Windows Analysis Report
IXi8q1gF78.exe

Overview

General Information

Sample name: IXi8q1gF78.exe
renamed because original name is a hash value
Original sample name: 378059b27606eae8b78d0ebcd8cf469ece63a8e36459ebb060739ac3bdb35d62.exe
Analysis ID: 1542346
MD5: 4a877b33da7992ee741897eb26ce07f1
SHA1: c951f9b852a6ee975f5e66ce6d9b3671fbffd989
SHA256: 378059b27606eae8b78d0ebcd8cf469ece63a8e36459ebb060739ac3bdb35d62
Tags: 217-195-153-196exekoiloaderTMBackdooruser-JAMESWT_MHT
Infos:

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations
Checks if the current process is being debugged
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: IXi8q1gF78.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: IXi8q1gF78.exe ReversingLabs: Detection: 100%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: IXi8q1gF78.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_005233E0 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_005233E0
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_0052285E CryptAcquireContextA,socket,gethostbyname,htons,htons,CryptGenRandom,CryptGenRandom,htons,memcpy,connect,send,closesocket,CryptReleaseContext,socket,gethostbyname,htons,connect,send,closesocket, 0_2_0052285E
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_0052EBB0 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_0052EBB0
Contains functionality to create an SMB header
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: mov dword ptr [esi], 424D53FFh 0_2_00530A80
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: cmp dword ptr [edi+04h], 424D53FFh 0_2_0052EF90
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: mov dword ptr [edi], 424D53FFh 0_2_00527860
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: mov dword ptr [esi], 424D53FFh 0_2_00530460
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: mov dword ptr [esi], 424D53FFh 0_2_005324C0
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: mov dword ptr [esi], 424D53FFh 0_2_0052F510
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: mov dword ptr [esi], 424D53FFh 0_2_00530510
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: mov dword ptr [esi], 424D53FFh 0_2_0052F100
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: mov dword ptr [esi], 424D53FFh 0_2_00530590
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: mov dword ptr [esi], 424D53FFh 0_2_0052F250
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: mov dword ptr [esi], 424D53FFh 0_2_00530640
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: mov dword ptr [esi], 424D53FFh 0_2_0052FB50
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: mov dword ptr [esi], 424D53FFh 0_2_005323D0
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: mov dword ptr [edi], 424D53FFh 0_2_00527790
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: mov dword ptr [esi], 424D53FFh 0_2_0052F3B0

Compliance
barindex
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Unpacked PE file: 0.2.IXi8q1gF78.exe.520000.1.unpack
Uses 32bit PE files
Source: IXi8q1gF78.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_00522100 CoTaskMemAlloc,wsprintfA,FindFirstFileA,wsprintfA,Sleep,CharLowerA,lstrlenA,CoTaskMemAlloc,lstrcpyA,CreateThread,SetThreadPriority,WaitForSingleObject,CloseHandle,FindNextFileA,FindClose,CoTaskMemFree, 0_2_00522100
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_00522040 GetLogicalDriveStringsA,GetDriveTypeA,CoTaskMemAlloc,lstrcpyA,CreateThread,CreateThread,SetThreadPriority,WaitForSingleObject,lstrlenA,Sleep, 0_2_00522040
Source: C:\Users\user\Desktop\IXi8q1gF78.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\ Jump to behavior
Source: C:\Users\user\Desktop\IXi8q1gF78.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\ Jump to behavior
Source: C:\Users\user\Desktop\IXi8q1gF78.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\ Jump to behavior
Source: C:\Users\user\Desktop\IXi8q1gF78.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\ Jump to behavior
Source: C:\Users\user\Desktop\IXi8q1gF78.exe File opened: C:\Documents and Settings\user\AppData\Local\ Jump to behavior
Source: C:\Users\user\Desktop\IXi8q1gF78.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\ Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2003292 - Severity 1 - ET WORM Allaple ICMP Sweep Ping Outbound : 192.168.2.5:0 -> 130.195.71.161:0
Source: Network traffic Suricata IDS: 2003293 - Severity 1 - ET WORM Allaple ICMP Sweep Reply Inbound : 130.195.243.25:0 -> 192.168.2.5:0
Source: Network traffic Suricata IDS: 2003292 - Severity 1 - ET WORM Allaple ICMP Sweep Ping Outbound : 192.168.2.5:0 -> 130.195.19.157:0
Source: Network traffic Suricata IDS: 2003293 - Severity 1 - ET WORM Allaple ICMP Sweep Reply Inbound : 130.195.245.1:0 -> 192.168.2.5:0
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 130.195.243.25:139
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 130.195.5.5:139
Source: global traffic TCP traffic: 192.168.2.5:49706 -> 130.195.196.194:139
Source: global traffic TCP traffic: 192.168.2.5:49711 -> 130.195.213.54:139
Source: global traffic TCP traffic: 192.168.2.5:49713 -> 130.195.244.10:139
Source: global traffic TCP traffic: 192.168.2.5:49717 -> 130.195.213.58:139
