ID: 245775
Sample Name: ietabhelper.exe
Cookbook: default.jbs
Time: 20:26:27
Date: 15/07/2020
Version: 29.0.0 Ocean Jasper

Table of Contents

Table of Contents  2
Analysis Report ietabhelper.exe  4
Overview  4
General Information  4
Detection  4
Signatures  4
Classification  4
Startup  4
Malware Configuration  4
Yara Overview  4
Sigma Overview  4
Signature Overview  4
Malware Analysis System Evasion:  5
Mitre Att&ck Matrix  5
Behavior Graph  5
Screenshots  6
Thumbnails  6
Antivirus, Machine Learning and Genetic Malware Detection  7
Initial Sample  7
Dropped  7
Unpacked PE Files  7
Domains  7
URLs  7
Domains and IPs  8
Contacted Domains  8
URLs from Memory and Binaries  8
Contacted IPs  8
General Information  8
Simulations  9
Behavior and APIs  9
Joe Sandbox View / Context  9
IPs  9
Domains  9
ASN  9
JA3 Fingerprints  9
Dropped Files  9
Created / dropped Files  9
Static File Info  10
General  10
File Icon  10
Static PE Info  11
General  11
Authenticode Signature  11
Entrypoint Preview  11
Rich Headers  12
Data Directories  12
Sections  13
Resources  13
Imports  14
Version Infos  14
Possible Origin  15
Network Behavior  15
Code Manipulations  15
Statistics  15
System Behavior  15
Analysis Process: ietabhelper.exe PID: 3784 Parent PID: 5364  15
General  15
File Activities  15
File Created  15
File Written  16
File Read  17
Registry Activities  17
Key Created  17
Key Value Created  17
Disassembly  17
Code Analysis  17

Copyright null 2020 Page 2 of 17

Analysis Report ietabhelper.exe

Overview

General Information

Sample Name: ietabhelper.exe
Analysis ID: 245775
MD5: 98ae86f63a216f0…
SHA1: 9992ec23f8f9350…
SHA256: e79e51876ac4b5…

Detection

Score: 28
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Contains functionality to compare us…
Contains functionality for read data f…
Contains functionality to check if a d…
Contains functionality to check the p…
Contains functionality to create gua…
Contains functionality to dynamically…
Contains functionality to open a port…
Contains functionality which may be…
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (o…
Found evasive API chain (may stop…
Found large amount of non-executed…
Found potential string decryption / a…
PE file contains strange resources
Potential key logger detected (key s…
Uses code obfuscation techniques (…

Classification

Classification radar (chart not reproduced): Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale: malicious / suspicious / clean

Startup

System is w10x64
ietabhelper.exe (PID: 3784 cmdline: 'C:\Users\user\Desktop\ietabhelper.exe' MD5: 98AE86F63A216F057A221FE00D5B2458)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Detection
• Remote Access Functionality


Malware Analysis System Evasion:

Contains functionality to compare user and computer (likely to detect sandboxes)

Mitre Att&ck Matrix

Privilege Credential Lateral Command Network Initial Access Execution Persistence Escalation Defense Evasion Access Discovery Movement Collection Exfiltration and Control Effects Valid Execution Application Application Masquerading 1 Input System Time Remote File Input Data Standard Eavesdrop on Accounts through API 2 Shimming 1 Shimming 1 Capture 1 Discovery 2 Copy 1 Capture 1 Encrypted 1 Cryptographic Insecure Protocol 1 Network Communication Replication Service Port Accessibility Disabling Security Network Virtualization/Sandbox Remote Clipboard Exfiltration Commonly Exploit SS7 to Through Execution Monitors Features Tools 1 Sniffing Evasion 1 Services Data 1 Over Other Used Port 1 Redirect Phone Removable Network Calls/SMS Media Medium External Windows Accessibility Path Virtualization/Sandbox Input Process Discovery 1 Windows Data from Automated Remote File Exploit SS7 to Remote Management Features Interception Evasion 1 Capture Remote Network Exfiltration Copy 1 Track Device Services Instrumentation Management Shared Location Drive Drive-by Scheduled System DLL Search Deobfuscate/Decode Credentials Security Software Logon Input Data Multiband SIM Card Compromise Task Firmware Order Files or Information 1 in Files Discovery 1 3 Scripts Capture Encrypted Communication Swap Hijacking Exploit Public- Command-Line Shortcut File System Obfuscated Files or Account File and Directory Shared Data Scheduled Standard Manipulate Facing Interface Modification Permissions Information 2 Manipulation Discovery 1 Webroot Staged Transfer Cryptographic Device Application Weakness Protocol Communication

