Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562759
MD5: 472277a6072a8cfa733117ff1597c8da
SHA1: 83e570c6eca17446ac0b8418f11fa25b9c5c10a7
SHA256: 709d4a2c6b1307768277cbcafa383579d5ef81eeb0845532a1f1b01168e6ea10
Tags: exeuser-Bitsight
Infos:

Detection

Poverty Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Poverty Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Contains functionality to query CPU information (cpuid)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Found malware configuration
Source: 0.0.file.exe.bf0000.0.unpack Malware Configuration Extractor: Poverty Stealer {"C2 url": "85.244.212.106:2227"}
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 68%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF1D21 CryptUnprotectData,CryptProtectData, 0_2_00BF1D21
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ntkrnlmp.pdbo source: file.exe, 00000000.00000002.1804928662.000000000A7AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbkD source: file.exe, 00000000.00000002.1886039128.000000000D557000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbr source: file.exe, 00000000.00000002.1840251068.000000000BE1A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1853909703.000000000C58A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: file.exe, 00000000.00000002.1840251068.000000000BE11000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1827638294.000000000B625000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1791505154.0000000009C0A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1804928662.000000000A7B1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1920109162.000000000E4CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1900265086.000000000DD41000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1935143545.000000000EC7E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbt source: file.exe, 00000000.00000002.1935143545.000000000EC81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb source: file.exe, 00000000.00000002.1886039128.000000000D552000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbz source: file.exe, 00000000.00000002.1900265086.000000000DD3C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbt source: file.exe, 00000000.00000002.1796538723.000000000A1A8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbA source: file.exe, 00000000.00000002.1815783208.000000000AEB4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbu source: file.exe, 00000000.00000002.1935143545.000000000EC81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb~Z source: file.exe, 00000000.00000002.1828149453.000000000B64F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbp source: file.exe, 00000000.00000002.1853909703.000000000C58A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbL source: file.exe, 00000000.00000002.1870641401.000000000CD9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbm source: file.exe, 00000000.00000002.1804928662.000000000A7AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbcT(/+ source: file.exe, 00000000.00000002.1886039128.000000000D552000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbx, source: file.exe, 00000000.00000002.1796538723.000000000A1A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1840251068.000000000BE11000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1815783208.000000000AEB4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1827638294.000000000B625000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1791505154.0000000009C0A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1804928662.000000000A7B1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1920109162.000000000E4CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1792549362.0000000009D8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1870641401.000000000CD9A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1886039128.000000000D552000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1853909703.000000000C58A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1900265086.000000000DD41000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1935143545.000000000EC7E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb}P source: file.exe, 00000000.00000002.1828149453.000000000B64F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb[ source: file.exe, 00000000.00000002.1792549362.0000000009D8A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\* source: file.exe, 00000000.00000002.1789802750.000000000140E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbZ source: file.exe, 00000000.00000002.1920109162.000000000E494000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb[ source: file.exe, 00000000.00000002.1920109162.000000000E494000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb~t&+) source: file.exe, 00000000.00000002.1900265086.000000000DD41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb] source: file.exe, 00000000.00000002.1815783208.000000000AEB4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbX source: file.exe, 00000000.00000002.1815783208.000000000AEB4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbI source: file.exe, 00000000.00000002.1870641401.000000000CD9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbJ source: file.exe, 00000000.00000002.1853909703.000000000C58A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbM source: file.exe, 00000000.00000002.1840251068.000000000BE11000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1870641401.000000000CD9A000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF4EB2 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW, 0_2_00BF4EB2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF1DC9 FindFirstFileW,FindNextFileW, 0_2_00BF1DC9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF1000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection, 0_2_00BF1000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF3F87 FindFirstFileW,FindNextFileW, 0_2_00BF3F87
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF4145 FindFirstFileW,FindNextFileW, 0_2_00BF4145
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2048736 - Severity 1 - ET MALWARE LUMAR Stealer Exfiltration M2 : 192.168.2.4:49730 -> 185.244.212.106:2227
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 85.244.212.106:2227
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 185.244.212.106:2227
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: M247GB M247GB
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: file.exe, 00000000.00000002.1872415526.000000000CEEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.1794705574.0000000009FF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1829020053.000000000B74C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000002.1794705574.0000000009FF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1829020053.000000000B74C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1872415526.000000000CEEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000002.1794705574.0000000009FF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1829020053.000000000B74C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1872415526.000000000CEEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.1794705574.0000000009FF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1829020053.000000000B74C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1872415526.000000000CEEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000002.1794705574.0000000009FF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1829020053.000000000B74C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1872415526.000000000CEEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.1872415526.000000000CEEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000002.1794705574.0000000009FF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1829020053.000000000B74C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF4C2D GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,DeleteObject,DeleteDC,ReleaseDC, 0_2_00BF4C2D
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe Mutant created: \Sessions\1\BaseNamedObjects\085f229d-d27d-4fc1-9dc1-8958125ccbd9
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ntkrnlmp.pdbo source: file.exe, 00000000.00000002.1804928662.000000000A7AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbkD source: file.exe, 00000000.00000002.1886039128.000000000D557000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbr source: file.exe, 00000000.00000002.1840251068.000000000BE1A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1853909703.000000000C58A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: file.exe, 00000000.00000002.1840251068.000000000BE11000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1827638294.000000000B625000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1791505154.0000000009C0A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1804928662.000000000A7B1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1920109162.000000000E4CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1900265086.000000000DD41000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1935143545.000000000EC7E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbt source: file.exe, 00000000.00000002.1935143545.000000000EC81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb source: file.exe, 00000000.00000002.1886039128.000000000D552000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbz source: file.exe, 00000000.00000002.1900265086.000000000DD3C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbt source: file.exe, 00000000.00000002.1796538723.000000000A1A8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbA source: file.exe, 00000000.00000002.1815783208.000000000AEB4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbu source: file.exe, 00000000.00000002.1935143545.000000000EC81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb~Z source: file.exe, 00000000.00000002.1828149453.000000000B64F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbp source: file.exe, 00000000.00000002.1853909703.000000000C58A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbL source: file.exe, 00000000.00000002.1870641401.000000000CD9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbm source: file.exe, 00000000.00000002.1804928662.000000000A7AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbcT(/+ source: file.exe, 00000000.00000002.1886039128.000000000D552000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbx, source: file.exe, 00000000.00000002.1796538723.000000000A1A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1840251068.000000000BE11000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1815783208.000000000AEB4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1827638294.000000000B625000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1791505154.0000000009C0A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1804928662.000000000A7B1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1920109162.000000000E4CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1792549362.0000000009D8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1870641401.000000000CD9A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1886039128.000000000D552000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1853909703.000000000C58A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1900265086.000000000DD41000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1935143545.000000000EC7E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb}P source: file.exe, 00000000.00000002.1828149453.000000000B64F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb[ source: file.exe, 00000000.00000002.1792549362.0000000009D8A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\* source: file.exe, 00000000.00000002.1789802750.000000000140E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbZ source: file.exe, 00000000.00000002.1920109162.000000000E494000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb[ source: file.exe, 00000000.00000002.1920109162.000000000E494000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb~t&+) source: file.exe, 00000000.00000002.1900265086.000000000DD41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb] source: file.exe, 00000000.00000002.1815783208.000000000AEB4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbX source: file.exe, 00000000.00000002.1815783208.000000000AEB4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbI source: file.exe, 00000000.00000002.1870641401.000000000CD9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbJ source: file.exe, 00000000.00000002.1853909703.000000000C58A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbM source: file.exe, 00000000.00000002.1840251068.000000000BE11000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1870641401.000000000CD9A000.00000004.00000020.00020000.00000000.sdmp