Source: global traffic TCP traffic: 192.168.2.5:49718 -> 130.195.213.23:139
Source: global traffic TCP traffic: 192.168.2.5:49797 -> 130.195.250.100:139
Source: global traffic TCP traffic: 192.168.2.5:49798 -> 130.195.240.22:139
Source: global traffic TCP traffic: 192.168.2.5:49807 -> 130.195.245.29:139
Source: global traffic TCP traffic: 192.168.2.5:49822 -> 130.195.5.24:139
Source: global traffic TCP traffic: 192.168.2.5:49856 -> 130.195.216.21:139
Source: global traffic TCP traffic: 192.168.2.5:49859 -> 130.195.245.14:139
Source: global traffic TCP traffic: 192.168.2.5:49873 -> 130.195.243.14:139
Source: global traffic TCP traffic: 192.168.2.5:49877 -> 130.195.213.9:139
Source: global traffic TCP traffic: 192.168.2.5:49955 -> 130.195.3.26:139
Source: global traffic TCP traffic: 192.168.2.5:49983 -> 130.195.216.10:139
Source: global traffic TCP traffic: 192.168.2.5:50021 -> 130.195.211.50:139
Source: global traffic TCP traffic: 192.168.2.5:50022 -> 130.195.60.1:139
Source: global traffic TCP traffic: 192.168.2.5:50072 -> 130.195.211.53:139
Source: global traffic TCP traffic: 192.168.2.5:50088 -> 130.195.241.20:139
Source: global traffic TCP traffic: 192.168.2.5:50104 -> 130.195.48.77:139
Source: global traffic TCP traffic: 192.168.2.5:50105 -> 130.195.218.45:139
Source: global traffic TCP traffic: 192.168.2.5:50107 -> 130.195.218.60:139
Source: global traffic TCP traffic: 192.168.2.5:50135 -> 130.195.249.17:139
Source: global traffic TCP traffic: 192.168.2.5:50143 -> 130.195.245.1:139
Source: global traffic TCP traffic: 192.168.2.5:50162 -> 130.195.217.8:139
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.243.25
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.243.25
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.5.5
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.243.25
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.5.5
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.5.5
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.196.194
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.243.25
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.243.25
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.243.25
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.243.25
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.196.194
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.243.25
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.5.5
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.5.5
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.5.5
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.5.5
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.213.54
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.196.194
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.243.25
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.5.5
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.213.54
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.5.5
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.244.10
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.213.54
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.196.194
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.243.25
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.244.10
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.196.194
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.196.194
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.243.25
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.243.25
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.196.194
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.213.58
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.213.23
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.196.194
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.213.58
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.213.23
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.5.5
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.5.5
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.5.5
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.244.10
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.213.54
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.213.54
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.213.54
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.213.54
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.196.194
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.213.54
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.213.23
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.213.58
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_0052F6B0 inet_addr,socket,htons,ioctlsocket,setsockopt,connect,WSAGetLastError,select,send,select,recv,closesocket,socket,htons,ioctlsocket,setsockopt,connect,WSAGetLastError,select,shutdown,closesocket, 0_2_0052F6B0

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.3.IXi8q1gF78.exe.500000.0.raw.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Rbot_96625c8c Author: unknown
Source: 0.3.IXi8q1gF78.exe.500000.0.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Rbot_96625c8c Author: unknown
Source: 0.2.IXi8q1gF78.exe.520000.1.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Rbot_96625c8c Author: unknown