Spearphishing Graphical User Modify New Service DLL Search Order Brute Force System Information Third-party Screen Data Commonly Jamming or Link Interface Existing Hijacking Discovery 1 4 Software Capture Transfer Used Port Denial of Service Size Limits Service

Behavior Graph

Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Behavior Graph ID: 245775
Sample: ietabhelper.exe
Startdate: 15/07/2020
Architecture: WINDOWS
Score: 28

Graph nodes (diagram not reproduced):
ietabhelper.exe (started; node counters 2 and 11, listed in the legend order of created registry values and created files)
  dropped: C:\Users\user\AppData\...\ietabhelper.exe, PE32
  signature: Contains functionality to compare user and computer (likely to detect sandboxes)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
ietabhelper.exe | 0% | Virustotal |
ietabhelper.exe | 0% | Metadefender |
ietabhelper.exe | 3% | ReversingLabs |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\IE Tab\13.5.27.1\ietabhelper.exe | 0% | Virustotal |
C:\Users\user\AppData\Local\IE Tab\13.5.27.1\ietabhelper.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\IE Tab\13.5.27.1\ietabhelper.exe | 3% | ReversingLabs |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
crl.godaddy.com/gdig2s5-5.crl0 | ietabhelper.exe | false | | high
crl.godaddy.com/gdroot-g2.crl0F | ietabhelper.exe | false | | high
https://certs.godaddy.com/repository/0 | ietabhelper.exe | false | | high
certificates.godaddy.com/repository/gdig2.crt0 | ietabhelper.exe | false | | high
certificates.godaddy.com/repository/0 | ietabhelper.exe | false | | high
certs.godaddy.com/repository/1301 | ietabhelper.exe | false | | high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 29.0.0 Ocean Jasper
Analysis ID: 245775
Start date: 15.07.2020
Start time: 20:26:27
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 46s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ietabhelper.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: SUS
Classification: sus28.evad.winEXE@1/3@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Failed
HCA Information: Failed
Cookbook Comments:
  Adjust boot time
  Enable AMSI
  Found application associated with file extension: .exe
  Stop behavior analysis, all processes terminated
Warnings:
  Exclude process from analysis (whitelisted): dllhost.exe
  Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\IE Tab\13.5.27.1\ietabhelper.exe

Process: C:\Users\user\Desktop\ietabhelper.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes): 1015896
Entropy (8bit): 5.915947464896367
Encrypted: false
MD5: 98AE86F63A216F057A221FE00D5B2458
SHA1: 9992EC23F8F93501216745CDEABA4B2B5986405F
SHA-256: E79E51876AC4B56A40CE61AF4D5A622FB3BDEAFFBD7663F92E535FB264DA7DE5
SHA-512: 6412C4EA1736D5E16AB5EE749E7CB9844DB4295A3650E387E6C9EB6C3C8DA7804E27C6C9E4DB045093A025F61520C5979A5EEB23C7F56BB22C3C114DF4A15748
Malicious: false
Antivirus: Virustotal, Detection: 0%; Metadefender, Detection: 0%; ReversingLabs, Detection: 3%
Reputation: low
Preview: MZ header, "This program cannot be run in DOS mode" stub, Rich header, PE header (sections .text, .rdata, .rsrc visible in the dump)

