Windows Analysis Report
IMG_3322101870451.exe

Overview

General Information

Sample name: IMG_3322101870451.exe
Analysis ID: 1526378
MD5: 8290ab3945cfc9355b5f18d4c4262cee
SHA1: f459dd7cdbc4881d6357c517c2b8026d3da77965
SHA256: 23382ffd9ce9a9b163ed1b6f0ef80242f16c5bc85b0d302fd81b7c4f5cd48acd
Tags: exe, user-abuse_ch

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

AV Detection

Source: IMG_3322101870451.exe Avira: detected
Source: http://185.167.61.13 VirusTotal: Detection: 6%
Source: IMG_3322101870451.exe ReversingLabs: Detection: 55%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: IMG_3322101870451.exe Joe Sandbox ML: detected
Source: IMG_3322101870451.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: IMG_3322101870451.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1 | Host: 185.167.61.13 | Connection: Keep-Alive (42 identical requests logged; no User-Agent header)
Source: Joe Sandbox View IP Address: 185.167.61.13
Source: unknown TCP traffic detected without corresponding DNS query: 185.167.61.13 (50 identical entries logged)
Source: global traffic HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1 | Host: 185.167.61.13 | Connection: Keep-Alive (42 further identical requests logged; no User-Agent header)
Source: IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000032C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.167.61.13
Source: IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000333E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.167.61.13/aa/Ubeyvibl.vdf
Source: IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033F2000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000344C000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000333E000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000337E000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003396000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033FA000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003450000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.167.61.13/aa/Ubeyvibl.vdfP
Source: IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033F2000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000338A000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003366000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000333E000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000337E000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003396000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000335F000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033FA000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003448000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003450000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.167.61.13D
Source: IMG_3322101870451.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: IMG_3322101870451.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: IMG_3322101870451.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: IMG_3322101870451.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: IMG_3322101870451.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: IMG_3322101870451.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: IMG_3322101870451.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: IMG_3322101870451.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: IMG_3322101870451.exe String found in binary or memory: http://ocsp.digicert.com0N
Source: IMG_3322101870451.exe String found in binary or memory: http://ocsp.thawte.com0
Source: IMG_3322101870451.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: IMG_3322101870451.exe String found in binary or memory: http://s.symcd.com06
Source: IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000333E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: IMG_3322101870451.exe String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: IMG_3322101870451.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: IMG_3322101870451.exe String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: IMG_3322101870451.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: IMG_3322101870451.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: IMG_3322101870451.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: IMG_3322101870451.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: IMG_3322101870451.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: IMG_3322101870451.exe String found in binary or memory: https://d.symcb.com/rpa0.
Source: IMG_3322101870451.exe String found in binary or memory: https://www.digicert.com/CPS0
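The network lines above record the behaviour behind the signatures "HTTP GET or POST without a user agent" and "TCP traffic detected without corresponding DNS query": the process fetches the same path from a hard-coded IP over and over, sending only Host and Connection headers. The following Python script is an added example, not part of the Joe Sandbox report, that runs those three heuristics (literal-IP Host never seen in a DNS answer, missing User-Agent, repeated polling of one URL) over constructed proxy and DNS log lines. The log format, the field names and the polling threshold of 3 are assumptions made for the example.

```python
"""Flag C2-style polling of a bare IP with no User-Agent, as seen in the report above.

Added example. The log lines are constructed for the demo and are not sandbox
output; the kind/timestamp/key=value layout is an assumption of this script.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log. ua=- means the request carried no User-Agent header.
SAMPLE_LOG = """\
dns 10:00:01 query=www.digicert.com answer=192.0.2.10
http 10:00:02 host=www.digicert.com method=GET uri=/CPS ua="Mozilla/5.0 (Windows NT 10.0)"
http 10:00:05 host=185.167.61.13 method=GET uri=/aa/Ubeyvibl.vdf ua=-
http 10:00:35 host=185.167.61.13 method=GET uri=/aa/Ubeyvibl.vdf ua=-
http 10:01:05 host=185.167.61.13 method=GET uri=/aa/Ubeyvibl.vdf ua=-
http 10:01:35 host=185.167.61.13 method=GET uri=/aa/Ubeyvibl.vdf ua=-
http 10:02:05 host=192.0.2.10 method=GET uri=/index.html ua="curl/8.4.0"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
POLL_THRESHOLD = 3   # assumed tuning value: the same URL hit this often counts as polling


def parse_line(line):
    """Split one constructed log line into a dict of fields (quotes stripped)."""
    kind, ts, rest = line.split(maxsplit=2)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields.update(kind=kind, ts=ts)
    return fields


def is_literal_ip(host):
    """True when the Host header is an IP address rather than a host name."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def analyse(log_text, poll_threshold=POLL_THRESHOLD):
    """Return {host+uri: sorted tags} for every request that matches a heuristic."""
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    resolved = {r["answer"] for r in records if r["kind"] == "dns" and "answer" in r}
    http = [r for r in records if r["kind"] == "http"]
    hits = Counter((r["host"], r["uri"]) for r in http)

    findings = defaultdict(set)
    for r in http:
        key = (r["host"], r["uri"])
        # Beacon to a hard-coded address: no DNS answer ever produced this IP.
        if is_literal_ip(r["host"]) and r["host"] not in resolved:
            findings[key].add("bare_ip_no_dns")
        # Browsers and nearly every legitimate HTTP stack send a User-Agent.
        if r.get("ua", "-") in ("-", ""):
            findings[key].add("no_user_agent")
        # The same URL fetched repeatedly on a keep-alive connection is polling.
        if hits[key] >= poll_threshold:
            findings[key].add("repeated_polling")
    return {f"{h}{u}": sorted(tags) for (h, u), tags in findings.items()}


if __name__ == "__main__":
    for url, tags in analyse(SAMPLE_LOG).items():
        print(f"{url}: {', '.join(tags)}")
```

Only the request to 185.167.61.13 trips all three checks; the DigiCert fetch has a resolved name and a User-Agent, and the single curl request to a resolved address stays clean. In a real pipeline the DNS answers would come from the resolver or Zeek `dns.log` rather than the same file.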

System Summary

Source: IMG_3322101870451.exe, type: SAMPLE Matched rule: Detects a trojan used in Saudi Aramco Phishing Author: Florian Roth
Source: 0.0.IMG_3322101870451.exe.f20000.0.unpack, type: UNPACKEDPE Matched rule: Detects a trojan used in Saudi Aramco Phishing Author: Florian Roth
Source: initial sample Static PE information: Filename: IMG_3322101870451.exe
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Code function: 0_2_01801C0A
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Code function: 0_2_01805A5C
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Code function: 0_2_01802554
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Code function: 0_2_01801C4C
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Code function: 0_2_01801704
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Code function: 0_2_01805A96
Source: IMG_3322101870451.exe Static PE information: invalid certificate
Source: IMG_3322101870451.exe, 00000000.00000002.3813828700.000000000147E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs IMG_3322101870451.exe
Source: IMG_3322101870451.exe, 00000000.00000000.1356903689.0000000000F22000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameTwihm.exeD vs IMG_3322101870451.exe
Source: IMG_3322101870451.exe Binary or memory string: OriginalFilenameTwihm.exeD vs IMG_3322101870451.exe
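The two lines above are what the signature "Sample file is different than original file name gathered from version info" is built on: the version resource names the binary Twihm.exe while it was delivered as IMG_3322101870451.exe (the stray trailing character in the report strings is most likely the first byte of the next version-info field, picked up by the string extractor). The following Python script is an added example, not code from the report or from the sample, that pulls OriginalFilename out of a PE's VS_VERSIONINFO StringTable using the on-disk layout of a String entry and compares it with the file name. It assumes the resource data is 4-byte aligned relative to the start of the file, which holds for PE files produced by normal linkers; the demo buffer is constructed here and is not the real resource.

```python
"""Compare a PE's VERSIONINFO OriginalFilename with the name it carries on disk.

Added example. A VS_VERSIONINFO String entry is laid out as: UTF-16LE key,
2-byte terminator, zero padding to the next DWORD boundary, UTF-16LE value,
2-byte terminator. Offsets are taken relative to file offset 0, which works
because the .rsrc section is file-aligned (assumption, true for normal linkers).
"""
import ntpath
import sys


def _utf16(text):
    return text.encode("utf-16-le")


def read_version_string(data, key):
    """Return the value stored under `key` in the StringTable, or None if absent."""
    needle = _utf16(key) + b"\x00\x00"
    pos = data.find(needle)
    if pos < 0:
        return None
    start = pos + len(needle)
    start += (-start) % 4                 # skip the DWORD padding before the value
    end = start
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2                          # advance one UTF-16 code unit at a time
    return data[start:end].decode("utf-16-le", errors="replace")


def filename_mismatch(path_on_disk, data):
    """True if the on-disk name differs from OriginalFilename; None when there is no version info."""
    original = read_version_string(data, "OriginalFilename")
    if original is None:
        return None
    # ntpath handles both \ and / so Windows paths compare correctly on any host.
    return ntpath.basename(path_on_disk).casefold() != original.casefold()


def build_sample_blob(original_name):
    """Constructed VERSIONINFO fragment standing in for the sample (not a real PE)."""
    blob = bytearray(16)                                   # filler, keeps 4-byte alignment
    blob += _utf16("OriginalFilename") + b"\x00\x00"
    blob += b"\x00" * ((-len(blob)) % 4)                   # DWORD padding
    blob += _utf16(original_name) + b"\x00\x00"
    blob += _utf16("ProductName") + b"\x00\x00"            # next entry's key follows
    return bytes(blob)


if __name__ == "__main__":
    if len(sys.argv) > 1:                                  # usage: python check.py <sample.exe>
        path = sys.argv[1]
        with open(path, "rb") as fh:
            blob = fh.read()
    else:                                                  # offline demo with the constructed blob
        path = r"C:\Users\user\Desktop\IMG_3322101870451.exe"
        blob = build_sample_blob("Twihm.exe")
    print("OriginalFilename:", read_version_string(blob, "OriginalFilename"))
    print("mismatch:", filename_mismatch(path, blob))
```

A mismatch on its own is weak evidence (renamed installers and copied tools trigger it too), which is why the report scores it alongside the network and evasion findings rather than alone; it is most useful as a triage pivot, here pointing to the internal name Twihm.exe for hunting across other samples.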
Source: IMG_3322101870451.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: IMG_3322101870451.exe, type: SAMPLE Matched rule: Saudi_Phish_Trojan date = 2017-10-12, hash1 = 8ad94dc5d59aa1e9962c76fd5ca042e582566049a97aef9f5730ba779e5ebb91, author = Florian Roth, description = Detects a trojan used in Saudi Aramco Phishing, reference = https://goo.gl/Z3JUAA, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.IMG_3322101870451.exe.f20000.0.unpack, type: UNPACKEDPE Matched rule: Saudi_Phish_Trojan date = 2017-10-12, hash1 = 8ad94dc5d59aa1e9962c76fd5ca042e582566049a97aef9f5730ba779e5ebb91, author = Florian Roth, description = Detects a trojan used in Saudi Aramco Phishing, reference = https://goo.gl/Z3JUAA, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: IMG_3322101870451.exe, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: IMG_3322101870451.exe, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal88.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Mutant created: NULL
Source: IMG_3322101870451.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IMG_3322101870451.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: IMG_3322101870451.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\IMG_3322101870451.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: IMG_3322101870451.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: IMG_3322101870451.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: IMG_3322101870451.exe, --.cs .Net Code: _0003 System.Reflection.Assembly.Load(byte[])
Source: IMG_3322101870451.exe, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Memory allocated: 17C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Memory allocated: 32C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Memory allocated: 3200000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Window / User API: threadDelayed 1632
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Window / User API: threadDelayed 8213
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8144 Thread sleep count: 1632 > 30
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8144 Thread sleep count: 8213 > 30
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep count: 41 > 30
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -37815825351104557s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -99430s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -99219s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -99088s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -98964s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -98859s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -98733s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -98623s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -98394s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -98252s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -98140s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -98031s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -97922s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -97812s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -97702s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -97593s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -97484s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -97375s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -97264s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -97156s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -97046s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -96937s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -96828s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -96718s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -96609s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -96500s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -96390s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -96281s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -96171s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -96060s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -95937s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -95812s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -95702s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -95586s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -95480s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -95375s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -95253s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -95140s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -95031s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -94921s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -94812s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -94703s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172 Thread sleep time: -94594s >= -30000s
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 99875
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 99765
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 99656
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 99547
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 99430
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 99328
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 99219
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 99088
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 98964
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 98859
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 98733
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 98623
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 98394
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 98252
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 98140
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 98031
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 97922
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 97812
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 97702
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 97593
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 97484
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 97375
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 97264
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 97156
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 97046
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 96937
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 96828
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 96718
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 96609
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 96500
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 96390
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 96281
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 96171
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 96060
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 95937
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 95812
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 95702
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 95586
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 95480
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 95375
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 95253
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 95140
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 95031
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 94921
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 94812
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 94703
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Thread delayed: delay time: 94594
Source: IMG_3322101870451.exe, 00000000.00000002.3813828700.000000000151E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Queries volume information: C:\Users\user\Desktop\IMG_3322101870451.exe VolumeInformation
Source: C:\Users\user\Desktop\IMG_3322101870451.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid