Windows Analysis Report
wrong bank details.exe

Overview

General Information

Sample name: wrong bank details.exe
Analysis ID: 1528126
MD5: 67a9a9b047b1e4f4d70930d8fd2142ad
SHA1: 269a60f8300a7b449c9cdc54a1470eefc0e192fb
SHA256: a750777345fce604f483adfbe40e5f0d4c0582e5536c273675d7fd1002e84c5d
Tags: exe, MassLogger

Detection

MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection

Source: wrong bank details.exe.616.4.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot8012948610:AAH4T2bfY_PPyXgKFGVw8rmhjBzj3nREYAE/sendMessage"}
Source: wrong bank details.exe ReversingLabs: Detection: 36%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: wrong bank details.exe Joe Sandbox ML: detected

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: wrong bank details.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: wrong bank details.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mGVh.pdb source: wrong bank details.exe
Source: Binary string: mGVh.pdbSHA256 source: wrong bank details.exe
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 00DA5782h 4_2_00DA5358
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 00DA51B9h 4_2_00DA4F08
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 00DA5782h 4_2_00DA56AF
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F41935h 4_2_04F415F8
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F4E778h 4_2_04F4E4D0
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F40741h 4_2_04F40498
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F4BF28h 4_2_04F4BC80
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F43EF8h 4_2_04F43C50
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F4DEC8h 4_2_04F4DC20
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F4D088h 4_2_04F4CDE0
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F4F028h 4_2_04F4ED80
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F40FF1h 4_2_04F40D48
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F4C7D8h 4_2_04F4C530
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F4A970h 4_2_04F4A6C8
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F4D93Ah 4_2_04F4D690
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F4F8D8h 4_2_04F4F630
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F4A0C0h 4_2_04F49E18
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F43AA0h 4_2_04F437F8
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F4B220h 4_2_04F4AF78
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F431F0h 4_2_04F42F48
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F40B99h 4_2_04F408F0
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F4C380h 4_2_04F4C0D8
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F44350h 4_2_04F440A8
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F4E320h 4_2_04F4E078
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F402E9h 4_2_04F40040
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F4BAD0h 4_2_04F4B828
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F4F480h 4_2_04F4F1D8
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F41449h 4_2_04F411A0
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F4CC30h 4_2_04F4C988
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F4EBD0h 4_2_04F4E928
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F42D98h 4_2_04F42AF0
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F4FD30h 4_2_04F4FA88
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F4A518h 4_2_04F4A270
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F4D4E0h 4_2_04F4D238
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F4B678h 4_2_04F4B3D0
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F43648h 4_2_04F433A0
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4x nop then jmp 04F4ADC8h 4_2_04F4AB20

Networking

Source: unknown DNS query: name: api.telegram.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 132.226.8.169
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.96.3
Source: Joe Sandbox View ASN Name: TELEGRAMRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49712 -> 132.226.8.169:80
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.orgd
Source: wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.comd
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002A21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/d
Source: wrong bank details.exe, 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.orgd
Source: wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.godaddy.com/gdig2s1-19134.crl0
Source: wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.godaddy.com/0
Source: wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.godaddy.com/02
Source: wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.godaddy.com/05
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002ABB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002ABB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.orgd
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002A21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: wrong bank details.exe, 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot8012948610:AAH4T2bfY_PPyXgKFGVw8rmhjBzj3nREYAE/sendDocument?chat_id=4039
Source: wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://certs.godaddy.com/repository/0
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: wrong bank details.exe, 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33d
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33l
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49719 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, UltraSpeed.cs .Net Code: VKCodeToUnicode
Source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, UltraSpeed.cs .Net Code: VKCodeToUnicode

System Summary

Source: 0.2.wrong bank details.exe.35c07b0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.wrong bank details.exe.35c07b0.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.wrong bank details.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.wrong bank details.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.wrong bank details.exe.35a9990.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.wrong bank details.exe.35a9990.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: wrong bank details.exe PID: 4992, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: wrong bank details.exe PID: 616, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\Desktop\wrong bank details.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 0_2_023CD55C
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 0_2_06CA8DF0
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 0_2_06CA4720
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 0_2_06CA3078
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 0_2_06CA4F90
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 0_2_06CA4F7F
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 0_2_06CA2C40
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 0_2_06CA4B58
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_00DAC168
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_00DA27B9
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_00DACAB0
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_00DA2DD1
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_00DA7E68
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_00DA4F08
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_00DAB9E0
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_00DACAAF
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_00DA4EF8
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_00DA7E67
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F41C58
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F415F8
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F44500
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F47770
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F46998
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4E4D0
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4E4C0
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F49C90
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F40498
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4BC80
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F40489
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4BC71
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F43C50
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F43C42
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4DC20
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4DC11
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4CDE0
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F415EA
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4CDD0
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4ED80
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4ED70
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F40D48
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4C530
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F40D39
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4C520
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4A6C8
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4A6B9
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4D690
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4D681
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4F630
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4F620
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F49E18
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F437F8
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F437E8
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4AF78
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4AF68
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F42F48
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F42F38
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F408F0
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F408DF
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4C0D8
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4C0CA
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F440A8
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F44098
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4E078
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4E068
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F40040
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4B828
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4001F
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4B818
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4F1D8
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4F1C8
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F411A0
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4118F
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4C988
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4C97A
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4E922
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4E928
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F42AF0
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F42AE0
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4FA88
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4A270
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4FA78
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4A261
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4D238
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4D22A
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4B3D0
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4B3C1
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F433A0
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F43391
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F41B4A
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4AB20
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_04F4AB10
Source: wrong bank details.exe, 00000000.00000002.2146705585.0000000006C00000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs wrong bank details.exe
Source: wrong bank details.exe, 00000000.00000000.2103680319.000000000025C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemGVh.exe8 vs wrong bank details.exe
Source: wrong bank details.exe, 00000000.00000002.2142441399.00000000007DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs wrong bank details.exe
Source: wrong bank details.exe, 00000000.00000002.2143846738.00000000025DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs wrong bank details.exe
Source: wrong bank details.exe, 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs wrong bank details.exe
Source: wrong bank details.exe, 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs wrong bank details.exe
Source: wrong bank details.exe, 00000004.00000002.4550376269.000000000041A000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs wrong bank details.exe
Source: wrong bank details.exe, 00000004.00000002.4550578170.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs wrong bank details.exe
Source: wrong bank details.exe Binary or memory string: OriginalFilenamemGVh.exe8 vs wrong bank details.exe
Source: wrong bank details.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.wrong bank details.exe.35c07b0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.wrong bank details.exe.35c07b0.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.wrong bank details.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.wrong bank details.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.wrong bank details.exe.35a9990.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.wrong bank details.exe.35a9990.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: wrong bank details.exe PID: 4992, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: wrong bank details.exe PID: 616, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: wrong bank details.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, UltraSpeed.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, COVIDPickers.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, UltraSpeed.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, COVIDPickers.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, bkmHwoyomka5cbrXc4.cs Security API names: _0020.SetAccessControl
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, bkmHwoyomka5cbrXc4.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, bkmHwoyomka5cbrXc4.cs Security API names: _0020.AddAccessRule
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, bkmHwoyomka5cbrXc4.cs Security API names: _0020.SetAccessControl
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, bkmHwoyomka5cbrXc4.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, bkmHwoyomka5cbrXc4.cs Security API names: _0020.AddAccessRule
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, OFYmxUvYUEi1tHs4m2.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, OFYmxUvYUEi1tHs4m2.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, OFYmxUvYUEi1tHs4m2.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, OFYmxUvYUEi1tHs4m2.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/1@3/3
Source: C:\Users\user\Desktop\wrong bank details.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wrong bank details.exe.log
Source: C:\Users\user\Desktop\wrong bank details.exe Mutant created: NULL
Source: C:\Users\user\Desktop\wrong bank details.exe Mutant created: \Sessions\1\BaseNamedObjects\GALWlSTgPdbAZdxHULqK
Source: wrong bank details.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wrong bank details.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\wrong bank details.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B30000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4552916694.0000000003A4D000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: wrong bank details.exe ReversingLabs: Detection: 36%
Source: unknown Process created: C:\Users\user\Desktop\wrong bank details.exe "C:\Users\user\Desktop\wrong bank details.exe"
Source: C:\Users\user\Desktop\wrong bank details.exe Process created: C:\Users\user\Desktop\wrong bank details.exe "C:\Users\user\Desktop\wrong bank details.exe"
Source: C:\Users\user\Desktop\wrong bank details.exe Process created: C:\Users\user\Desktop\wrong bank details.exe "C:\Users\user\Desktop\wrong bank details.exe"
Source: C:\Users\user\Desktop\wrong bank details.exe Process created: C:\Users\user\Desktop\wrong bank details.exe "C:\Users\user\Desktop\wrong bank details.exe"
Source: C:\Users\user\Desktop\wrong bank details.exe Process created: C:\Users\user\Desktop\wrong bank details.exe "C:\Users\user\Desktop\wrong bank details.exe"
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\wrong bank details.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: wrong bank details.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: wrong bank details.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: wrong bank details.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mGVh.pdb source: wrong bank details.exe
Source: Binary string: mGVh.pdbSHA256 source: wrong bank details.exe

Data Obfuscation

Source: wrong bank details.exe, Form1.cs .Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, bkmHwoyomka5cbrXc4.cs .Net Code: AFCSnSjktJ System.Reflection.Assembly.Load(byte[])
Source: 0.2.wrong bank details.exe.25b4924.0.raw.unpack, RZ.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, bkmHwoyomka5cbrXc4.cs .Net Code: AFCSnSjktJ System.Reflection.Assembly.Load(byte[])
Source: 0.2.wrong bank details.exe.7310000.5.raw.unpack, RZ.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 0_2_023CF530 pushfd ; iretd 0_2_023CF531
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 0_2_06CA9A88 push es; ret 0_2_06CA9A94
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_00DAF273 push ebp; retf 4_2_00DAF281
Source: wrong bank details.exe Static PE information: section name: .text entropy: 7.983800868512996
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, FCqjw3DuGTe57JV7o2.cs High entropy of concatenated method names: 'vWonCjkyZ', 'iauGJCLLa', 'gPS3ptrIL', 'o1aahSaZm', 'FgCfwSfxR', 'KwmRMtUSF', 'WKr7usgKtalTtZBv9r', 'XGsNngx173ARwHDe2C', 'GhCIL6HES', 'XvqO5quiG'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, G3WmFiEX3cpCgE1upC.cs High entropy of concatenated method names: 'eKto91fcgC', 'zqaojJreAG', 'HEQonxb1k4', 'VIpoGvKOy8', 'MO8o3tckt4', 'WdCoawOAJ3', 'IwBofk20Jf', 'RbSoRMoVrp', 'ci8hZYtwxqZ3A3FG7nZ', 'juZLUUtWvkV6nVB75S2'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, iXnLdLW7CcvgHiapVT1.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bG1OClAMZs', 'NCeOdrXaQc', 'ibGOK3CK0w', 'GhNOZJAX88', 'LfFOgeXx4J', 'ibxObWFqas', 'WxbOciFSYW'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, prGmTPNv2QCHHgMW6l.cs High entropy of concatenated method names: 'yM1hjE8hSO', 'I5RhrRyAPo', 'j0yhnFlcRf', 'w4PhGWk9rH', 'vixhitXftj', 'Y8nh3yUtuZ', 'LkZha8mdOB', 'IylhvklJYq', 'eTThfVSD6V', 'vZmhRkcmIh'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, T0dkFJeDVXcxq2Gt99.cs High entropy of concatenated method names: 'hDh4Waw6n7', 'Fjk47CydyT', 'YXv4SYDoR3', 'Mla4lifw6v', 'l6M4QMeUWS', 'zQo4pN1N3X', 'KlU4oZvI0g', 'LpKIcleGXL', 'x4qIsUcGGs', 'bHiIVFEa1F'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, XbdTaBRH6qOnTxoik4.cs High entropy of concatenated method names: 'TSOpisbLac', 'jahpavJ86y', 'D2g12ViFIS', 'StC1E7WS6K', 'zU71XpfEUv', 'vwp15XHurb', 'gRp1moohJE', 'aSs1YdrykY', 'xDA1NnfTC4', 'max1JwWxdD'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, ppqoTmVfKVPplix4TV.cs High entropy of concatenated method names: 'scYIFo6lvZ', 'oikIqPVuSw', 'iUHI2Y8psd', 'dhHIE5SRH8', 'lwSICHxcPy', 'inJIXPAvUs', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, dX3VNQZgEhPrW2sijw.cs High entropy of concatenated method names: 'LHdx6ENZed', 'YfJxwvfpwN', 'ToString', 'rp7xl2n0cQ', 'T2FxQgoUKC', 'tDWx1kE1NX', 'Abfxp1n2SQ', 'iqoxovKpVS', 'WPbxhUWCjw', 'mKDxyUD8yG'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, jnga2ebRKnaelFULRW.cs High entropy of concatenated method names: 'L1CxsPyc3a', 's7jxeluoHx', 'xtwIPQn25B', 'TqxIWJUj3g', 'kfRx0voqRj', 'csrxL9DhJ8', 'iRXxUiZJlU', 'FEZxCHeGe4', 'DPJxdHG17I', 'YwPxKvdX77'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, XK3khbUj96ZQnftMaD.cs High entropy of concatenated method names: 'f5I8vy14aj', 'DfZ8fnDOlM', 'bg08FPhr6E', 'RP08qk9cMG', 'BtE8EI6YMC', 'HE98Xr58pM', 'MJ18mHBEPH', 'GUL8YouRuO', 'MFM8JxccBT', 'bC48053SBG'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, juXfEuWPXpwx3Zh8Pp2.cs High entropy of concatenated method names: 'h5V4jiYGRN', 'f7v4r5HP7p', 'CKg4no94bt', 'iZW4GHfutQ', 'ETX4itf216', 'lI843nCUA3', 'dml4akHTrq', 'ct04v4xg1a', 'Xsu4fIbp99', 'Rwa4Rg9JUf'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, bAqFSIsBuZUb5q20YZ.cs High entropy of concatenated method names: 'hJMIl3poHu', 'SswIQHdhTI', 'hLdI1cCW98', 'S3mIpmsBlA', 'Xu6IoBOdHQ', 'YcSIhsy1w0', 'XknIydWExA', 'ypwIMUN3QN', 'pVhI67f24s', 'kVfIwoQ6D3'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, waLIt8zE22aqy7b4jc.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Mpi48uYbDJ', 'E1D4BcjFDL', 'DuF4HkfQXQ', 'yec4x78ae7', 'UJ34I2NKuP', 'oUr44TIJFd', 'zhc4OKUwV3'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, r6CW5PF3YwoVTIIo2o.cs High entropy of concatenated method names: 'FnRotmC7Nl', 'GlCoQm2jTI', 'T8SopBgp0x', 'eVjohimVP2', 'r8aoymbXhr', 'VX7pgpPeJq', 'N1xpb6DCYC', 'Y9wpcLtlbB', 'lI0ps2NxQC', 'fRSpVH375U'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, JShcRmmsjlsvFAs170.cs High entropy of concatenated method names: 'NPPhlqWFHJ', 'RlHh198bnL', 'akLho7hrnR', 'SKMoeGQ1LQ', 'AlZoz2IASc', 'lX3hPK3vXi', 'mguhWRnyVF', 'SxrhDBnati', 'VIAh79HXfU', 'sLghSixDMg'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, Ytu2QfSYmXelK4IS1S.cs High entropy of concatenated method names: 'kx0WhFYmxU', 'MUEWyi1tHs', 'vkmW6B9KDV', 'gBGWwfVbdT', 'qoiWBk446C', 'b5PWH3YwoV', 'uYvsdjjXMTZsD2QDwJ', 'doAHoXOMttJBKiZHpW', 'PqWKHcuyHxDvOPIbEn', 'LgmWW3RZf0'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, VqGKaRWD0ybbyhTZIEb.cs High entropy of concatenated method names: 'QCiOjiEQi0', 'evYOr1GbpS', 'gICOnM04g9', 'aiBKdjb5UEI2LW7XwRo', 'McrjlJbL5mgJlCxx83d', 'ncS03wbBUYiwkYmVJ2x', 'O37s8nbzcFV9WYyekOI', 'e7kv18DeQt0xuXCYVxF'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, hlvhouQiIC1cE3H005.cs High entropy of concatenated method names: 'Dispose', 't7bWVPT2YJ', 'IG3DqLII6K', 'xn5ssaJYoY', 'qWAWeqFSIB', 'wZUWzb5q20', 'ProcessDialogKey', 'LZHDPpqoTm', 'EKVDWPplix', 'rTVDDK0dkF'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, OFYmxUvYUEi1tHs4m2.cs High entropy of concatenated method names: 'dcFQCl8k0N', 'HnlQd5Sdp5', 'PgvQKeMav5', 'aodQZV17eE', 'SpEQgDggyq', 'zknQbN2ulp', 'MSlQc5Cwui', 'FRMQsIuJB8', 'ReWQViWfHf', 'u6bQelUR1O'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, bkmHwoyomka5cbrXc4.cs High entropy of concatenated method names: 'MZV7twfIZt', 'Tpd7laAamE', 'KbG7QMx4aZ', 'ytV71C4YwC', 'cYD7pVbNYn', 'udj7oNjwdq', 'z7t7hV5CKf', 'wZU7yFgTO3', 'kgQ7Ma1m3E', 'VRH763mBxC'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, D6XisAfkmB9KDVQBGf.cs High entropy of concatenated method names: 'MYy1Gjc7yV', 'cRI13mXfZG', 't6F1vumBCs', 'gWk1fbCk3B', 'pFi1B4denc', 'ROc1Hkifmy', 'kI21xXo9fn', 'rQH1IM9hg6', 'QHF14uExrQ', 'i871OgMXCL'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, vgdJJ0COQaS2onvOO3.cs High entropy of concatenated method names: 'RNvBJXZoWk', 'REBBLp6KKc', 'tdHBCu9vE1', 'icOBdokLCh', 'LkQBqcTdXb', 'AD4B2FwS3e', 'DVBBEI7JxT', 'LgxBX2FtbB', 'vJLB598TdX', 'oaOBmfvhA1'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, FCqjw3DuGTe57JV7o2.cs High entropy of concatenated method names: 'vWonCjkyZ', 'iauGJCLLa', 'gPS3ptrIL', 'o1aahSaZm', 'FgCfwSfxR', 'KwmRMtUSF', 'WKr7usgKtalTtZBv9r', 'XGsNngx173ARwHDe2C', 'GhCIL6HES', 'XvqO5quiG'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, G3WmFiEX3cpCgE1upC.cs High entropy of concatenated method names: 'eKto91fcgC', 'zqaojJreAG', 'HEQonxb1k4', 'VIpoGvKOy8', 'MO8o3tckt4', 'WdCoawOAJ3', 'IwBofk20Jf', 'RbSoRMoVrp', 'ci8hZYtwxqZ3A3FG7nZ', 'juZLUUtWvkV6nVB75S2'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, iXnLdLW7CcvgHiapVT1.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bG1OClAMZs', 'NCeOdrXaQc', 'ibGOK3CK0w', 'GhNOZJAX88', 'LfFOgeXx4J', 'ibxObWFqas', 'WxbOciFSYW'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, prGmTPNv2QCHHgMW6l.cs High entropy of concatenated method names: 'yM1hjE8hSO', 'I5RhrRyAPo', 'j0yhnFlcRf', 'w4PhGWk9rH', 'vixhitXftj', 'Y8nh3yUtuZ', 'LkZha8mdOB', 'IylhvklJYq', 'eTThfVSD6V', 'vZmhRkcmIh'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, T0dkFJeDVXcxq2Gt99.cs High entropy of concatenated method names: 'hDh4Waw6n7', 'Fjk47CydyT', 'YXv4SYDoR3', 'Mla4lifw6v', 'l6M4QMeUWS', 'zQo4pN1N3X', 'KlU4oZvI0g', 'LpKIcleGXL', 'x4qIsUcGGs', 'bHiIVFEa1F'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, XbdTaBRH6qOnTxoik4.cs High entropy of concatenated method names: 'TSOpisbLac', 'jahpavJ86y', 'D2g12ViFIS', 'StC1E7WS6K', 'zU71XpfEUv', 'vwp15XHurb', 'gRp1moohJE', 'aSs1YdrykY', 'xDA1NnfTC4', 'max1JwWxdD'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, ppqoTmVfKVPplix4TV.cs High entropy of concatenated method names: 'scYIFo6lvZ', 'oikIqPVuSw', 'iUHI2Y8psd', 'dhHIE5SRH8', 'lwSICHxcPy', 'inJIXPAvUs', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, dX3VNQZgEhPrW2sijw.cs High entropy of concatenated method names: 'LHdx6ENZed', 'YfJxwvfpwN', 'ToString', 'rp7xl2n0cQ', 'T2FxQgoUKC', 'tDWx1kE1NX', 'Abfxp1n2SQ', 'iqoxovKpVS', 'WPbxhUWCjw', 'mKDxyUD8yG'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, jnga2ebRKnaelFULRW.cs High entropy of concatenated method names: 'L1CxsPyc3a', 's7jxeluoHx', 'xtwIPQn25B', 'TqxIWJUj3g', 'kfRx0voqRj', 'csrxL9DhJ8', 'iRXxUiZJlU', 'FEZxCHeGe4', 'DPJxdHG17I', 'YwPxKvdX77'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, XK3khbUj96ZQnftMaD.cs High entropy of concatenated method names: 'f5I8vy14aj', 'DfZ8fnDOlM', 'bg08FPhr6E', 'RP08qk9cMG', 'BtE8EI6YMC', 'HE98Xr58pM', 'MJ18mHBEPH', 'GUL8YouRuO', 'MFM8JxccBT', 'bC48053SBG'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, juXfEuWPXpwx3Zh8Pp2.cs High entropy of concatenated method names: 'h5V4jiYGRN', 'f7v4r5HP7p', 'CKg4no94bt', 'iZW4GHfutQ', 'ETX4itf216', 'lI843nCUA3', 'dml4akHTrq', 'ct04v4xg1a', 'Xsu4fIbp99', 'Rwa4Rg9JUf'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, bAqFSIsBuZUb5q20YZ.cs High entropy of concatenated method names: 'hJMIl3poHu', 'SswIQHdhTI', 'hLdI1cCW98', 'S3mIpmsBlA', 'Xu6IoBOdHQ', 'YcSIhsy1w0', 'XknIydWExA', 'ypwIMUN3QN', 'pVhI67f24s', 'kVfIwoQ6D3'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, waLIt8zE22aqy7b4jc.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Mpi48uYbDJ', 'E1D4BcjFDL', 'DuF4HkfQXQ', 'yec4x78ae7', 'UJ34I2NKuP', 'oUr44TIJFd', 'zhc4OKUwV3'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, r6CW5PF3YwoVTIIo2o.cs High entropy of concatenated method names: 'FnRotmC7Nl', 'GlCoQm2jTI', 'T8SopBgp0x', 'eVjohimVP2', 'r8aoymbXhr', 'VX7pgpPeJq', 'N1xpb6DCYC', 'Y9wpcLtlbB', 'lI0ps2NxQC', 'fRSpVH375U'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, JShcRmmsjlsvFAs170.cs High entropy of concatenated method names: 'NPPhlqWFHJ', 'RlHh198bnL', 'akLho7hrnR', 'SKMoeGQ1LQ', 'AlZoz2IASc', 'lX3hPK3vXi', 'mguhWRnyVF', 'SxrhDBnati', 'VIAh79HXfU', 'sLghSixDMg'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, Ytu2QfSYmXelK4IS1S.cs High entropy of concatenated method names: 'kx0WhFYmxU', 'MUEWyi1tHs', 'vkmW6B9KDV', 'gBGWwfVbdT', 'qoiWBk446C', 'b5PWH3YwoV', 'uYvsdjjXMTZsD2QDwJ', 'doAHoXOMttJBKiZHpW', 'PqWKHcuyHxDvOPIbEn', 'LgmWW3RZf0'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, VqGKaRWD0ybbyhTZIEb.cs High entropy of concatenated method names: 'QCiOjiEQi0', 'evYOr1GbpS', 'gICOnM04g9', 'aiBKdjb5UEI2LW7XwRo', 'McrjlJbL5mgJlCxx83d', 'ncS03wbBUYiwkYmVJ2x', 'O37s8nbzcFV9WYyekOI', 'e7kv18DeQt0xuXCYVxF'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, hlvhouQiIC1cE3H005.cs High entropy of concatenated method names: 'Dispose', 't7bWVPT2YJ', 'IG3DqLII6K', 'xn5ssaJYoY', 'qWAWeqFSIB', 'wZUWzb5q20', 'ProcessDialogKey', 'LZHDPpqoTm', 'EKVDWPplix', 'rTVDDK0dkF'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, OFYmxUvYUEi1tHs4m2.cs High entropy of concatenated method names: 'dcFQCl8k0N', 'HnlQd5Sdp5', 'PgvQKeMav5', 'aodQZV17eE', 'SpEQgDggyq', 'zknQbN2ulp', 'MSlQc5Cwui', 'FRMQsIuJB8', 'ReWQViWfHf', 'u6bQelUR1O'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, bkmHwoyomka5cbrXc4.cs High entropy of concatenated method names: 'MZV7twfIZt', 'Tpd7laAamE', 'KbG7QMx4aZ', 'ytV71C4YwC', 'cYD7pVbNYn', 'udj7oNjwdq', 'z7t7hV5CKf', 'wZU7yFgTO3', 'kgQ7Ma1m3E', 'VRH763mBxC'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, D6XisAfkmB9KDVQBGf.cs High entropy of concatenated method names: 'MYy1Gjc7yV', 'cRI13mXfZG', 't6F1vumBCs', 'gWk1fbCk3B', 'pFi1B4denc', 'ROc1Hkifmy', 'kI21xXo9fn', 'rQH1IM9hg6', 'QHF14uExrQ', 'i871OgMXCL'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, vgdJJ0COQaS2onvOO3.cs High entropy of concatenated method names: 'RNvBJXZoWk', 'REBBLp6KKc', 'tdHBCu9vE1', 'icOBdokLCh', 'LkQBqcTdXb', 'AD4B2FwS3e', 'DVBBEI7JxT', 'LgxBX2FtbB', 'vJLB598TdX', 'oaOBmfvhA1'
Source: C:\Users\user\Desktop\wrong bank details.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\wrong bank details.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\wrong bank details.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Source: Yara match File source: Process Memory Space: wrong bank details.exe PID: 4992, type: MEMORYSTR
Source: C:\Users\user\Desktop\wrong bank details.exe Memory allocated: 2380000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wrong bank details.exe Memory allocated: 2580000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wrong bank details.exe Memory allocated: 4580000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wrong bank details.exe Memory allocated: 7440000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wrong bank details.exe Memory allocated: 6F30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wrong bank details.exe Memory allocated: 8440000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wrong bank details.exe Memory allocated: 9440000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wrong bank details.exe Memory allocated: DA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wrong bank details.exe Memory allocated: 2A20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wrong bank details.exe Memory allocated: 2860000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 599765
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 599653
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 599546
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 599437
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 599328
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 599218
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 599109
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 599000
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 598890
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 598781
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 598671
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 598562
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 598453
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 598343
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 598234
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 598125
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 598015
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 597906
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 597796
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 597687
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 597578
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 597468
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 597359
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 597250
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 597140
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 597014
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 596906
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 596796
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 596687
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 596578
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 596468
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 596359
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 596249
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 596140
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 596030
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 595921
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 595811
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 595703
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 595593
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 595484
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 595375
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 595265
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 595156
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 595043
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 594937
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 594828
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 594718
Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 594609
Source: C:\Users\user\Desktop\wrong bank details.exe Window / User API: threadDelayed 1774
Source: C:\Users\user\Desktop\wrong bank details.exe Window / User API: threadDelayed 8090
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 3992 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 2548 Thread sleep count: 1774 > 30
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 2548 Thread sleep count: 8090 > 30
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -599653s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -599546s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -598671s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -598343s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -598125s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -598015s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -597796s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -597687s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -597578s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -597468s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -597359s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -597250s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -597140s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -597014s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -596906s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -596796s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -596687s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -596578s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -596468s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -596359s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -596249s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -596140s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -596030s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -595921s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -595811s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -595703s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -595593s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -595484s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -595375s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -595265s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -595156s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -595043s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -594937s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -594828s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -594718s >= -30000s
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480 Thread sleep time: -594609s >= -30000s
Source: wrong bank details.exe, 00000004.00000002.4550726878.0000000000B67000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\wrong bank details.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\wrong bank details.exe Code function: 4_2_00DAC168 LdrInitializeThunk,LdrInitializeThunk, 4_2_00DAC168
Source: C:\Users\user\Desktop\wrong bank details.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\wrong bank details.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

barindex
Source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, UltraSpeed.cs Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
Source: C:\Users\user\Desktop\wrong bank details.exe Memory written: C:\Users\user\Desktop\wrong bank details.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wrong bank details.exe Process created: C:\Users\user\Desktop\wrong bank details.exe "C:\Users\user\Desktop\wrong bank details.exe"
Source: C:\Users\user\Desktop\wrong bank details.exe Queries volume information: C:\Users\user\Desktop\wrong bank details.exe VolumeInformation
Source: C:\Users\user\Desktop\wrong bank details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\wrong bank details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\wrong bank details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\wrong bank details.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\wrong bank details.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wrong bank details.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wrong bank details.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wrong bank details.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\wrong bank details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\wrong bank details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 0.2.wrong bank details.exe.35c07b0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.wrong bank details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.wrong bank details.exe.35a9990.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wrong bank details.exe PID: 4992, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wrong bank details.exe PID: 616, type: MEMORYSTR
Source: Yara match File source: 0.2.wrong bank details.exe.35c07b0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.wrong bank details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.wrong bank details.exe.35a9990.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wrong bank details.exe PID: 4992, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wrong bank details.exe PID: 616, type: MEMORYSTR
Source: C:\Users\user\Desktop\wrong bank details.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Yara match File source: 0.2.wrong bank details.exe.35c07b0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.wrong bank details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.wrong bank details.exe.35a9990.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wrong bank details.exe PID: 4992, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wrong bank details.exe PID: 616, type: MEMORYSTR
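The evasion evidence earlier in this section (the sample starting a copy of itself, an MZ header written into that process at base 400000, SeDebugPrivilege enabled, thread delays of roughly ten minutes) and the credential-store access listed just above are the lines a responder actually pivots on. The following Python script is an added example, not part of this report or of the sandbox's tooling: it parses "Source: ... Jump to behavior" evidence lines of the shape shown on this page and flags the self-injection pattern, credential-store access and long sleeps. The sample lines are copied from this section; the regex names, the 3-minute threshold, the assumption that delay values are milliseconds, and the extra store paths (Web Data, Cookies, logins.json, key4.db) are this example's own choices.

```python
import re

# Constructed sample: evidence lines copied from this report section.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\wrong bank details.exe Thread delayed: delay time: 594718 Jump to behavior",
    r"Source: C:\Users\user\Desktop\wrong bank details.exe Process token adjusted: Debug Jump to behavior",
    r"Source: C:\Users\user\Desktop\wrong bank details.exe Memory written: C:\Users\user\Desktop\wrong bank details.exe base: 400000 value starts with: 4D5A Jump to behavior",
    r'Source: C:\Users\user\Desktop\wrong bank details.exe Process created: C:\Users\user\Desktop\wrong bank details.exe "C:\Users\user\Desktop\wrong bank details.exe" Jump to behavior',
    r"Source: C:\Users\user\Desktop\wrong bank details.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior",
    r"Source: C:\Users\user\Desktop\wrong bank details.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior",
    r"Source: C:\Users\user\Desktop\wrong bank details.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior",
    r"Source: C:\Users\user\Desktop\wrong bank details.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior",
]

# Event names as they appear in the report lines.
EVENTS = ("Thread delayed", "Memory written", "Process created", "File opened",
          "Key opened", "Key value queried", "Process token adjusted")
LINE_RE = re.compile(
    r"^Source:\s+(?P<src>.+?)\s+(?P<event>" + "|".join(re.escape(e) for e in EVENTS)
    + r"):\s*(?P<detail>.*?)(?:\s+Jump to behavior)?\s*$"
)
# "Memory written" detail: <target process> base: <hex> value starts with: <hex>
MEM_WRITE_RE = re.compile(
    r"^(?P<target>.+?)\s+base:\s*(?P<base>[0-9A-Fa-f]+)\s+value starts with:\s*(?P<magic>[0-9A-Fa-f]+)$")
# "Process created" detail: <image path> "<command line>"
PROC_CREATED_RE = re.compile(r'^(?P<image>.+?)\s+"(?P<cmdline>.*)"$')
# Credential stores: Chromium "Login Data" and the Outlook profile key are from the report;
# Web Data, Cookies, logins.json and key4.db are added (assumed) Chromium/Firefox store names.
CRED_STORE_RE = re.compile(
    r"(\\Login Data$|\\Web Data$|\\Cookies$|\\logins\.json$|\\key4\.db$|"
    r"Windows Messaging Subsystem\\Profiles)", re.IGNORECASE)
# Delay values are taken as milliseconds (assumption); 3 minutes is this example's threshold.
SLEEP_THRESHOLD_MS = 3 * 60 * 1000


def parse(line):
    """Split one evidence line into (source process, event name, detail) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("src"), m.group("event"), m.group("detail").strip()


def triage(lines):
    """Return findings keyed by category for a list of evidence lines."""
    findings = {"process_hollowing": [], "credential_access": [],
                "long_sleep": [], "debug_privilege": []}
    spawned_self = set()  # images that started a new process from their own image
    pe_writes = []        # (writer, target, base) for writes beginning with the MZ magic
    for line in lines:
        parsed = parse(line)
        if not parsed:
            continue
        src, event, detail = parsed
        if event == "Process created":
            m = PROC_CREATED_RE.match(detail)
            if m and m.group("image").lower() == src.lower():
                spawned_self.add(src.lower())
        elif event == "Memory written":
            m = MEM_WRITE_RE.match(detail)
            if m and m.group("magic").upper().startswith("4D5A"):
                pe_writes.append((src.lower(), m.group("target").lower(), int(m.group("base"), 16)))
        elif event in ("File opened", "Key opened"):
            if CRED_STORE_RE.search(detail):
                findings["credential_access"].append(detail)
        elif event == "Thread delayed":
            m = re.search(r"delay time:\s*(\d+)", detail)
            if m and int(m.group(1)) >= SLEEP_THRESHOLD_MS:
                findings["long_sleep"].append(int(m.group(1)))
        elif event == "Process token adjusted" and detail == "Debug":
            findings["debug_privilege"].append(src)
    # RunPE / hollowing pattern: a process spawns its own image and writes a PE header
    # (MZ) into a process with that image at the image base.
    for writer, target, base in pe_writes:
        if writer in spawned_self and target == writer:
            findings["process_hollowing"].append(
                f"{writer} spawned a copy of itself and wrote an MZ header to it at 0x{base:X}")
    return findings


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LINES).items():
        print(category, hits)
```

The hollowing check deliberately requires both halves of the pattern (a self-spawn and an MZ write into a same-image process) so that a legitimate self-updater that writes non-PE data to a child is not flagged; the `MachineGuid` query is parsed but left uncategorised because on its own it is only a fingerprinting hint.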

Remote Access Functionality

Source: Yara match File source: 0.2.wrong bank details.exe.35c07b0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.wrong bank details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.wrong bank details.exe.35a9990.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wrong bank details.exe PID: 4992, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wrong bank details.exe PID: 616, type: MEMORYSTR
Source: Yara match File source: 0.2.wrong bank details.exe.35c07b0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.wrong bank details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.wrong bank details.exe.35a9990.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wrong bank details.exe PID: 4992, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wrong bank details.exe PID: 616, type: MEMORYSTR