Windows Analysis Report
40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Overview

General Information

Sample name: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Analysis ID: 1525119
MD5: 07dd73909e1a74b92498058afc918ede
SHA1: 2f3f9ab4f17ccd2dfe0c4aada522b00c580c454d
SHA256: 40122c3fc307277bbcb516dce390f74f27e2f798cb351a692f820ba7d3ffd735
Tags: exe, Stealc, user-abuse_ch

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
PE file has a writeable .text section
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: 1.2.cmd.exe.5bd00c8.8.raw.unpack Malware Configuration Extractor: StealC {"C2 url": "http://5.188.87.43/29087f1d398f0eec.php", "Botnet": "meowsterioland29"}
Source: C:\Users\user\AppData\Local\Temp\bvhk ReversingLabs: Detection: 87%
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe ReversingLabs: Detection: 54%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\bvhk Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_0040EF10 CryptAcquireContextA, 0_2_0040EF10
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_0040E0F0 CryptAcquireContextA, 0_2_0040E0F0
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_00421430 CryptAcquireContextA,CryptAcquireContextA, 0_2_00421430
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_0041F900 CryptBinaryToStringA, 0_2_0041F900
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: C:\FastCopy\src\install\Obj\ReleaseInst\setup.pdb source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Source: Binary string: wntdll.pdbUGP source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675984078.0000000003A40000.00000004.00000800.00020000.00000000.sdmp, 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675861480.00000000036E7000.00000004.00000020.00020000.00000000.sdmp, 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1676294574.0000000003DF1000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1875062734.0000000005720000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874819246.00000000052B0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1874906293.0000000004945000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875143310.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675984078.0000000003A40000.00000004.00000800.00020000.00000000.sdmp, 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675861480.00000000036E7000.00000004.00000020.00020000.00000000.sdmp, 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1676294574.0000000003DF1000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1875062734.0000000005720000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874819246.00000000052B0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1874906293.0000000004945000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875143310.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_0044F978 FindFirstFileExA, 0_2_0044F978

Networking

Source: Malware configuration extractor URLs: http://5.188.87.43/29087f1d398f0eec.php

System Summary

Source: bvhk.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_004136B0 NtQuerySystemInformation, 0_2_004136B0
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: String function: 0043D610 appears 36 times
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Static PE information: invalid certificate
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675984078.0000000003B6D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1676294574.0000000003F14000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesetup.exe2 vs 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezip.exe( vs 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Binary or memory string: OriginalFilenamesetup.exe2 vs 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/2@0/0
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_0041E410 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle, 0_2_0041E410
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_03
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe File created: C:\Users\user\AppData\Local\Temp\16f361f8
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe ReversingLabs: Detection: 54%
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe String found in binary or memory: FastCopy.exeInstallFastCopy.exeopenFastCopy.lnk\%sSoftware\Microsoft\Windows\CurrentVersion\UninstallFastCopy.exeFastCopyDisplayIconFastCopyFastCopyDisplayNamesetup.exe /rUninstallStringDisplayIconDisplayVersionH.Shirouzu & FastCopy Lab, LLC.PublisherEstimatedSizeHelpLinkURLUpdateInfoURLInfoAboutpub-setup@fastcopy.jpCommentsHSToolsFastCopyPathReRegisterSparsePackageFastEx11.dll"%s\%s",%srundll32.exe/UPDATEDopen/INSTALLopenFastCopy.iniFastCopy.iniFastCopy.inito_OldDir(VirtualStore).lnk%s.obsolete%s.obsoleteto_ExeDir.lnk^(%s|%s\..+)$*...setup.exeLogmsixDocFastCopySetup path not found
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe File read: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Source: unknown Process created: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe "C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe"
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Section loaded: pla.dll
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Section loaded: pdh.dll
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Section loaded: tdh.dll
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Section loaded: wevtapi.dll
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: shdocvw.dll
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Static file information: File size 5883824 > 1048576
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\FastCopy\src\install\Obj\ReleaseInst\setup.pdb source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Source: Binary string: wntdll.pdbUGP source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675984078.0000000003A40000.00000004.00000800.00020000.00000000.sdmp, 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675861480.00000000036E7000.00000004.00000020.00020000.00000000.sdmp, 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1676294574.0000000003DF1000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1875062734.0000000005720000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874819246.00000000052B0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1874906293.0000000004945000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875143310.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675984078.0000000003A40000.00000004.00000800.00020000.00000000.sdmp, 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675861480.00000000036E7000.00000004.00000020.00020000.00000000.sdmp, 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1676294574.0000000003DF1000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1875062734.0000000005720000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874819246.00000000052B0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1874906293.0000000004945000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875143310.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp
Source: bvhk.1.dr Static PE information: section name: xnyuv
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_00416075 push edi; retf 0_2_00416076
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_00416079 push edi; retf 0_2_0041607A
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_0041607D push edi; retf 0_2_0041607E
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_00416089 push edi; retf 0_2_0041608A
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_0041608D push edi; retf 0_2_0041608E
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_00416091 push edi; retf 0_2_00416092
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_0043D2C9 push ecx; ret 0_2_0043D2DC
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_0043D656 push ecx; ret 0_2_0043D669
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_004158CD push cs; iretd 0_2_004158E0
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_00415EF5 push edi; retf 0_2_00415EF6
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_00415EF9 push edi; retf 0_2_00415EFA
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_00415EFD push edi; retf 0_2_00415EFE
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_00415F01 push edi; retf 0_2_00415F02
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_00415F05 push edi; retf 0_2_00415F06
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_00415F09 push edi; retf 0_2_00415F0A
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_00415F0D push edi; retf 0_2_00415F0E
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_00415F11 push edi; retf 0_2_00415F12
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Static PE information: section name: .text entropy: 6.809024001288572
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\bvhk