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF4EB2 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW, 0_2_00BF4EB2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF1DC9 FindFirstFileW,FindNextFileW, 0_2_00BF1DC9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF1000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection, 0_2_00BF1000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF3F87 FindFirstFileW,FindNextFileW, 0_2_00BF3F87
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF4145 FindFirstFileW,FindNextFileW, 0_2_00BF4145
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF20E1 GetCurrentHwProfileA,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA, 0_2_00BF20E1
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies Jump to behavior
Source: file.exe, 00000000.00000002.1790615976.0000000009A04000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF3595 EnterCriticalSection,GetProcessHeap,RtlAllocateHeap,LeaveCriticalSection, 0_2_00BF3595
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF20E1 cpuid 0_2_00BF20E1

Stealing of Sensitive Information
barindex
Yara detected Poverty Stealer
Source: Yara match File source: file.exe, type: SAMPLE
Source: Yara match File source: 0.2.file.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1664708303.0000000000BF7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3236, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior

Remote Access Functionality
barindex
Yara detected Poverty Stealer
Source: Yara match File source: file.exe, type: SAMPLE
Source: Yara match File source: 0.2.file.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1664708303.0000000000BF7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3236, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1562759 Sample: file.exe Startdate: 26/11/2024 Architecture: WINDOWS Score: 100 11 Suricata IDS alerts for network traffic 2->11 13 Found malware configuration 2->13 15 Antivirus / Scanner detection for submitted sample 2->15 17 5 other signatures 2->17 5 file.exe 2->5         started        process3 dnsIp4 9 185.244.212.106, 2227, 49730 M247GB Romania 5->9 19 Found evasive API chain (may stop execution after checking mutex) 5->19 21 Tries to harvest and steal browser information (history, passwords, etc) 5->21 signatures5
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.244.212.106
 unknown Romania
9009 M247GB true

Contacted URLs

Name Malicious Antivirus Detection Reputation
85.244.212.106:2227 true
  • Avira URL Cloud: safe
 unknown