C:\Users\user\AppData\Local\IE Tab\13.5.27.1\ietabhelper.exe:Zone.Identifier

Process: C:\Users\user\Desktop\ietabhelper.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\IE Tab\ietab_nm_manifest.json

Process: C:\Users\user\Desktop\ietabhelper.exe
File Type: ASCII text, with very long lines
Size (bytes): 537
Entropy (8bit): 5.004826238571606
Encrypted: false
MD5: EF631BF34592DE42DE583F3E047EBE0F
SHA1: F902D1D962F5D72E16159C883CC9085225DF880A
SHA-256: 9950D44EC316A4C7B4DF05F9ADFA4DC6D00A06B76AB754B549AB9A6E37E890CE
SHA-512: 027D0251D427F394C25AE1FA8F9798F3B917764755E47B05E6E0266DE5887BDCF8DFD66CE659A5F22F8441786B8F5DDE0D39DB89D62CABCA2141BAE7931EC677
Malicious: false
Reputation: low
Preview (the native messaging host manifest, with the line breaks the extraction flattened restored):
{
    "name": "net.ietab.ietabhelper.peruser",
    "description": "IE Tab Helper",
    "path": "C:\\Users\\user\\AppData\\Local\\IE Tab\\13.5.27.1\\ietabhelper.exe",
    "type": "stdio",
    "allowed_origins": [ "chrome-extension://bjndombghfcohmonofdcfnhjldidnmhd/", "chrome-extension://knnoopddfdgdabjanjmeodpkmlhapkkl/", "chrome-extension://hehijbfgiekmjfkfjpbkbammjbdenadd/", "chrome-extension://ncdgipmkgkhennagnfmnlkflidilhbdi/", "chrome-extension://npjkkakdacjaihjaoeliacmecofghagh/", "chrome-extension://almljgkjodjgoldenkijomojnejpkcjk/" ]
}

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.915947464896367
TrID: Win32 Executable (generic) a (10002005/4) 98.39%; Windows ActiveX control (116523/4) 1.15%; InstallShield setup (43055/19) 0.42%; Generic Win/DOS Executable (2004/3) 0.02%; DOS Executable Generic (2002/1) 0.02%
File name: ietabhelper.exe
File size: 1015896
MD5: 98ae86f63a216f057a221fe00d5b2458
SHA1: 9992ec23f8f93501216745cdeaba4b2b5986405f
SHA256: e79e51876ac4b56a40ce61af4d5a622fb3bdeaffbd7663f92e535fb264da7de5
SHA512: 6412c4ea1736d5e16ab5ee749e7cb9844db4295a3650e387e6c9eb6c3c8da7804e27c6c9e4db045093a025f61520c5979a5eeb23c7f56bb22c3c114df4a15748
SSDEEP: 12288:qmC7c1HF61gV58xA/qZmf8iIrdNUisDYAtVvprnujFVDg+CQHRcRSfyFi/YRILR5:S7c1HECV6GIGVgcRSfyM/Yu9cuF4
File Content Preview: MZ header, "This program cannot be run in DOS mode" stub, Rich header

File Icon

Icon Hash: 9a8a808292808000

Static PE Info

General

Entrypoint: 0x4763e2
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE
Time Stamp: 0x5ECEF2E8 [Wed May 27 23:08:24 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: ec4a33a74ac0e5fc89dd2bb1219a17f7

Authenticode Signature

Signature Valid: true
Signature Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After: 2/19/2020 3:26:00 AM, 4/19/2021 9:59:01 AM
Subject Chain: CN="Blackfish Software, LLC", O="Blackfish Software, LLC", L=Redmond, S=Washington, C=US
Version: 3
Thumbprint MD5: 862F823E45D3CA6795056644D42E2AFF
Thumbprint SHA-1: 2419F7B65225B324887EAF00F75BB6DAC2339FB3
Thumbprint SHA-256: 08DDA64DD01D963273BB87221D095F786081B85D13190E302DFBB5BB3BC48755
Serial: 00FA9819698F9A7ED9

Entrypoint Preview

Instruction
call 00007F96605EADDEh
jmp 00007F96605DCABEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 00495C74h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F96605DCC3Eh
test byte ptr [eax], 00000008h
je 00007F96605DCC39h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [004950A0h]
leave
retn 0008h
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ebx
mov eax, dword ptr [ebp+0Ch]
add eax, 0Ch
mov dword ptr [ebp-04h], eax
mov ebx, dword ptr fs:[00000000h]
mov eax, dword ptr [ebx]
mov dword ptr fs:[00000000h], eax
mov eax, dword ptr [ebp+08h]
mov ebx, dword ptr [ebp+0Ch]
mov ebp, dword ptr [ebp-04h]
mov esp, dword ptr [ebx-04h]
jmp eax
pop ebx
leave
retn 0008h
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
mov esi, dword ptr fs:[00000000h]
mov dword ptr [ebp-04h], esi
mov dword ptr [ebp-08h], 0047649Ch
push 00000000h
push dword ptr [ebp+0Ch]
push dword ptr [ebp-08h]
push dword ptr [ebp+08h]
call 00007F96605F2853h
mov eax, dword ptr [ebp+0Ch]
mov eax, dword ptr [eax+04h]
and eax, FFFFFFFDh
mov ecx, dword ptr [ebp+0Ch]
mov dword ptr [ecx+00h], eax

Rich Headers

Programming Language:
[ C ] VS2008 SP1 build 30729
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[LNK] VS2010 build 30319

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb0b9c | 0xf0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe0000 | 0xf370 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xf6800 | 0x1858 | .reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf0000 | 0x9220 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x956b0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa32a8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x95000 | 0x54c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x93fcf | 0x94000 | False | 0.496968037373 | data | 6.61324094201 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x95000 | 0x1d826 | 0x1da00 | False | 0.320666864451 | data | 4.72069253398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xb3000 | 0x2cc04 | 0x2a200 | False | 0.0775860070475 | data | 1.75004563075 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xe0000 | 0xf370 | 0xf400 | False | 0.185771004098 | data | 4.68268867383 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xf0000 | 0xb37a | 0xb400 | False | 0.526432291667 | data | 5.96665114728 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
FILE | 0xe071c | 0xa1 | ASCII text | English | United States
FILE | 0xe07c0 | 0x437 | ASCII text, with CRLF line terminators | English | United States
TYPELIB | 0xe0bf8 | 0x14ec | data | English | United States
RT_ICON | 0xe20e4 | 0x2e8 | data | English | United States
RT_ICON | 0xe23cc | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xe24f4 | 0xea8 | data | English | United States
RT_ICON | 0xe339c | 0x8a8 | data | English | United States
RT_ICON | 0xe3c44 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xe41ac | 0x25a8 | dBase III DBT, version number 0, next free block index 40 | English | United States
RT_ICON | 0xe6754 | 0x10a8 | data | English | United States
RT_ICON | 0xe77fc | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xe7c64 | 0x2e8 | data | English | United States
RT_ICON | 0xe7f4c | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xe8074 | 0xea8 | data | English | United States
RT_ICON | 0xe8f1c | 0x8a8 | data | English | United States
RT_ICON | 0xe97c4 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xe9d2c | 0x25a8 | dBase III DBT, version number 0, next free block index 40 | English | United States
RT_ICON | 0xec2d4 | 0x10a8 | data | English | United States
RT_ICON | 0xed37c | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xed7e4 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xed90c | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 3352087671, next used block 8358912 | English | United States
RT_ICON | 0xedbf4 | 0x368 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xedf5c | 0xca8 | dBase IV DBT of @.DBF, block length 3072, next free block index 40, next free block 3066021255, next used block 4074101470 | English | United States
RT_MENU | 0xeec04 | 0x4a | data | English | United States
RT_DIALOG | 0xeec50 | 0x12c | data | English | United States
RT_STRING | 0xeed7c | 0x38 | data | English | United States
RT_ACCELERATOR | 0xeedb4 | 0x10 | data | English | United States
RT_GROUP_ICON | 0xeedc4 | 0x76 | data | English | United States
RT_GROUP_ICON | 0xeee3c | 0x76 | data | English | United States
RT_GROUP_ICON | 0xeeeb4 | 0x3e | data | English | United States
RT_VERSION | 0xeeef4 | 0x320 | data | English | United States
RT_MANIFEST | 0xef214 | 0x15a | ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | GlobalUnlock, GetCurrentProcess, FlushInstructionCache, GlobalFree, GetModuleFileNameW, EnterCriticalSection, LeaveCriticalSection, InterlockedDecrement, InterlockedIncrement, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, RaiseException, SetLastError, lstrcmpW, TlsAlloc, lstrcmpiW, SizeofResource, LoadResource, FindResourceW, CreateThread, GetCurrentThread, OpenProcess, GetSystemTime, SystemTimeToFileTime, GetStdHandle, SetStdHandle, GetFileSize, Sleep, GetFileAttributesExW, VirtualProtect, CreateEventW, SetEvent, ExitProcess, PeekNamedPipe, WaitForSingleObject, GetVersionExW, FlushFileBuffers, GetThreadContext, VirtualQuery, InitializeCriticalSection, SetThreadPriority, VirtualAlloc, OpenThread, GetSystemInfo, GetThreadPriority, GetCurrentProcessId, SuspendThread, ResumeThread, FormatMessageA, GetNativeSystemInfo, CopyFileW, FindFirstFileExW, RemoveDirectoryW, GlobalLock, SetDllDirectoryW, LocalFree, LockResource, GetCommandLineW, GetSystemTimeAsFileTime, LoadLibraryA, GetProcessHeap, HeapFree, InterlockedPushEntrySList, DecodePointer, EncodePointer, InterlockedExchange, InterlockedCompareExchange, GetStringTypeW, IsProcessorFeaturePresent, VirtualFree, InterlockedPopEntrySList, HeapDestroy, HeapReAlloc, HeapSize, GetConsoleCP, GetConsoleMode, WriteConsoleW, GetFileType, HeapSetInformation, GetStartupInfoW, RtlUnwind, LCMapStringW, GetCPInfo, CompareStringW, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, SetHandleCount, TlsFree, GetLocaleInfoW, GetACP, GetOEMCP, IsValidCodePage, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, SetEndOfFile, SetEnvironmentVariableA, GlobalAlloc, MulDiv, lstrlenW, CopyFileExW, LoadLibraryExW, GetModuleHandleW, FindNextFileW, FindClose, FindFirstFileW, ReadFile, SetFilePointer, SetFileTime, LocalFileTimeToFileTime, SetFileAttributesW, HeapAlloc, DosDateTimeToFileTime, TlsGetValue, TlsSetValue, GetCurrentThreadId, WriteFile, GetTempFileNameW, GetTempPathW, DeleteFileW, GetTickCount, CloseHandle, CreateFileW, GetFileAttributesW, GetLastError, CreateDirectoryW, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, FreeLibrary, GetProcAddress, GetModuleHandleExW, LoadLibraryW
USER32.dll | GetSystemMenu, DispatchMessageW, TranslateMessage, GetMessageW, IsWindowEnabled, CopyRect, GetMonitorInfoW, MonitorFromWindow, SetTimer, KillTimer, EnableWindow, GetSystemMetrics, RemoveMenu, LoadMenuW, DialogBoxParamW, GetPropW, GetAncestor, FindWindowExW, SetPropW, GetKeyState, LoadImageW, RegisterWindowMessageW, GetWindowTextLengthW, GetWindowTextW, SetWindowTextW, IsWindowVisible, GetDlgItem, GetClassNameW, GetSysColor, CharNextW, RedrawWindow, LoadCursorW, GetClassInfoExW, RegisterClassExW, CreateAcceleratorTableW, ScreenToClient, SetCapture, ShowWindow, AnimateWindow, SetForegroundWindow, GetForegroundWindow, BringWindowToTop, WindowFromPoint, SendInput, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, CallMsgFilterW, PeekMessageW, MsgWaitForMultipleObjectsEx, PostQuitMessage, EnumWindows, UpdateWindow, TranslateAcceleratorW, LoadAcceleratorsW, LoadStringW, MessageBoxW, ReleaseCapture, FillRect, InvalidateRgn, GetDesktopWindow, DestroyAcceleratorTable, CreateWindowExW, GetWindowThreadProcessId, SendMessageW, PostMessageW, MoveWindow, ClientToScreen, GetWindowRect, CallNextHookEx, UnhookWindowsHookEx, SetWindowsHookExW, CallWindowProcW, GetWindowLongW, SetWindowLongW, DefWindowProcW, EndPaint, GetClientRect, BeginPaint, InvalidateRect, SetWindowLongA, SetParent, GetWindowPlacement, AllowSetForegroundWindow, GetMessageExtraInfo, GetWindow, MapVirtualKeyW, GetDC, ReleaseDC, SetWindowPos, EqualRect, IsWindow, SetFocus, GetParent, GetFocus, IsChild, DestroyWindow, EndDialog, UnregisterClassA
GDI32.dll | GetPixel, CreateFontIndirectW, GetTextExtentPoint32W, CreateSolidBrush, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, DeleteObject, BitBlt, GetStockObject, GetObjectW, GetDeviceCaps, DeleteDC
ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegDeleteValueW, RegEnumKeyExW, RegQueryInfoKeyW, RegDeleteKeyW, RegQueryValueExW, RegOpenKeyW, RegOverridePredefKey, RegCloseKey, RegCreateKeyW, RegSetValueExW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll | ShellExecuteW, ShellExecuteExW, SHFileOperationW, SHGetSpecialFolderPathW, SHGetFolderPathW, SHCreateDirectoryExW, CommandLineToArgvW
ole32.dll | CLSIDFromString, CoCreateInstance, CoMarshalInterThreadInterfaceInStream, CoUnmarshalInterface, CreateStreamOnHGlobal, CoTaskMemAlloc, StringFromCLSID, CoInitialize, CoTaskMemRealloc, OleInitialize, OleUninitialize, StringFromGUID2, CLSIDFromProgID, CoGetClassObject, OleLockRunning, CoTaskMemFree
OLEAUT32.dll | DispCallFunc, VariantClear, SysFreeString, SysAllocString, VariantCopy, SysStringLen, VariantChangeType, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayCreateVector, SysStringByteLen, SysAllocStringByteLen, VarUI4FromStr, LoadRegTypeLib, SysAllocStringLen, OleCreateFontIndirect, LoadTypeLib, VariantInit
dbghelp.dll | MiniDumpWriteDump
WININET.dll | InternetCrackUrlW, InternetCombineUrlW, InternetSetCookieExW, InternetGetCookieExW, InternetSetOptionW, InternetOpenW
urlmon.dll | RegisterBindStatusCallback, URLDownloadToCacheFileW, CreateURLMoniker, RevokeBindStatusCallback, URLDownloadToFileW, CoInternetSetFeatureEnabled
SHLWAPI.dll | StrStrIW, PathRemoveFileSpecW, PathStripPathW, PathCreateFromUrlW, StrStrW, PathIsURLW

Version Infos

Description | Data
LegalCopyright | Copyright 2018 Blackfish Software
InternalName | ietabhelper.exe
FileVersion | 13.5.27.1
CompanyName | Blackfish Software
ProductName | ietabhelper.exe
ProductVersion | 13.5.27.1
FileDescription | IE Tab Helper application
OriginalFilename | ietabhelper.exe
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: ietabhelper.exe PID: 3784 Parent PID: 5364

General

Start time: 20:26:55
Start date: 15/07/2020
Path: C:\Users\user\Desktop\ietabhelper.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\ietabhelper.exe'
Imagebase: 0x820000
File size: 1015896 bytes
MD5 hash: 98AE86F63A216F057A221FE00D5B2458
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Source File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\IE Tab\13.5.27.1\ietabhelper.exe | read data or list directory | read attributes | delete | write dac | synchronize | generic read | generic write | device | sequential only | non directory file | success or wait | 1 | 8891AF | CopyFileW
C:\Users\user\AppData\Local\IE Tab\13.5.27.1\ietabhelper.exe:Zone.Identifier:$DATA | read data or list directory | synchronize | generic write | device | sequential only | synchronous io non alert | success or wait | 1 | 8891AF | CopyFileW
C:\Users\user\AppData\Local\IE Tab\ietab_nm_manifest.json | read attributes | synchronize | generic read | generic write | device | synchronous io non alert | non directory file | success or wait | 1 | 8893E1 | CreateFileW

File Written

Source File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\IE Tab\13.5.27.1\ietabhelper.exe | 0 | 262144 | (hex dump of the PE header not reproduced) | MZ...... @..... ...... !..L.!This program cannot be run in DOS mode....$...... C...-...-...-.'.....-...... -...... -...... -...... -...... -...,...-...... -...... -...... -.Rich..-...... | success or wait | 4 | 8891AF | CopyFileW
C:\Users\user\AppData\Local\IE Tab\13.5.27.1\ietabhelper.exe:Zone.Identifier | 0 | 26 | 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 | [ZoneTransfer]....ZoneId=0 | success or wait | 1 | 8891AF | CopyFileW
C:\Users\user\AppData\Local\IE Tab\ietab_nm_manifest.json | unknown | 537 | (hex dump of the manifest not reproduced) | {.."name": "net.ietab.ietabhelper.peruser",.."description": "IE Tab Helper",.."path": "C:\\Users\\user\\AppData\\Local\\IE Tab\\13.5.27.1\\ietabhelper.exe",.."type": "stdio",.."allowed_origins": [ "chrome-extension://bjndombghfcohmonofdcfnhjldidnmhd/", " | success or wait | 1 | 889492 | WriteFile
unknown | unknown | 4 | 18 00 00 00 | .... | invalid handle | 1 | 876224 | WriteFile

File Read

Source File Path | Offset | Length | Completion | Count | Address | Symbol
unknown | unknown | 4 | invalid handle | 1 | 8761EF | ReadFile

Registry Activities

Key Created

Source Key Path | Completion | Count | Address | Symbol
HKEY_CURRENT_USER\SOFTWARE\\Chrome\NativeMessagingHosts\net.ietab.ietabhelper.peruser | success or wait | 1 | 82F9F8 | RegCreateKeyExW
HKEY_CURRENT_USER\SOFTWARE\IE Tab | success or wait | 1 | 82F9F8 | RegCreateKeyExW

Key Value Created

Source Key Path | Name | Type | Data | Completion | Count | Address | Symbol
HKEY_CURRENT_USER\Software\Google\Chrome\NativeMessagingHosts\net.ietab.ietabhelper.peruser | NULL | unicode | C:\Users\user\AppData\Local\IE Tab\ietab_nm_manifest.json | success or wait | 1 | 889544 | RegSetValueExW
HKEY_CURRENT_USER\Software\IE Tab | CurrentVersion | unicode | 13.5.27.1 | success or wait | 1 | 83E6FF | RegSetValueExW

Disassembly

Code Analysis