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\cmd.exe File deleted: c:\users\user\desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\BVHK

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe API/Special instruction interceptor: Address: 6CF17C44
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe API/Special instruction interceptor: Address: 6CF17945
Source: C:\Windows\SysWOW64\cmd.exe API/Special instruction interceptor: Address: 6CF13B54
Source: C:\Windows\SysWOW64\explorer.exe API/Special instruction interceptor: Address: BDA317
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_004018C0 rdtsc 0_2_004018C0
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_0041E410 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle, 0_2_0041E410
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bvhk
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe TID: 6248 Thread sleep time: -45000s >= -30000s
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_0044F978 FindFirstFileExA, 0_2_0044F978
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_0043AFAB VirtualQuery,GetSystemInfo, 0_2_0043AFAB
Source: explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675663986.0000000003402000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware,
Source: explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Binary or memory string: NGDELLVMwareVirtualUsbNcmMicrosoftParallelsOracle
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_00401A90 0_2_00401A90
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_00401B00 0_2_00401B00
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_004018C0 rdtsc 0_2_004018C0
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_004432E4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004432E4
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_0041E410 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle, 0_2_0041E410
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_004532D3 mov eax, dword ptr fs:[00000030h] 0_2_004532D3
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_00447AC0 mov eax, dword ptr fs:[00000030h] 0_2_00447AC0
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_00413D80 mov eax, dword ptr fs:[00000030h] 0_2_00413D80
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_004533B6 ExitProcess,GetProcessHeap,RtlAllocateHeap,VirtualProtect,VirtualProtect, 0_2_004533B6
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_004432E4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004432E4
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_0043D428 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0043D428
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_0043CB59 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0043CB59

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: cmd.exe PID: 6520, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 2536, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bvhk, type: DROPPED
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe NtSetInformationThread: Direct from: 0x414A21
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe NtProtectVirtualMemory: Direct from: 0x6CED4389
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe NtQuerySystemInformation: Direct from: 0x4534DD
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 2536 base: BD79C0 value: 55
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 2536 base: 610000 value: 00
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: BD79C0
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 610000
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_004016C0 cpuid 0_2_004016C0
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: EnumSystemLocalesW, 0_2_0044C265
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_004522AA
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: EnumSystemLocalesW, 0_2_0045256D
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: EnumSystemLocalesW, 0_2_00452522
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: EnumSystemLocalesW, 0_2_00452608
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: GetLocaleInfoW, 0_2_0044C60A
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00452695
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: GetLocaleInfoW, 0_2_004528E5
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00452A0E
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: GetLocaleInfoW, 0_2_00452B15
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00452BE2
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Code function: 0_2_0040F620 GetLocalTime, 0_2_0040F620
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 1.2.cmd.exe.5bd00c8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cmd.exe.5bd00c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1874605322.0000000000611000.00000080.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1875254375.0000000005BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bvhk, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 1.2.cmd.exe.5bd00c8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cmd.exe.5bd00c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1874605322.0000000000611000.00000080.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1875254375.0000000005BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bvhk, type: DROPPED
No contacted IP infos