Windows Analysis Report
xLauncher.exe

Overview

General Information

Sample name: xLauncher.exe
Analysis ID: 1561476
MD5: ceaca4a19229c3283007e714466f51f8
SHA1: e70dfeeea1cdfeae4da1e97d602867436062550d
SHA256: e6e0f35cd360401b1973626cb35b635e86bd272b115852f07e434ac3fea0977a
Tags: exeuser-4k95m

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign process
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: 00000000.00000002.2049629011.0000000002A82000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: LummaC {"C2 url": ["fumblingactor.cyou"]}
Source: xLauncher.exe ReversingLabs: Detection: 47%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.1% probability
Source: xLauncher.exe Joe Sandbox ML: detected
Source: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: fumblingactor.cyou
Source: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: xLauncher.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.155.47:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.47:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: xLauncher.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 0_2_005EC72A FindFirstFileExW, 0_2_005EC72A
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 0_2_005EC7DB FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_005EC7DB
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 3_2_005EC72A FindFirstFileExW, 3_2_005EC72A
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 3_2_005EC7DB FindFirstFileExW,FindNextFileW,FindClose,FindClose, 3_2_005EC7DB
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov ebx, ecx 3_2_00439390
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+000001E8h] 3_2_0040CC6D
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx esi, byte ptr [esp+edx-50CB154Bh] 3_2_00409E30
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 4C697C35h 3_2_00440F30
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_00419040
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6FE6A972h] 3_2_004098F0
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov word ptr [ebp+00h], ax 3_2_004098F0
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 3_2_0042B8F0
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx ecx, byte ptr [esp+esi-499E0CD7h] 3_2_004400A0
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx edx, byte ptr [esp+edi-499E0CD7h] 3_2_004400A0
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov ecx, eax 3_2_004400A0
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 4C697C35h 3_2_004410B0
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx eax, byte ptr [esi+ecx+1079369Fh] 3_2_0041C15D
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov byte ptr [edx], cl 3_2_0042E97E
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov dword ptr [esi], ebx 3_2_0042F112
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 4F699CD4h 3_2_00441920
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov ecx, eax 3_2_004259E0
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov edi, ecx 3_2_0041C1F8
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx edx, byte ptr [ebx+ecx-3E194A8Ah] 3_2_0041C1F8
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov ecx, eax 3_2_00428240
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov edi, dword ptr [ebp-2Ch] 3_2_0042A210
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 40915FE0h 3_2_00441220
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov eax, dword ptr [00448860h] 3_2_0042EAD3
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov eax, ebp 3_2_00405A80
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx ebx, bx 3_2_00425B05
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov ecx, eax 3_2_0042830C
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then push 00000000h 3_2_0040B320
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov ecx, eax 3_2_00425B30
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 3_2_00423BE0
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx ecx, byte ptr [esp+esi-499E0CD7h] 3_2_0043FBA0
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx edx, byte ptr [esp+edi-499E0CD7h] 3_2_0043FBA0
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov ecx, eax 3_2_0043FBA0
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx eax, byte ptr [esp+ecx-0Ah] 3_2_0041E3A6
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov word ptr [esi], cx 3_2_0041E3A6
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then inc eax 3_2_004203B0
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov byte ptr [ebx], al 3_2_004203B0
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax+6B288C58h] 3_2_004203B0
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov ecx, edx 3_2_0042E452
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov ecx, eax 3_2_00440430
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx edi, byte ptr [esi+eax-5A036C71h] 3_2_0042F4CC
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov byte ptr [edx], cl 3_2_0042F4CC
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov eax, ebx 3_2_00409480
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3B55F564h] 3_2_00440CB0
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then lea esi, dword ptr [eax+00000270h] 3_2_00408D40
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov word ptr [esi], cx 3_2_00429D4A
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+2BD892BAh] 3_2_00427D60
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movsx ecx, byte ptr [eax+edx] 3_2_0040AD70
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-00000081h] 3_2_0040AD70
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov ecx, ebx 3_2_00419DCA
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 9C142CDAh 3_2_00440E60
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+000001BCh] 3_2_0040D674
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 484CE391h 3_2_00441620
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 3_2_00436630
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi+25h] 3_2_00403E80
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx ebx, byte ptr [ecx+edi-000000D1h] 3_2_00419E93
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov ecx, dword ptr [edx+eax] 3_2_00428E9A
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 4C697C35h 3_2_0040EEB8
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx edx, byte ptr [esi] 3_2_00425740
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov ecx, eax 3_2_00425740
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov edi, dword ptr [esp+2Ch] 3_2_00425740
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 3_2_00402760
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 3_2_0042BF00
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov word ptr [esi], cx 3_2_00429FD0
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx ecx, byte ptr [esp+esi-499E0CD7h] 3_2_0043FFE0
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then movzx edx, byte ptr [esp+edi-499E0CD7h] 3_2_0043FFE0
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 4x nop then mov ecx, eax 3_2_0043FFE0

