found in binary or memory: https://curl.se/docs/http-cookies.html |
Source: Builder.dll.0.dr, Form1.cs |
Long String: Length: 21012 |
Source: Builder.dll.0.dr |
Static PE information: No import functions for PE file found |
Source: file.exe, 00000000.00000003.1518576683.000002B9C5B11000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameBuilder.dll0 vs file.exe |
Source: file.exe, 00000000.00000003.1518674223.000002B9C5AE6000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameBuilder.dll0 vs file.exe |
Source: file.exe, 00000000.00000003.1518705267.000002B9C58CB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameBuilder.dll0 vs file.exe |
Source: file.exe, 00000000.00000003.1518493109.000002B9C5A11000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameBuilder.dll0 vs file.exe |
Source: file.exe, 00000000.00000003.1518453934.000002B9C5BE4000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameBuilder.dll0 vs file.exe |
Source: file.exe, 00000000.00000003.1518493109.000002B9C5AE5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameBuilder.dll0 vs file.exe |
Source: file.exe, 00000000.00000003.1518693095.000002B9C5943000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameBuilder.dll0 vs file.exe |
Source: Builder.dll.0.dr, Form1.cs |
Base64 encoded string: 'KDU2CQgWHwQqLS8bBgQLDy4+OxEWGVQhCx8bOSQtHw0MAQ0SLTU8HRMeC0wlDQwD', 'KDU2CQgWHwQqLS8bBgQLDy4+OxEWGVQhCx8bOSQtHw0MAQ0SLTU8HRMeC0wlDQwD', 'LCQjGwoKBAoqLSEeERwdFiQ2IxoDAFM1Dw0KKy0gDhASAw4eMj0gCwsDBQQM', 'MDAkHQQAFh8CCBI/JS4MCg00PTwYDAJNMREZDC45MwAKBB0HFTIuKgkdBxcWHyU2MwUJDRoACw==', 'Ni4oDg0fHAICEQ00NiYcAQA1KyQYDBpUNRceGTQxMAgKDR8PEi4uLRMSSiIPEBc=', 'JDI6HAIGCR4ZExw4PTQXBgE1MjkLFBhYPAYCCCU3MxIBCRMWBzouNAAVGA5QLhEGDw8cBA0NUSQTFxsLCAQd' |
Source: classification engine |
Classification label: mal56.spyw.evad.winEXE@2/2@0/1 |
Source: C:\Users\user\Desktop\file.exe |
File created: C:\Users\user\Music\vkiwdonilg |
Source: C:\Users\user\Desktop\file.exe |
Mutant created: \Sessions\1\BaseNamedObjects\MyMutex |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3576:120:WilError_03 |
Source: file.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\file.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: file.exe |
String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExW\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %u |
Source: unknown |
Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" |
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: secur32.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: mswsock.dll |
Source: file.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: file.exe |
Static PE information: Image base 0x140000000 > 0x60000000 |
Source: file.exe |
Static file information: File size 2427392 > 1048576 |
Source: file.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1dae00 |
Source: file.exe |
Static PE information: More than 200 imports for KERNEL32.dll |
Source: file.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: Builder.dll.0.dr |
Static PE information: 0xDB953C61 [Fri Sep 27 18:43:45 2086 UTC] |
Source: file.exe |
Static PE information: section name: .00cfg |
Source: file.exe |
Static PE information: section name: .fptable |
Source: C:\Users\user\Desktop\file.exe |
File created: C:\Users\user\Music\vkiwdonilg\Builder.dll |
Source: file.exe |
Binary or memory string: : C:\WINDOWS\SYSTEM32\VBOXSERVICE.EXEC:\WINDOWS\SYSTEM32\VBOXTRAY.EXEC:\PROGRAM FILES\ORACLE\VIRTUALBOX GUEST ADDITIONS\VBOXSF.SYSC:\WINDOWS\SYSTEM32\DRIVERS\VBOXMOUSE.SYSC:\WINDOWS\SYSTEM32\VMTOOLSD.EXEC:\WINDOWS\SYSTEM32\DRIVERS\VMCI.SYSC:\WINDOWS\SYSTEM32\DRIVERS\VMXNET.SYSC:\PROGRAM FILES\SANDBOXIE\SBIECTRL.EXEC:\SANDBOX\C:\PROGRAM FILES\QEMU\QEMU-GA.EXEC:\VTROOT\C:\USERS\WDAGUTILITYACCOUNT\VBOXSERVICE.EXEVBOXTRAY.EXEVMTOOLSD.EXESBIECTRL.EXEQEMU-GA.EXE |
Source: C:\Users\user\Desktop\file.exe |
File opened / queried: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxSF.sys |
Source: C:\Users\user\Desktop\file.exe |
File opened / queried: C:\Windows\system32\drivers\vmci.sys |
Source: C:\Users\user\Desktop\file.exe |
File opened / queried: C:\Windows\system32\vboxservice.exe |
Source: C:\Users\user\Desktop\file.exe |
File opened / queried: C:\Windows\system32\vboxtray.exe |
Source: C:\Users\user\Desktop\file.exe |
File opened / queried: C:\Windows\System32\drivers\VBoxMouse.sys |
Source: C:\Users\user\Desktop\file.exe |
File opened / queried: C:\Windows\system32\vmtoolsd.exe |
Source: C:\Users\user\Desktop\file.exe |
Dropped PE file which has not been started: C:\Users\user\Music\vkiwdonilg\Builder.dll |
Source: file.exe |
Binary or memory string: : C:\Windows\system32\vboxservice.exeC:\Windows\system32\vboxtray.exeC:\Program Files\Oracle\VirtualBox Guest Additions\VBoxSF.sysC:\Windows\System32\drivers\VBoxMouse.sysC:\Windows\system32\vmtoolsd.exeC:\Windows\system32\drivers\vmci.sysC:\Windows\system32\drivers\vmxnet.sysC:\Program Files\Sandboxie\SbieCtrl.exeC:\Sandbox\C:\Program Files\qemu\qemu-ga.exeC:\VTRoot\C:\Users\WDAGUtilityAccount\vboxservice.exevboxtray.exevmtoolsd.exeSbieCtrl.exeqemu-ga.exe |
Source: C:\Users\user\Desktop\file.exe |
Process information queried: ProcessInformation |
Source: file.exe, 00000000.00000003.1518493109.000002B9C5A11000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: Electrum - Electrum |
Source: file.exe, 00000000.00000003.1518493109.000002B9C5A11000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: Bitcoin Cash (Electron Cash) - ElectronCash |
Source: file.exe, 00000000.00000003.1518493109.000002B9C5A11000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: Jaxx Liberty - com.liberty.jaxx |
Source: file.exe, 00000000.00000003.1518576683.000002B9C5B11000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: Exodus Web3 Wallet ||| aholpfdialjgjfhomihkjbmgjidlcdno |
Source: file.exe, 00000000.00000003.1518576683.000002B9C5B11000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: Talisman - Ethereum and Polkadot Wallet ||| fijngjgcjhjmmpcmkeiomlglpeiijkld |