ID: 399715
Sample Name: wget.exe
Cookbook: default.jbs
Time: 04:14:24
Date: 29/04/2021
Version: 32.0.0 Black Diamond

Table of Contents

Table of Contents 2
Analysis Report wget.exe 3
Overview 3
General Information 3
Detection 3
Signatures 3
Classification 3
Startup 3
Malware Configuration 3
Yara Overview 3
Sigma Overview 3
Signature Overview 3
Networking 4
Mitre Att&ck Matrix 4
Behavior Graph 4
Screenshots 5
Thumbnails 5
Antivirus, Machine Learning and Genetic Malware Detection 6
Initial Sample 6
Dropped Files 6
Unpacked PE Files 6
Domains 6
URLs 6
Domains and IPs 7
Contacted Domains 7
URLs from Memory and Binaries 7
Contacted IPs 8
General Information 8
Simulations 9
Behavior and APIs 9
Joe Sandbox View / Context 9
IPs 9
Domains 9
ASN 9
JA3 Fingerprints 9
Dropped Files 9
Created / dropped Files 9
Static File Info 9
General 9
File Icon 10
Network Behavior 10
Code Manipulations 10
Statistics 10
System Behavior 10
Analysis Process: wget.exe PID: 6932 Parent PID: 6020 10
General 10
Disassembly 10
Code Analysis 10

Copyright Joe Security LLC 2021 Page 2 of 10

Analysis Report wget.exe

Overview

General Information

Sample Name: wget.exe
Analysis ID: 399715
MD5: 8ab07993aa4c3d…
SHA1: 3e7d90ead707b7…
SHA256: 1b532832ecfcffe…
Infos:
Most interesting Screenshot:

Detection

Verdict: suspicious (scale: malicious / suspicious / clean)
Score: 21
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Found Tor onion address
Detected potential crypto function
Program does not show much activity

Classification

(Radar chart in the original; only its axis labels survive extraction.)
Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware

Startup

System is w10x64
wget.exe (PID: 6932, cmdline: 'C:\Users\user\Desktop\wget.exe', MD5: 8AB07993AA4C3DB71B44D0552950BD17)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Cryptography
• Networking
• System Summary
• Malware Analysis System Evasion
• Anti Debugging

Networking:

Found Tor onion address

Mitre Att&ck Matrix

(Matrix rendered as a 14-column table in the original, two techniques per tactic; a number after a technique is the report's link to the matched signatures mapped to it.)

Initial Access: Valid Accounts; Default Accounts
Execution: Command and Scripting Interpreter 2; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: Direct Volume Access; Rootkit
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: System Service Discovery; Application Window Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Archive Collected Data 1 1; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Encrypted Channel 1; Proxy 1
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Behavior Graph

(Graph rendered as an image in the original; only its labels survive extraction.)
ID: 399715
Sample: wget.exe
Startdate: 29/04/2021
Architecture: WINDOWS
Score: 21
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet
Nodes: wget.exe (started), with the signature "Found Tor onion address" attached; no edge to Internet

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
wget.exe | 4% | ReversingLabs | |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation (4 entries) | safe |
https://sectigo.com/CPS0 | 0% | URL Reputation (4 entries) | safe |
https://ftpftp://ftpsftps://Rpcrt4.dllUuidCreateUuidToStringARpcStringFreeA | 0% | Avira URL Cloud | safe |
ocsp.sectigo.com0 | 0% | URL Reputation (4 entries) | safe |
crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation (4 entries) | safe |
https://sectigo.com/CPS0D | 0% | URL Reputation (4 entries) | safe |
www.metalinker.org/typedynamicoriginurn:ietf:params:xml:ns:metalinktagsidentityfilesfilenames | 0% | Avira URL Cloud | safe |
crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation (4 entries) | safe |
www.metalinker.org/ | 0% | Virustotal | | Browse
www.metalinker.org/ | 0% | Avira URL Cloud | safe |
crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation (4 entries) | safe |

Note: the sectigo.com entries are the CRL, OCSP, CA-certificate and CPS pointers of the Sectigo code-signing and time-stamping certificates carried in the sample's Authenticode signature, not endpoints wget contacts. The trailing characters (0t, 0#, 0s, 0, 0D) are not part of the URLs: they are the DER tag and length bytes that follow each URL inside the certificate, which the string scanner reads as printable text. The https://ftpftp://ftpsftps://… entry is several adjacent literals (URL schemes and RPC API names) run together by the same scanner.

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | wget.exe | false | URL Reputation: safe (4 entries) | unknown
https://sectigo.com/CPS0 | wget.exe | false | URL Reputation: safe (4 entries) | unknown
https://ftpftp://ftpsftps://Rpcrt4.dllUuidCreateUuidToStringARpcStringFreeA | wget.exe | false | Avira URL Cloud: safe | low
ocsp.sectigo.com0 | wget.exe | false | URL Reputation: safe (4 entries) | unknown
netpreserve.org/warc/1.0/revisit/identical-payload-digestWARC-Truncatedlength | wget.exe | false | | high
crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | wget.exe | false | URL Reputation: safe (4 entries) | unknown
https://savannah.gnu.org/bugs/?func=additem&group=wget. | wget.exe | false | | high
https://sectigo.com/CPS0D | wget.exe | false | URL Reputation: safe (4 entries) | unknown
https://gnu.org/licenses/ | wget.exe | false | | high
www.gnu.org/licenses/gpl.html | wget.exe | false | | high
https://gnu.org/licenses/gpl.html | wget.exe | false | | high
netpreserve.org/warc/1.0/revisit/identical-payload-digest | wget.exe | false | | high
www.metalinker.org/typedynamicoriginurn:ietf:params:xml:ns:metalinktagsidentityfilesfilenames | wget.exe | true | Avira URL Cloud: safe | unknown
crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | wget.exe | false | URL Reputation: safe (4 entries) | unknown
www.metalinker.org/ | wget.exe | true | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | wget.exe | false | URL Reputation: safe (4 entries) | unknown
bibnum.bnf.fr/WARC/WARC_ISO_28500_version1_latestdraft.pdf | wget.exe | false | | high

Note: the two www.metalinker.org rows are the only ones marked Malicious: true, although every scanner that looked at them rated them safe and their reputation is merely unknown. www.metalinker.org is the Metalink XML namespace and urn:ietf:params:xml:ns:metalink the RFC 5854 one; the tokens run together with it (type, dynamic, origin, tags, identity, files, filename) are element and attribute names of that format, consistent with wget's Metalink support rather than with a download endpoint. The netpreserve.org and bibnum.bnf.fr strings are likewise WARC format identifiers, matching wget's --warc-file feature.
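The two string-derived findings above, the URL table and the "Found Tor onion address" signature in the Networking section, come from the same kind of pass: scan the file's bytes for printable runs and match patterns against them. The following is an added example, not Joe Security's scanner and not code from GNU wget. It runs over a constructed byte blob (not bytes taken from wget.exe) whose literals imitate what the report shows, and uses my own approximations of the patterns: a `strings -n 4` style extractor, a permissive URL regex, and the onion-address rule (a 16-character base32 label for v2, a 56-character base32 label ending in "d" for v3). It reproduces the "0t" suffix artifact, the run-together scheme literals, and the fact that the signature verdict is a string match with no network activity behind it (the report's Network Behavior section is empty).

```python
"""Static string triage for a PE: pull URL-looking strings and Tor onion
addresses out of a binary's bytes, the way a sandbox's 'URLs from Memory and
Binaries' pass and a 'Found Tor onion address' signature do, and show why
some of the hits are extraction artifacts rather than real endpoints."""
import re
from typing import Dict, List, Tuple

# Constructed sample of a read-only data section. These are NOT bytes from
# wget.exe; the literals imitate the shapes seen in the report's URL table.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    # A CRL URL as it sits inside an X.509 certificate (DER). The two bytes
    # after the URL are the next DER tag (0x30, SEQUENCE) and its length
    # (0x74). Both happen to be printable ASCII ('0', 't'), so a naive
    # string extractor glues "0t" onto the URL, exactly as the report shows.
    b"\x00crl.sectigo.com/SectigoRSATimeStampingCA.crl\x30\x74\x01\x02"
    # Scheme literals stored back to back with no terminator: one long run.
    b"https://ftpftp://ftpsftps://Rpcrt4.dll\x00"
    b"http://www.metalinker.org/\x00"
    # Constructed onion addresses (not real services): a 16-char v2 label
    # and a 56-char v3 label that ends in 'd', as v3 addresses always do.
    b"examplev2onion22.onion\x00"
    b"http://" + b"a" * 55 + b"d.onion/index.html\x00"
    b"onion\x00"
)

BASE32 = "[a-z2-7]"
# v2: 16 base32 chars; v3: 56 base32 chars (checked further below for the
# mandatory trailing 'd'). Word boundaries keep us from matching mid-label.
ONION_RE = re.compile(rf"\b({BASE32}{{16}}|{BASE32}{{56}})\.onion\b")
# Permissive on purpose: scheme optional, bare host/path accepted.
URL_RE = re.compile(
    r"(?:(?:https?|ftps?)://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s\"'<>]*)?",
    re.IGNORECASE,
)


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Equivalent of `strings -n 4`: maximal runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_urls(strings: List[str]) -> List[str]:
    """Every URL-shaped substring. Deliberately greedy, like sandbox scanners,
    so it also returns junk such as DER-suffixed or run-together literals."""
    return [m.group() for s in strings for m in URL_RE.finditer(s)]


def find_onion_addresses(strings: List[str]) -> List[Tuple[str, str]]:
    """(address, version) for every well-formed .onion label."""
    hits = []
    for s in strings:
        for m in ONION_RE.finditer(s):
            label = m.group(1)
            if len(label) == 56 and label.endswith("d"):
                hits.append((m.group(), "v3"))
            elif len(label) == 16:
                hits.append((m.group(), "v2"))
    return hits


def triage(blob: bytes) -> Dict[str, object]:
    """Run the whole pass and return what a report would tabulate."""
    strings = extract_strings(blob)
    onions = find_onion_addresses(strings)
    return {
        "strings": strings,
        "urls": find_urls(strings),
        "onion_addresses": onions,
        # This is the entire 'Found Tor onion address' verdict: a string
        # match. It says nothing about whether Tor is ever used at runtime.
        "found_tor_onion_address": bool(onions),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_BLOB)
    for url in result["urls"]:
        print("url:", url)
    for addr, ver in result["onion_addresses"]:
        print(f"onion ({ver}):", addr)
    print("signature fired:", result["found_tor_onion_address"])
```

Two of the URL hits on the constructed blob are junk of the kind the report lists: the CRL URL carries its "0t" DER trailer, and the run-together scheme literals yield "ftps://Rpcrt4.dll". When reading a table like the one above, treat every entry as a candidate to be confirmed against the Network Behavior section, which for this sample records no connections at all.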

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 399715
Start date: 29.04.2021
Start time: 04:14:24
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 14s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: wget.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: SUS
Classification: sus21.evad.winEXE@1/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe; Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type: PE32+ (console) x86-64, for MS Windows
Entropy (8bit): 6.516220049875966
TrID:
  Win64 Executable Console (202006/5) 92.64%
  Win64 Executable (generic) (12005/4) 5.51%
  Generic Win/DOS Executable (2004/3) 0.92%
  DOS Executable Generic (2002/1) 0.92%
  VXD Driver (31/22) 0.01%
File name: wget.exe
File size: 10074800
MD5: 8ab07993aa4c3db71b44d0552950bd17
SHA1: 3e7d90ead707b7b66dc044c53218a92661ad3ebe
SHA256: 1b532832ecfcffe61f3e7a27c31d95d111b349471bde171afb3751c74d424841
SHA512: a0ad9c628cdfdbeb10f271c4c63b4947544d92c86addb7b346232df2eb82ee37aeb5dc1105e5beec1610c2adeff66c28660018f83840b97995067fb6c1182692
SSDEEP: 196608:jXiZYhXiNsoYrOWsVD7yktOz44JyktOg1:jXiSXiq2D+ktJ4Mktp1
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... PE..d...... 2L...... '....#.`4.. L..H...... @...... M..... 3;M......
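The Static File Info fields are what a practitioner recomputes first when a copy of the sample turns up elsewhere: the hashes to confirm it is the same file, the 8-bit entropy to judge packing (6.5 is ordinary for a large unpacked, statically linked executable), and the file-type line derived from the PE headers. The block below is an added example, not Joe Security's or GNU wget's code. The REPORTED dictionary copies the MD5, SHA256 and size from the table above; SAMPLE_PE is a constructed minimal PE32+ header (no code, no sections) built only so the example runs offline, so it will of course not match the report's hashes. The header parser reads only the fields needed for the file-type line (optional-header magic, machine, subsystem, image base).

```python
"""Recompute the 'Static File Info' fields of a PE (hashes, 8-bit entropy,
file-type line) and check the hashes against the ones a report lists."""
import hashlib
import math
import struct
from collections import Counter
from typing import Dict

# Values copied from the report's Static File Info section.
REPORTED = {
    "md5": "8ab07993aa4c3db71b44d0552950bd17",
    "sha256": "1b532832ecfcffe61f3e7a27c31d95d111b349471bde171afb3751c74d424841",
    "size": 10074800,
}

MACHINE = {0x14C: "Intel 80386", 0x8664: "x86-64", 0xAA64: "Aarch64"}
MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
SUBSYSTEM = {2: "GUI", 3: "console"}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the scale the
    report's 'Entropy (8bit)' field uses. Near 8.0 suggests packing or
    encryption; ordinary compiled code sits around 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> Dict[str, str]:
    """The four digests the report lists (SSDEEP needs a third-party lib)."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def pe_static_info(data: bytes) -> Dict[str, object]:
    """Parse just enough of the headers to reproduce a line such as
    'PE32+ (console) x86-64, for MS Windows'."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:   # PE32+: 8-byte ImageBase at offset 24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    elif magic == 0x10B:  # PE32: 4-byte ImageBase at offset 28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)  # same offset in both
    fmt = MAGIC[magic]
    machine_name = MACHINE.get(machine, f"{machine:#x}")
    subsystem_name = SUBSYSTEM.get(subsystem, str(subsystem))
    return {
        "format": fmt,
        "machine": machine_name,
        "subsystem": subsystem_name,
        "image_base": image_base,
        "sections": nsections,
        "description": f"{fmt} ({subsystem_name}) {machine_name}, for MS Windows",
    }


def matches_report(data: bytes, reported: Dict[str, object] = REPORTED) -> bool:
    """True only if size and SHA-256 both agree with the report; MD5 alone
    is not a sufficient identity check."""
    return (len(data) == reported["size"]
            and file_hashes(data)["sha256"] == reported["sha256"])


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ console image header (no code, no sections);
    not derived from wget.exe."""
    img = bytearray(64 + 4 + 20 + 240)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 64)                        # e_lfanew
    img[64:68] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, 68, 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = 88
    struct.pack_into("<H", img, opt, 0x20B)                       # PE32+
    struct.pack_into("<Q", img, opt + 24, 0x140000000)            # ImageBase
    struct.pack_into("<H", img, opt + 68, 3)                      # IMAGE_SUBSYSTEM_WINDOWS_CUI
    return bytes(img)


SAMPLE_PE = build_sample_pe()

if __name__ == "__main__":
    print(pe_static_info(SAMPLE_PE)["description"])
    print("entropy:", round(shannon_entropy(SAMPLE_PE), 3))
    print("sha256:", file_hashes(SAMPLE_PE)["sha256"])
    print("matches report:", matches_report(SAMPLE_PE))
```

To use it on a real copy, read the file with `open(path, "rb").read()` and call `matches_report` before spending time on the rest of the report; a size or SHA-256 mismatch means you are looking at a different build, and every other field in this section stops being comparable.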

File Icon

Icon Hash: 00828e8e8686b000

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: wget.exe PID: 6932 Parent PID: 6020

General

Start time: 04:15:06
Start date: 29/04/2021
Path: C:\Users\user\Desktop\wget.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\wget.exe'
Imagebase: 0x400000
File size: 10074800 bytes
MD5 hash: 8AB07993AA4C3DB71B44D0552950BD17
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Disassembly

Code Analysis
