Joe Sandbox Analysis Report
ID: 333796
Sample Name: zphoenixminer.exe
Cookbook: default.jbs
Time: 23:37:39
Date: 23/12/2020
Version: 31.0.0 Red Diamond

Table of Contents

Table of Contents (2)
Analysis Report zphoenixminer.exe (4)
  Overview (4)
    General Information (4)
    Detection (4)
    Signatures (4)
    Classification (4)
    Startup (4)
    Malware Configuration (4)
    Yara Overview (4)
      Memory Dumps (4)
      Unpacked PEs (5)
    Sigma Overview (6)
    Signature Overview (6)
      AV Detection (6)
      Networking (6)
      Key, Mouse, Clipboard, Microphone and Screen Capturing (6)
      E-Banking Fraud (7)
      Spam, unwanted Advertisements and Ransom Demands (7)
      System Summary (7)
      Persistence and Installation Behavior (7)
      Hooking and other Techniques for Hiding and Protection (7)
      HIPS / PFW / Operating System Protection Evasion (7)
      Stealing of Sensitive Information (7)
      Remote Access Functionality (7)
    Mitre Att&ck Matrix (7)
    Behavior Graph (8)
    Screenshots (9)
      Thumbnails (9)
    Antivirus, Machine Learning and Genetic Malware Detection (9)
      Initial Sample (9)
      Dropped Files (9)
      Unpacked PE Files (10)
      Domains (10)
      URLs (10)
    Domains and IPs (10)
      Contacted Domains (10)
      URLs from Memory and Binaries (10)
      Contacted IPs (12)
        Public (12)
    General Information (12)
    Simulations (13)
      Behavior and APIs (13)
    Joe Sandbox View / Context (13)
      IPs (13)
      Domains (13)
      ASN (14)
      JA3 Fingerprints (14)
      Dropped Files (14)
    Created / dropped Files (14)
    Static File Info (19)
      General (20)
      File Icon (20)
    Static PE Info (20)
      General (20)
      Entrypoint Preview (20)
      Data Directories (21)
      Sections (22)
      Resources (22)
      Imports (24)
      Exports (24)
      Version Infos (25)
      Possible Origin (25)
    Network Behavior (25)
      TCP Packets (25)
    Code Manipulations (26)
    Statistics (26)
      Behavior (26)
    System Behavior (26)
      Analysis Process: zphoenixminer.exe PID: 5740 Parent PID: 5532 (26)
        General (26)
      Analysis Process: nslookup.exe PID: 240 Parent PID: 5740 (27)
        General (27)
        File Activities (27)
          File Read (27)
      Analysis Process: conhost.exe PID: 1000 Parent PID: 240 (27)
        General (27)
      Analysis Process: cmd.exe PID: 4196 Parent PID: 240 (28)
        General (28)
      Analysis Process: cmd.exe PID: 1740 Parent PID: 240 (28)
        General (28)
      Analysis Process: cmd.exe PID: 404 Parent PID: 240 (28)
        General (28)
      Analysis Process: cmd.exe PID: 3492 Parent PID: 240 (29)
        General (29)
      Analysis Process: cmd.exe PID: 620 Parent PID: 240 (29)
        General (29)
      Analysis Process: notepad.exe PID: 4260 Parent PID: 240 (29)
        General (29)
        File Activities (30)
          File Created (30)
          File Written (31)
        Registry Activities (33)
          Key Created (33)
          Key Value Created (33)
    Disassembly (33)
      Code Analysis (33)

Copyright null 2020 Page 2 of 34

Analysis Report zphoenixminer.exe

Overview

General Information

Sample Name: zphoenixminer.exe
Analysis ID: 333796
MD5: fb0b58548f18718…
SHA1: 03e68d10cbe6dfc…
SHA256: 891c233cff0f39e…
Tags: exe RemcosRAT
Most interesting Screenshot: (see Screenshots)

Detection

Verdict: malicious (scale: malicious / suspicious / clean)
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Classification

Labels on the classification chart: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Remcos, Adware.

Signatures

Detected Remcos RAT
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected Remcos RAT
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Drops executable to a common third …
Hijacks the control flow in another process
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Uses nslookup.exe to query domains
Writes to foreign memory regions
Abnormal high CPU Usage
Antivirus or Machine Learning detec…
Checks if the current process is bein…
Contains functionality for read data f…
Contains functionality to call native f…
Contains functionality to download a…
Contains functionality to dynamically…
Contains functionality to enumerate…
Contains functionality to launch a co…
Contains functionality to query CPU…
Contains functionality to query locale…
Contains functionality to read the PEB
Contains functionality to read the cli…
Contains functionality to shutdown /…
Contains functionality to simulate m…
Creates a DirectInput object (often fo…
Creates a process in suspended mo…
Creates files inside the system direc…
Creates job files (autostart)
Detected TCP or UDP traffic on no…
Detected potential crypto function
Dropped file seen in connection with…
Drops PE files
Extensive use of GetProcAddress (o…
Found dropped PE file which has no…

Startup

System is w10x64

zphoenixminer.exe (PID: 5740 cmdline: 'C:\Users\user\Desktop\zphoenixminer.exe' MD5: FB0B58548F18718F51BB0A189064B9DA)
  nslookup.exe (PID: 240 cmdline: C:\Windows\system32\nslookup.exe MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
    conhost.exe (PID: 1000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    cmd.exe (PID: 4196 cmdline: C:\Windows\system32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
    cmd.exe (PID: 1740 cmdline: C:\Windows\system32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
    cmd.exe (PID: 404 cmdline: C:\Windows\system32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
    cmd.exe (PID: 3492 cmdline: C:\Windows\system32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
    cmd.exe (PID: 620 cmdline: C:\Windows\system32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
    notepad.exe (PID: 4260 cmdline: C:\Windows\system32\notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)
cleanup

The whole chain hangs off nslookup.exe, which has no legitimate reason to start shells or an editor; together with the foreign-memory writes and control-flow hijack signatures this is the injection path into notepad.exe, where the Remcos payload is later found unpacked (see Yara Overview). The Created / dropped Files section names C:\Windows\SysWOW64\notepad.exe as the writing process: the chain is 32-bit, so the system32 path in the command line is subject to WOW64 file system redirection.

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000010.00000002.701587054.0000000000400000.00000040.00000001.sdmp
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security
Strings: (none listed)

Source: 00000010.00000002.701587054.0000000000400000.00000040.00000001.sdmp
Rule: Remcos_1
Description: Remcos Payload
Author: kevoreilly
Strings:
  0x16498:$name: Remcos
  0x16810:$name: Remcos
  0x16d5c:$name: Remcos
  0x16daf:$name: Remcos
  0x15674:$time: %02i:%02i:%02i:%03i
  0x156fc:$time: %02i:%02i:%02i:%03i
  0x16b60:$time: %02i:%02i:%02i:%03i
  0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...

Source: 00000010.00000002.701587054.0000000000400000.00000040.00000001.sdmp
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings:
  0x16680:$str_a1: C:\Windows\System32\cmd.exe
  0x1669c:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  0x1669c:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  0x15d80:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  0x16384:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  0x15964:$str_b2: Executing file:
  0x16720:$str_b3: GetDirectListeningPort
  0x161c4:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  0x164bc:$str_b5: licence_code.txt
  0x16420:$str_b6: \restart.vbs
  0x16344:$str_b8: \uninstall.vbs
  0x15920:$str_b9: Downloaded file:
  0x15934:$str_b10: Downloading file:
  0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
  0x15980:$str_b12: Failed to upload file:
  0x16760:$str_b13: StartForward
  0x16744:$str_b14: StopForward
  0x162b4:$str_b15: fso.DeleteFile "
  0x16318:$str_b16: On Error Resume Next
  0x16280:$str_b17: fso.DeleteFolder "
  0x15998:$str_b18: Uploaded file:

Source: 00000000.00000002.407364535.00000000027A0000.00000040.00000001.sdmp
Rule: MAL_crime_win32_rat_parallax_shell_bin
Description: Detects Parallax injected code
Author: @VK_Intel
Strings:
  0x2809:$ntdll_load: 55 8B EC 81 EC D0 08 00 00 53 56 57 E8 76 FC FF FF 89 85 78 FF FF FF 8D BD 30 F7 FF FF 33 C0 B9 ...
  0x1d34:$call_func: 81 EC BC 00 00 00 8D 45 E0 56 50 6A 00 6A 01 FF 75 08 E8 D3 05 00 00 8B F0 83 C4 10 85 F6 0F 84 ...
  0x1661:$cryp_hex: 8B EC 8B 45 08 25 55 55 55 55 D1 E0 8B 4D 08 D1 E9 81 E1 55 55 55 55 0B C1 89 45 08 8B 55 08 81 ...

Source: 00000010.00000002.710156064.0000000003404000.00000004.00000001.sdmp
Rule: JoeSecurity_Keylogger_Generic
Description: Yara detected Keylogger Generic
Author: Joe Security
Strings: (none listed)

(12 entries in total; the report shows the first five.)

Unpacked PEs

Source: 0.2.zphoenixminer.exe.27a0000.3.raw.unpack
Rule: MAL_crime_win32_rat_parallax_shell_bin
Description: Detects Parallax injected code
Author: @VK_Intel
Strings:
  0x2809:$ntdll_load: 55 8B EC 81 EC D0 08 00 00 53 56 57 E8 76 FC FF FF 89 85 78 FF FF FF 8D BD 30 F7 FF FF 33 C0 B9 ...
  0x1d34:$call_func: 81 EC BC 00 00 00 8D 45 E0 56 50 6A 00 6A 01 FF 75 08 E8 D3 05 00 00 8B F0 83 C4 10 85 F6 0F 84 ...
  0x1661:$cryp_hex: 8B EC 8B 45 08 25 55 55 55 55 D1 E0 8B 4D 08 D1 E9 81 E1 55 55 55 55 0B C1 89 45 08 8B 55 08 81 ...

Source: 0.2.zphoenixminer.exe.27a0000.3.unpack
Rule: MAL_crime_win32_rat_parallax_shell_bin
Description: Detects Parallax injected code
Author: @VK_Intel
Strings:
  0xf34:$call_func: 81 EC BC 00 00 00 8D 45 E0 56 50 6A 00 6A 01 FF 75 08 E8 D3 05 00 00 8B F0 83 C4 10 85 F6 0F 84 ...
  0x861:$cryp_hex: 8B EC 8B 45 08 25 55 55 55 55 D1 E0 8B 4D 08 D1 E9 81 E1 55 55 55 55 0B C1 89 45 08 8B 55 08 81 ...

Source: 16.2.notepad.exe.400000.0.raw.unpack
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security
Strings: (none listed)

Source: 16.2.notepad.exe.400000.0.raw.unpack
Rule: Remcos_1
Description: Remcos Payload
Author: kevoreilly
Strings:
  0x16498:$name: Remcos
  0x16810:$name: Remcos
  0x16d5c:$name: Remcos
  0x16daf:$name: Remcos
  0x15674:$time: %02i:%02i:%02i:%03i
  0x156fc:$time: %02i:%02i:%02i:%03i
  0x16b60:$time: %02i:%02i:%02i:%03i
  0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...

Source: 16.2.notepad.exe.400000.0.raw.unpack
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings: the same offsets and values as the REMCOS_RAT_variants entry under Memory Dumps ($str_a1 at 0x16680 through $str_b18 at 0x15998), which is expected because the memory dump 00000010.00000002.701587054.0000000000400000 and 16.2.notepad.exe.400000.0.raw.unpack are the same image of the injected notepad.exe process.

(3 entries in total; the report shows all of them.)

Note that the Parallax hits sit in the sample's own process (region 0x27a0000 of zphoenixminer.exe, process 0) while the Remcos hits sit at the image base 0x400000 of notepad.exe (process 16): a Parallax-style injector unpacks and stages the Remcos payload into the editor.
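The Remcos_1 hits above are plain string and byte-pattern matches at fixed offsets in the unpacked notepad.exe image. The script below, added here as an example rather than code from this report or from kevoreilly's rule, reimplements that matching in Python over a constructed stand-in buffer and emits an equivalent YARA rule for use with yara or yara-python. The $name, $time and $crypto values are the ones printed in the Strings column; the rule condition it applies (an MZ header, at least two $name hits, at least one $time hit) and the `build_sample_dump` buffer are assumptions, because the report does not print the rule's condition.

```python
"""Re-implementation of the Remcos_1 string matching shown in the Yara tables.

Added example: not code from the report or from the kevoreilly/JoeSecurity
rules. The $name, $time and $crypto values are the ones the report prints;
the rule condition and the sample dump are assumptions made for this example.
"""
import re
import struct

# Strings exactly as listed in the report's Strings column. $crypto is the
# byte prefix printed before the "..." truncation.
STRINGS = {
    "name": b"Remcos",
    "time": b"%02i:%02i:%02i:%03i",
    "crypto": bytes.fromhex(
        "0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 "
        "8A 84 95 F8 FB FF FF 30 06 47 3B 7D"
    ),
}

# Assumed condition: a PE image (MZ), at least two "Remcos" strings and at
# least one timestamp format string.
MIN_NAME_HITS = 2
MIN_TIME_HITS = 1


def find_all(buf: bytes, needle: bytes) -> list:
    """Offsets of every non-overlapping occurrence of needle in buf."""
    return [m.start() for m in re.finditer(re.escape(needle), buf)]


def scan(buf: bytes) -> dict:
    """Run the string search and evaluate the (assumed) rule condition."""
    hits = {name: find_all(buf, value) for name, value in STRINGS.items()}
    is_pe = len(buf) >= 2 and struct.unpack_from("<H", buf, 0)[0] == 0x5A4D
    matched = (
        is_pe
        and len(hits["name"]) >= MIN_NAME_HITS
        and len(hits["time"]) >= MIN_TIME_HITS
    )
    return {"matched": matched, "is_pe": is_pe, "hits": hits}


def to_yara(rule_name: str = "Remcos_1_rebuilt") -> str:
    """Render the same strings and condition as YARA source for yara/yara-python."""
    body = [
        f"rule {rule_name} {{",
        "  strings:",
        f'    $name = "{STRINGS["name"].decode()}"',
        f'    $time = "{STRINGS["time"].decode()}"',
        f"    $crypto = {{ {STRINGS['crypto'].hex(' ').upper()} }}",
        "  condition:",
        f"    uint16(0) == 0x5A4D and #name >= {MIN_NAME_HITS} and #time >= {MIN_TIME_HITS}",
        "}",
    ]
    return "\n".join(body)


def build_sample_dump() -> bytes:
    """Constructed 512-byte stand-in for a process dump; not the real 16.2.notepad.exe image."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    buf[0x40:0x40 + len(STRINGS["crypto"])] = STRINGS["crypto"]
    buf[0x100:0x106] = STRINGS["name"]
    buf[0x120:0x120 + len(STRINGS["time"])] = STRINGS["time"]
    buf[0x180:0x186] = STRINGS["name"]
    return bytes(buf)


if __name__ == "__main__":
    result = scan(build_sample_dump())
    print("matched:", result["matched"])
    for name, offsets in result["hits"].items():
        print(f"  ${name}: " + ", ".join(hex(o) for o in offsets))
    print(to_yara())
```

To run it against the real dump, pass the bytes of 16.2.notepad.exe.400000.0.raw.unpack to `scan`; the offsets it reports for $name and $time should reproduce the ones in the table, since those offsets are relative to the start of the unpacked region.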

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• E-Banking Fraud
• Spam, unwanted Advertisements and Ransom Demands
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Only the categories with at least one signature are listed below.


AV Detection:

Yara detected Remcos RAT

Networking:

Uses nslookup.exe to query domains

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to capture and log keystrokes

Contains functionality to register a low level keyboard hook

E-Banking Fraud:

Yara detected Remcos RAT

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to change the wallpaper

System Summary:

Malicious sample detected (through community Yara rule)

Persistence and Installation Behavior:

Drops to a common third party application directory

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly setting hooks in foreign process

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Hijacks the control flow in another process

Maps a DLL or memory area into another process

Writes to foreign memory regions

Stealing of Sensitive Information:

Yara detected Remcos RAT

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Remote Access Functionality:

Detected Remcos RAT

Yara detected Remcos RAT

Mitre Att&ck Matrix

The matrix marks the techniques this sample triggered; the numbers after a technique are the hit counters printed in its matrix cell. Techniques without a counter are the empty matrix template and are omitted here.

Initial Access: none
Execution: Native API 1; Command and Scripting Interpreter 1 2; Scheduled Task/Job 1; Service Execution 2
Persistence: Application Shimming 1; Windows Service 1; Scheduled Task/Job 1
Privilege Escalation: Application Shimming 1; Access Token Manipulation 1; Windows Service 1; Process Injection 6 2 1; Scheduled Task/Job 1
Defense Evasion: Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Software Packing 1; Masquerading 1 1 1; Virtualization/Sandbox Evasion 2; Access Token Manipulation 1; Process Injection 6 2 1
Credential Access: OS Credential Dumping 1; Credential API Hooking 1; Input Capture 2 2 1; Credentials In Files 2
Discovery: System Time Discovery 1; Account Discovery 1; System Service Discovery 1; File and Directory Discovery 2; System Information Discovery 4 4; Security Software Discovery 1 1; Virtualization/Sandbox Evasion 2; Process Discovery 2; System Owner/User Discovery 1; System Network Configuration Discovery 1
Lateral Movement: none
Collection: Archive Collected Data 1; Credential API Hooking 1; Input Capture 2 2 1; Clipboard Data 2
Exfiltration: none

Behavior Graph

Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

ID: 333796
Sample: zphoenixminer.exe
Startdate: 23/12/2020
Architecture: WINDOWS
Score: 100

Sample-level signatures: Malicious sample detected (through community Yara rule); Detected Remcos RAT; Yara detected Remcos RAT; Uses nslookup.exe to query domains

zphoenixminer.exe
  started nslookup.exe
  signatures on this edge: Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Hijacks the control flow in another process; Uses nslookup.exe to query domains; 2 other signatures

nslookup.exe
  started notepad.exe, conhost.exe, cmd.exe and 4 other processes
  signatures on these edges: Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Hijacks the control flow in another process; Writes to foreign memory regions; Maps a DLL or memory area into another process

notepad.exe and the other nslookup.exe children
  node counters printed on the graph: 2 and 21 (the legend's created-registry-values / created-files counters)
  network: 94.242.206.175, 49705, 5886 (ROOTLU, Luxembourg; marked malicious)
  dropped: C:\Users\user\AppData\...\libcrypto-1_1.dll (PE32)
  dropped: C:\Users\user\AppData\...\HelpPane.exe (PE32)
  dropped: C:\Users\user\AppData\Local\...\cghelp.dll (PE32)
  dropped: C:\Users\user\AppData\...\RuntimeBroker.exe (PE32)
  signatures: System process connects to network (likely due to code injection or exploit); Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Contains functionality to change the wallpaper; 6 other signatures
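The graph above is a textbook injection chain: a resolver (nslookup.exe) spawning shells and an editor, an editor opening a TCP connection, and PE files named after Windows system binaries (RuntimeBroker.exe, HelpPane.exe) written under AppData and then registered as a scheduled task (see Simulations). The following script, added here as an example and not part of the sandbox's tooling, expresses those observations as detection rules and runs them over constructed Sysmon-style event records built from this report's PIDs, paths, IP and task. The record field names, the explorer.exe parent of the sample, and the EnableLUA command line (the payload only embeds that string as $str_a3; the report does not show it executing) are assumptions.

```python
"""Behavioural detections for the process chain this report shows.

Added example: not the sandbox's code. EVENTS are constructed Sysmon-style
records mirroring the Startup section, Behavior Graph and Simulations table
of this report; the field names, the explorer.exe parent, pid 9999 and the
EnableLUA command line are assumptions.
"""
import re
from typing import Iterable, List

# Binary names that only belong in a Windows system directory (assumption).
SYSTEM_BINARY_NAMES = {"runtimebroker.exe", "helppane.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# A resolver has no reason to spawn shells or editors; Remcos used it as the
# injection host here. conhost.exe is a normal child of any console process.
BAD_NSLOOKUP_CHILDREN = {"cmd.exe", "notepad.exe", "powershell.exe"}

# Windows binaries that should never open outbound sockets.
NO_NETWORK_BINARIES = {"notepad.exe", "conhost.exe"}

# $str_a3/$str_a4 of REMCOS_RAT_variants: reg.exe turning off UAC (EnableLUA).
UAC_DISABLE = re.compile(r"reg(\.exe)?\s+add\s+.*\\policies\\system\s+/v\s+enablelua", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events: Iterable[dict]) -> List[str]:
    """Return one finding per event that matches a rule (empty list if none)."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            image, parent = basename(ev["image"]), basename(ev["parent_image"])
            if parent == "nslookup.exe" and image in BAD_NSLOOKUP_CHILDREN:
                findings.append(f"pid {ev['pid']}: nslookup.exe spawned {image}, parent is likely injected")
            if UAC_DISABLE.search(ev.get("cmdline", "")):
                findings.append(f"pid {ev['pid']}: UAC disabled via EnableLUA")
        elif kind == "network_connect":
            image = basename(ev["image"])
            if image in NO_NETWORK_BINARIES:
                findings.append(f"pid {ev['pid']}: {image} connected to {ev['dst_ip']}:{ev['dst_port']}")
        elif kind == "file_create":
            target = ev["target"]
            if basename(target) in SYSTEM_BINARY_NAMES and not target.lower().startswith(SYSTEM_DIRS):
                findings.append(f"pid {ev['pid']}: {basename(target)} written outside a system directory: {target}")
        elif kind == "scheduled_task":
            if "\\appdata\\" in ev["action"].lower():
                findings.append(f"task {ev['name']}: scheduled binary lives in AppData: {ev['action']}")
    return findings


# Constructed events; PIDs, paths, the IP and the task come from this report.
EVENTS = [
    {"type": "process_create", "pid": 5740, "image": r"C:\Users\user\Desktop\zphoenixminer.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r"C:\Users\user\Desktop\zphoenixminer.exe"},
    {"type": "process_create", "pid": 240, "image": r"C:\Windows\system32\nslookup.exe",
     "parent_image": r"C:\Users\user\Desktop\zphoenixminer.exe", "cmdline": r"C:\Windows\system32\nslookup.exe"},
    {"type": "process_create", "pid": 1000, "image": r"C:\Windows\system32\conhost.exe",
     "parent_image": r"C:\Windows\system32\nslookup.exe", "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"type": "process_create", "pid": 4196, "image": r"C:\Windows\system32\cmd.exe",
     "parent_image": r"C:\Windows\system32\nslookup.exe", "cmdline": r"C:\Windows\system32\cmd.exe"},
    {"type": "process_create", "pid": 4260, "image": r"C:\Windows\system32\notepad.exe",
     "parent_image": r"C:\Windows\system32\nslookup.exe", "cmdline": r"C:\Windows\system32\notepad.exe"},
    {"type": "network_connect", "pid": 4260, "image": r"C:\Windows\SysWOW64\notepad.exe",
     "dst_ip": "94.242.206.175", "dst_port": 5886},
    {"type": "file_create", "pid": 4260, "target": r"C:\Users\user\AppData\Local\Adobe\Acrobat\RuntimeBroker.exe"},
    {"type": "file_create", "pid": 4260, "target": r"C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe"},
    {"type": "file_create", "pid": 4260, "target": r"C:\Users\user\AppData\Local\Adobe\Acrobat\cghelp.dll"},
    {"type": "scheduled_task", "name": "HelpPane",
     "action": r"C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe s>- fegxbrs -on -vcwi -dbkzct=15606242"},
    # Assumed: what the embedded $str_a3 string would look like if Remcos ran it.
    {"type": "process_create", "pid": 9999, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\SysWOW64\notepad.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0"},
]

if __name__ == "__main__":
    for line in hunt(EVENTS):
        print(line)
```

The conhost.exe child and the cghelp.dll drop produce no findings on purpose: a console host under any console process is normal, and the DLL does not reuse a system binary's name. The rules are deliberately parent/child and path based rather than hash based, because both dropped PEs score 0-3% on the scanners listed under Dropped Files.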

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Adobe\Acrobat\RuntimeBroker.exe | 0% | Virustotal |
C:\Users\user\AppData\Local\Adobe\Acrobat\RuntimeBroker.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\Adobe\Acrobat\RuntimeBroker.exe | 2% | ReversingLabs |
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe | 0% | Virustotal |
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe | 3% | Metadefender |
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe | 2% | ReversingLabs |

Neither dropped executable is meaningfully detected by the multi-scanner services; the verdict on them rests on behaviour and on the Joe Sandbox context (both files were previously seen with zethpill.exe, see Joe Sandbox View / Context).

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.zphoenixminer.exe.27a0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
16.2.notepad.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
www.url.com): | 0% | Avira URL Cloud | safe
picku.pp.ua/ | 0% | Avira URL Cloud | safe
ocsp.thawte.com0 | 0% | URL Reputation | safe (the same row is listed four times)

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Several entries share the same set of memory dumps, abbreviated here:

Source set A: nslookup.exe, 00000001.00000002.398582346.0000000019356000.00000004.00000001.sdmp; cmd.exe, 0000000B.00000002.333949048.0000000002E00000.00000004.00000001.sdmp; cmd.exe, 0000000C.00000002.336749636.0000000003030000.00000004.00000001.sdmp; cmd.exe, 0000000D.00000002.339011342.0000000002800000.00000004.00000001.sdmp; cmd.exe, 0000000E.00000002.341640796.0000000002900000.00000004.00000001.sdmp; cmd.exe, 0000000F.00000002.344162395.0000000002800000.00000004.00000001.sdmp

Source set B: nslookup.exe, 00000001.00000002.398582346.0000000019356000.00000004.00000001.sdmp; cmd.exe, 0000000B.00000002.335058571.0000000003584000.00000004.00000001.sdmp; cmd.exe, 0000000C.00000002.339192528.00000000037B4000.00000004.00000001.sdmp; cmd.exe, 0000000D.00000002.342287978.0000000002F84000.00000004.00000001.sdmp; cmd.exe, 0000000E.00000002.344505798.0000000003084000.00000004.00000001.sdmp

Name: https://i.imgur.com/epwnMdM.png
Source: zphoenixminer.exe, 00000000.00000002.405723992.000000000019C000.00000004.00000010.sdmp; nslookup.exe, 00000001.00000002.366230240.0000000000E80000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: (none)
Reputation: high

Name: https://github.com/openvpn/openvpn-gui/Z
Source: source set B without the 0000000E cmd.exe dump
Malicious: false
Antivirus Detection: (none)
Reputation: high

Name: https://i.imgur.com/epwnMdM.pngV
Source: nslookup.exe, 00000001.00000002.366230240.0000000000E80000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: (none)
Reputation: high

Name: www.url.com):
Source: source set A
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: low

Name: crl.thawte.com/ThawteTimestampingCA.crl0
Source: source set A
Malicious: false
Antivirus Detection: (none)
Reputation: high

Name: picku.pp.ua/
Source: source set B
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://openvpn.net/
Source: cmd.exe, 0000000E.00000002.344505798.0000000003084000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: (none)
Reputation: high

Name: www.symauth.com/cps0(
Source: source set A
Malicious: false
Antivirus Detection: (none)
Reputation: high

Name: www.symauth.com/rpa00
Source: source set A
Malicious: false
Antivirus Detection: (none)
Reputation: high

Name: https://github.com/OpenVPN/openvpn-gui/
Source: source set B
Malicious: false
Antivirus Detection: (none)
Reputation: high

Name: ocsp.thawte.com0
Source: source set A
Malicious: false
Antivirus Detection: URL Reputation: safe (reported four times)
Reputation: unknown

The trailing characters on several names (Z, V, 0, "(", "):") are bytes that follow the string in memory, not part of the URL; the imgur image URL is the only one that appears in the sample's own memory, the rest sit in the nslookup.exe and cmd.exe dumps.

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
94.242.206.175 | unknown | Luxembourg | 5577 | ROOTLU | true

General Information

Joe Sandbox Version: 31.0.0 Red Diamond

Analysis ID: 333796
Start date: 23.12.2020
Start time: 23:37:39
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 14s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: zphoenixminer.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; HDC enabled; AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@16/16@0/1
EGA Information: Failed
HDC Information: Successful, ratio: 43.5% (good quality ratio 32.9%); Quality average: 61.7%; Quality standard deviation: 41.4%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings: Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe; Report size getting too big, too many NtReadVirtualMemory calls found.

Two of these settings matter when reading the rest of the report: the analysis stopped on timeout rather than on process exit, so later behaviour of the injected notepad.exe may be missing, and conhost.exe is on the whitelist, so its own activity is not reported even though it appears in the process tree.

Simulations

Behavior and APIs

Time | Type | Description
23:39:41 | API Interceptor | 1380x Sleep call for process: notepad.exe modified
23:39:43 | Task Scheduler | Run new task: HelpPane, path: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe s>- fegxbrs -on -vcwi -dbkzct=15606242

The 1380 shortened Sleep calls are the sandbox defeating a delay loop in the injected process; the scheduled task is the persistence mechanism for the dropped HelpPane.exe, launched with an argument string that does not correspond to any documented Windows HelpPane.exe option.

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
94.242.206.175 | zethpill.exe | malicious
94.242.206.175 | ethpill.exe | malicious

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context (IP)
ROOTLU | zethpill.exe | malicious | 94.242.206.175
ROOTLU | ethpill.exe | malicious | 94.242.206.175
ROOTLU | R2ZgSf2y9X.exe | malicious | 94.242.224.249
ROOTLU | HTTP://ubar-pro4.ru | malicious | 94.242.214.159
ROOTLU | HTTP://ubar-pro4.ru | malicious | 94.242.214.159
ROOTLU | .exe | malicious | 94.242.232.66
ROOTLU | 26attachmen.exe | malicious | 94.242.232.66
ROOTLU | .exe | malicious | 94.242.232.66
ROOTLU | office-automation.usa.cc/147/redirect/?[email protected] | malicious | 94.242.202.177
ROOTLU | office-automation.usa.cc/147/redirect/?[email protected] | malicious | 94.242.202.177
ROOTLU | 4text.htm .exe | malicious | 195.24.76.171
ROOTLU | .exe | malicious | 94.242.232.66
ROOTLU | 35message.htm .exe | malicious | 94.242.232.66
ROOTLU | 55vazsfmj.exe | malicious | 195.24.76.171
ROOTLU | .exe | malicious | 195.24.76.171
ROOTLU | 1letter.exe | malicious | 195.24.76.171
ROOTLU | kir.exe | malicious | 195.24.77.223
ROOTLU | kir.exe | malicious | 195.24.77.223
ROOTLU | staff-bio.exe | malicious | 195.24.77.223
ROOTLU | 1transcrip.exe | malicious | 195.24.76.171

Sample names shown as a bare ".exe" had their leading characters dropped in the report; names such as "4text.htm .exe" are double-extension lures whose padding whitespace has been collapsed.

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Adobe\Acrobat\RuntimeBroker.exe | zethpill.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe | zethpill.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe | zethpill.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe | 9wTCLD6gaX.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe | ethpill.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe | First Entry.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe | EthMinev5.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe | MoneroUV6.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe | TaskAudio Driver.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe | bmdiv.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe | MoneroMinerv4.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe | 7EwzINPlKU.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe | RF28R6201SR_V40.doc | malicious
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe | 3235.doc | malicious
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe | adobeupd.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe | Dianetax2018_2019.doc | malicious

The same HelpPane.exe drop has been seen with a string of miner-themed lures (EthMinev5.exe, MoneroUV6.exe, MoneroMinerv4.exe) and with Office documents, which fits the "zphoenixminer" name of this sample: a miner lure carrying Remcos.

Created / dropped Files

C:\Users\user\AppData\Local\Adobe\Acrobat\RuntimeBroker.exe

Process: C:\Windows\SysWOW64\notepad.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3324880
Entropy (8bit): 6.658679685668313
Encrypted: false
SSDEEP: 49152:b3eB0z1A8edhHdJASCEAmgHNOqpHqy6TJtXm9:bFedqOqWm
MD5: 8D6BC27E5E6CFA274B6D5B361FE78DE4
SHA1: 943DEAC05FD3AD3726713B1B6889AB68793132F5
SHA-256: 7BEC1FB86B337F9D35D32FE838FCFE857DBE333DC716731AD0FA4EFBEAA02F90
SHA-512: E74575841EA694668C2E35159FD7E3ECE53F9577EA2291343236289B47BDA9E64E7A86731A0B9A788200E9DB64EFB5D3E5D995AA01E03E44AEC6C33BDCDBDFE2
Malicious: true
Antivirus: Virustotal, Detection: 0%; Metadefender, Detection: 0%; ReversingLabs, Detection: 2%
Joe Sandbox View: Filename: zethpill.exe, Detection: malicious
Reputation: low
Preview: MZP...... @...... jr...... !..L.!..This program must be run under Win32..$7...... PE..L....E.X...... ,..@...... D"...... ,...@...... 3...... 2...... @/...... 6...P/...... 2...... @0...... 0/...... text.....,...... x,...... `.data....@....,..F...~,...... @....tls...... -...... @....rdata...... -...... @..P.idata...@...... 8....-...... @[…]...... 0/...... @...

The "MZP" signature and the "This program must be run under Win32" DOS stub mark a Borland/Delphi-linked executable; the file reuses the name of the Windows RuntimeBroker.exe but lives under a user-writable Adobe\Acrobat directory.

C:\Users\user\AppData\Local\Adobe\Acrobat\cghelp.dll

Process: C:\Windows\SysWOW64\notepad.exe
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 4889600
Entropy (8bit): 6.525869730886278
Encrypted: false
SSDEEP: 49152:w+avudqS6vdIJH5m+A2O0RPLK7HHztGsFXEezqWmT6Td/GDlEzt:/kjoLKTFXEe+7E
MD5: F591EB1FBC9B8DD6DED9919D3CA86B57
SHA1: D799192518F9576E880E76B088402F1BFFE37D87
SHA-256: 21F75C17323457C269EBCC3972DB8E6E884BBC9B9B55E6EB596A64F52DD2C8B2
SHA-512: 7BE1AE5777B8AA271CDAB884E4F7AA2FC44630E9D69EE3AE988D60D6B53607B181DFFFB78FF43EFA8931F9A5DA0ABFDED51C56F83F16AF997883365D372E5994
Malicious: true
Reputation: low
Preview: MZP...... @...... pjr...... !..L.!..This program must be run under Win32..$7...... PE..L....>.C...... #...... ?...... `%...... ?...@...... L...... 0D...... [email protected]...... G.p...... D. u...... text.....?...... ?...... `.data...... ?...... ?...... @....tls...... C...... A...... @....idata...P....C..B....A...... @[…]...... D...... B...... @... .edata...... 0D...... B...... @..@

C:\Users\user\AppData\Local\Temp\byfeyvafhmqfku
Process: C:\Windows\SysWOW64\notepad.exe
File Type: data
Category: dropped
Size (bytes): 211092
Entropy (8bit): 2.799257034425035
Encrypted: false
SSDEEP: 6144:WKf8XLW3rRib9ulIxaFEYR33mc1/myXacJlc8LY:2Li7uMrk
MD5: CBC4D7E3DECC159F551C08B3A68A1A8C
SHA1: C90298EDEBD93A22DF6DF2B011D70AE8D4A14805
SHA-256: 3C2CBA9FD9729E9B89469619DFE8CE745DA29F87F3842DDE0F36BD7D79914215
SHA-512: 8C00945099D07BEC31085EB80D0E78D44597E4D343740C8BD5123418B4BB6E4B4A9C3B70D9C34D7312D079E5026B7174FB9D01EE67F4C5A3DE95A651B3E7BE29
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Temp\frphokv
Process: C:\Windows\SysWOW64\notepad.exe
File Type: data
Category: dropped
Size (bytes): 208828
Entropy (8bit): 2.799781795872102
Encrypted: false
SSDEEP: 6144:Acz9jJ/9gOpiHvXIwrnAzIS/emg4tK7dKpTl:5tE7wF1l
MD5: D51EB2A92CCD9860E163ACAAE63CA252
SHA1: AE004D764B4F704B1B7F65EE3221B384D3051533
SHA-256: 08E92D7B7F19EE9054B7574AFE16574D54D9379DBAC473476039372B8495A4AA
SHA-512: C1D02F2C2D76D0CA6EA4E15A0DFBC395F104413D9B7312E74C4BD002F83A89C15C0347AFE7F8D493C11C9712D55F5B7850C160C2A7F041CD1A8A1AA1E8518975
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Temp\kahnxynhj
Process: C:\Windows\SysWOW64\notepad.exe
File Type: data
Category: dropped
Size (bytes): 210304
Entropy (8bit): 2.7997758127266072
Encrypted: false
SSDEEP: 6144:1v8I4Xp7X92kBAgXepe0jbOKV4MVgpNqO:lka6n
MD5: 1A7F92AB9BFEBD4EDE1C7A6C926126D7
SHA1: 2BD10A0516B6B88CCB65423974998340C9CD94C9
SHA-256: BC2C643595D1841C84925328A92FE3BB7BBB098A09C348203843D98CD69579E5
SHA-512: AE8682EAD7EAC3409FD5B15A190C01648EAD6B3CA536B499CF83E28D31E15847BB0BECE0E3619A85527B5888EAA45728B72120C903D421D8B5156D074DA7986C
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Temp\klfixtbcmu
Process: C:\Windows\SysWOW64\notepad.exe
File Type: data
Category: dropped
Size (bytes): 220404
Entropy (8bit): 2.7988854381584627
Encrypted: false
SSDEEP: 3072:3y6GVTw8QAcTcI54JJ/rDhxACSVbxr6SAZqo7VElhTY:3+ZwccTcI54JJTtxACSVbxuLQEElVY
MD5: 681531A6815442FA758B210EEB3CF20C
SHA1: 4EA0173649AD031F0D325F2F30DED499D18C9395
SHA-256: A71F90ADFB50B1D656350DEC70DFDBD0A63C4EB2F2EB3DDE838E7238E40F169D
SHA-512: 165FA050ADFB58653E1F8A82D491E78AE5BD7F103C381B1B54051F45CCDCA34786612D134C01665FF760F1AFA046E1A5800C144C0EF219370AF42C709D7D5329
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Temp\klpgae
Process: C:\Windows\SysWOW64\notepad.exe
File Type: lif file
Category: dropped
Size (bytes): 218056
Entropy (8bit): 2.8007563942470304
Encrypted: false
SSDEEP: 3072:czKgLU45kUuTvvE6h1cu3fKXK4+La5mf2zv8a:cWgg45kUuTvsS1cuP07+La0f2zv8a
MD5: 922B7ABCE8399CC6F6ACE514A0D66FE6
SHA1: 105BC4DCD14242D086DACA267363FE529B7CBDF5
SHA-256: E8F2979B5E86616DA3012189CF9A7F4DB9BB6373DC9BC65FCEED66CF36E3DE93
SHA-512: 950E69F1EB023B0410AC4D916D71693A69920ACFA7D56E078610DB13D89ADC3E6DD9216D5EBA2A6DDA8E3F0EAA128C91C9EB3B2836EFDB1B8EA97D486B9E1146
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Temp\orxxvnjxxv
Process: C:\Windows\SysWOW64\notepad.exe
File Type: Hitachi SH big-endian COFF , not stripped, 0 section, symbol offset=0xa0000000, 218103808 symbols, optional header size 56576
Category: dropped
Size (bytes): 231148
Entropy (8bit): 2.8003311895952967
Encrypted: false
SSDEEP: 6144:meeLxZ2RqNN5K9jOKURVngg79Rb5dHKwhAe:msjZg7Ye
MD5: EB2DD0CE87C4990C4273B34C3835E04D
SHA1: D8F2ED300E1E6535B70A09CB463A0D846466ED47
SHA-256: 7DE307290759716816DF44E7BE5EA05CD2B4F521A828ECBF75376D89B0B5F5B5
SHA-512: C517F9A11590058E455D6D9091595811907809DDBFCCB62B7CCD7F6D45086668AFA55641FDC606A26C2978C4EB3A1C29B929DBE46628312515CDB7084D394CD7
Malicious: false

C:\Users\user\AppData\Local\Temp\rjovwvcmc
Process: C:\Windows\SysWOW64\notepad.exe
File Type: data
Category: dropped
Size (bytes): 214136
Entropy (8bit): 2.7994235639404272
Encrypted: false
SSDEEP: 6144:B+K1Ps/yK5MLnTkI0HxWAMkW9E8IlLFEztRteYTvG:MuKrr
MD5: FC407ACA856C716378BEF3311D6406CD
SHA1: BE0C1E4F81578B87BBA094179C2C14DACA28C720
SHA-256: D5DB0426BEB867123777E07E019F906D978232BAC7C85BD9A45ED0FD48253B79
SHA-512: E6304195F121283D8CA29A52C46F02A68A3D68E94C3EC9F5682FBA8C4EDDA8A8093446F6C5A671A4EC199F9E76A777FF078CF3D39EDEEF42CBF1FCEA6C892CDD
Malicious: false

C:\Users\user\AppData\Local\Temp\tbtgbiqyp
Process: C:\Windows\SysWOW64\notepad.exe
File Type: data
Category: dropped
Size (bytes): 226676
Entropy (8bit): 2.7994549068223527
Encrypted: false
SSDEEP: 6144:Em8s01eXs3s35HFZSD6CUwx9KD9R4KYD5oRCV:z03nGlRCV
MD5: 5FD469811B7AA8276FF749ECA3E817F7
SHA1: F4178494E431593747CAB5AB79B3D53995F7FB66
SHA-256: 168B03AB46221A2FD3C0D9B020A4FC334B49BC40F29F4D56C135AAB3318D422A
SHA-512: 1B2103253B9EE2A6F68C6B31C88D198522BC8CCCEBCC3211513305D20962FC49B08BE0EB24FC993A905DA236AFEA5911FEA383A38EE1AF6E69CCCE5736955EDD
Malicious: false

C:\Users\user\AppData\Local\Temp\upmpltfnefjy
Process: C:\Windows\SysWOW64\notepad.exe
File Type: data
Category: dropped
Size (bytes): 223016
Entropy (8bit): 2.7997011424538947
Encrypted: false
SSDEEP: 6144:f+fBXBUHQj/KnKNHYxXg25WG68H/jQy3CId:1vhd
MD5: F7C5C67BC398BF8D49AFC1477E185CFE
SHA1: A311EA7C39BBD92AA996D98C15FB1DC1BF723945
SHA-256: 03FF68AD4862517B012621FBF3D8ECDFD59450020AD439F6FEF202A623EDA266
SHA-512: 43AA63848C0358F7BA2D8F813C88E110B74A10BA163A50096184743D8BEBD47E29577FB8C5A70241AD4AFA457440A270662C69C4E9ADF6206F83EA6A0E56FEC3
Malicious: false

C:\Users\user\AppData\Local\Temp\uxdxqobftu
Process: C:\Windows\SysWOW64\notepad.exe
File Type: data
Category: modified
Size (bytes): 36312
Entropy (8bit): 2.795197425386724
Encrypted: false
SSDEEP: 384:x4Bj4dnyAVHhW5Z9tc6ZXaxL6QD7+40DAU497rEk2PEMfyeJ7xzh5L52Sp5rtnZz:xljAj2MpDAUW7CF1pDiaV
MD5: 8AD36547CDF8AE484D26368D7C2AD705
SHA1: 6894D401ABAD59B2EC336097F9C9113CA9E1A31D
SHA-256: F7FF2776698D3FEACE0617CF081CB3D03F3C51A6D400C6AB74F4A2A4B01D69F6
SHA-512: 6574F6ADD70DDEE5B88D5012E1C4AE331FA9C766A8D74581BA2E0367570C99091D4418902B6B4A69F5DF27AAA7A6FBAD6FD2F5F7D45C26848A5E78EFA2650671
Malicious: false

C:\Users\user\AppData\Roaming\MSI\logs.dat
Process: C:\Windows\SysWOW64\notepad.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 74
Entropy (8bit): 4.662420853767955
Encrypted: false
SSDEEP: 3:ttVPnkjJrA4RXMRPHv31aeo:tMjVXqdHv3IP
MD5: 9F25D1679DFDCA866197475770029EF3
SHA1: 7C0C826D26013FA62922ACF5AD133561CE87FD80
SHA-256: 576C9B53562CA596B319BA8BBFDE925B0FA05A7EB310AF81444E3E99AB0C2A5F
SHA-512: 5F2C179E2DD640DFD71251DD8ACDAB41AF461463D3B58C968059176A3A1A3D2D4168BA16F24D65D7FDD01D08E3C4673DBDA13C8F5E636E663613F8535B38FFE8
Malicious: false
Preview: ..[2020/12/23 23:39:53 Offline Keylogger Started]....[ Program Manager ]..

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe
Process: C:\Windows\SysWOW64\notepad.exe
File Type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 645248
Entropy (8bit): 4.83564965395614
Encrypted: false
SSDEEP: 3072:7cETKI0rIua2CyxcD5Yhcwjub0Mt3wSYzhOxSHisQ3tCH544U7+YFGf/oB8Ld//w:7cQMsnYlPHD44UZiC4PSOv/QJNkms6V
MD5: 7215C1B9693B1394AAA7C86DCD741AD7
SHA1: 290DDA9A0F85CF5F119CB726E4F5D86696672BBC
SHA-256: 1D2914C04B213029550EBA1E0C0B40E36A32B443A76EFC9C2F779E8B9448BDD5
SHA-512: E79B8A8FFBF75A17AB8B16752D3DA68BE9C6F7C50FEDF4A6049DA2393FF8B1B43E1F9CD9B9BFDC06C8B62764031D959962CFC11898BD81BF22A9970D6C63B945
Malicious: true
Antivirus: Virustotal, Detection: 0%
Antivirus: Metadefender, Detection: 3%
Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:
Filename: zethpill.exe, Detection: malicious
Filename: zethpill.exe, Detection: malicious
Filename: 9wTCLD6gaX.exe, Detection: malicious
Filename: ethpill.exe, Detection: malicious
Filename: First Entry.exe, Detection: malicious
Filename: EthMinev5.exe, Detection: malicious
Filename: MoneroUV6.exe, Detection: malicious
Filename: TaskAudio Driver.exe, Detection: malicious
Filename: bmdiv.exe, Detection: malicious
Filename: MoneroMinerv4.exe, Detection: malicious
Filename: 7EwzINPlKU.exe, Detection: malicious
Filename: RF28R6201SR_V40.doc, Detection: malicious
Filename: 3235.doc, Detection: malicious
Filename: adobeupd.exe, Detection: malicious
Filename: Dianetax2018_2019.doc, Detection: malicious

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\libcrypto-1_1.dll
Process: C:\Windows\SysWOW64\notepad.exe
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 1108992
Entropy (8bit): 6.708910338053909
Encrypted: false
SSDEEP: 12288:jtjo8UvLWkWg81ilkuyHhguYeGKvo/6uaR+RBuABRk1mhQJ6Db2:Z/UD3Wg81mihguYeGKvo2QRTQJMb2
MD5: 24BC0F1C6CB3B17492A098B0C3C4C8C1
SHA1: 45C60082CA8393937EC305BDC52E1F7BA4C332F9
SHA-256: 105F009770FE3071D63C947446C7110F3C952674A4973B24BDA31C9A1AB609CE
SHA-512: 51531B684D9A0D0BC463D460BA7FEAA945DF53E5680CB261C84A07BBE60F5D12E795057DF94E0E900AB5016041BE1775B409174FAE2C28D4A4A7EB8BFAE4F87B
Malicious: true

C:\Windows\Tasks\HelpPane.job
Process: C:\Windows\SysWOW64\notepad.exe
File Type: data
Category: dropped
Size (bytes): 402
Entropy (8bit): 3.7579864913522067
Encrypted: false
SSDEEP: 6:iIePreDi82elV3Ti1UEZglJPZBcZDvEMl4oOAc6tE7YNzdHOicF/JTMy0ljnlGrG:cyi82e33qMJEvEMgf7YNzOFhwVjnoK
MD5: 1AE368821593297C59B6136F5B353EDE
SHA1: B22875ACB36B3F9D3AE2D57B02B1836D685613B8
SHA-256: E0EE951FC8C65D970E843E85749108683BF29D6584B877553D0336215A202008
SHA-512: 8DE2F2C7405B4CD1968516ABB18BC57A9F954BF139B4F3D6B61727C87511BD8748C16AA6DFD198C5B9F8031D752A2A2F248EAF49C10BD8D4BE07B5C5F16FA7B0
Malicious: false
Preview: ....ff.p.TxG..*...u.F.`.....<...... "...... H.C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.I.n.t.e.r.n.e.t. .E.x.p.l.o.r.e.r.\.H.e.l.p.P.a.n.e...e. x.e...$.-.f.e.g.x.b.r.s. .-.o.n. .-.v.c.w.i. .-.d.b.k.z.c.t.=.1.5.6.0.6.2.4.2...... D.E.S.K.T.O.P.-.7.1.6.T.7.7.1.\.h.a.r.d.z...... 0...... _...... '......

Static File Info

General
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 6.519276325955326
TrID: Win32 Executable (generic) a (10002005/4) 99.83%; Windows Screen Saver (13104/52) 0.13%; Generic Win/DOS Executable (2004/3) 0.02%; DOS Executable Generic (2002/1) 0.02%; VXD Driver (31/22) 0.00%
File name: zphoenixminer.exe
File size: 4423680
MD5: fb0b58548f18718f51bb0a189064b9da
SHA1: 03e68d10cbe6dfca2af6a3b88905c078025cb9e1
SHA256: 891c233cff0f39e408dea777835b5a9de9169152c7778d37bbd443d55cae18de
SHA512: c30041fa6f95b5b5fb3bd33f61a16cd2fb28d8d7973e4a2bbd54390aecd666fd80e2d5aa49dee280868e4bda8ddb5e5a8a5a75e44c18ec4a6d35cd8b0ce3db8c
SSDEEP: 49152:D3zWtcb1X8oh1zSnnfCpqOHQHtuU/AM6XuTlTwtExDt:bvBUfhOHWEwD
File Content Preview: MZP...... @...... pjr...... !..L.!.. This program must be run under Win32..$7......

File Icon

Icon Hash: f96c7860b2706cd6

Static PE Info

General
Entrypoint: 0x402424
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp: 0x5FE3845A [Wed Dec 23 17:54:34 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 6978784b5def80b431c80b9401a9927f

Entrypoint Preview

Instruction
jmp 00007F9304B372C2h
bound di, dword ptr [edx]
inc ebx
sub ebp, dword ptr [ebx]
dec eax
dec edi
dec edi
dec ebx
nop
jmp 00007F93052CA361h
mov eax, dword ptr [0079309Fh]
shl eax, 02h
mov dword ptr [007930A3h], eax
push edx
push 00000000h
call 00007F9304EC5FC6h
mov edx, eax
mov dword ptr [007930A7h], edx
call 00007F9304EB7841h
pop edx
call 00007F9304EB7763h
call 00007F9304EB7996h
push 00000000h
call 00007F9304EC2FAFh
pop ecx
push 00793048h
push 00000000h
call 00007F9304EC5F9Ah
mov dword ptr [007930A7h], eax
push 00000000h
jmp 00007F9304EC1E0Ah
jmp 00007F9304EC2FE1h
xor eax, eax
mov al, byte ptr [00793091h]
ret
mov eax, dword ptr [007930A7h]
ret
pushad
mov ebx, BCB05000h
push ebx
push 00000BADh
ret
mov ecx, 000000F0h
or ecx, ecx
je 00007F9304B372FFh
cmp dword ptr [0079309Fh], 00000000h
jnc 00007F9304B372BCh
mov eax, 000000FEh
call 00007F9304B3728Ch
mov ecx, 000000F0h
push ecx
push 00000008h
call 00007F9304EC5F63h
push eax
call 00007F9304EC6023h
or eax, eax
jne 00007F9304B372BCh
mov eax, 000000FDh
call 00007F9304B3726Bh
push eax
push eax
push dword ptr [0079309Fh]
call 00007F9304EC1FB0h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3c8000 | 0x5433 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3c3000 | 0x3b96 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3ce000 | 0x31800 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x400000 | 0x47d28 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x3c2000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3c7000 | 0x853 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x392000 | 0x391200 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x393000 | 0x2e000 | 0x23200 | False | 0.478411365658 | data | 6.56278524662 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls | 0x3c1000 | 0x1000 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata | 0x3c2000 | 0x1000 | 0x200 | False | 0.05078125 | data | 0.205445628135 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.idata | 0x3c3000 | 0x4000 | 0x3c00 | False | 0.313802083333 | data | 5.11040396566 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didata | 0x3c7000 | 0x1000 | 0xa00 | False | 0.35390625 | data | 4.04886880564 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.edata | 0x3c8000 | 0x6000 | 0x5600 | False | 0.220112645349 | data | 5.59318495848 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x3ce000 | 0x32000 | 0x31800 | False | 0.149305555556 | data | 3.13902173492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x400000 | 0x48000 | 0x47e00 | False | 0.651236413043 | data | 6.73196043969 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0x3cf574 | 0x134 | data | Russian | Russia
RT_CURSOR | 0x3cf6a8 | 0x134 | data | English | United States
RT_CURSOR | 0x3cf7dc | 0x134 | data | English | United States
RT_CURSOR | 0x3cf910 | 0x134 | data | English | United States
RT_CURSOR | 0x3cfa44 | 0x134 | data | English | United States
RT_CURSOR | 0x3cfb78 | 0x134 | data | English | United States
RT_CURSOR | 0x3cfcac | 0x134 | data | English | United States
RT_CURSOR | 0x3cfde0 | 0x134 | data | Russian | Russia
RT_CURSOR | 0x3cff14 | 0x134 | data | Russian | Russia
RT_CURSOR | 0x3d0048 | 0x134 | data | English | United States
RT_BITMAP | 0x3d017c | 0x1d0 | data | English | United States
RT_BITMAP | 0x3d034c | 0x1e4 | data | English | United States
RT_BITMAP | 0x3d0530 | 0x1d0 | data | English | United States
RT_BITMAP | 0x3d0700 | 0x1d0 | data | English | United States
RT_BITMAP | 0x3d08d0 | 0x1d0 | data | English | United States
RT_BITMAP | 0x3d0aa0 | 0x1d0 | data | English | United States
RT_BITMAP | 0x3d0c70 | 0x1d0 | data | English | United States
RT_BITMAP | 0x3d0e40 | 0x1d0 | data | English | United States
RT_BITMAP | 0x3d1010 | 0x1d0 | data | English | United States
RT_BITMAP | 0x3d11e0 | 0x1d0 | data | English | United States
RT_BITMAP | 0x3d13b0 | 0xc0 | GLS_BINARY_LSB_FIRST | English | United States
RT_BITMAP | 0x3d1470 | 0xe0 | GLS_BINARY_LSB_FIRST | English | United States
RT_BITMAP | 0x3d1550 | 0xe0 | GLS_BINARY_LSB_FIRST | English | United States
RT_BITMAP | 0x3d1630 | 0xe0 | GLS_BINARY_LSB_FIRST | English | United States
RT_BITMAP | 0x3d1710 | 0xc0 | GLS_BINARY_LSB_FIRST | English | United States
RT_BITMAP | 0x3d17d0 | 0xc8 | data | |
RT_BITMAP | 0x3d1898 | 0x268 | dBase IV DBT, block length 512, next free block index 40, next free block 0, next used block 4278190080 | Russian | Russia
RT_BITMAP | 0x3d1b00 | 0xc8 | data | |
RT_BITMAP | 0x3d1bc8 | 0xc0 | GLS_BINARY_LSB_FIRST | English | United States
RT_BITMAP | 0x3d1c88 | 0xe0 | GLS_BINARY_LSB_FIRST | English | United States
RT_BITMAP | 0x3d1d68 | 0xc0 | GLS_BINARY_LSB_FIRST | English | United States
RT_BITMAP | 0x3d1e28 | 0xe0 | GLS_BINARY_LSB_FIRST | English | United States
RT_BITMAP | 0x3d1f08 | 0xc0 | GLS_BINARY_LSB_FIRST | English | United States
RT_BITMAP | 0x3d1fc8 | 0xe0 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x3d20a8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 13028386, next used block 0 | English | United States
RT_STRING | 0x3d2390 | 0x1f8 | data | |
RT_STRING | 0x3d2588 | 0xbf8 | data | |
RT_STRING | 0x3d3180 | 0x7c4 | data | |
RT_STRING | 0x3d3944 | 0x440 | data | |
RT_STRING | 0x3d3d84 | 0x444 | data | |
RT_STRING | 0x3d41c8 | 0x414 | data | |
RT_STRING | 0x3d45dc | 0x444 | data | |
RT_STRING | 0x3d4a20 | 0x180 | data | |
RT_STRING | 0x3d4ba0 | 0xec | data | |
RT_STRING | 0x3d4c8c | 0x134 | data | |
RT_STRING | 0x3d4dc0 | 0x2d4 | data | |
RT_STRING | 0x3d5094 | 0x428 | data | |
RT_STRING | 0x3d54bc | 0x3a8 | data | |
RT_STRING | 0x3d5864 | 0x484 | data | |
RT_STRING | 0x3d5ce8 | 0x3e8 | data | |
RT_STRING | 0x3d60d0 | 0x3fc | data | |
RT_STRING | 0x3d64cc | 0x4b8 | data | |
RT_STRING | 0x3d6984 | 0x570 | data | |
RT_STRING | 0x3d6ef4 | 0x388 | data | |
RT_STRING | 0x3d727c | 0x3cc | data | |
RT_STRING | 0x3d7648 | 0x470 | data | |
RT_STRING | 0x3d7ab8 | 0x128 | data | |
RT_STRING | 0x3d7be0 | 0xec | data | |
RT_STRING | 0x3d7ccc | 0x264 | data | |
RT_STRING | 0x3d7f30 | 0x434 | data | |
RT_STRING | 0x3d8364 | 0x378 | data | |
RT_STRING | 0x3d86dc | 0x338 | data | |
RT_STRING | 0x3d8a14 | 0x33c | data | |
RT_RCDATA | 0x3d8d50 | 0x10 | data | |
RT_RCDATA | 0x3d8d60 | 0x2 | data | English | United States
RT_RCDATA | 0x3d8d64 | 0x1841 | gzip compressed data, was "1", last modified: Thu Mar 22 19:55:10 1979, from FAT filesystem (MS-DOS, OS/2, NT) | Russian | Russia
RT_RCDATA | 0x3da5a8 | 0x130 | Delphi compiled form 'TfrxDialogForm' | |
RT_RCDATA | 0x3da6d8 | 0x9b2 | Delphi compiled form 'TfrxHTMLExportDialog' | |
RT_RCDATA | 0x3db08c | 0x821 | Delphi compiled form 'TfrxIMGExportDialog' | |
RT_RCDATA | 0x3db8b0 | 0x46a2 | Delphi compiled form 'TfrxInheritErrorForm' | |
RT_RCDATA | 0x3dff54 | 0x1162 | Delphi compiled form 'TfrxPageSettingsForm' | |
RT_RCDATA | 0x3e10b8 | 0x1c06 | Delphi compiled form 'TfrxPasswordForm' | |
RT_RCDATA | 0x3e2cc0 | 0xe1c | Delphi compiled form 'TfrxPreviewForm' | |
RT_RCDATA | 0x3e3adc | 0x1acaf | Delphi compiled form 'TfrxPrintDialog' | |
RT_RCDATA | 0x3fe78c | 0x3c5 | Delphi compiled form 'TfrxProgress' | |
RT_RCDATA | 0x3feb54 | 0x5fb | Delphi compiled form 'TfrxSearchDialog' | |
RT_RCDATA | 0x3ff150 | 0x1b0 | Delphi compiled form 'TPRO' | |
RT_GROUP_CURSOR | 0x3ff300 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Russian | Russia
RT_GROUP_CURSOR | 0x3ff314 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Russian | Russia
RT_GROUP_CURSOR | 0x3ff328 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Russian | Russia
RT_GROUP_CURSOR | 0x3ff33c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x3ff350 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x3ff364 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x3ff378 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x3ff38c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x3ff3a0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x3ff3b4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_ICON | 0x3ff3c8 | 0x14 | data | English | United States
RT_VERSION | 0x3ff3dc | 0x140 | MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79 | English | United States
RT_MANIFEST | 0x3ff51c | 0x2ca | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Import
ADVAPI32.DLL | CryptGetKeyParam, RegCloseKey, RegConnectRegistryW, RegCreateKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyExW, RegEnumValueW, RegFlushKey, RegLoadKeyW, RegNotifyChangeKeyValue, RegOpenKeyExW, RegQueryInfoKeyW, RegQueryValueExW, RegReplaceKeyW, RegRestoreKeyW, RegSaveKeyW, RegSetValueExW, RegUnLoadKeyW
KERNEL32.DLL | CloseHandle, CompareStringW, CreateEventW, CreateFileA, CreateFileW, CreateThread, DeleteCriticalSection, DeleteFileA, DeleteFileW, EnterCriticalSection, EnumCalendarInfoW, EnumResourceNamesW, EnumResourceTypesA, EnumSystemLocalesW, ExitProcess, ExitThread, FileTimeToDosDateTime, FileTimeToLocalFileTime, FindClose, FindFirstFileW, FindNextFileW, FindResourceW, FormatMessageW, FreeLibrary, FreeResource, GetACP, GetCPInfo, GetCPInfoExW, GetCommandLineW, GetComputerNameW, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetDateFormatW, GetDiskFreeSpaceW, GetDriveTypeW, GetEnvironmentStringsW, GetExitCodeThread, GetFileAttributesA, GetFileAttributesW, GetFileType, GetFullPathNameW, GetLastError, GetLocalTime, GetLocaleInfoA, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetOEMCP, GetPrivateProfileStringW, GetProcAddress, GetProcessHeap, GetProfileStringW, GetStartupInfoA, GetStartupInfoW, GetStdHandle, GetStringTypeA, GetStringTypeW, GetSystemDefaultLangID, GetSystemDefaultUILanguage, GetSystemInfo, GetTempFileNameW, GetTempPathW, GetThreadLocale, GetThreadPriority, GetTickCount, GetTimeZoneInformation, GetUserDefaultLCID, GetUserDefaultUILanguage, GetVersion, GetVersionExA, GetVersionExW, GetVolumeInformationW, GlobalAddAtomW, GlobalAlloc, GlobalDeleteAtom, GlobalFindAtomW, GlobalFree, GlobalHandle, GlobalLock, GlobalSize, GlobalUnlock, HeapAlloc, HeapCreate, HeapDestroy, HeapFree, InitializeCriticalSection, IsDBCSLeadByte, IsDBCSLeadByteEx, IsDebuggerPresent, IsValidLocale, LCMapStringA, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LoadResource, LocalAlloc, LocalFree, LockResource, MoveFileW, MulDiv, MultiByteToWideChar, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadFile, ReleaseMutex, RemoveDirectoryW, ResetEvent, ResumeThread, RtlUnwind, SetConsoleCtrlHandler, SetCurrentDirectoryW, SetEndOfFile, SetErrorMode, SetEvent, SetFilePointer, SetHandleCount, SetLastError, SetStdHandle, SetSystemTime, SetThreadLocale, SetThreadPriority, SetThreadPriorityBoost, SizeofResource, Sleep, SleepEx, SuspendThread, SwitchToThread, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnhandledExceptionFilter, VerSetConditionMask, VerifyVersionInfoW, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, VirtualQueryEx, WaitForMultipleObjectsEx, WaitForSingleObject, WideCharToMultiByte, WriteFile, WritePrivateProfileStringW, lstrcmpW, lstrlenW, InterlockedCompareExchange, InterlockedDecrement, InterlockedExchange, InterlockedIncrement, HeapSize
VERSION.DLL | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
WINSPOOL.DRV | ClosePrinter, DeviceCapabilitiesW, DocumentPropertiesW, EndDocPrinter, EndPagePrinter, EnumPrintersW, OpenPrinterW, StartDocPrinterW, StartPagePrinter, WritePrinter
COMCTL32.DLL | FlatSB_GetScrollInfo, FlatSB_GetScrollPos, FlatSB_SetScrollInfo, FlatSB_SetScrollPos, FlatSB_SetScrollProp, ImageList_Add, ImageList_BeginDrag, ImageList_Copy, ImageList_Create, ImageList_Destroy, ImageList_DragEnter, ImageList_DragLeave, ImageList_DragMove, ImageList_DragShowNolock, ImageList_Draw, ImageList_DrawEx, ImageList_EndDrag, ImageList_GetBkColor, ImageList_GetDragImage, ImageList_GetIcon, ImageList_GetIconSize, ImageList_GetImageCount, ImageList_GetImageInfo, ImageList_LoadImageW, ImageList_Read, ImageList_Remove, ImageList_Replace, ImageList_ReplaceIcon, ImageList_SetBkColor, ImageList_SetIconSize, ImageList_SetImageCount, ImageList_SetOverlayImage, ImageList_Write, InitializeFlatSB, _TrackMouseEvent
COMDLG32.DLL | ChooseColorW, ChooseFontW, GetSaveFileNameW, PrintDlgW, GetOpenFileNameW

Exports

Name | Ordinal | Address
@$xp$26Shdocvw_tlb@TCppWebBrowser | 12 | 0x404af8
@$xp$28Shdocvw_tlb@TCppShellWindows | 6 | 0x403ab8
@$xp$29Shdocvw_tlb@TCppShellUIHelper | 4 | 0x4039bc
@$xp$32Shdocvw_tlb@TCppInternetExplorer | 10 | 0x404384
@$xp$35Shdocvw_tlb@TInternetExplorerMedium | 8 | 0x403c0c
@$xp$36Shdocvw_tlb@TShellFavoritesNameSpace | 2 | 0x403808
@@Seal@Finalize | 18 | 0x408294
@@Seal@Initialize | 17 | 0x408284
@@Shdocvw_ocx@Finalize | 302 | 0x6a5b10
@@Shdocvw_ocx@Initialize | 301 | 0x6a5af8
@@Shdocvw_tlb@Finalize | 21 | 0x69d850
@@Shdocvw_tlb@Initialize | 20 | 0x69d840
@Shdocvw_ocx@Register$qqrv | 22 | 0x69d860
@Shdocvw_tlb@CLSID_CppCScriptErrorList | 333 | 0x7a75c8
@Shdocvw_tlb@CLSID_CppInternetExplorer | 318 | 0x7a74d8
@Shdocvw_tlb@CLSID_CppShellBrowserWindow | 320 | 0x7a74f8
@Shdocvw_tlb@CLSID_CppShellUIHelper | 327 | 0x7a7568
@Shdocvw_tlb@CLSID_CppShellWindows | 323 | 0x7a7528
@Shdocvw_tlb@CLSID_CppWebBrowser | 317 | 0x7a74c8
@Shdocvw_tlb@CLSID_CppWebBrowser_V1 | 316 | 0x7a74b8
@Shdocvw_tlb@CLSID_InternetExplorerMedium | 319 | 0x7a74e8
@Shdocvw_tlb@CLSID_ShellFavoritesNameSpace | 331 | 0x7a75a8
@Shdocvw_tlb@DIID_DShellNameSpaceEvents | 328 | 0x7a7578
@Shdocvw_tlb@DIID_DShellWindowsEvents | 321 | 0x7a7508
@Shdocvw_tlb@DIID_DWebBrowserEvents | 312 | 0x7a7478
@Shdocvw_tlb@DIID_DWebBrowserEvents2 | 315 | 0x7a74a8
@Shdocvw_tlb@IID_IScriptErrorList | 332 | 0x7a75b8
@Shdocvw_tlb@IID_IShellFavoritesNameSpace | 329 | 0x7a7588
@Shdocvw_tlb@IID_IShellNameSpace | 330 | 0x7a7598
@Shdocvw_tlb@IID_IShellUIHelper | 324 | 0x7a7538
@Shdocvw_tlb@IID_IShellUIHelper2 | 325 | 0x7a7548
@Shdocvw_tlb@IID_IShellUIHelper3 | 326 | 0x7a7558
@Shdocvw_tlb@IID_IShellWindows | 322 | 0x7a7518
@Shdocvw_tlb@IID_IWebBrowser | 311 | 0x7a7468
@Shdocvw_tlb@IID_IWebBrowser2 | 314 | 0x7a7498
@Shdocvw_tlb@IID_IWebBrowserApp | 313 | 0x7a7488
@Shdocvw_tlb@LIBID_SHDocVw | 310 | 0x7a7458
@Shdocvw_tlb@TCppInternetExplorer@ | 308 | 0x79c988
@Shdocvw_tlb@TCppInternetExplorer@$bctr$qqrp25System@Classes@TComponent | 11 | 0x404a8c
@Shdocvw_tlb@TCppInternetExplorer@BeforeDestruction$qqrv | 51 | 0x69ece4
@Shdocvw_tlb@TCppInternetExplorer@ClientToWindow$qqrpit1 | 64 | 0x69ff74
@Shdocvw_tlb@TCppInternetExplorer@Connect$qqrv | 49 | 0x69e9a8

Version Infos

Description     Data
FileVersion     1.0.0.0
ProductVersion  1.0.0.0
Translation     0x0409 0x04e4

Possible Origin

Language of compilation system  Country where language is spoken
Russian                         Russia
English                         United States

Network Behavior

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Dec 23, 2020 23:39:44.635293961 CET  49705        5886       192.168.2.3     94.242.206.175
Dec 23, 2020 23:39:44.686288118 CET  5886         49705      94.242.206.175  192.168.2.3
Dec 23, 2020 23:39:44.686408043 CET  49705        5886       192.168.2.3     94.242.206.175
Dec 23, 2020 23:39:44.687356949 CET  49705        5886       192.168.2.3     94.242.206.175
Dec 23, 2020 23:39:44.765125036 CET  5886         49705      94.242.206.175  192.168.2.3
Dec 23, 2020 23:39:44.769417048 CET  49705        5886       192.168.2.3     94.242.206.175
Dec 23, 2020 23:39:44.846123934 CET  5886         49705      94.242.206.175  192.168.2.3
Dec 23, 2020 23:40:04.767503023 CET  5886         49705      94.242.206.175  192.168.2.3
Dec 23, 2020 23:40:04.769728899 CET  49705        5886       192.168.2.3     94.242.206.175
Dec 23, 2020 23:40:04.841468096 CET  5886         49705      94.242.206.175  192.168.2.3
Dec 23, 2020 23:40:24.768439054 CET  5886         49705      94.242.206.175  192.168.2.3
Dec 23, 2020 23:40:24.771977901 CET  49705        5886       192.168.2.3     94.242.206.175
Dec 23, 2020 23:40:24.843990088 CET  5886         49705      94.242.206.175  192.168.2.3
Dec 23, 2020 23:40:44.769314051 CET  5886         49705      94.242.206.175  192.168.2.3
Dec 23, 2020 23:40:44.776098967 CET  49705        5886       192.168.2.3     94.242.206.175
Dec 23, 2020 23:40:44.837393999 CET  5886         49705      94.242.206.175  192.168.2.3
Dec 23, 2020 23:41:04.770308018 CET  5886         49705      94.242.206.175  192.168.2.3
Dec 23, 2020 23:41:04.823649883 CET  49705        5886       192.168.2.3     94.242.206.175
Dec 23, 2020 23:41:05.181947947 CET  49705        5886       192.168.2.3     94.242.206.175
Dec 23, 2020 23:41:05.254441977 CET  5886         49705      94.242.206.175  192.168.2.3
Dec 23, 2020 23:41:24.771286011 CET  5886         49705      94.242.206.175  192.168.2.3
Dec 23, 2020 23:41:24.774800062 CET  49705        5886       192.168.2.3     94.242.206.175
Dec 23, 2020 23:41:24.836383104 CET  5886         49705      94.242.206.175  192.168.2.3
Dec 23, 2020 23:41:44.772226095 CET  5886         49705      94.242.206.175  192.168.2.3
Dec 23, 2020 23:41:44.781702995 CET  49705        5886       192.168.2.3     94.242.206.175
Dec 23, 2020 23:41:44.854041100 CET  5886         49705      94.242.206.175  192.168.2.3
Dec 23, 2020 23:42:04.773364067 CET  5886         49705      94.242.206.175  192.168.2.3
Dec 23, 2020 23:42:04.779611111 CET  49705        5886       192.168.2.3     94.242.206.175
Dec 23, 2020 23:42:04.853220940 CET  5886         49705      94.242.206.175  192.168.2.3
Dec 23, 2020 23:42:24.774194002 CET  5886         49705      94.242.206.175  192.168.2.3
Dec 23, 2020 23:42:24.774795055 CET  49705        5886       192.168.2.3     94.242.206.175
Dec 23, 2020 23:42:24.852057934 CET  5886         49705      94.242.206.175  192.168.2.3
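After the initial handshake at 23:39:44 the capture settles into the same three-packet exchange between 192.168.2.3:49705 and 94.242.206.175:5886 every 20 seconds, and from the second round on it is the remote side that sends the first packet of each round. The script below is an added example, not part of the Joe Sandbox report: it parses rows in the table's own text format, groups packets into exchanges, and measures the period, the jitter and who speaks first. The 1 s quiet threshold that separates exchanges, the 5 % jitter tolerance and the minimum of five rounds are assumptions chosen for this capture.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# The rows of the TCP Packets table above, one packet per line:
# timestamp, source port, destination port, source IP, destination IP.
PACKETS = """\
Dec 23, 2020 23:39:44.635293961 CET 49705 5886 192.168.2.3 94.242.206.175
Dec 23, 2020 23:39:44.686288118 CET 5886 49705 94.242.206.175 192.168.2.3
Dec 23, 2020 23:39:44.686408043 CET 49705 5886 192.168.2.3 94.242.206.175
Dec 23, 2020 23:39:44.687356949 CET 49705 5886 192.168.2.3 94.242.206.175
Dec 23, 2020 23:39:44.765125036 CET 5886 49705 94.242.206.175 192.168.2.3
Dec 23, 2020 23:39:44.769417048 CET 49705 5886 192.168.2.3 94.242.206.175
Dec 23, 2020 23:39:44.846123934 CET 5886 49705 94.242.206.175 192.168.2.3
Dec 23, 2020 23:40:04.767503023 CET 5886 49705 94.242.206.175 192.168.2.3
Dec 23, 2020 23:40:04.769728899 CET 49705 5886 192.168.2.3 94.242.206.175
Dec 23, 2020 23:40:04.841468096 CET 5886 49705 94.242.206.175 192.168.2.3
Dec 23, 2020 23:40:24.768439054 CET 5886 49705 94.242.206.175 192.168.2.3
Dec 23, 2020 23:40:24.771977901 CET 49705 5886 192.168.2.3 94.242.206.175
Dec 23, 2020 23:40:24.843990088 CET 5886 49705 94.242.206.175 192.168.2.3
Dec 23, 2020 23:40:44.769314051 CET 5886 49705 94.242.206.175 192.168.2.3
Dec 23, 2020 23:40:44.776098967 CET 49705 5886 192.168.2.3 94.242.206.175
Dec 23, 2020 23:40:44.837393999 CET 5886 49705 94.242.206.175 192.168.2.3
Dec 23, 2020 23:41:04.770308018 CET 5886 49705 94.242.206.175 192.168.2.3
Dec 23, 2020 23:41:04.823649883 CET 49705 5886 192.168.2.3 94.242.206.175
Dec 23, 2020 23:41:05.181947947 CET 49705 5886 192.168.2.3 94.242.206.175
Dec 23, 2020 23:41:05.254441977 CET 5886 49705 94.242.206.175 192.168.2.3
Dec 23, 2020 23:41:24.771286011 CET 5886 49705 94.242.206.175 192.168.2.3
Dec 23, 2020 23:41:24.774800062 CET 49705 5886 192.168.2.3 94.242.206.175
Dec 23, 2020 23:41:24.836383104 CET 5886 49705 94.242.206.175 192.168.2.3
Dec 23, 2020 23:41:44.772226095 CET 5886 49705 94.242.206.175 192.168.2.3
Dec 23, 2020 23:41:44.781702995 CET 49705 5886 192.168.2.3 94.242.206.175
Dec 23, 2020 23:41:44.854041100 CET 5886 49705 94.242.206.175 192.168.2.3
Dec 23, 2020 23:42:04.773364067 CET 5886 49705 94.242.206.175 192.168.2.3
Dec 23, 2020 23:42:04.779611111 CET 49705 5886 192.168.2.3 94.242.206.175
Dec 23, 2020 23:42:04.853220940 CET 5886 49705 94.242.206.175 192.168.2.3
Dec 23, 2020 23:42:24.774194002 CET 5886 49705 94.242.206.175 192.168.2.3
Dec 23, 2020 23:42:24.774795055 CET 49705 5886 192.168.2.3 94.242.206.175
Dec 23, 2020 23:42:24.852057934 CET 5886 49705 94.242.206.175 192.168.2.3
"""

ROW = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+ (\d+) (\d+) (\S+) (\S+)$")
EPOCH = datetime(1970, 1, 1)


def parse_packets(text):
    """Rows -> sorted (seconds, sport, dport, src, dst). The timestamps carry
    nanoseconds, which strptime's %f rejects, so the fraction is added by hand."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        stamp, frac, sport, dport, src, dst = m.groups()
        secs = (datetime.strptime(stamp, "%b %d, %Y %H:%M:%S") - EPOCH).total_seconds()
        rows.append((secs + int(frac) / 10 ** len(frac), int(sport), int(dport), src, dst))
    return sorted(rows)


def bursts(rows, quiet=1.0):
    """First packet of each exchange; a new exchange starts after more than
    `quiet` seconds of silence (assumed threshold)."""
    out, last = [], None
    for pkt in rows:
        if last is None or pkt[0] - last > quiet:
            out.append(pkt)
        last = pkt[0]
    return out


def beacon_stats(rows):
    """Period between exchanges, worst deviation from it, and who sent the
    first packet of each exchange as (src IP, src port)."""
    starts = bursts(rows)
    gaps = [b[0] - a[0] for a, b in zip(starts, starts[1:])]
    med = median(gaps) if gaps else 0.0
    jitter = max((abs(g - med) for g in gaps), default=0.0)
    return {"bursts": len(starts), "median_gap": med, "max_jitter": jitter,
            "initiators": Counter((p[3], p[1]) for p in starts)}


def is_beaconing(rows, min_bursts=5, max_jitter_ratio=0.05):
    """A fixed-period channel: enough rounds, every gap within 5% of the median."""
    s = beacon_stats(rows)
    return s["bursts"] >= min_bursts and s["max_jitter"] <= max_jitter_ratio * s["median_gap"]


if __name__ == "__main__":
    rows = parse_packets(PACKETS)
    s = beacon_stats(rows)
    print(f"{s['bursts']} exchanges, period {s['median_gap']:.3f}s, max jitter "
          f"{s['max_jitter']:.3f}s, first sender per exchange {dict(s['initiators'])}")
    print("beaconing:", is_beaconing(rows))
```

On this table it reports nine exchanges with a 20.001 s period, 0.13 s of worst-case jitter (the first gap, measured from the handshake), and the remote end as the initiator of eight of the nine rounds; the same grouping works on a Zeek conn log or a pcap export once the row regex is swapped.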

Code Manipulations

Statistics

Behavior

• zphoenixminer.exe • nslookup.exe • conhost.exe • cmd.exe • cmd.exe • cmd.exe • cmd.exe • cmd.exe • notepad.exe


System Behavior

Analysis Process: zphoenixminer.exe PID: 5740 Parent PID: 5532

General

Start time: 23:38:38
Start date: 23/12/2020
Path: C:\Users\user\Desktop\zphoenixminer.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\zphoenixminer.exe'
Imagebase: 0x400000
File size: 4423680 bytes
MD5 hash: FB0B58548F18718F51BB0A189064B9DA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
  Rule: MAL_crime_win32_rat_parallax_shell_bin, Description: Detects Parallax injected code, Source: 00000000.00000002.407364535.00000000027A0000.00000040.00000001.sdmp, Author: @VK_Intel
Reputation: low

Analysis Process: nslookup.exe PID: 240 Parent PID: 5740

General

Start time: 23:38:42
Start date: 23/12/2020
Path: C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\nslookup.exe
Imagebase: 0xed0000
File size: 78336 bytes
MD5 hash: 8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
  Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000002.400034747.0000000019C85000.00000004.00000001.sdmp, Author: Joe Security
Reputation: moderate

File Activities

File Read

Source File Path                               Offset   Length  Completion       Count  Address  Symbol
C:\Users\user\AppData\Local\Temp\597a790d.png  unknown  8       success or wait  1      32A66D3  ReadFile
C:\Users\user\AppData\Local\Temp\597a790d.png  unknown  8       success or wait  2      32A6727  ReadFile

Analysis Process: conhost.exe PID: 1000 Parent PID: 240

General

Start time: 23:38:42
Start date: 23/12/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: cmd.exe PID: 4196 Parent PID: 240

General

Start time: 23:39:26
Start date: 23/12/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe
Imagebase: 0x3f0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
  Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000002.335058571.0000000003584000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

Analysis Process: cmd.exe PID: 1740 Parent PID: 240

General

Start time: 23:39:28
Start date: 23/12/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe
Imagebase: 0x3f0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
  Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.339192528.00000000037B4000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

Analysis Process: cmd.exe PID: 404 Parent PID: 240

General

Start time: 23:39:29
Start date: 23/12/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe
Imagebase: 0x3f0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
  Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.342287978.0000000002F84000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

Analysis Process: cmd.exe PID: 3492 Parent PID: 240

General

Start time: 23:39:30
Start date: 23/12/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe
Imagebase: 0x3f0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
  Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000E.00000002.344505798.0000000003084000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

Analysis Process: cmd.exe PID: 620 Parent PID: 240

General

Start time: 23:39:31
Start date: 23/12/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe
Imagebase: 0x3f0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
  Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000002.347499318.0000000002F84000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

Analysis Process: notepad.exe PID: 4260 Parent PID: 240

General

Start time: 23:39:32
Start date: 23/12/2020
Path: C:\Windows\SysWOW64\notepad.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\notepad.exe
Imagebase: 0xc40000
File size: 236032 bytes
MD5 hash: D693F13FE3AA2010B854C4C60671B8E2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
  Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.701587054.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
  Rule: Remcos_1, Description: Remcos Payload, Source: 00000010.00000002.701587054.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
  Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000010.00000002.701587054.0000000000400000.00000040.00000001.sdmp, Author: unknown
  Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000010.00000002.710156064.0000000003404000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high
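The process tree recorded above is a detection opportunity on its own, before any Yara rule fires: a Delphi executable run from the user's Desktop starts nslookup.exe with no query, and that nslookup.exe (which legitimately spawns nothing but its conhost.exe) goes on to start five argument-less cmd.exe processes and the notepad.exe that ends up holding the Remcos payload. The Python below is an added example, not part of the Joe Sandbox report: it replays the report's process records as constructed process-creation events and applies three parent/child rules to them. The rule names, the threshold of three argument-less cmd.exe children from one parent, and the two benign control records (PIDs 7000 and 7001, an interactive shell running a real DNS query) are assumptions of the example.

```python
import shlex
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # image path as a process-creation log (Sysmon EID 1, 4688) carries it
    cmdline: str


# Process records from the System Behavior section above, as constructed event
# records with the same PIDs, images and command lines. PID 5532 is the sandbox's
# launcher and has no record of its own; PIDs 7000/7001 are a constructed benign control.
EVENTS = [
    ProcEvent(5740, 5532, r"C:\Users\user\Desktop\zphoenixminer.exe", r"'C:\Users\user\Desktop\zphoenixminer.exe'"),
    ProcEvent(240, 5740, r"C:\Windows\SysWOW64\nslookup.exe", r"C:\Windows\system32\nslookup.exe"),
    ProcEvent(1000, 240, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(4196, 240, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe"),
    ProcEvent(1740, 240, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe"),
    ProcEvent(404, 240, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe"),
    ProcEvent(3492, 240, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe"),
    ProcEvent(620, 240, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe"),
    ProcEvent(4260, 240, r"C:\Windows\SysWOW64\notepad.exe", r"C:\Windows\system32\notepad.exe"),
    ProcEvent(7000, 1, r"C:\Windows\System32\cmd.exe", r"cmd.exe"),
    ProcEvent(7001, 7000, r"C:\Windows\System32\nslookup.exe", r"nslookup.exe -type=mx example.com"),
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def arguments(cmdline):
    """Tokens after the image; posix=False keeps Windows backslashes and quotes intact."""
    return shlex.split(cmdline, posix=False)[1:]


def detect(events):
    """(pid, rule) pairs for the hollowed-host pattern seen in this report."""
    by_pid = {e.pid: e for e in events}
    hits = []
    argless_cmd_per_parent = defaultdict(int)
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)   # None when the parent was never logged: rules stay silent
        # 1. nslookup.exe with nothing to resolve, started by a binary outside C:\Windows.
        if (name == "nslookup.exe" and not arguments(e.cmdline) and parent is not None
                and not parent.image.lower().startswith("c:\\windows\\")):
            hits.append((e.pid, "nslookup_no_query_from_user_binary"))
        # 2. nslookup.exe acting as a parent; its only legitimate child is conhost.exe.
        if parent is not None and basename(parent.image) == "nslookup.exe" and name != "conhost.exe":
            hits.append((e.pid, "child_of_nslookup"))
        # 3. One parent starting several cmd.exe with no command line at all.
        if name == "cmd.exe" and not arguments(e.cmdline):
            argless_cmd_per_parent[e.ppid] += 1
    for ppid, n in argless_cmd_per_parent.items():
        if n >= 3:
            hits.append((ppid, "argless_cmd_burst"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"PID {pid:>5}  {rule}")
```

Rule 2 is the one worth shipping as-is: a child of nslookup.exe other than conhost.exe is rare enough on workstations that it needs no tuning, while rules 1 and 3 are the corroborating signals that separate this tree from an admin troubleshooting DNS.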

File Activities

File Created

Source File Path / Access / Attributes / Options / Completion / Count / Address / Symbol

CreateFileW from address 1A62B0; access: write data or add file | read attributes | synchronize; attributes: device; options: synchronous io non alert | non directory file; completion: success or wait; count: 1
  C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe
  C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\libcrypto-1_1.dll
  C:\Users\user\AppData\Local\Application Data\Adobe\Acrobat\RuntimeBroker.exe
  C:\Users\user\AppData\Local\Application Data\Adobe\Acrobat\cghelp.dll

CreateDirectoryW from address 405526; access: read data or list directory | synchronize; attributes: device; options: directory file | synchronous io non alert | open for backup ident | open reparse point; count: 1
  C:\Users\user\AppData\Roaming\MSI (completion: success or wait)
  C:\Users\user\AppData\Roaming\MSI (completion: object name collision)

CreateFileW from address 412C18; access: append data or add subdirectory or create pipe instance | read attributes | synchronize; attributes: device; options: synchronous io non alert | non directory file; completion: success or wait; count: 2
  C:\Users\user\AppData\Roaming\MSI\logs.dat

CreateFileW from address 1A540B; access: write data or add file | read attributes | synchronize; attributes: device; options: synchronous io non alert | non directory file; completion: success or wait; count: 1
  C:\Users\user\AppData\Local\Temp\tbtgbiqyp
  C:\Users\user\AppData\Local\Temp\frphokv
  C:\Users\user\AppData\Local\Temp\klfixtbcmu
  C:\Users\user\AppData\Local\Temp\byfeyvafhmqfku
  C:\Users\user\AppData\Local\Temp\kahnxynhj
  C:\Users\user\AppData\Local\Temp\rjovwvcmc
  C:\Users\user\AppData\Local\Temp\upmpltfnefjy
  C:\Users\user\AppData\Local\Temp\orxxvnjxxv
  C:\Users\user\AppData\Local\Temp\klpgae
  C:\Users\user\AppData\Local\Temp\uxdxqobftu
  C:\Users\user\AppData\Local\Temp\ahqwdqublpyr
  C:\Users\user\AppData\Local\Temp\ivvxmxxiw
  C:\Users\user\AppData\Local\Temp\xrahb

File Written

Source File Path / Offset / Length / Value (first bytes written, hex) / Ascii / Completion / Count / Address / Symbol

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe
  Offset: unknown   Length: 645248   Completion: success or wait   Count: 1   Address: 1A62D5   Symbol: WriteFile
  Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00
         0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
         74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
         50 45 00 00 4c 01 0a 00 f5 34 17 35 00 00 00 00 00 00 00 00 e0 00 0e 03 0b 01 02 1a 00 98 01 00
         00 b4 09 00 00 c0 02 00 d0 14 00 00 00 10 00 00 00 b0 01 00 00 00 40 00 00 10 00 00 00 02 00 00
         04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 e0 0c 00 00 04 00 00 e8 bb 0a 00 02 00 40 01
         00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 04 00 52 00 00
  Ascii: MZ.......@.....!..L.!This program cannot be run in DOS mode....$.......PE..L....4.5...... ..@...... @...... R..

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\libcrypto-1_1.dll
  Offset: unknown   Length: 1108992   Completion: success or wait   Count: 1   Address: 1A62D5   Symbol: WriteFile
  Value: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 fb 80
         6a 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00
         ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73
         74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00
         followed by 00 bytes to the end of the preview
  Ascii: MZP.......@.....jr......!..L.!..This program must be run under Win32..$7

C:\Users\user\AppData\Roaming\MSI\logs.dat
  Offset: unknown   Length: 51   Completion: success or wait   Count: 2   Address: 412C4B   Symbol: WriteFile
  Value: 0d 0a 5b 32 30 32 30 2f 31 32 2f 32 33 20 32 33 3a 33 39 3a 35 33 20 4f 66 66 6c 69 6e 65 20 4b
         65 79 6c 6f 67 67 65 72 20 53 74 61 72 74 65 64 5d 0d 0a
  Ascii: ..[2020/12/23 23:39:53 Offline Keylogger Started]..

C:\Users\user\AppData\Local\Adobe\Acrobat\RuntimeBroker.exe
  Offset: unknown   Length: 3324880   Completion: success or wait   Count: 1   Address: 1A62D5   Symbol: WriteFile
  Value: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 fb 80
         6a 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00
         ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73
         74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00
         followed by 00 bytes to the end of the preview
  Ascii: MZP.......@.....jr......!..L.!..This program must be run under Win32..$7

C:\Users\user\AppData\Local\Adobe\Acrobat\cghelp.dll
  Offset: unknown   Length: 4889600   Completion: success or wait   Count: 1   Address: 1A62D5   Symbol: WriteFile
  Value: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 fb 70
         6a 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00
         ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73
         74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00
         followed by 00 bytes to the end of the preview
  Ascii: MZP.......@.....pjr......!..L.!..This program must be run under Win32..$7

Four-byte writes from address 1A548F (WriteFile), offset unknown, completion success or wait:
  Source File Path                                Value        Ascii  Count
  C:\Users\user\AppData\Local\Temp\tbtgbiqyp      5b 00 00 00  [...   56669
  C:\Users\user\AppData\Local\Temp\frphokv        b9 00 00 00  ....   52207
  C:\Users\user\AppData\Local\Temp\klfixtbcmu     c1 00 00 00  ....   55101
  C:\Users\user\AppData\Local\Temp\byfeyvafhmqfku 36 00 00 00  6...   52773
  C:\Users\user\AppData\Local\Temp\kahnxynhj      29 00 00 00  )...   52576
  C:\Users\user\AppData\Local\Temp\rjovwvcmc      44 00 00 00  D...   53534
  C:\Users\user\AppData\Local\Temp\upmpltfnefjy   8b 00 00 00  ....   55754
  C:\Users\user\AppData\Local\Temp\orxxvnjxxv     05 00 00 00  ....   57787
  C:\Users\user\AppData\Local\Temp\klpgae         80 00 00 00  ....   54514
  C:\Users\user\AppData\Local\Temp\uxdxqobftu     ee 00 00 00  ....   9078

Registry Activities

Key Created

Source Key Path                         Completion       Count  Address  Symbol
HKEY_CURRENT_USER\Software\MSI-PBVFMV\  success or wait  1      40B5C7   RegCreateKeyA

Key Value Created

Source Key Path / Name / Type / Data / Completion / Count / Address / Symbol

HKEY_CURRENT_USER\Software\MSI-PBVFMV
  Name: exepath   Type: binary   Completion: success or wait   Count: 1   Address: 40B5F3   Symbol: RegSetValueExA
  Data: 1C 1F DD 4C 6C 25 46 B6 30 03 C9 A0 2C 7E 20 68 3E 46 E1 EB D9 3B 71 1A 1C F2 30 42 EA 9D 98 C0
        EB 18 BA 9C D7 79 D9 4A 50 30 3B 20 E8 C1 89 1C 7E 8D 7F 85 2F CD 79 DE CB 58 E6 56 80 60 53 DF

HKEY_CURRENT_USER\Software\MSI-PBVFMV
  Name: licence   Type: unicode   Completion: success or wait   Count: 1   Address: 40B5F3   Symbol: RegSetValueExA
  Data: 330E49A5A829C138EFE0AEC675768482
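The artifacts the Remcos-tagged notepad.exe leaves behind in the tables above are the ones worth turning into a host hunt: an HKCU\Software key holding a binary exepath value next to a licence string, a logs.dat opened for append and written with the "[... Offline Keylogger Started]" banner, and PE images named HelpPane.exe and RuntimeBroker.exe dropped under AppData rather than their Windows locations. The Python below is an added example, not from the Joe Sandbox report and not Remcos tooling: it runs over a constructed snapshot built from those tables (with one benign Run value and a legitimate C:\Windows\HelpPane.exe added as controls) and flags the combinations rather than the per-build key name MSI-PBVFMV, which changes from sample to sample. The home directories assumed for the two system binaries and the rule names are the example's own; the "MZP" check is a heuristic for the Borland/Delphi DOS stub ("This program must be run under Win32") that three of the dropped files share with the Delphi-built parent sample.

```python
import re
from collections import defaultdict

# Constructed host snapshot reproducing the Key Value Created table above; the last
# entry is a constructed benign control (an ordinary Run value).
REGISTRY = [
    (r"HKEY_CURRENT_USER\Software\MSI-PBVFMV", "exepath", "binary",
     bytes.fromhex("1C 1F DD 4C 6C 25 46 B6 30 03 C9 A0 2C 7E 20 68 3E 46 E1 EB D9 3B 71 1A "
                   "1C F2 30 42 EA 9D 98 C0 EB 18 BA 9C D7 79 D9 4A 50 30 3B 20 E8 C1 89 1C "
                   "7E 8D 7F 85 2F CD 79 DE CB 58 E6 56 80 60 53 DF")),
    (r"HKEY_CURRENT_USER\Software\MSI-PBVFMV", "licence", "unicode",
     "330E49A5A829C138EFE0AEC675768482"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive", "unicode",
     r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

# (path, first bytes) from the File Written table; on a live host the second field is
# the head of the file read from disk. The last entry is a constructed benign control.
FILES = [
    (r"C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\HelpPane.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    (r"C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\libcrypto-1_1.dll", b"MZP\x00\x02\x00\x00\x00"),
    (r"C:\Users\user\AppData\Roaming\MSI\logs.dat", b"\r\n[2020/12/23 23:39:53 Offline Keylogger Started]\r\n"),
    (r"C:\Users\user\AppData\Local\Adobe\Acrobat\RuntimeBroker.exe", b"MZP\x00\x02\x00\x00\x00"),
    (r"C:\Users\user\AppData\Local\Adobe\Acrobat\cghelp.dll", b"MZP\x00\x02\x00\x00\x00"),
    (r"C:\Users\user\AppData\Local\Temp\tbtgbiqyp", b"[\x00\x00\x00"),
    (r"C:\Windows\HelpPane.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
]

# Assumed legitimate homes of these names on a default install; anywhere else is a masquerade.
SYSTEM_BINARY_HOME = {
    "helppane.exe": r"c:\windows",
    "runtimebroker.exe": r"c:\windows\system32",
}
KEYLOG_BANNER = re.compile(rb"\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} Offline Keylogger Started\]")


def hunt_registry(values):
    """Flag any HKCU\\Software\\<name> key carrying a REG_BINARY exepath together
    with a licence value, the pair written by PID 4260 above; the key name itself
    is not used because it is generated per build."""
    per_key = defaultdict(dict)
    for key, name, kind, data in values:
        per_key[key][name.lower()] = (kind, data)
    hits = []
    for key, vals in per_key.items():
        if (key.lower().startswith("hkey_current_user\\software\\")
                and vals.get("exepath", ("", None))[0] == "binary"
                and "licence" in vals):
            hits.append(("remcos_config_key", key))
    return hits


def hunt_files(files):
    hits = []
    for path, head in files:
        folder, name = path.rsplit("\\", 1)
        folder, name = folder.lower(), name.lower()
        if head[:2] == b"MZ" and name in SYSTEM_BINARY_HOME and folder != SYSTEM_BINARY_HOME[name]:
            hits.append(("system_binary_name_outside_windows", path))
        if head[:3] == b"MZP":
            # Borland/Delphi linker stub, the toolchain of the parent sample: a pivot, not proof.
            hits.append(("borland_dos_stub", path))
        if name == "logs.dat" and KEYLOG_BANNER.search(head):
            hits.append(("remcos_offline_keylogger_log", path))
    return hits


if __name__ == "__main__":
    for rule, where in hunt_registry(REGISTRY) + hunt_files(FILES):
        print(f"{rule:38} {where}")
```

On a live host the same three functions take their input from a registry walk of HKCU\Software and from reading the first 256 bytes of every file under %APPDATA% and %LOCALAPPDATA%; the masquerade rule is the cheapest of the three and survives renaming of the config key.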

Disassembly

Code Analysis
