Windows Analysis Report
Setup_v1.29.exe

Overview

General Information

Sample name: Setup_v1.29.exe
Analysis ID: 1541475
MD5: e38b4faeaf253cd6652941a56d542487
SHA1: 92611ecf179b54c5763b12ba4b2f582ee6016024
SHA256: 3e3e1c5b65b0141c99f48942ea0090c89524dffe5ae9e24ae783c53500145ec0
Tags: exe, user-aachum

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file name is different from the original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://95.217.125.57/2f571d994666c8cb.php", "Botnet": "36495972654"}
Source: C:\Users\user\AppData\Roaming\msvcp110.dll ReversingLabs: Detection: 79%
Source: Setup_v1.29.exe ReversingLabs: Detection: 50%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\msvcp110.dll Joe Sandbox ML: detected
Source: Setup_v1.29.exe Joe Sandbox ML: detected
Source: Setup_v1.29.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Setup_v1.29.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Setup_v1.29.exe.log
Source: Setup_v1.29.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Setup_v1.29.exe Code function: 0_2_6CFB5DC4 FindFirstFileExW, 0_2_6CFB5DC4

Networking

Source: Malware configuration extractor URLs: http://95.217.125.57/2f571d994666c8cb.php
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: 95.217.125.57 | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: unknown DNS traffic detected: query: 15.164.165.52.in-addr.arpa replycode: Name error (3)
Source: unknown DNS traffic detected: query: 200.163.202.172.in-addr.arpa replycode: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.125.57
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: 200.163.202.172.in-addr.arpa
Source: aspnet_regiis.exe, 00000003.00000002.2544451166.00000000035F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.217.125.57
Source: aspnet_regiis.exe, 00000003.00000002.2544451166.000000000363C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2544451166.00000000035F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.217.125.57/
Source: aspnet_regiis.exe, 00000003.00000002.2544451166.000000000363C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.217.125.57/4Q
Source: Amcache.hve.7.dr String found in binary or memory: http://upx.sf.net

System Summary

Source: Setup_v1.29.exe Static PE information: section name:
Source: C:\Users\user\Desktop\Setup_v1.29.exe Code function: 0_2_6CF91870 GetModuleHandleW,NtQueryInformationProcess, 0_2_6CF91870
Source: C:\Users\user\Desktop\Setup_v1.29.exe Code function: 0_2_6CF95900 GetGameData,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,VirtualAlloc,CreateProcessW,NtGetContextThread,NtWriteVirtualMemory,NtWriteVirtualMemory, 0_2_6CF95900
Source: C:\Users\user\Desktop\Setup_v1.29.exe Code function: String function: 6CFAFF00 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1280
Source: Setup_v1.29.exe, 00000000.00000000.2059251717.0000000000EFC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUlyssesYvonne.cGdP vs Setup_v1.29.exe
Source: Setup_v1.29.exe, 00000000.00000002.2074903630.000000000164E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Setup_v1.29.exe
Source: Setup_v1.29.exe Binary or memory string: OriginalFilenameUlyssesYvonne.cGdP vs Setup_v1.29.exe
Source: Setup_v1.29.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Setup_v1.29.exe Static PE information: Section: w.Aif ZLIB complexity 1.0003296675955413
Source: classification engine Classification label: mal100.troj.evad.winEXE@5/7@2/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_03118680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 3_2_03118680
Source: C:\Users\user\Desktop\Setup_v1.29.exe File created: C:\Users\user\AppData\Roaming\msvcp110.dll
Source: C:\Users\user\Desktop\Setup_v1.29.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5528:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess764
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\106ddd24-d855-4c70-8f42-8f94d4e2117d
Source: Setup_v1.29.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Setup_v1.29.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Setup_v1.29.exe ReversingLabs: Detection: 50%
Source: unknown Process created: C:\Users\user\Desktop\Setup_v1.29.exe "C:\Users\user\Desktop\Setup_v1.29.exe"
Source: C:\Users\user\Desktop\Setup_v1.29.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Setup_v1.29.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1280
Source: C:\Users\user\Desktop\Setup_v1.29.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Setup_v1.29.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Setup_v1.29.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Setup_v1.29.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Setup_v1.29.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Setup_v1.29.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Setup_v1.29.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Setup_v1.29.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Setup_v1.29.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Setup_v1.29.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Setup_v1.29.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Setup_v1.29.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Setup_v1.29.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Setup_v1.29.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Setup_v1.29.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Setup_v1.29.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: C:\Users\user\Desktop\Setup_v1.29.exe Unpacked PE file: 0.2.Setup_v1.29.exe.ea0000.0.unpack w.Aif:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
Source: Setup_v1.29.exe Static PE information: section name: w.Aif
Source: Setup_v1.29.exe Static PE information: section name:
Source: C:\Users\user\Desktop\Setup_v1.29.exe Code function: 0_2_6CFBC941 push ecx; ret 0_2_6CFBC954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0311B035 push ecx; ret 3_2_0311B048
Source: Setup_v1.29.exe Static PE information: section name: w.Aif entropy: 7.999509079649383
Source: C:\Users\user\Desktop\Setup_v1.29.exe File created: C:\Users\user\AppData\Roaming\msvcp110.dll
Source: C:\Users\user\Desktop\Setup_v1.29.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Setup_v1.29.exe.log
Source: C:\Users\user\Desktop\Setup_v1.29.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Setup_v1.29.exe PID: 2792, type: MEMORYSTR
Source: C:\Users\user\Desktop\Setup_v1.29.exe Memory allocated: 1850000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Setup_v1.29.exe Memory allocated: 31B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Setup_v1.29.exe Memory allocated: 51B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Setup_v1.29.exe Memory allocated: 5830000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Setup_v1.29.exe Memory allocated: 6830000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Setup_v1.29.exe Memory allocated: 6960000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Setup_v1.29.exe Memory allocated: 7960000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Setup_v1.29.exe Memory allocated: 7CF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Setup_v1.29.exe Memory allocated: 8CF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Setup_v1.29.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Setup_v1.29.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\msvcp110.dll
Source: C:\Users\user\Desktop\Setup_v1.29.exe TID: 2472 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Setup_v1.29.exe Code function: 0_2_6CFB5DC4 FindFirstFileExW, 0_2_6CFB5DC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_03117ED0 GetSystemInfo, 3_2_03117ED0
Source: Amcache.hve.7.dr Binary or memory string: VMware
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: aspnet_regiis.exe, 00000003.00000002.2544451166.0000000003652000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: aspnet_regiis.exe, 00000003.00000002.2544451166.0000000003625000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: aspnet_regiis.exe, 00000003.00000002.2544451166.00000000035F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Setup_v1.29.exe Code function: 0_2_6CFAFDD7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CFAFDD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_031045C0 VirtualProtect ?,00000004,00000100,00000000 3_2_031045C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_03119750 mov eax, dword ptr fs:[00000030h] 3_2_03119750
Source: C:\Users\user\Desktop\Setup_v1.29.exe Code function: 0_2_6CFB74EA GetProcessHeap, 0_2_6CFB74EA
Source: C:\Users\user\Desktop\Setup_v1.29.exe Code function: 0_2_6CFAFDD7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CFAFDD7
Source: C:\Users\user\Desktop\Setup_v1.29.exe Code function: 0_2_6CFB3D1D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CFB3D1D
Source: C:\Users\user\Desktop\Setup_v1.29.exe Code function: 0_2_6CFAFAD1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6CFAFAD1
Source: C:\Users\user\Desktop\Setup_v1.29.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: Setup_v1.29.exe PID: 2792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 764, type: MEMORYSTR
Source: C:\Users\user\Desktop\Setup_v1.29.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3100000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Setup_v1.29.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3100000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Setup_v1.29.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3100000
Source: C:\Users\user\Desktop\Setup_v1.29.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3101000
Source: C:\Users\user\Desktop\Setup_v1.29.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 311E000
Source: C:\Users\user\Desktop\Setup_v1.29.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 312B000
Source: C:\Users\user\Desktop\Setup_v1.29.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 335C000
Source: C:\Users\user\Desktop\Setup_v1.29.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2FB7008
Source: C:\Users\user\Desktop\Setup_v1.29.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\Setup_v1.29.exe Code function: 0_2_6CFAFBF3 cpuid 0_2_6CFAFBF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: GetLocaleInfoA, 3_2_03117B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Setup_v1.29.exe Queries volume information: C:\Users\user\Desktop\Setup_v1.29.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Setup_v1.29.exe Code function: 0_2_6CFAFF9A GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6CFAFF9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_03117850 GetUserNameA, 3_2_03117850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_03117A30 GetTimeZoneInformation, 3_2_03117A30
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 3.2.aspnet_regiis.exe.3100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.aspnet_regiis.exe.3100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Setup_v1.29.exe.6cfc5000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Setup_v1.29.exe.6cfc5000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Setup_v1.29.exe.6cf80000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2544451166.00000000035F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2543941524.000000000319A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 764, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 3.2.aspnet_regiis.exe.3100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.aspnet_regiis.exe.3100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Setup_v1.29.exe.6cfc5000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Setup_v1.29.exe.6cfc5000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Setup_v1.29.exe.6cf80000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2543891438.0000000003100000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2544451166.00000000035F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2081993922.000000006CFC5000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2543941524.000000000319A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 764, type: MEMORYSTR