Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name: Set-up.exe
Analysis ID: 1525762
MD5: aa8809ce5384175be7c0efb2604787f6
SHA1: 4cfdea7c7b47f16e767901d733be97a6635fd455
SHA256: 78e8980aa18bea446cd21ba2c19fa7a3f79fafb3d713e03376d691900bf9d24e
Tags: exe, user-aachum

Detection

Clipboard Hijacker, Cryptbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Clipboard Hijacker
Yara detected Cryptbot
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops large PE files
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: CryptBot
Description: A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies and credit cards, and of creating screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

AV Detection

Source: Set-up.exe.6244.0.memstrmin Malware Configuration Extractor: Cryptbot {"C2 list": ["fiftvx15pt.top", "analforeverlovyu.top"]}
Source: Set-up.exe ReversingLabs: Detection: 44%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_001E15B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 4_2_001E15B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7614B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 4_2_6C7614B0
Source: Set-up.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Set-up.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea ecx, dword ptr [esp+04h] 4_2_001E81E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C7DAC70
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C7DAD20
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 4_2_6C802EF0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C77AF80
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, 6C83F960h 4_2_6C77E8C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, ecx 4_2_6C8004E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 4_2_6C7804F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 4_2_6C78E490
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 4_2_6C78E490
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 4_2_6C780610
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 4_2_6C78A720
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 4_2_6C78A790
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 4_2_6C78A790
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 4_2_6C780010
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [6C83D014h] 4_2_6C834110
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C784203
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 4_2_6C78C2C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebx 4_2_6C808250
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 4_2_6C78A330
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 4_2_6C78A3A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 4_2_6C78A3A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C7DBDF0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C7DBF50
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+04h] 4_2_6C7B9F90
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C7B9910
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C819900
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C79B98B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C79B987
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C7DBAC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 4_2_6C7D7AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, 6C83DFF4h 4_2_6C7D3440
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+0Ch] 4_2_6C78D424
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 4_2_6C7D35F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+08h] 4_2_6C78D5A4
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+04h] 4_2_6C78D724
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C78D050
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebx 4_2_6C7F7100
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C78D2B4
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C7DB280
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 4_2_6C7D93B0

Networking

Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.6:49747 -> 185.244.181.140:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.6:49775 -> 185.244.181.140:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.6:49802 -> 185.244.181.140:80
Source: Malware configuration extractor URLs: fiftvx15pt.top
Source: Malware configuration extractor URLs: analforeverlovyu.top
Source: Joe Sandbox View IP Address: 185.244.181.140
Source: Joe Sandbox View ASN Name: BELCLOUDBG
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: multipart/form-data; boundary=----Boundary46584377 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 | Content-Length: 412 | Host: fiftvx15pt.top
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: multipart/form-data; boundary=----Boundary38382003 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 | Content-Length: 91197 | Host: fiftvx15pt.top
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: multipart/form-data; boundary=----Boundary27285830 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 | Content-Length: 30096 | Host: fiftvx15pt.top
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: fiftvx15pt.top
Source: unknown HTTP traffic detected: POST /v1/upload.php HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: multipart/form-data; boundary=----Boundary46584377 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 | Content-Length: 412 | Host: fiftvx15pt.top
Source: Set-up.exe, 00000000.00000003.2336556663.0000000001768000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2336684023.000000000176A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fiftvx15pt.top/v1/u/
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: HwYuaUvXqdEkCixuJard.dll.0.dr String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: Set-up.exe String found in binary or memory: https://serviceupdate32.com/update
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C779B99 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,GetClipboardSequenceNumber, 4_2_6C779B99
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C779BD7 GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 4_2_6C779BD7

System Summary

Source: C:\Users\user\Desktop\Set-up.exe File dump: service123.exe.0.dr 314617856
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_001E51B0 4_2_001E51B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_001E3E20 4_2_001E3E20
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C76CD00 4_2_6C76CD00
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C824E80 4_2_6C824E80
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C76EE50 4_2_6C76EE50
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C770FC0 4_2_6C770FC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7B0870 4_2_6C7B0870
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7A2A7E 4_2_6C7A2A7E
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7744F0 4_2_6C7744F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7A4490 4_2_6C7A4490
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C798570 4_2_6C798570
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7A0580 4_2_6C7A0580
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C792110 4_2_6C792110
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7A1E40 4_2_6C7A1E40
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7AFE10 4_2_6C7AFE10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C775880 4_2_6C775880
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7AD99E 4_2_6C7AD99E
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7BDA20 4_2_6C7BDA20
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C78F510 4_2_6C78F510
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7996A0 4_2_6C7996A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7A77D0 4_2_6C7A77D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C763000 4_2_6C763000
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7770C0 4_2_6C7770C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7A11BE 4_2_6C7A11BE
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7B12C0 4_2_6C7B12C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7AF3C0 4_2_6C7AF3C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C835980 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C8338D0 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C833310 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C835A70 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C82AB60 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C833490 appears 45 times
Source: Set-up.exe, 00000000.00000002.2843692223.0000000001775000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameschtasks.exej% vs Set-up.exe
Source: Set-up.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/2@2/1
Source: C:\Users\user\Desktop\Set-up.exe File created: C:\Users\user\AppData\Local\YfymcGAlvL
Source: C:\Users\user\AppData\Local\Temp\service123.exe Mutant created: \Sessions\1\BaseNamedObjects\quJYrdQFgygDuzOLcwxa
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4560:120:WilError_03
Source: C:\Users\user\Desktop\Set-up.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe
Source: Set-up.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Set-up.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Set-up.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Set-up.exe, 00000000.00000003.2378388009.000000000393E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Set-up.exe ReversingLabs: Detection: 44%
Source: unknown Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: hwyuauvxqdekcixujard.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: hwyuauvxqdekcixujard.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: hwyuauvxqdekcixujard.dll
Source: C:\Users\user\Desktop\Set-up.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Set-up.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Set-up.exe Static file information: File size 9979904 > 1048576
Source: Set-up.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c1c00
Source: Set-up.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x670c00
Source: Set-up.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_001E8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, 4_2_001E8230
Source: Set-up.exe Static PE information: section name: .eh_fram
Source: service123.exe.0.dr Static PE information: section name: .eh_fram
Source: HwYuaUvXqdEkCixuJard.dll.0.dr Static PE information: section name: .eh_fram
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_001EA499 push es; iretd 4_2_001EA694
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7A8C2A push edx; mov dword ptr [esp], ebx 4_2_6C7A8C3E
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7B4DC1 push eax; mov dword ptr [esp], ebx 4_2_6C7B4DD5
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7D4DB0 push eax; mov dword ptr [esp], ebx 4_2_6C7D5018
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7A6E03 push edx; mov dword ptr [esp], ebx 4_2_6C7A6E17
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7B4FA1 push eax; mov dword ptr [esp], ebx 4_2_6C7B4FB5
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7DE860 push eax; mov dword ptr [esp], ebx 4_2_6C7DE98B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7B285C push edx; mov dword ptr [esp], ebx 4_2_6C7B2870
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7B0852 push eax; mov dword ptr [esp], ebx 4_2_6C7B0866
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7C8850 push eax; mov dword ptr [esp], ebx 4_2_6C7C8E4F
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C8109E0 push eax; mov dword ptr [esp], edi 4_2_6C810B5A
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7E29A0 push eax; mov dword ptr [esp], ebx 4_2_6C7E2CD4
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7E29A0 push edx; mov dword ptr [esp], ebx 4_2_6C7E2CF3
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7DEAC0 push eax; mov dword ptr [esp], ebx 4_2_6C7DEBE3
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7B4BE1 push eax; mov dword ptr [esp], ebx 4_2_6C7B4BF5
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7F0460 push eax; mov dword ptr [esp], ebx 4_2_6C7F07FF
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7A0452 push eax; mov dword ptr [esp], ebx 4_2_6C7A048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7B8451 push 890005EAh; ret 4_2_6C7B8459
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7A04BE push eax; mov dword ptr [esp], ebx 4_2_6C7A048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7A04AD push eax; mov dword ptr [esp], ebx 4_2_6C7A048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7A64A3 push edx; mov dword ptr [esp], ebx 4_2_6C7A64B7
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7AA527 push eax; mov dword ptr [esp], ebx 4_2_6C7AA53B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C781AAA push eax; mov dword ptr [esp], ebx 4_2_6C836622
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7AA6F7 push eax; mov dword ptr [esp], ebx 4_2_6C7AA70B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C786003 push eax; mov dword ptr [esp], ebx 4_2_6C836AF6
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C786003 push edx; mov dword ptr [esp], edi 4_2_6C836B36
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7B40D5 push ecx; mov dword ptr [esp], ebx 4_2_6C7B40E9
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C786098 push eax; mov dword ptr [esp], ebx 4_2_6C836622
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7A81E5 push edx; mov dword ptr [esp], ebx 4_2_6C7A81F9
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7A023B push eax; mov dword ptr [esp], ebx 4_2_6C7A0251
Source: C:\Users\user\Desktop\Set-up.exe File created: C:\Users\user\AppData\Local\Temp\HwYuaUvXqdEkCixuJard.dll
Source: C:\Users\user\Desktop\Set-up.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe

Boot Survival

Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Users\user\Desktop\Set-up.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\service123.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\service123.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\Set-up.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\service123.exe Window / User API: threadDelayed 819
Source: C:\Users\user\AppData\Local\Temp\service123.exe API coverage: 1.1 %
Source: C:\Users\user\Desktop\Set-up.exe TID: 2084 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 5648 Thread sleep count: 819 > 30
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 5648 Thread sleep time: -81900s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\service123.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Temp
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: Set-up.exe Binary or memory string: VMware
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: Set-up.exe Binary or memory string: 7libgcc_s_dw2-1.dll__register_frame_info__deregister_frame_infofactorBlizzard.txtSystem Profile.kdbDualSenseXSunSilhouette AmericaJxBrowsersdkLibraryVisual Studio SetupbackupsDaumworkspace-storageXiaomiExodus EdenGIMPbfnaelmomeimhlpmgjnjophhpkkoljpaLocal StoreSketchUpDownloaded Installations.jpeglocalization-cacheUniSDKContinuous MigrationSteam\BitTorrenttonseeedwindowParams.jsonViberEpicGamesLauncherAuthgameThinkBuzanStorageRestor.thinkorswimpocoProgramDataBeamNG.drivecodepeubandlab-assistantStreamingVideoProvider\PerfLogs...microAppsnavigationSpoonholdlinknowwodlSUPERAntiSpywareUARJaxxcarddumpsdoge3uToolsAdvinstAnalyticsbtcTerminal Server Client.jpgProgram Filesuser_data#2.VirtualBoxcitizenfxfnjhmkhhmkbjkkabndcnnogagogbneecaholpfdialjgjfhomihkjbmgjidlcdnoVaultlibrariesusdcom.adobe.dunamisViberPCmonnaietdummymentalmentorElevatedDiagnosticsWindowsA7FDF864FBC10B77emojiAvid.pwd.dochodlCodeTwoWinRARApplicationInsightsticketDRPSuJetBrainsNewTekWindows Live.rtfPackage CacheRAV Endpoint ProtectionTeraBoxTransferSupportRazer\Amazon MusicbhhhlbepdkbapadjdnnojkbgioiodbicSpellingDriverPack Cloud2FAHiSuitedlcobpjiigpikoobohmabehhmhfoodbbFACEIT\tronWebTorrentstremioTSMonitoraccountZXPInstaller\MacromediaCiscoSparkHewlett-PackardToolbarcartiTop PDFpayCode\NoxeurRealwebviewScreenadspower_globalTencentSnapshotsUI LauncherCLR_v4.0.pdfClassicShellltc.pngF8806DD0C461824Fuser_data#5CLR_v2.0_32.openshot_qtD877F783D5D3EF8CDoremidaiDropboxarduino-ideCreativeFiveM\.xlsSamsung MagicianokxNVIDIA Corporation\ReasonSaferWebIdentityCachecomponentsWhatsApp\FacebookLlaveuser_data#4TokenBrokerJDownloader 2.0Valve Corporationexodus.walletVirtualStoreWondershareCode - Insiders\DiscoveryLibreOfficeklnaejjgbibmhlephnhpmaofohgkpgkdZomboidCrashReportClientJavaScriptLedger Live\Rocket LeagueARMDropboxElectronNavegadorSeguroCENEVALSidify Music Converterbluestacks-servicesIK Product ManagerSony CorporationAdawareCredentialsVS Revo Groupuser_dataMiniTool Video 
ConverterOneNoteOverwolf\EasyAntiCheatDataFolderimportdeemix MusicLavasoftVMwareDATAparkPublicSlackPreSonusRealNetworksRealPlayercom.liberty.jaxxMcAfee_IncTreexyAndroid Open Source Project\Program Files (x86)Riot Games\ContactsXpomBlack Sea Studiosassets.arduinoIDEMicrosoft GamesAdobeSearchesGuest ProfileSpeechQRmainWindows StoreJackbox GamesNotionPunkBusterHabbo Launchernodobs-studio\ljfoeinjpaedjfecbmggjgodbgkmjkjkindexpipCrystal DynamicsPowerISOEOS Webcam UtilityVirtualBoxBlendEdgeUpdateUTC--2masterSystemCertificatessourcePicWishCLR_v2.0.minecraftGMEGLOBALuser_data#3AIMPhakuneko-desktopWebStoragevisa/home/anal/bot/zip_include/miniz.hpArray->m_element_sized->m_huff_code_sizes[0][s_tdefl_len_sym[match_len]]bits <= ((1U << len) - 1U)d->m_huff_code_sizes[1][sym]d->m_huff_code_sizes[0][lit]after create bufferbefore create buffererror 4104error 5105106107101103102100code < TDEFL_MAX_HUFF_SYMBOLS_2
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Set-up.exe, 00000000.00000003.2336684023.0000000001775000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2843692223.0000000001775000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Set-up.exe, 00000000.00000002.2843692223.000000000172E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp<x
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_001E8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, 4_2_001E8230
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_001E116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit, 4_2_001E116C
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_001E1160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 4_2_001E1160
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_001E11A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 4_2_001E11A3
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_001E13C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm, 4_2_001E13C9
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C7E8280 cpuid 4_2_6C7E8280
Source: C:\Users\user\Desktop\Set-up.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Set-up.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 4.2.service123.exe.6c760000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2825437842.000000000445D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Set-up.exe PID: 6244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: service123.exe PID: 5608, type: MEMORYSTR
Source: Set-up.exe String found in binary or memory: \Electrum-btcp\wallets
Source: Set-up.exe String found in binary or memory: \ElectronCash\wallets
Source: Set-up.exe, 00000000.00000000.2222222678.0000000001464000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Windows 8.1 %wSWindows Server 2012 R2 %wSWindows 11 %wSWindows 10 %wSWindows Server 2016 or higher %wSWindows %wS %wSE:I:F:G:H:D:C:NitroOxygen - Atomic Crypto WalletYoroiPolkadot{.js} extensionSolflare WalletSui WalletBitwarden - Free Password ManagerLastPass - Free Password ManagerEnkrypt - Multichain Crypto WalletRabby WalletAuthyCrypto.com - Wallet ExtensionZilPayExodus Web3 WalletTrust WalletMartian Aptos & Sui Wallet ExtensionOKX WalletAuthenticatorBackpackXverse WalletUniSat WalletTonkeeper - wallet for TONSafePal Extension WalletKeplrTemple - Tezos WalletMEW CXJaxx LibertyGuarda WalletSollet WalletTrezor Password ManagerUnknown Walletdragon.exeAvastBrowser.exechrome.exeAVGBrowser.exebrowser.exebrave.exe360ChromeX.exeslimjet.exevivaldi.exeCCleanerBrowser.execatsxp.exeopera.exemsedge.exeBrowserskey3.dbsignons.sqliteoptimization_guide_model_storeWeb ApplicationsSegmentation Platformnot initializedinvalid entry nameentry not foundinvalid zip modeinvalid compression levelno zip 64 supportmemset errorcannot write data to entrycannot initialize tdefl compressorinvalid indexheader not foundcannot flush tdefl buffercannot write entry headercannot create entry headercannot write to central dircannot open fileinvalid entry typeextracting data using no memory allocationfile not foundno permissionout of memoryinvalid zip archive namemake dir errorsymlink errorclose archive errorcapacity size too smallfseek errorfread errorfwrite errorcannot initialize readercannot initialize writercannot initialize writer from readerstream endneed dictionaryfile errorstream errordata errorout of memorybuf errorversion errorparameter errorbefore addDatAndEthFilesbefore addCryptoWallets\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - 
wallets)HP_Easy_StartBaiduBrowserCache\Opera Software\\User Data\\Desktop\Profiles\no errorundefined errortoo many filesfile too largeunsupported methodunsupported encryptionunsupported featurefailed finding central directorynot a ZIP archiveinvalid header or archive is corruptedunsupported multidisk archivedecompression failed or archive is corruptedcompression failedunexpected decompressed sizeCRC-32 check failedunsupported central directory sizeallocation failedfile open failedfile create failedfile write failedfile read failedfile close failedfile seek failedfile stat failedinvalid parameterinvalid filenamebuffer too smallinternal errorfile not foundarchive is too largevalidation failedwrite callback failedtotal errors
Source: Set-up.exe String found in binary or memory: com.liberty.jaxx
Source: Set-up.exe String found in binary or memory: \Exodus\backup
Source: Set-up.exe String found in binary or memory: \exodus.wallet
Source: Set-up.exe String found in binary or memory: Ethereum (UTC)
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: Yara match File source: Process Memory Space: Set-up.exe PID: 6244, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: Set-up.exe PID: 6244, type: MEMORYSTR