DYNAMIC ANALYSIS REPORT #2117914
Classifications: Spyware Keylogger
MALICIOUS Threat Names: Phoenix Gen:Variant.Bulz.596294
Verdict Reason: -
Sample Type Windows Exe (x86-32)
File Name arinzezx.exe
ID #841176
MD5 959d99e82bfcff242d4033435dd3ab32
SHA1 72c3698e242bd733d2bf22f7581f8026a6f51f73
SHA256 0e77d367c706963bb393e99c935c129c66e0f71d70f5836b4abc9c8b91a25425
File Size 788.50 KB
Report Created 2021-08-10 18:22 (UTC+2)
Target Environment win10_64_th2_en_mso2016 | exe
X-Ray Vision for Malware - www.vmray.com 1 / 19 DYNAMIC ANALYSIS REPORT #2117914
OVERVIEW
VMRay Threat Identifiers (20 rules, 44 matches)
Score Category Operation Count Classification
5/5 YARA Malicious content matched by YARA rules 1 Keylogger, Spyware
• Rule "PhoenixKeylogger" from ruleset "Malware" has matched on the function strings for (process #2) arinzezx.exe.
5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware
• Tries to read sensitive data of: Chromium, Maple Studio, Kometa, Opera, Torch, Amigo, Epic Privacy Browser, 7Star, FileZilla, Pidg...... , Sputnik, Google Chrome, CentBrowser, Elements Browser, CocCoc, Uran, Microsoft Outlook, Vivaldi, Chedot, Orbitum, Chrome Canary.
4/5 Antivirus Malicious content was detected by heuristic scan 1 -
• Built-in AV detected the sample itself as "Gen:Variant.Bulz.596294".
2/5 Data Collection Reads sensitive mail data 1 -
• (Process #2) arinzezx.exe tries to read sensitive data of mail application "Microsoft Outlook" by registry.
2/5 Data Collection Reads sensitive browser data 20 -
• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Yandex Browser" by file.
• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Amigo" by file.
• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Kometa" by file.
• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Google Chrome" by file.
• (Process #2) arinzezx.exe tries to read sensitive data of web browser "CocCoc" by file.
• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Orbitum" by file.
• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Vivaldi" by file.
• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Chromium" by file.
• (Process #2) arinzezx.exe tries to read sensitive data of web browser "CentBrowser" by file.
• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Chedot" by file.
• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Comodo Dragon" by file.
• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Torch" by file.
• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Epic Privacy Browser" by file.
• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Opera" by file.
• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Uran" by file.
• (Process #2) arinzezx.exe tries to read sensitive data of web browser "7Star" by file.
• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Chrome Canary" by file.
• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Maple Studio" by file.
• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Sputnik" by file.
• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Elements Browser" by file.
2/5 Data Collection Reads sensitive ftp data 1 -
• (Process #2) arinzezx.exe tries to read sensitive data of ftp application "FileZilla" by file.
2/5 Data Collection Reads sensitive application data 1 -
• (Process #2) arinzezx.exe tries to read sensitive data of application "Pidgin" by file.
2/5 Anti Analysis Delays execution 1 -
• (Process #2) arinzezx.exe has a thread which sleeps more than 5 minutes.
X-Ray Vision for Malware - www.vmray.com 2 / 19 DYNAMIC ANALYSIS REPORT #2117914
Score Category Operation Count Classification
2/5 Injection Writes into the memory of a process started from a created or modified executable 1 -
• (Process #1) arinzezx.exe modifies memory of (process #2) arinzezx.exe.
2/5 Injection Modifies control flow of a process started from a created or modified executable 1 -
• (Process #1) arinzezx.exe alters context of (process #2) arinzezx.exe.
1/5 Hide Tracks Creates process with hidden window 1 -
• (Process #1) arinzezx.exe starts (process #1) arinzezx.exe with a hidden window.
1/5 Obfuscation Reads from memory of another process 1 -
• (Process #1) arinzezx.exe reads from (process #1) arinzezx.exe.
1/5 Obfuscation Creates a page with write and execute permissions 1 -
• (Process #1) arinzezx.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
1/5 Privilege Escalation Enables process privilege 1 -
• (Process #2) arinzezx.exe enables process privilege "SeDebugPrivilege".
1/5 Discovery Possibly does reconnaissance 2 -
• (Process #2) arinzezx.exe tries to gather information about application "FileZilla" by file.
• (Process #2) arinzezx.exe tries to gather information about application "Pidgin" by file.
1/5 Execution Executes itself 1 -
• (Process #1) arinzezx.exe executes a copy of the sample at C:\Users\RDhJ0CNFevzX\Desktop\arinzezx.exe.
1/5 Network Connection Performs DNS request 3 -
• (Process #2) arinzezx.exe resolves host name "checkip.dyndns.org" to IP "132.226.8.169".
• (Process #2) arinzezx.exe resolves host name "freegeoip.app" to IP "104.21.19.200".
• (Process #2) arinzezx.exe resolves host name "bh-16.webhostbox.net" to IP "199.79.62.16".
1/5 Network Connection Connects to remote host 3 -
• (Process #2) arinzezx.exe opens an outgoing TCP connection to host "199.79.62.16:587".
• (Process #2) arinzezx.exe opens an outgoing TCP connection to host "132.226.8.169:80".
• (Process #2) arinzezx.exe opens an outgoing TCP connection to host "104.21.19.200:443".
1/5 Network Connection Tries to connect using an uncommon port 1 -
• (Process #2) arinzezx.exe tries to connect to TCP port 587 at 199.79.62.16.
1/5 Discovery Checks external IP address 1 -
• (Process #2) arinzezx.exe checks external IP by asking IP info service at "http://checkip.dyndns.org/".
X-Ray Vision for Malware - www.vmray.com 3 / 19 DYNAMIC ANALYSIS REPORT #2117914
Mitre ATT&CK Matrix
Privilege Defense Credential Lateral Command Initial Access Execution Persistence Discovery Collection Exfiltration Impact Escalation Evasion Access Movement and Control
#T1214 #T1119 #T1065 #T1143 Hidden #T1012 Query Credentials in Automated Uncommonly Window Registry Registry Collection Used Port #T1045 #T1081 #T1083 File #T1005 Data Software Credentials in and Directory from Local Packing Files Discovery System #T1016 System Network Configuration Discovery
X-Ray Vision for Malware - www.vmray.com 4 / 19 DYNAMIC ANALYSIS REPORT #2117914
Sample Information
ID #841176
MD5 959d99e82bfcff242d4033435dd3ab32
SHA1 72c3698e242bd733d2bf22f7581f8026a6f51f73
SHA256 0e77d367c706963bb393e99c935c129c66e0f71d70f5836b4abc9c8b91a25425
SSDeep 12288:kzKKrn3qGaNHEyC9/oR9gy5FHK7zWAuZ2xcOYqOEHeMKaAohVkd4hNPunUUUWLHi:k+KDPp9AR95yaIqOpfPLhVkd42UMsn
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
File Name arinzezx.exe
File Size 788.50 KB
Sample Type Windows Exe (x86-32)
Has Macros
Analysis Information
Creation Time 2021-08-10 18:22 (UTC+2)
Analysis Duration 00:04:00
Termination Reason Timeout
Number of Monitored Processes 2
Execution Successful False
Reputation Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 1
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 1
X-Ray Vision for Malware - www.vmray.com 5 / 19 DYNAMIC ANALYSIS REPORT #2117914
X-Ray Vision for Malware - www.vmray.com 6 / 19 DYNAMIC ANALYSIS REPORT #2117914
X-Ray Vision for Malware - www.vmray.com 7 / 19 DYNAMIC ANALYSIS REPORT #2117914
NETWORK
General
40.79 KB total sent
20.02 KB total received
3 ports 80, 587, 443
4 contacted IP addresses
0 URLs extracted
0 files downloaded
0 malicious hosts detected
DNS
5 DNS requests for 3 domains
1 nameservers contacted
0 total requests returned errors
HTTP/S
2 URLs contacted, 2 servers
2 sessions, 1.63 KB sent, 9.43 KB received
HTTP Requests
Method URL Dest. IP Dest. Port Status Code Response Size Verdict
GET http://checkip.dyndns.org/ - - 0 bytes NA
GET https://freegeoip.app/xml/94.114.3.195 - - 0 bytes NA
DNS Requests
Type Hostname Response Code Resolved IPs CNames Verdict
132.226.8.169, 132.226.247.73, A checkip.dyndns.org, checkip.dyndns.com NoError 158.101.44.242, checkip.dyndns.com NA 193.122.6.168, 193.122.130.0
104.21.19.200, A freegeoip.app NoError NA 172.67.188.154
A bh-16.webhostbox.net NoError 199.79.62.16 NA
132.226.8.169, 132.226.247.73, - checkip.dyndns.org - 158.101.44.242, NA 193.122.6.168, 193.122.130.0
X-Ray Vision for Malware - www.vmray.com 8 / 19 DYNAMIC ANALYSIS REPORT #2117914
BEHAVIOR
Process Graph
Modify Memory #1 Modify Control Flow #2 Sample Start arinzezx.exe Child Process arinzezx.exe
X-Ray Vision for Malware - www.vmray.com 9 / 19 DYNAMIC ANALYSIS REPORT #2117914
Process #1: arinzezx.exe
ID 1
File Name c:\users\rdhj0cnfevzx\desktop\arinzezx.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\arinzezx.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 53783, Reason: Analysis Target
Unmonitor End Time End Time: 140431, Reason: Terminated
Monitor duration 86.65s
Return Code 0
PID 5080
Parent PID 1652
Bitness 32 Bit
Host Behavior
Type Count
Process 1
Module 76
Window 6
Registry 3
File 19
- 3
- 7
X-Ray Vision for Malware - www.vmray.com 10 / 19 DYNAMIC ANALYSIS REPORT #2117914
Process #2: arinzezx.exe
ID 2
File Name c:\users\rdhj0cnfevzx\desktop\arinzezx.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\arinzezx.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 136097, Reason: Child Process
Unmonitor End Time End Time: 296845, Reason: Terminated by Timeout
Monitor duration 160.75s
Return Code Unknown
PID 5076
Parent PID 5080
Bitness 32 Bit
Injection Information (6)
Injection Type Source Process Source / Target TID Address / Name Size Success Count
#1: c: Modify Memory \users\rdhj0cnfevzx\desktop 0x13d0 0x400000(4194304) 0x200 1 \arinzezx.exe
#1: c: Modify Memory \users\rdhj0cnfevzx\desktop 0x13d0 0x402000(4202496) 0x1da00 1 \arinzezx.exe
#1: c: Modify Memory \users\rdhj0cnfevzx\desktop 0x13d0 0x420000(4325376) 0x600 1 \arinzezx.exe
#1: c: Modify Memory \users\rdhj0cnfevzx\desktop 0x13d0 0x422000(4333568) 0x200 1 \arinzezx.exe
#1: c: Modify Memory \users\rdhj0cnfevzx\desktop 0x13d0 0x279008(2592776) 0x4 1 \arinzezx.exe
#1: c: Modify Control Flow \users\rdhj0cnfevzx\desktop 0x13d0 / 0xc08 - 1 \arinzezx.exe
Host Behavior
Type Count
User 61
System 45
Registry 75
Module 13
File 112
- 17
Environment 11
Mutex 15
Window 6
Network Behavior
Type Count
HTTP 2
HTTPS 1
X-Ray Vision for Malware - www.vmray.com 11 / 19 DYNAMIC ANALYSIS REPORT #2117914
Type Count
DNS 5
TCP 16
X-Ray Vision for Malware - www.vmray.com 12 / 19 DYNAMIC ANALYSIS REPORT #2117914
ARTIFACTS
File
SHA256 File Names Category File Size MIME Type Operations Verdict
0e77d367c706963bb393e99 C: application/ c935c129c66e0f71d70f5836 \Users\RDhJ0CNFevzX\Desktop\arin Sample File 788.50 KB vnd.microsoft.portable- - MALICIOUS b4abc9c8b91a25425 zezx.exe executable
Filename
File Name Category Operations Verdict
C: \Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.co Accessed File Access, Read CLEAN nfig
C:\Users\RDhJ0CNFevzX\Desktop\arinzezx.exe.config Accessed File Access CLEAN
C: \Users\RDhJ0CNFevzX\AppData\Local\Yandex\YandexBrowser\User Accessed File Access CLEAN Data\Default\Ya Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Amigo\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Xpom\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Kometa\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Nichrome\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Google\Chrome\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\CocCoc\Browser\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Tencent\QQBrowser\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Orbitum\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Slimjet\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Iridium\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Vivaldi\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Chromium\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\GhostBrowser\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\CentBrowser\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Xvast\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Chedot\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\SuperBird\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\360Browser\Browser\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\360Chrome\Chrome\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Comodo\Dragon\User Accessed File Access CLEAN Data\Default\Login Data
X-Ray Vision for Malware - www.vmray.com 13 / 19 DYNAMIC ANALYSIS REPORT #2117914
File Name Category Operations Verdict
C:\Users\RDhJ0CNFevzX\AppData\Local\BraveSoftware\Brave- Accessed File Access CLEAN Browser\User Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Torch\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\UCBrowser\User Accessed File Access CLEAN Data_i18n\Default\UC Login Data.18
C:\Users\RDhJ0CNFevzX\AppData\Local\Blisk\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Epic Privacy Browser\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Opera Software\Opera Accessed File Access CLEAN Stable\Login Data
C: \Users\RDhJ0CNFevzX\AppData\Roaming\Opera\Opera\profile\wan Accessed File Access CLEAN d.dat
C:\Users\RDhJ0CNFevzX\AppData\Roaming Accessed File Access CLEAN
C: \Users\RDhJ0CNFevzX\AppData\Roaming\FileZilla\recentservers.x Accessed File Access CLEAN ml
C:\Users\RDhJ0CNFevzX\AppData\Roaming\.purple\accounts.xml Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Liebao7\User Accessed File Access CLEAN Data\Default\EncryptedStorage
C:\Users\RDhJ0CNFevzX\AppData\Local\AVAST Accessed File Access CLEAN Software\Browser\User Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Kinza\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\BlackHawk\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\CatalinaGroup\Citrio\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\uCozMedia\Uran\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Coowon\Coowon\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\7Star\7Star\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\QIP Surf\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Fenrir Accessed File Access CLEAN Inc\Sleipnir5\setting\modules\ChromiumViewer\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Google\Chrome SxS\User Accessed File Access CLEAN Data\Default\Login Data
C: \Users\RDhJ0CNFevzX\AppData\Local\MapleStudio\ChromePlus\U Accessed File Access CLEAN ser Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\SalamWeb\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Sputnik\Sputnik\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Elements Browser\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Edge\User Accessed File Access CLEAN Data\Default\Login Data
C:\Users\RDhJ0CNFevzX\AppData\Roaming\discord\Local Accessed File Access CLEAN Storage\leveldb\
X-Ray Vision for Malware - www.vmray.com 14 / 19 DYNAMIC ANALYSIS REPORT #2117914
URL
URL Category IP Address Country HTTP Methods Verdict
http://checkip.dyndns.org - 132.226.8.169 - GET CLEAN
https://freegeoip.app/xml/94.114.3.195 - 104.21.19.200 - GET CLEAN
Domain
Domain IP Address Country Protocols Verdict
132.226.8.169, 158.101.44.242, 193.122.6.168, checkip.dyndns.org - DNS, HTTP CLEAN 132.226.247.73, 193.122.130.0
158.101.44.242, 193.122.6.168, 132.226.247.73, checkip.dyndns.com - DNS CLEAN 193.122.130.0, 132.226.8.169
freegeoip.app 104.21.19.200, 172.67.188.154 - DNS, HTTPS CLEAN
bh-16.webhostbox.net 199.79.62.16 - DNS CLEAN
IP
IP Address Domains Country Protocols Verdict
192.168.0.1 - - DNS, UDP CLEAN
199.79.62.16 bh-16.webhostbox.net United States TCP, DNS CLEAN
132.226.8.169 checkip.dyndns.com, checkip.dyndns.org Japan TCP, DNS, HTTP CLEAN
104.21.19.200 freegeoip.app United States TCP, DNS, HTTPS CLEAN
132.226.247.73 checkip.dyndns.com, checkip.dyndns.org Brazil DNS CLEAN
158.101.44.242 checkip.dyndns.com, checkip.dyndns.org United States DNS CLEAN
193.122.6.168 checkip.dyndns.com, checkip.dyndns.org Germany DNS CLEAN
193.122.130.0 checkip.dyndns.com, checkip.dyndns.org United States DNS CLEAN
172.67.188.154 freegeoip.app United States DNS CLEAN
Registry
Registry Key Operations Parent Process Name Verdict
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework access arinzezx.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Dbg access, read arinzezx.exe CLEAN JITDebugLaunchSetting
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Dbg access, read arinzezx.exe CLEAN ManagedDebugger
HKEY_PERFORMANCE_DATA access arinzezx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows access arinzezx.exe CLEAN NT\CurrentVersion\Time Zones\W. Europe Standard Time
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows access, read arinzezx.exe CLEAN NT\CurrentVersion\Time Zones\W. Europe Standard Time\TZI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic access arinzezx.exe CLEAN DST
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard access, read arinzezx.exe CLEAN Time\MUI_Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows access, read arinzezx.exe CLEAN NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows access, read arinzezx.exe CLEAN NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Dlt
X-Ray Vision for Malware - www.vmray.com 15 / 19 DYNAMIC ANALYSIS REPORT #2117914
Registry Key Operations Parent Process Name Verdict
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows access arinzezx.exe CLEAN NT\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows access, read arinzezx.exe CLEAN NT\CurrentVersion\InstallationType
HKEY_CURRENT_USER access arinzezx.exe CLEAN
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Current access arinzezx.exe CLEAN Version\Internet Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current access arinzezx.exe CLEAN Version\Internet Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows access arinzezx.exe CLEAN \CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework access arinzezx.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ access, read arinzezx.exe CLEAN LegacyWPADSupport
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ access arinzezx.exe CLEAN v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ access, read arinzezx.exe CLEAN v4.0.30319\HWRPortReuseOnSocketBind
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ access arinzezx.exe CLEAN AppContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ access, read arinzezx.exe CLEAN v4.0.30319\SchUseStrongCrypto
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Pr access arinzezx.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging access arinzezx.exe CLEAN Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging access arinzezx.exe CLEAN Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access arinzezx.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access arinzezx.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Em access, read arinzezx.exe CLEAN ail
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\IMA access, read arinzezx.exe CLEAN P Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\PO access, read arinzezx.exe CLEAN P3 Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\HT access, read arinzezx.exe CLEAN TP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\SM access, read arinzezx.exe CLEAN TP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access arinzezx.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Em access, read arinzezx.exe CLEAN ail
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMA access, read arinzezx.exe CLEAN P Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\PO access, read arinzezx.exe CLEAN P3 Password
X-Ray Vision for Malware - www.vmray.com 16 / 19 DYNAMIC ANALYSIS REPORT #2117914
Registry Key Operations Parent Process Name Verdict
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HT access, read arinzezx.exe CLEAN TP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SM access, read arinzezx.exe CLEAN TP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SM access, read arinzezx.exe CLEAN TP Server
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access arinzezx.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Em access, read arinzezx.exe CLEAN ail
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\IMA access, read arinzezx.exe CLEAN P Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\PO access, read arinzezx.exe CLEAN P3 Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\HT access, read arinzezx.exe CLEAN TP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SM access, read arinzezx.exe CLEAN TP Password
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Foxmail.url.mailto\ access arinzezx.exe CLEAN Shell\open\command
Process
Process Name Commandline Verdict
arinzezx.exe "C:\Users\RDhJ0CNFevzX\Desktop\arinzezx.exe" MALICIOUS
arinzezx.exe "C:\Users\RDhJ0CNFevzX\Desktop\arinzezx.exe" MALICIOUS
X-Ray Vision for Malware - www.vmray.com 17 / 19 DYNAMIC ANALYSIS REPORT #2117914
YARA / AV
YARA (1)
Ruleset Name Rule Name Rule Description File Type File Name Classification Verdict
Keylogger, Malware PhoenixKeylogger Phoenix Keylogger Function Strings function_strings_process_2.txt 5/5 Spyware
Antivirus (1)
File Type Threat Name File Name Verdict
Sample File Gen:Variant.Bulz.596294 C:\Users\RDhJ0CNFevzX\Desktop\arinzezx.exe MALICIOUS
X-Ray Vision for Malware - www.vmray.com 18 / 19 DYNAMIC ANALYSIS REPORT #2117914
ENVIRONMENT
Virtual Machine Information
Name win10_64_th2_en_mso2016
Description win10_64_th2_en_mso2016
Architecture x86 64-bit
Operating System Windows 10 Threshold 2
Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Analyzer Information
Analyzer Version 4.2.2
Dynamic Engine Version 4.2.2 / 07/23/2021 03:44
Static Engine Version 4.2.2.0
Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (March 15, 2021)
Built-in AV Database Update Release 2021-08-10 12:55:49+00:00 Date
AV Exceptions Version 4.2.2.54 / 2021-07-23 03:00:10
VTI Ruleset Version 4.2.2.33 / 2021-08-02 14:31:04
YARA Built-in Ruleset Version 4.2.2.34
Link Detonation Heuristics Version -
Signature Trust Store Version 4.2.2.54 / 2021-07-23 03:00:10
Analysis Report Layout Version 10
Software Information
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Internet Explorer Version 11.0.10586.0
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed
X-Ray Vision for Malware - www.vmray.com 19 / 19