Networking

Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 172.67.155.47:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 172.67.155.47:443
Source: Malware configuration extractor URLs: fumblingactor.cyou
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 172.67.155.47:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 172.67.155.47:443
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: frogs-severz.sbs
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: fumblingactor.cyou
Source: global traffic DNS traffic detected: DNS query: frogs-severz.sbs
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: frogs-severz.sbs
Source: xLauncher.exe, 00000003.00000003.2090719242.0000000002DD6000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090462860.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microx
Source: xLauncher.exe, 00000003.00000002.2092497554.0000000002DE4000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090462860.0000000002DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs/
Source: xLauncher.exe, 00000003.00000003.2090439029.0000000002DE9000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000002.2092497554.0000000002DE4000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090462860.0000000002DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs/api
Source: xLauncher.exe, 00000003.00000003.2090784874.0000000002D80000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000002.2092435196.0000000002D80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs/api6C
Source: xLauncher.exe, 00000003.00000002.2092497554.0000000002DE4000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090462860.0000000002DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs/apil
Source: xLauncher.exe, 00000003.00000003.2090462860.0000000002D53000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090784874.0000000002D64000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000002.2092397115.0000000002D65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs:443/api
Source: xLauncher.exe, 00000003.00000003.2090462860.0000000002D53000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090784874.0000000002D64000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000002.2092397115.0000000002D65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs:443/apibcryptPrimitives.dll
Source: xLauncher.exe, 00000003.00000003.2090462860.0000000002D53000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090784874.0000000002D64000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000002.2092397115.0000000002D65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fumblingactor.cyou:443/apiS
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 3_2_00434730 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_00434730
Source: C:\Users\user\Desktop\xLauncher.exe Code function: String function: 00408390 appears 41 times
Source: C:\Users\user\Desktop\xLauncher.exe Code function: String function: 005E55C0 appears 66 times
Source: C:\Users\user\Desktop\xLauncher.exe Code function: String function: 005E8178 appears 36 times
Source: xLauncher.exe Static PE information: Section: .coS ZLIB complexity 1.0003360896915585
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/0@2/1
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 3_2_00439390 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, 3_2_00439390
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3140:120:WilError_03
Source: xLauncher.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\xLauncher.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\xLauncher.exe File read: C:\Users\user\Desktop\xLauncher.exe
Source: unknown Process created: C:\Users\user\Desktop\xLauncher.exe "C:\Users\user\Desktop\xLauncher.exe"
Source: C:\Users\user\Desktop\xLauncher.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xLauncher.exe Process created: C:\Users\user\Desktop\xLauncher.exe "C:\Users\user\Desktop\xLauncher.exe"
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\xLauncher.exe Section loaded: ondemandconnroutehelper.dll
Source: xLauncher.exe Static PE information: section name: .00cfg
Source: xLauncher.exe Static PE information: section name: .coS
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 0_2_005E4BC5 push ecx; ret 0_2_005E4BD8
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 3_2_005E4BC5 push ecx; ret 3_2_005E4BD8
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 0_2_005E4CA2 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_005E4CA2
Source: C:\Users\user\Desktop\xLauncher.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xLauncher.exe API coverage: 7.5 %
Source: C:\Users\user\Desktop\xLauncher.exe TID: 2448 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\xLauncher.exe TID: 2448 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\xLauncher.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 0_2_005EC72A FindFirstFileExW, 0_2_005EC72A
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 0_2_005EC7DB FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_005EC7DB
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 3_2_005EC72A FindFirstFileExW, 3_2_005EC72A
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 3_2_005EC7DB FindFirstFileExW,FindNextFileW,FindClose,FindClose, 3_2_005EC7DB
Source: xLauncher.exe, 00000003.00000002.2092435196.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090877079.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090462860.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@!
Source: xLauncher.exe, 00000003.00000003.2090462860.0000000002D53000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000002.2092435196.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090877079.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000002.2092397115.0000000002D53000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090462860.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 3_2_0043E410 LdrInitializeThunk, 3_2_0043E410
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 0_2_005E5444 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005E5444
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 0_2_005DCD10 mov eax, dword ptr fs:[00000030h] 0_2_005DCD10
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 0_2_005FB18D mov edi, dword ptr fs:[00000030h] 0_2_005FB18D
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 0_2_005DBD50 mov edi, dword ptr fs:[00000030h] 0_2_005DBD50
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 3_2_005DBD50 mov edi, dword ptr fs:[00000030h] 3_2_005DBD50
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 3_2_005DCD10 mov eax, dword ptr fs:[00000030h] 3_2_005DCD10
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 0_2_005E9F90 GetProcessHeap, 0_2_005E9F90
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 0_2_005E5444 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005E5444
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 0_2_005E5438 SetUnhandledExceptionFilter, 0_2_005E5438
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 0_2_005E7DCA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005E7DCA
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 0_2_005E4AD9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_005E4AD9
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 3_2_005E5444 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_005E5444
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 3_2_005E5438 SetUnhandledExceptionFilter, 3_2_005E5438
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 3_2_005E7DCA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_005E7DCA
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 3_2_005E4AD9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_005E4AD9

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\xLauncher.exe Code function: 0_2_005FB18D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_005FB18D
Source: C:\Users\user\Desktop\xLauncher.exe Memory written: C:\Users\user\Desktop\xLauncher.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\xLauncher.exe Process created: C:\Users\user\Desktop\xLauncher.exe "C:\Users\user\Desktop\xLauncher.exe"
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 0_2_005E5200 cpuid 0_2_005E5200
Source: C:\Users\user\Desktop\xLauncher.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\xLauncher.exe Code function: 0_2_005E58C5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_005E58C5
Source: C:\Users\user\Desktop\xLauncher.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 3.2.xLauncher.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.xLauncher.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2049629011.0000000002A82000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 3.2.xLauncher.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.xLauncher.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2049629011.0000000002A82000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY