DYNAMIC ANALYSIS REPORT #5911857
Verdict: MALICIOUS
Classifications: Spyware
Threat Names: Lokibot, C2/Generic-A, Gen:Variant.Nemesis.1464, Gen:Variant.Barys.127331, Trojan.PWS.ZKD
Verdict Reason: -
Sample Type Windows Exe (x86-32)
Sample Name deZBpGP3HfhxPOIf.exe
ID #2187282
MD5 7d92a55119f09bb46b48b64bf541e75b
SHA1 f6f6945cc13edbb7b9213317f91e57497a9f3397
SHA256 38fa948bf971903a64d251a0afeada8065449eaaed939ec666c0f9566502d598
File Size 164.31 KB
Report Created 2021-04-28 09:30 (UTC+2)
Target Environment win10_64_th2_en_mso2016 | exe
X-Ray Vision for Malware - www.vmray.com 1 / 23 DYNAMIC ANALYSIS REPORT #5911857
OVERVIEW
VMRay Threat Identifiers (23 rules, 64 matches)
Score Category Operation Count Classification
5/5 YARA Malicious content matched by YARA rules 2 Spyware
• Rule "Lokibot" from ruleset "Malware" has matched on a memory dump for (process #1) dezbpgp3hfhxpoif.exe.
• Rule "Lokibot" from ruleset "Malware" has matched on the function strings for (process #2) dezbpgp3hfhxpoif.exe.
5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware
• Tries to read sensitive data of: QtWeb Internet Browser, Total Commander, FTP Navigator, Trojita, Pidgin, Microsoft Outlook, Pocomail, Opera Mail, FAR Manager, IncrediMail, FileZilla, KiTTY, Bitvise SSH Client, BlazeFTP, NCH Fling, NCH Classic FTP, Internet Explorer, PuTTY, WinChips, LinasFTP, Internet Explorer / Edge, SecureFX.
4/5 Reputation Contacts known malicious URL 1 -
• Reputation analysis labels the URL "http://203.159.80.239/tele/jhgfghj/fre.php" which was contacted by (process #2) dezbpgp3hfhxpoif.exe as "C2/Generic-A".
4/5 Antivirus Malicious content was detected by heuristic scan 4 -
• Built-in AV detected the sample itself as "Gen:Variant.Nemesis.1464".
• Built-in AV detected the dropped file C:\Users\RDHJ0C~1\AppData\Local\Temp\nsb9E0D.tmp\wn296y7dbe3hv.dll as "Gen:Variant.Barys.127331".
• Built-in AV detected a memory dump of (process #1) dezbpgp3hfhxpoif.exe as "Trojan.PWS.ZKD".
• Built-in AV detected a memory dump of (process #1) dezbpgp3hfhxpoif.exe as "Gen:Variant.Barys.127331".
3/5 Discovery Reads installed applications 1 Spyware
• Reads installed programs by enumerating the SOFTWARE registry key.
2/5 Data Collection Reads sensitive browser data 4 -
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of web browser "QtWeb Internet Browser" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by file.
2/5 Data Collection Reads sensitive application data 5 -
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of application "Pidgin" by file.
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of application "Bitvise SSH Client" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of application "KiTTY" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of application "PuTTY" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of application "WinChips" by registry.
2/5 Data Collection Reads sensitive ftp data 10 -
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of ftp application "LinasFTP" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of ftp application "FileZilla" by file.
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of ftp application "BlazeFTP" by file.
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of ftp application "BlazeFTP" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of ftp application "Total Commander" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of ftp application "FAR Manager" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of ftp application "SecureFX" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of ftp application "NCH Fling" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of ftp application "NCH Classic FTP" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of ftp application "FTP Navigator" by file.
2/5 Data Collection Reads sensitive mail data 5 -
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of mail application "Pocomail" by file.
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of mail application "IncrediMail" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of mail application "Opera Mail" by file.
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of mail application "Microsoft Outlook" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to read sensitive data of mail application "Trojita" by registry.
2/5 Anti Analysis Delays execution 1 -
• (Process #2) dezbpgp3hfhxpoif.exe has a thread which sleeps more than 5 minutes.
2/5 Anti Analysis Makes direct system call to possibly evade hooking based sandboxes 5 -
• (Process #1) dezbpgp3hfhxpoif.exe makes a direct system call to "NtUnmapViewOfSection".
• (Process #1) dezbpgp3hfhxpoif.exe makes a direct system call to "NtCreateSection".
• (Process #1) dezbpgp3hfhxpoif.exe makes a direct system call to "NtMapViewOfSection".
• (Process #1) dezbpgp3hfhxpoif.exe makes a direct system call to "NtWriteVirtualMemory".
• (Process #1) dezbpgp3hfhxpoif.exe makes a direct system call to "NtResumeThread".
2/5 Injection Writes into the memory of a process running from a created or modified executable 1 -
• (Process #1) dezbpgp3hfhxpoif.exe modifies memory of (process #2) dezbpgp3hfhxpoif.exe.
2/5 Injection Modifies control flow of a process running from a created or modified executable 1 -
• (Process #1) dezbpgp3hfhxpoif.exe alters context of (process #2) dezbpgp3hfhxpoif.exe.
1/5 Hide Tracks Creates process with hidden window 1 -
• (Process #1) dezbpgp3hfhxpoif.exe starts (process #2) dezbpgp3hfhxpoif.exe with a hidden window.
1/5 Obfuscation Reads from memory of another process 1 -
• (Process #1) dezbpgp3hfhxpoif.exe reads from (process #2) dezbpgp3hfhxpoif.exe.
1/5 Discovery Reads system data 1 -
• (Process #2) dezbpgp3hfhxpoif.exe reads the cryptographic machine GUID from registry.
1/5 Mutex Creates mutex 1 -
• (Process #2) dezbpgp3hfhxpoif.exe creates mutex with name "B7274519EDDE9BDC8AE51348".
1/5 Discovery Possibly does reconnaissance 13 -
• (Process #2) dezbpgp3hfhxpoif.exe tries to gather information about application "Comodo IceDragon" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to gather information about application "Safari" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to gather information about application "K-Meleon" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to gather information about application "Mozilla SeaMonkey" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to gather information about application "Mozilla Flock" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to gather information about application "Cyberfox" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to gather information about application "Total Commander" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to gather information about application "NetScape" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to gather information about application "Default Programs" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to gather information about application "Bitvise SSH Client" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to gather information about application "SecureFX" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to gather information about application "Postbox" by registry.
• (Process #2) dezbpgp3hfhxpoif.exe tries to gather information about application "Trojita" by registry.
1/5 Privilege Escalation Enables process privilege 1 -
• (Process #2) dezbpgp3hfhxpoif.exe enables process privilege "SeDebugPrivilege".
1/5 Execution Executes itself 1 -
• (Process #1) dezbpgp3hfhxpoif.exe executes a copy of the sample at c:\users\rdhj0cnfevzx\desktop\dezbpgp3hfhxpoif.exe.
1/5 Execution Drops PE file 1 -
• (Process #1) dezbpgp3hfhxpoif.exe drops file "C:\Users\RDHJ0C~1\AppData\Local\Temp\nsb9E0D.tmp\wn296y7dbe3hv.dll".
1/5 Network Connection Performs DNS request 2 -
• (Process #2) dezbpgp3hfhxpoif.exe resolves host name "203.159.80.239" to IP "203.159.80.239".
• (Process #2) dezbpgp3hfhxpoif.exe resolves host name "[hostname garbled in source]" to IP "-".
1/5 Network Connection Connects to remote host 1 -
• (Process #2) dezbpgp3hfhxpoif.exe opens an outgoing TCP connection to host "203.159.80.239:80".
- Trusted Known clean file 2 -
• File "C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.lck" is a known clean file.
• File "c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1000\3d3578a85286f88c6cd9d151e4412949_03845cb8-7441-4a2f-8c0f-c90408af5778" is a known clean file.
Remarks
Anti-Sleep Triggered (0x0200000E): The overall sleep time of all monitored processes was truncated from "16 minutes" to "2 minutes, 40 seconds" to reveal dormant functionality.
Mitre ATT&CK Matrix
Tactic: Technique
Defense Evasion: #T1143 Hidden Window
Discovery: #T1082 System Information Discovery
Discovery: #T1012 Query Registry
Collection: #T1119 Automated Collection
Credential Access: #T1214 Credentials in Registry
Collection: #T1005 Data from Local System
Discovery: #T1217 Browser Bookmark Discovery
Credential Access: #T1003 Credential Dumping
Credential Access: #T1081 Credentials in Files
Discovery: #T1083 File and Directory Discovery
Sample Information
ID 5911857
MD5 7d92a55119f09bb46b48b64bf541e75b
SHA1 f6f6945cc13edbb7b9213317f91e57497a9f3397
SHA256 38fa948bf971903a64d251a0afeada8065449eaaed939ec666c0f9566502d598
SSDeep 3072:jEre7GjyCaFvciT/5Dfri5g/fnb5qbqRnazyiTVHSCTKZWBgtxemFH+uB9YF/uHQ:jPXP5qbq1AsCT3BqAmFeuBKF2w
ImpHash ea4e67a31ace1a72683a99b80cf37830
Filename deZBpGP3HfhxPOIf.exe
File Size 164.31 KB
Sample Type Windows Exe (x86-32)
Has Macros
Analysis Information
Creation Time 2021-04-28 09:30 (UTC+2)
Analysis Duration 00:03:49
Termination Reason Timeout
Number of Monitored Processes 2
Execution Successful False
Reputation Analysis Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 4
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 2
NETWORK
General
11.42 KB total sent
8.01 KB total received
1 port (80)
2 contacted IP addresses
0 URLs extracted
0 files downloaded
0 malicious hosts detected
DNS
34 DNS requests for 2 domains
1 nameservers contacted
16 total requests returned errors
HTTP/S
1 URLs contacted, 1 servers
18 sessions, 10.55 KB sent, 7.47 KB received
DNS Requests
Type Hostname Response Code Resolved IPs CNames Verdict
203.159.80.239 203.159.80.239 N/A
[hostname garbled in source] N/A
HTTP Requests
Method URL Dest. IP Dest. Port Status Code Response Size Verdict
POST http://203.159.80.239/tele/jhgfghj/fre.php 0 bytes N/A
BEHAVIOR
Process Graph
Sample Start: dezbpgp3hfhxpoif.exe (process #1)
  -> Child Process: dezbpgp3hfhxpoif.exe (process #2), edges: Modify Memory (#1), Modify Control Flow (#2)
Process #1: dezbpgp3hfhxpoif.exe
ID 1
Filename c:\users\rdhj0cnfevzx\desktop\dezbpgp3hfhxpoif.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\deZBpGP3HfhxPOIf.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 93242, Reason: Analysis Target
Unmonitor End Time End Time: 162007, Reason: Terminated
Monitor Duration 68.77s
Return Code 0
PID 4080
Parent PID 2132
Bitness 32 Bit
Dropped Files (3)
Filename | File Size | SHA256 | YARA Match
C:\Users\RDHJ0C~1\AppData\Local\Temp\wlbwu0cazjz2hvy | 6.50 KB | daab247622812c3f79508d6fc178a96a512e26cf1b1db57c64c01dcd1d0d89c4 |
C:\Users\RDHJ0C~1\AppData\Local\Temp\zlq758h7oxv1ysy2gbvq | 104.00 KB | e8a3b6d9a4319c5112320ba5ecada5ccd8a4e192a6a8fc5a92b5e256da0ed1ef |
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsb9E0D.tmp\wn296y7dbe3hv.dll | 4.00 KB | 0c0bb7efa4ff72629f38882125b7ea7580e785dc105f75cf3dfc2af7a8330804 |
Host Behavior
Type Count
System 33
Module 41
File 208
Process 1
- 3
- 2
Process #2: dezbpgp3hfhxpoif.exe
ID 2
Filename c:\users\rdhj0cnfevzx\desktop\dezbpgp3hfhxpoif.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\deZBpGP3HfhxPOIf.exe"
Initial Working Directory C:\Users\RDHJ0C~1\AppData\Local\Temp\
Monitor Start Time Start Time: 145987, Reason: Child Process
Unmonitor End Time End Time: 323165, Reason: Terminated by Timeout
Monitor Duration 177.18s
Return Code Unknown
PID 1220
Parent PID 4080
Bitness 32 Bit
Injection Information (3)
Injection Type | Source Process | Source / Target TID | Address / Name | Size | Success Count
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\dezbpgp3hfhxpoif.exe | 0xffc | 0x400000 (4194304) | 0xa2000 | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\dezbpgp3hfhxpoif.exe | 0xffc | 0x3b4008 (3883016) | 0x4 | 1
Modify Control Flow | #1: c:\users\rdhj0cnfevzx\desktop\dezbpgp3hfhxpoif.exe | 0xffc / 0x7fc | 0x77728fe0 (2003996640) | - | 1
Dropped Files (5)
Filename | File Size | SHA256 | YARA Match
C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.exe | 164.31 KB | 38fa948bf971903a64d251a0afeada8065449eaaed939ec666c0f9566502d598 |
- | 53 bytes | e641ff8107a4197ded9f558d1891e716811e9a7f109f14e876f5a8394844dc34 |
C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.hdb | 4 bytes | 859ffdca62ee0971821a4b2dedfc023d0f9a021391b5ac336ddb49d53d28330e |
C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.lck | 1 bytes | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
- | 53 bytes | 353fd628b7f6e7d426e5d6a27d1bc3ac22fa7f812e7594cf2ec5ca1175785b50 |
Host Behavior
Type Count
Module 1452
Registry 181
Mutex 1
File 297
System 47
User 10
Network Behavior
Type Count
HTTP 18
DNS 34
TCP 20
ARTIFACTS
File
SHA256 | Filenames | Category | Filesize | MIME Type | Operations | Verdict
38fa948bf971903a64d251a0afeada8065449eaaed939ec666c0f9566502d598 | C:\Users\RDhJ0CNFevzX\Desktop\deZBpGP3HfhxPOIf.exe, C:\Users\RDhJ0CNFevzX\Desktop\dezbpgp3hfhxpoif.exe, C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.exe | Sample File | 164.31 KB | application/vnd.microsoft.portable-executable | Read, Delete, Create, Access, Write | MALICIOUS
0c0bb7efa4ff72629f38882125b7ea7580e785dc105f75cf3dfc2af7a8330804 | C:\Users\RDHJ0C~1\AppData\Local\Temp\nsb9E0D.tmp\wn296y7dbe3hv.dll | Dropped File | 4.00 KB | application/vnd.microsoft.portable-executable | Create, Write, Access | MALICIOUS
daab247622812c3f79508d6fc178a96a512e26cf1b1db57c64c01dcd1d0d89c4 | C:\Users\RDHJ0C~1\AppData\Local\Temp\wlbwu0cazjz2hvy, C:\Users\RDHJ0C~1\AppData\Local\Temp\\wlbwu0cazjz2hvy | Dropped File | 6.50 KB | application/octet-stream | Create, Read, Write, Access | CLEAN
e8a3b6d9a4319c5112320ba5ecada5ccd8a4e192a6a8fc5a92b5e256da0ed1ef | C:\Users\RDHJ0C~1\AppData\Local\Temp\zlq758h7oxv1ysy2gbvq | Dropped File | 104.00 KB | application/octet-stream | Create, Read, Write, Access | CLEAN
e641ff8107a4197ded9f558d1891e716811e9a7f109f14e876f5a8394844dc34 | c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1000\3d3578a85286f88c6cd9d151e4412949_03845cb8-7441-4a2f-8c0f-c90408af5778 | Dropped File | 53 bytes | application/octet-stream | | CLEAN
859ffdca62ee0971821a4b2dedfc023d0f9a021391b5ac336ddb49d53d28330e | C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.hdb | Dropped File | 4 bytes | text/plain | Create, Delete, Write, Access | CLEAN
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b | C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.lck | Dropped File | 1 bytes | application/octet-stream | Create, Delete, Write, Access | CLEAN
353fd628b7f6e7d426e5d6a27d1bc3ac22fa7f812e7594cf2ec5ca1175785b50 | c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1000\3d3578a85286f88c6cd9d151e4412949_03845cb8-7441-4a2f-8c0f-c90408af5778 | Dropped File | 53 bytes | application/octet-stream | | CLEAN
Filename
Filename Category Operations Verdict
C:\Users\RDHJ0C~1\AppData\Local\Temp\ Accessed File Create, Access CLEAN
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsl9D5F.tmp Accessed File Create, Delete, Access CLEAN
C:\Users\RDhJ0CNFevzX\Desktop\deZBpGP3HfhxPOIf.exe Sample File Read, Access CLEAN
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsb9D70.tmp Accessed File Create, Read, Write, Access CLEAN
C:\Users Accessed File Create, Access CLEAN
C:\Users\RDHJ0C~1 Accessed File Create, Access CLEAN
C:\Users\RDHJ0C~1\AppData Accessed File Create, Access CLEAN
C:\Users\RDHJ0C~1\AppData\Local Accessed File Create, Access CLEAN
C:\Users\RDHJ0C~1\AppData\Local\Temp Accessed File Create, Access CLEAN
C:\Users\RDHJ0C~1\AppData\Local\Temp\wlbwu0cazjz2hvy Dropped File Create, Write, Access CLEAN
C:\Users\RDHJ0C~1\AppData\Local\Temp\zlq758h7oxv1ysy2gbvq Dropped File Create, Read, Write, Access CLEAN
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsb9E0D.tmp Accessed File Create, Delete, Access CLEAN
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsb9E0D.tmp\wn296y7dbe3hv.dll Dropped File Create, Write, Access CLEAN
C:\Users\RDHJ0C~1\AppData\Local\Temp\\wlbwu0cazjz2hvy Dropped File Read, Access CLEAN
C:\Windows\SYSTEM32\ntdll.dll Accessed File Read, Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9 Accessed File Create, Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.hdb Dropped File Create, Delete, Write, Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.lck Dropped File Create, Delete, Write, Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D Accessed File Read, Access CLEAN
C:\Users\RDhJ0CNFevzX\Desktop\dezbpgp3hfhxpoif.exe Sample File Delete, Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.exe Sample File Create, Write, Access CLEAN
URL
URL Category IP Address Country HTTP Methods Verdict
http://203.159.80.239/tele/jhgfghj/fre.php 203.159.80.239 POST MALICIOUS
Domain
Domain IP Address Country Protocols Verdict
203.159.80.239 203.159.80.239 DNS, HTTP CLEAN
IP
IP Address Domains Country Protocols Verdict
192.168.0.1 - UDP, DNS CLEAN
203.159.80.239 Netherlands DNS, TCP, HTTP CLEAN
-
Email Address
-
Mutex
Name Operations Parent Process Name Verdict
B7274519EDDE9BDC8AE51348 access dezbpgp3hfhxpoif.exe CLEAN
Registry
Registry Key Operations Parent Process Name Verdict
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography access dezbpgp3hfhxpoif.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_LOCAL_MACHINE read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup\SetupPath read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari\InstallDir read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon\CurrentVersion read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey\CurrentVersion read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey\CurrentVersion read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock\CurrentVersion read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 access dezbpgp3hfhxpoif.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox86\RootDir read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox\Path read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Pale Moon\CurrentVersion read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Waterfox\CurrentVersion read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\LinasFTP\Site Manager access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings\LastPassword read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Ghisler\Total Commander\FtpIniName read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\AppDataLow access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\IM Providers access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Netscape access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\ODBC access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Policies access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\RegisteredApplications access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Wow6432Node access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Classes access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Bitvise\BvSshClient\LastUsedProfile read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\VanDyke\SecureFX\Config Path read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\NCH Software\Fling\Accounts access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\NCH Software\Fling\Accounts access dezbpgp3hfhxpoif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions access dezbpgp3hfhxpoif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions access dezbpgp3hfhxpoif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions access dezbpgp3hfhxpoif.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\CurrentVersion read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\IncrediMail\Identities access dezbpgp3hfhxpoif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Martin Prikryl access dezbpgp3hfhxpoif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Martin Prikryl access dezbpgp3hfhxpoif.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Postbox\Postbox\CurrentVersion read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\FossaMail\CurrentVersion read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\WinChips\UserAccounts access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046\Email read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a\Email read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\2db91c5fd8470d46b1a5bc5efab4cae7 access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\2db91c5fd8470d46b1a5bc5efab4cae7\Email read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604\Email read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\6c29d51f56390b45a924b3b787013a66 access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\6c29d51f56390b45a924b3b787013a66\Email read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046\Email read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8763203907727d498bce4b981b157d7b access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8763203907727d498bce4b981b157d7b\Email read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\893893ade607c44aa338ac7df5d6cb42 access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\893893ade607c44aa338ac7df5d6cb42\Email read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2\Email read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\Email read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Email Address read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Server read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP User Name read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP User read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Server read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 User Name read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 User read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\NNTP Email Address read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\NNTP User Name read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\NNTP Server read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Server read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP User Name read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP User read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP User read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP Server URL read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTPMail User Name read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTPMail Server read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Port read, access dezbpgp3hfhxpoif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Port	read, access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Port	read, access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password2	read, access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Password2	read, access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\NNTP Password2	read, access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTPMail Password2	read, access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password2	read, access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password	read, access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Password	read, access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\NNTP Password	read, access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP Password	read, access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password	read, access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email	read, access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc48e7c6d33441458035ee20beefe18a	access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc48e7c6d33441458035ee20beefe18a\Email	read, access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\e57f6d0b27b6134693ca7113a4ab34a6	access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\e57f6d0b27b6134693ca7113a4ab34a6\Email	read, access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f35c115766b7c94cb080da6869ae8f9d	access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f35c115766b7c94cb080da6869ae8f9d\Email	read, access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001\Email	read, access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita\imap.auth.pass	read, access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita\msa.smtp.auth.pass	read, access	dezbpgp3hfhxpoif.exe	CLEAN
HKEY_LOCAL_MACHINE\[subkey name mis-encoded in the source, not recoverable]\9EDDE9	write, access	dezbpgp3hfhxpoif.exe	CLEAN
Process
Process Name Commandline Verdict
dezbpgp3hfhxpoif.exe "C:\Users\RDhJ0CNFevzX\Desktop\deZBpGP3HfhxPOIf.exe" MALICIOUS
YARA / AV
YARA (2)
Ruleset Name	Rule Name	Rule Description	File Type	Filename	Classification	Verdict
Malware	Lokibot	Lokibot Stealer	Memory Dump	-	Spyware	5/5
Malware	Lokibot	Lokibot Stealer	Function Strings	function_strings_process_2.txt	Spyware	5/5
Antivirus (4)
File Type	Threat Name	Filename	Verdict
SAMPLE	Gen:Variant.Nemesis.1464	C:\Users\RDhJ0CNFevzX\Desktop\deZBpGP3HfhxPOIf.exe	MALICIOUS
DROPPED	Gen:Variant.Barys.127331	C:\Users\RDHJ0C~1\AppData\Local\Temp\nsb9E0D.tmp\wn296y7dbe3hv.dll	MALICIOUS
MEMORY_DUMP	Trojan.PWS.ZKD	-	MALICIOUS
MEMORY_DUMP	Gen:Variant.Barys.127331	-	MALICIOUS
ENVIRONMENT
Virtual Machine Information
Name win10_64_th2_en_mso2016
Description win10_64_th2_en_mso2016
Architecture x86 64-bit
Operating System Windows 10 Threshold 2
Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Analyzer Information
Analyzer Version 4.1.1
Dynamic Engine Version 4.1.1 / 02/08/2021 15:19
Static Engine Version 1.6.0
Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (November 12, 2020)
Built-in AV Database Update Release Date 2021-04-28 04:37:49+00:00
VTI Ruleset Version 3.8
YARA Built-in Ruleset Version 1.5
Analysis Report Layout Version 10
Software Information
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Internet Explorer Version 11.0.10586.0
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed