DYNAMIC ANALYSIS REPORT #2117914

Classifications: Spyware Keylogger

MALICIOUS Threat Names: Phoenix Gen:Variant.Bulz.596294

Verdict Reason: -

Sample Type Windows Exe (x86-32)

File Name arinzezx.exe

ID #841176

MD5 959d99e82bfcff242d4033435dd3ab32

SHA1 72c3698e242bd733d2bf22f7581f8026a6f51f73

SHA256 0e77d367c706963bb393e99c935c129c66e0f71d70f5836b4abc9c8b91a25425

File Size 788.50 KB

Report Created 2021-08-10 18:22 (UTC+2)

Target Environment win10_64_th2_en_mso2016 | exe

X-Ray Vision for Malware - www.vmray.com 1 / 19 DYNAMIC ANALYSIS REPORT #2117914

OVERVIEW

VMRay Threat Identifiers (20 rules, 44 matches)

Score Category Operation Count Classification

5/5 YARA Malicious content matched by YARA rules 1 Keylogger, Spyware

• Rule "PhoenixKeylogger" from ruleset "Malware" has matched on the function strings for (process #2) arinzezx.exe.

5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware

• Tries to read sensitive data of: Chromium, Maple Studio, Kometa, Opera, Torch, Amigo, Epic Privacy Browser, 7Star, FileZilla, Pidg...... , Sputnik, Google Chrome, CentBrowser, Elements Browser, CocCoc, Uran, Microsoft Outlook, Vivaldi, Chedot, Orbitum, Chrome Canary.

4/5 Antivirus Malicious content was detected by heuristic scan 1 -

• Built-in AV detected the sample itself as "Gen:Variant.Bulz.596294".

2/5 Data Collection Reads sensitive mail data 1 -

• (Process #2) arinzezx.exe tries to read sensitive data of mail application "Microsoft Outlook" by registry.

2/5 Data Collection Reads sensitive browser data 20 -

• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Yandex Browser" by file.

• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Amigo" by file.

• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Kometa" by file.

• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Google Chrome" by file.

• (Process #2) arinzezx.exe tries to read sensitive data of web browser "CocCoc" by file.

• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Orbitum" by file.

• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Vivaldi" by file.

• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Chromium" by file.

• (Process #2) arinzezx.exe tries to read sensitive data of web browser "CentBrowser" by file.

• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Chedot" by file.

• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Comodo Dragon" by file.

• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Torch" by file.

• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Epic Privacy Browser" by file.

• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Opera" by file.

• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Uran" by file.

• (Process #2) arinzezx.exe tries to read sensitive data of web browser "7Star" by file.

• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Chrome Canary" by file.

• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Maple Studio" by file.

• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Sputnik" by file.

• (Process #2) arinzezx.exe tries to read sensitive data of web browser "Elements Browser" by file.

2/5 Data Collection Reads sensitive ftp data 1 -

• (Process #2) arinzezx.exe tries to read sensitive data of ftp application "FileZilla" by file.

2/5 Data Collection Reads sensitive application data 1 -

• (Process #2) arinzezx.exe tries to read sensitive data of application "Pidgin" by file.

2/5 Anti Analysis Delays execution 1 -

• (Process #2) arinzezx.exe has a thread which sleeps more than 5 minutes.

X-Ray Vision for Malware - www.vmray.com 2 / 19 DYNAMIC ANALYSIS REPORT #2117914

Score Category Operation Count Classification

2/5 Injection Writes into the memory of a process started from a created or modified executable 1 -

• (Process #1) arinzezx.exe modifies memory of (process #2) arinzezx.exe.

2/5 Injection Modifies control flow of a process started from a created or modified executable 1 -

• (Process #1) arinzezx.exe alters context of (process #2) arinzezx.exe.

1/5 Hide Tracks Creates process with hidden window 1 -

• (Process #1) arinzezx.exe starts (process #1) arinzezx.exe with a hidden window.

1/5 Obfuscation Reads from memory of another process 1 -

• (Process #1) arinzezx.exe reads from (process #1) arinzezx.exe.

1/5 Obfuscation Creates a page with write and execute permissions 1 -

• (Process #1) arinzezx.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.

1/5 Privilege Escalation Enables process privilege 1 -

• (Process #2) arinzezx.exe enables process privilege "SeDebugPrivilege".

1/5 Discovery Possibly does reconnaissance 2 -

• (Process #2) arinzezx.exe tries to gather information about application "FileZilla" by file.

• (Process #2) arinzezx.exe tries to gather information about application "Pidgin" by file.

1/5 Execution Executes itself 1 -

• (Process #1) arinzezx.exe executes a copy of the sample at C:\Users\RDhJ0CNFevzX\Desktop\arinzezx.exe.

1/5 Network Connection Performs DNS request 3 -

• (Process #2) arinzezx.exe resolves host name "checkip.dyndns.org" to IP "132.226.8.169".

• (Process #2) arinzezx.exe resolves host name "freegeoip.app" to IP "104.21.19.200".

• (Process #2) arinzezx.exe resolves host name "bh-16.webhostbox.net" to IP "199.79.62.16".

1/5 Network Connection Connects to remote host 3 -

• (Process #2) arinzezx.exe opens an outgoing TCP connection to host "199.79.62.16:587".

• (Process #2) arinzezx.exe opens an outgoing TCP connection to host "132.226.8.169:80".

• (Process #2) arinzezx.exe opens an outgoing TCP connection to host "104.21.19.200:443".

1/5 Network Connection Tries to connect using an uncommon port 1 -

• (Process #2) arinzezx.exe tries to connect to TCP port 587 at 199.79.62.16.

1/5 Discovery Checks external IP address 1 -

• (Process #2) arinzezx.exe checks external IP by asking IP info service at "http://checkip.dyndns.org/".

X-Ray Vision for Malware - www.vmray.com 3 / 19 DYNAMIC ANALYSIS REPORT #2117914

Mitre ATT&CK Matrix

Privilege Defense Credential Lateral Command Initial Access Execution Persistence Discovery Collection Exfiltration Impact Escalation Evasion Access Movement and Control

#T1214 #T1119 #T1065 #T1143 Hidden #T1012 Query Credentials in Automated Uncommonly Window Registry Registry Collection Used Port #T1045 #T1081 #T1083 File #T1005 Data Software Credentials in and Directory from Local Packing Files Discovery System #T1016 System Network Configuration Discovery

X-Ray Vision for Malware - www.vmray.com 4 / 19 DYNAMIC ANALYSIS REPORT #2117914

Sample Information

ID #841176

MD5 959d99e82bfcff242d4033435dd3ab32

SHA1 72c3698e242bd733d2bf22f7581f8026a6f51f73

SHA256 0e77d367c706963bb393e99c935c129c66e0f71d70f5836b4abc9c8b91a25425

SSDeep 12288:kzKKrn3qGaNHEyC9/oR9gy5FHK7zWAuZ2xcOYqOEHeMKaAohVkd4hNPunUUUWLHi:k+KDPp9AR95yaIqOpfPLhVkd42UMsn

ImpHash f34d5f2d4577ed6d9ceec516c1f5a744

File Name arinzezx.exe

File Size 788.50 KB

Sample Type Windows Exe (x86-32)

Has Macros

Analysis Information

Creation Time 2021-08-10 18:22 (UTC+2)

Analysis Duration 00:04:00

Termination Reason Timeout

Number of Monitored Processes 2

Execution Successful False

Reputation Enabled

WHOIS Enabled

Built-in AV Enabled

Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of AV Matches 1

YARA Enabled

YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of YARA Matches 1

X-Ray Vision for Malware - www.vmray.com 5 / 19 DYNAMIC ANALYSIS REPORT #2117914

X-Ray Vision for Malware - www.vmray.com 6 / 19 DYNAMIC ANALYSIS REPORT #2117914

X-Ray Vision for Malware - www.vmray.com 7 / 19 DYNAMIC ANALYSIS REPORT #2117914

NETWORK

General

40.79 KB total sent

20.02 KB total received

3 ports 80, 587, 443

4 contacted IP addresses

0 URLs extracted

0 files downloaded

0 malicious hosts detected

DNS

5 DNS requests for 3 domains

1 nameservers contacted

0 total requests returned errors

HTTP/S

2 URLs contacted, 2 servers

2 sessions, 1.63 KB sent, 9.43 KB received

HTTP Requests

Method URL Dest. IP Dest. Port Status Code Response Size Verdict

GET http://checkip.dyndns.org/ - - 0 bytes NA

GET https://freegeoip.app/xml/94.114.3.195 - - 0 bytes NA

DNS Requests

Type Hostname Response Code Resolved IPs CNames Verdict

132.226.8.169, 132.226.247.73, A checkip.dyndns.org, checkip.dyndns.com NoError 158.101.44.242, checkip.dyndns.com NA 193.122.6.168, 193.122.130.0

104.21.19.200, A freegeoip.app NoError NA 172.67.188.154

A bh-16.webhostbox.net NoError 199.79.62.16 NA

132.226.8.169, 132.226.247.73, - checkip.dyndns.org - 158.101.44.242, NA 193.122.6.168, 193.122.130.0

X-Ray Vision for Malware - www.vmray.com 8 / 19 DYNAMIC ANALYSIS REPORT #2117914

BEHAVIOR

Process Graph

Modify Memory #1 Modify Control Flow #2 Sample Start arinzezx.exe Child Process arinzezx.exe

X-Ray Vision for Malware - www.vmray.com 9 / 19 DYNAMIC ANALYSIS REPORT #2117914

Process #1: arinzezx.exe

ID 1

File Name c:\users\rdhj0cnfevzx\desktop\arinzezx.exe

Command Line "C:\Users\RDhJ0CNFevzX\Desktop\arinzezx.exe"

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 53783, Reason: Analysis Target

Unmonitor End Time End Time: 140431, Reason: Terminated

Monitor duration 86.65s

Return Code 0

PID 5080

Parent PID 1652

Bitness 32 Bit

Host Behavior

Type Count

Process 1

Module 76

Window 6

Registry 3

File 19

- 3

- 7

X-Ray Vision for Malware - www.vmray.com 10 / 19 DYNAMIC ANALYSIS REPORT #2117914

Process #2: arinzezx.exe

ID 2

File Name c:\users\rdhj0cnfevzx\desktop\arinzezx.exe

Command Line "C:\Users\RDhJ0CNFevzX\Desktop\arinzezx.exe"

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 136097, Reason: Child Process

Unmonitor End Time End Time: 296845, Reason: Terminated by Timeout

Monitor duration 160.75s

Return Code Unknown

PID 5076

Parent PID 5080

Bitness 32 Bit

Injection Information (6)

Injection Type Source Process Source / Target TID Address / Name Size Success Count

#1: c: Modify Memory \users\rdhj0cnfevzx\desktop 0x13d0 0x400000(4194304) 0x200 1 \arinzezx.exe

#1: c: Modify Memory \users\rdhj0cnfevzx\desktop 0x13d0 0x402000(4202496) 0x1da00 1 \arinzezx.exe

#1: c: Modify Memory \users\rdhj0cnfevzx\desktop 0x13d0 0x420000(4325376) 0x600 1 \arinzezx.exe

#1: c: Modify Memory \users\rdhj0cnfevzx\desktop 0x13d0 0x422000(4333568) 0x200 1 \arinzezx.exe

#1: c: Modify Memory \users\rdhj0cnfevzx\desktop 0x13d0 0x279008(2592776) 0x4 1 \arinzezx.exe

#1: c: Modify Control Flow \users\rdhj0cnfevzx\desktop 0x13d0 / 0xc08 - 1 \arinzezx.exe

Host Behavior

Type Count

User 61

System 45

Registry 75

Module 13

File 112

- 17

Environment 11

Mutex 15

Window 6

Network Behavior

Type Count

HTTP 2

HTTPS 1

X-Ray Vision for Malware - www.vmray.com 11 / 19 DYNAMIC ANALYSIS REPORT #2117914

Type Count

DNS 5

TCP 16

X-Ray Vision for Malware - www.vmray.com 12 / 19 DYNAMIC ANALYSIS REPORT #2117914

ARTIFACTS

File

SHA256 File Names Category File Size MIME Type Operations Verdict

0e77d367c706963bb393e99 C: application/ c935c129c66e0f71d70f5836 \Users\RDhJ0CNFevzX\Desktop\arin Sample File 788.50 KB vnd.microsoft.portable- - MALICIOUS b4abc9c8b91a25425 zezx.exe executable

Filename

File Name Category Operations Verdict

C: \Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.co Accessed File Access, Read CLEAN nfig

C:\Users\RDhJ0CNFevzX\Desktop\arinzezx.exe.config Accessed File Access CLEAN

C: \Users\RDhJ0CNFevzX\AppData\Local\Yandex\YandexBrowser\User Accessed File Access CLEAN Data\Default\Ya Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\Amigo\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\Xpom\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\Kometa\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\Nichrome\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\Google\Chrome\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\CocCoc\Browser\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\Tencent\QQBrowser\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\Orbitum\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\Slimjet\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\Iridium\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\Vivaldi\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\Chromium\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\GhostBrowser\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\CentBrowser\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\Xvast\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\Chedot\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\SuperBird\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\360Browser\Browser\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\360Chrome\Chrome\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\Comodo\Dragon\User Accessed File Access CLEAN Data\Default\Login Data

X-Ray Vision for Malware - www.vmray.com 13 / 19 DYNAMIC ANALYSIS REPORT #2117914

File Name Category Operations Verdict

C:\Users\RDhJ0CNFevzX\AppData\Local\BraveSoftware\Brave- Accessed File Access CLEAN Browser\User Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\Torch\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\UCBrowser\User Accessed File Access CLEAN Data_i18n\Default\UC Login Data.18

C:\Users\RDhJ0CNFevzX\AppData\Local\Blisk\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\Epic Privacy Browser\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Roaming\Opera Software\Opera Accessed File Access CLEAN Stable\Login Data

C: \Users\RDhJ0CNFevzX\AppData\Roaming\Opera\Opera\profile\wan Accessed File Access CLEAN d.dat

C:\Users\RDhJ0CNFevzX\AppData\Roaming Accessed File Access CLEAN

C: \Users\RDhJ0CNFevzX\AppData\Roaming\FileZilla\recentservers.x Accessed File Access CLEAN ml

C:\Users\RDhJ0CNFevzX\AppData\Roaming\.purple\accounts.xml Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Liebao7\User Accessed File Access CLEAN Data\Default\EncryptedStorage

C:\Users\RDhJ0CNFevzX\AppData\Local\AVAST Accessed File Access CLEAN Software\Browser\User Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\Kinza\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\BlackHawk\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\CatalinaGroup\Citrio\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\uCozMedia\Uran\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\Coowon\Coowon\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\7Star\7Star\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\QIP Surf\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Roaming\Fenrir Accessed File Access CLEAN Inc\Sleipnir5\setting\modules\ChromiumViewer\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\Google\Chrome SxS\User Accessed File Access CLEAN Data\Default\Login Data

C: \Users\RDhJ0CNFevzX\AppData\Local\MapleStudio\ChromePlus\U Accessed File Access CLEAN ser Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\SalamWeb\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\Sputnik\Sputnik\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\Elements Browser\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Edge\User Accessed File Access CLEAN Data\Default\Login Data

C:\Users\RDhJ0CNFevzX\AppData\Roaming\discord\Local Accessed File Access CLEAN Storage\leveldb\

X-Ray Vision for Malware - www.vmray.com 14 / 19 DYNAMIC ANALYSIS REPORT #2117914

URL

URL Category IP Address Country HTTP Methods Verdict

http://checkip.dyndns.org - 132.226.8.169 - GET CLEAN

https://freegeoip.app/xml/94.114.3.195 - 104.21.19.200 - GET CLEAN

Domain

Domain IP Address Country Protocols Verdict

132.226.8.169, 158.101.44.242, 193.122.6.168, checkip.dyndns.org - DNS, HTTP CLEAN 132.226.247.73, 193.122.130.0

158.101.44.242, 193.122.6.168, 132.226.247.73, checkip.dyndns.com - DNS CLEAN 193.122.130.0, 132.226.8.169

freegeoip.app 104.21.19.200, 172.67.188.154 - DNS, HTTPS CLEAN

bh-16.webhostbox.net 199.79.62.16 - DNS CLEAN

IP

IP Address Domains Country Protocols Verdict

192.168.0.1 - - DNS, UDP CLEAN

199.79.62.16 bh-16.webhostbox.net United States TCP, DNS CLEAN

132.226.8.169 checkip.dyndns.com, checkip.dyndns.org Japan TCP, DNS, HTTP CLEAN

104.21.19.200 freegeoip.app United States TCP, DNS, HTTPS CLEAN

132.226.247.73 checkip.dyndns.com, checkip.dyndns.org Brazil DNS CLEAN

158.101.44.242 checkip.dyndns.com, checkip.dyndns.org United States DNS CLEAN

193.122.6.168 checkip.dyndns.com, checkip.dyndns.org Germany DNS CLEAN

193.122.130.0 checkip.dyndns.com, checkip.dyndns.org United States DNS CLEAN

172.67.188.154 freegeoip.app United States DNS CLEAN

Registry

Registry Key Operations Parent Process Name Verdict

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework access arinzezx.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Dbg access, read arinzezx.exe CLEAN JITDebugLaunchSetting

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Dbg access, read arinzezx.exe CLEAN ManagedDebugger

HKEY_PERFORMANCE_DATA access arinzezx.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows access arinzezx.exe CLEAN NT\CurrentVersion\Time Zones\W. Europe Standard Time

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows access, read arinzezx.exe CLEAN NT\CurrentVersion\Time Zones\W. Europe Standard Time\TZI

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic access arinzezx.exe CLEAN DST

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard access, read arinzezx.exe CLEAN Time\MUI_Display

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows access, read arinzezx.exe CLEAN NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows access, read arinzezx.exe CLEAN NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Dlt

X-Ray Vision for Malware - www.vmray.com 15 / 19 DYNAMIC ANALYSIS REPORT #2117914

Registry Key Operations Parent Process Name Verdict

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows access arinzezx.exe CLEAN NT\CurrentVersion

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows access, read arinzezx.exe CLEAN NT\CurrentVersion\InstallationType

HKEY_CURRENT_USER access arinzezx.exe CLEAN

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Current access arinzezx.exe CLEAN Version\Internet Settings\Connections

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current access arinzezx.exe CLEAN Version\Internet Settings\Connections

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows access arinzezx.exe CLEAN \CurrentVersion\Internet Settings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework access arinzezx.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ access, read arinzezx.exe CLEAN LegacyWPADSupport

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ access arinzezx.exe CLEAN v4.0.30319

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ access, read arinzezx.exe CLEAN v4.0.30319\HWRPortReuseOnSocketBind

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ access arinzezx.exe CLEAN AppContext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ access, read arinzezx.exe CLEAN v4.0.30319\SchUseStrongCrypto

HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Pr access arinzezx.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging access arinzezx.exe CLEAN Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging access arinzezx.exe CLEAN Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access arinzezx.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access arinzezx.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Em access, read arinzezx.exe CLEAN ail

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\IMA access, read arinzezx.exe CLEAN P Password

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\PO access, read arinzezx.exe CLEAN P3 Password

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\HT access, read arinzezx.exe CLEAN TP Password

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\SM access, read arinzezx.exe CLEAN TP Password

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access arinzezx.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Em access, read arinzezx.exe CLEAN ail

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMA access, read arinzezx.exe CLEAN P Password

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\PO access, read arinzezx.exe CLEAN P3 Password

X-Ray Vision for Malware - www.vmray.com 16 / 19 DYNAMIC ANALYSIS REPORT #2117914

Registry Key Operations Parent Process Name Verdict

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HT access, read arinzezx.exe CLEAN TP Password

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SM access, read arinzezx.exe CLEAN TP Password

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SM access, read arinzezx.exe CLEAN TP Server

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access arinzezx.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Em access, read arinzezx.exe CLEAN ail

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\IMA access, read arinzezx.exe CLEAN P Password

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\PO access, read arinzezx.exe CLEAN P3 Password

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\HT access, read arinzezx.exe CLEAN TP Password

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SM access, read arinzezx.exe CLEAN TP Password

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Foxmail.url.mailto\ access arinzezx.exe CLEAN Shell\open\command

Process

Process Name Commandline Verdict

arinzezx.exe "C:\Users\RDhJ0CNFevzX\Desktop\arinzezx.exe" MALICIOUS

arinzezx.exe "C:\Users\RDhJ0CNFevzX\Desktop\arinzezx.exe" MALICIOUS

X-Ray Vision for Malware - www.vmray.com 17 / 19 DYNAMIC ANALYSIS REPORT #2117914

YARA / AV

YARA (1)

Ruleset Name Rule Name Rule Description File Type File Name Classification Verdict

Keylogger, Malware PhoenixKeylogger Phoenix Keylogger Function Strings function_strings_process_2.txt 5/5 Spyware

Antivirus (1)

File Type Threat Name File Name Verdict

Sample File Gen:Variant.Bulz.596294 C:\Users\RDhJ0CNFevzX\Desktop\arinzezx.exe MALICIOUS

X-Ray Vision for Malware - www.vmray.com 18 / 19 DYNAMIC ANALYSIS REPORT #2117914

ENVIRONMENT

Virtual Machine Information

Name win10_64_th2_en_mso2016

Description win10_64_th2_en_mso2016

Architecture x86 64-bit

Operating System Windows 10 Threshold 2

Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)

Network Scheme Name Local Gateway

Network Config Name Local Gateway

Analyzer Information

Analyzer Version 4.2.2

Dynamic Engine Version 4.2.2 / 07/23/2021 03:44

Static Engine Version 4.2.2.0

Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (March 15, 2021)

Built-in AV Database Update Release 2021-08-10 12:55:49+00:00 Date

AV Exceptions Version 4.2.2.54 / 2021-07-23 03:00:10

VTI Ruleset Version 4.2.2.33 / 2021-08-02 14:31:04

YARA Built-in Ruleset Version 4.2.2.34

Link Detonation Heuristics Version -

Signature Trust Store Version 4.2.2.54 / 2021-07-23 03:00:10

Analysis Report Layout Version 10

Software Information

Adobe Acrobat Reader Version Not installed

Microsoft Office 2016

Microsoft Office Version 16.0.4266.1003

Internet Explorer Version 11.0.10586.0

Chrome Version Not installed

Firefox Version Not installed

Flash Version Not installed

Java Version Not installed

X-Ray Vision for Malware - www.vmray.com 19 / 19