Source: 0.2.IXi8q1gF78.exe.520000.1.raw.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Rbot_96625c8c Author: unknown
Source: 00000000.00000002.2819002500.0000000000520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Linux_Trojan_Rbot_96625c8c Author: unknown
Source: 00000000.00000003.2077790126.0000000000500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Linux_Trojan_Rbot_96625c8c Author: unknown
Detected potential crypto function
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_00401754 0_2_00401754
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_004017AA 0_2_004017AA
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_00532640 0_2_00532640
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_0052BA3C 0_2_0052BA3C
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_0052B6F0 0_2_0052B6F0
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_0052B6FF 0_2_0052B6FF
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_004017F7 0_2_004017F7
Uses 32bit PE files
Source: IXi8q1gF78.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 0.3.IXi8q1gF78.exe.500000.0.raw.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Rbot_96625c8c reference_sample = a052cfad3034d851c6fad62cc8f9c65bceedc73f3e6a37c9befe52720fd0890e, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Rbot, fingerprint = 5dfabf693c87742ffa212573dded84a2c341628b79c7d11c16be493957c71a69, id = 96625c8c-897c-4bf0-97e7-0dc04595cb94, last_modified = 2021-09-16
Source: 0.3.IXi8q1gF78.exe.500000.0.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Rbot_96625c8c reference_sample = a052cfad3034d851c6fad62cc8f9c65bceedc73f3e6a37c9befe52720fd0890e, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Rbot, fingerprint = 5dfabf693c87742ffa212573dded84a2c341628b79c7d11c16be493957c71a69, id = 96625c8c-897c-4bf0-97e7-0dc04595cb94, last_modified = 2021-09-16
Source: 0.2.IXi8q1gF78.exe.520000.1.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Rbot_96625c8c reference_sample = a052cfad3034d851c6fad62cc8f9c65bceedc73f3e6a37c9befe52720fd0890e, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Rbot, fingerprint = 5dfabf693c87742ffa212573dded84a2c341628b79c7d11c16be493957c71a69, id = 96625c8c-897c-4bf0-97e7-0dc04595cb94, last_modified = 2021-09-16
Source: 0.2.IXi8q1gF78.exe.520000.1.raw.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Rbot_96625c8c reference_sample = a052cfad3034d851c6fad62cc8f9c65bceedc73f3e6a37c9befe52720fd0890e, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Rbot, fingerprint = 5dfabf693c87742ffa212573dded84a2c341628b79c7d11c16be493957c71a69, id = 96625c8c-897c-4bf0-97e7-0dc04595cb94, last_modified = 2021-09-16
Source: 00000000.00000002.2819002500.0000000000520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Linux_Trojan_Rbot_96625c8c reference_sample = a052cfad3034d851c6fad62cc8f9c65bceedc73f3e6a37c9befe52720fd0890e, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Rbot, fingerprint = 5dfabf693c87742ffa212573dded84a2c341628b79c7d11c16be493957c71a69, id = 96625c8c-897c-4bf0-97e7-0dc04595cb94, last_modified = 2021-09-16
Source: 00000000.00000003.2077790126.0000000000500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Linux_Trojan_Rbot_96625c8c reference_sample = a052cfad3034d851c6fad62cc8f9c65bceedc73f3e6a37c9befe52720fd0890e, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Rbot, fingerprint = 5dfabf693c87742ffa212573dded84a2c341628b79c7d11c16be493957c71a69, id = 96625c8c-897c-4bf0-97e7-0dc04595cb94, last_modified = 2021-09-16
Source: IXi8q1gF78.exe Static PE information: Section: .data ZLIB complexity 0.9975120907738095
Source: classification engine Classification label: mal96.evad.winEXE@1/0@0/100
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Mutant created: \Sessions\1\BaseNamedObjects\jhdheruhfrthkgjhtjkghjk5trh
Source: IXi8q1gF78.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: IXi8q1gF78.exe ReversingLabs: Detection: 100%
Source: IXi8q1gF78.exe String found in binary or memory: /installservice
Source: IXi8q1gF78.exe String found in binary or memory: /stop
Source: IXi8q1gF78.exe String found in binary or memory: /stop
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Section loaded: icmp.dll Jump to behavior
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Section loaded: mswsock.dll Jump to behavior

Data Obfuscation
barindex
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Unpacked PE file: 0.2.IXi8q1gF78.exe.520000.1.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_00527FC0 GetModuleFileNameA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InitializeCriticalSection,InitializeCriticalSection, 0_2_00527FC0
PE file contains sections with non-standard names
Source: IXi8q1gF78.exe Static PE information: section name: .rdatap
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_004041DB pushfd ; retf 0_2_004041E2
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_004041EF push edi; ret 0_2_004041F0
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_00404074 push es; retf 0_2_00404084
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_0053A648 push 12345678h; ret 0_2_0053A655
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_0053A638 push 12345678h; ret 0_2_0053A655
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_0053A620 push 12345678h; ret 0_2_0053A655
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_0053A620 push 12345678h; ret 0_2_0053A655
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Window / User API: threadDelayed 1325 Jump to behavior
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\IXi8q1gF78.exe TID: 6464 Thread sleep count: 1325 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Thread sleep count: Count: 1325 delay: -20 Jump to behavior
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_00522100 CoTaskMemAlloc,wsprintfA,FindFirstFileA,wsprintfA,Sleep,CharLowerA,lstrlenA,CoTaskMemAlloc,lstrcpyA,CreateThread,SetThreadPriority,WaitForSingleObject,CloseHandle,FindNextFileA,FindClose,CoTaskMemFree, 0_2_00522100
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_00522040 GetLogicalDriveStringsA,GetDriveTypeA,CoTaskMemAlloc,lstrcpyA,CreateThread,CreateThread,SetThreadPriority,WaitForSingleObject,lstrlenA,Sleep, 0_2_00522040
Source: C:\Users\user\Desktop\IXi8q1gF78.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\ Jump to behavior
Source: C:\Users\user\Desktop\IXi8q1gF78.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\ Jump to behavior
Source: C:\Users\user\Desktop\IXi8q1gF78.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\ Jump to behavior
Source: C:\Users\user\Desktop\IXi8q1gF78.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\ Jump to behavior
Source: C:\Users\user\Desktop\IXi8q1gF78.exe File opened: C:\Documents and Settings\user\AppData\Local\ Jump to behavior
Source: C:\Users\user\Desktop\IXi8q1gF78.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\ Jump to behavior
Source: IXi8q1gF78.exe, 00000000.00000003.2077790126.0000000000500000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: vmware
Source: IXi8q1gF78.exe, 00000000.00000003.2077790126.0000000000500000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: \lsarpc\\*SMBSERVER\IPC$Administratorpassword\\%skrbtgtSUPPORT_388945a0TelnetClientsHelpAssistantHelpServicesGroupTsInternetUserSQLDebuggerSQLServerSQLAgentCmdExecNetShowServicesASPNETVUSRILS_IIS_IUSR_IWAM_OWS_ASPNETDHCPWINS WEB POP3 SQL$??vmware-group-user Authors Admins Browsers Guests Users Developers Administrators
Source: IXi8q1gF78.exe, 00000000.00000002.2819286515.000000000063E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
Source: C:\Users\user\Desktop\IXi8q1gF78.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\IXi8q1gF78.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\IXi8q1gF78.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\IXi8q1gF78.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\IXi8q1gF78.exe API call chain: ExitProcess graph end node
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Process queried: DebugPort Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_00527FC0 GetModuleFileNameA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InitializeCriticalSection,InitializeCriticalSection, 0_2_00527FC0
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Code function: 0_2_00527A10 EntryPoint,SetErrorMode,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,WSAStartup,GetVersionExA,CreateEventA,ExitProcess,CreateMutexA,GetLastError,CloseHandle,ExitProcess,CoTaskMemAlloc,CreateEventA,CreateThread,CreateThread,CloseHandle,CreateThread,CloseHandle,CreateThread,WaitForSingleObject,Sleep,ExitProcess,Sleep,CoTaskMemFree,WaitForSingleObject,ResumeThread,SuspendThread, 0_2_00527A10
Source: C:\Users\user\Desktop\IXi8q1gF78.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1542346 Sample: IXi8q1gF78.exe Startdate: 25/10/2024 Architecture: WINDOWS Score: 96 15 Suricata IDS alerts for network traffic 2->15 17 Malicious sample detected (through community Yara rule) 2->17 19 Antivirus / Scanner detection for submitted sample 2->19 21 4 other signatures 2->21 5 IXi8q1gF78.exe 2 2->5         started        process3 dnsIp4 9 130.195.0.70 VUW-AS-APVictoriaUniversityofWellingtonNZ New Zealand 5->9 11 130.195.101.203 VUW-AS-APVictoriaUniversityofWellingtonNZ New Zealand 5->11 13 98 other IPs or domains 5->13 23 Detected unpacking (creates a PE file in dynamic memory) 5->23 25 Found evasive API chain (may stop execution after checking mutex) 5->25 signatures5
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
130.195.21.41
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.56.182
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.110.242
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.89.70
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.126.159
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.148.219
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.63.134
 unknown New Zealand
207957 A2-CUSA2-CustomerNL false
130.195.196.126
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.110.244
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.223.153
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.89.73
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.223.156
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.110.249
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.31.221
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.180.24
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.189.176
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.173.250
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.101.203
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.148.229
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.230.118
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.63.146
 unknown New Zealand
207957 A2-CUSA2-CustomerNL false
130.195.179.20
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.117.106
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.31.236
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.154.5
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.154.1
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.167.38
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.90.59
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.229.213
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.0.70
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.167.42
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.207.158
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.148.212
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.117.133
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.117.135
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.90.80
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.21.20
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.63.112
 unknown New Zealand
207957 A2-CUSA2-CustomerNL false
130.195.89.94
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.223.172
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.94.220
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.31.243
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.230.137
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.232.189
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.201.33
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.252.2
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.249.17
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.21.29
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.249.13
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.131.87
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.213.23
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.119.190
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.143.76
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.232.196
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.201.47
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.230.121
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.180.205
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.90.74
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.245.235
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.111.22
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.94.208
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.131.97
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.131.55
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.180.67
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.110.201
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.155.20
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.213.78
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.81.184
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.72.135
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.143.44
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.72.142
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.171.216
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.118.82
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.133.153
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.142.194
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.187.124
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.47.179
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.38.128
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.198.163
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.110.7
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.38.125
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.126.127
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.24.249
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.87.235
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.110.4
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.56.129
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.143.55
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.5.5
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.171.205
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.56.126
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.198.164
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.213.54
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.180.88
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.180.86
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.189.9
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.175.91
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.213.58
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.175.97
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.24.255
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false
130.195.175.98
 unknown New Zealand
23905 VUW-AS-APVictoriaUniversityofWellingtonNZ false