ID: 409370
Sample Name: SecuriteInfo.com.Trojan.Win32.Save.a.32673.17259
Cookbook: default.jbs
Time: 03:48:23
Date: 10/05/2021
Version: 32.0.0 Black Diamond

Table of Contents

Table of Contents 2
Analysis Report SecuriteInfo.com.Trojan.Win32.Save.a.32673.17259 4
Overview 4
General Information 4
Detection 4
Signatures 4
Classification 4
Startup 4
Configuration 4
Threatname: Snake Keylogger 4
Yara Overview 4
Memory Dumps 4
Unpacked PEs 5
Sigma Overview 5
Signature Overview 5
AV Detection: 5
Networking: 5
System Summary: 5
Data Obfuscation: 6
Malware Analysis System Evasion: 6
HIPS / PFW / Protection Evasion: 6
Stealing of Sensitive Information: 6
Remote Access Functionality: 6
Mitre Att&ck Matrix 6
Behavior Graph 6
Screenshots 7
Thumbnails 7
Antivirus, Machine Learning and Genetic Malware Detection 8
Initial Sample 8
Dropped Files 8
Unpacked PE Files 8
Domains 8
URLs 9
Domains and IPs 9
Contacted Domains 9
Contacted URLs 9
URLs from Memory and Binaries 9
Contacted IPs 10
Public 11
General Information 11
Simulations 12
Behavior and APIs 12
Joe Sandbox View / Context 12
IPs 12
Domains 13
ASN 14
JA3 Fingerprints 15
Dropped Files 15
Created / dropped Files 15
Static File Info 15
General 16
File Icon 16
Static PE Info 16
General 16
Entrypoint Preview 16
Data Directories 18

Copyright Joe Security LLC 2021 Page 2 of 27

Sections 18
Resources 18
Imports 19
Version Infos 19
Network Behavior 19
Network Port Distribution 19
TCP Packets 19
UDP Packets 20
DNS Queries 21
DNS Answers 21
HTTP Request Dependency Graph 22
HTTP Packets 22
HTTPS Packets 23
Code Manipulations 23
Statistics 23
Behavior 23
System Behavior 23
Analysis Process: SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe PID: 2476 Parent PID: 5568 24
General 24
File Activities 24
File Created 24
File Written 24
File Read 25
Analysis Process: SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe PID: 5296 Parent PID: 2476 25
General 25
File Activities 26
File Created 26
File Deleted 26
File Read 26
Registry Activities 26
Disassembly 27
Code Analysis 27

Analysis Report SecuriteInfo.com.Trojan.Win32.Save.a.32673.17259

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Win32.Save.a.32673.17259 (renamed file extension from 17259 to exe)
Analysis ID: 409370
MD5: 2b2be062bfd4947…
SHA1: 084d841a6a8c2e…
SHA256: 7a11431e141079…
Tags: SnakeKeylogger

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
.NET source code contains very large strings
Injects a PE file into a foreign process
Machine Learning detection for sample
May check the online IP address of the machine
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains functionality to access load…
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often fo…
Creates a process in suspended mo…
Detected potential crypto function
Enables debug privileges
IP address seen in connection with o…
JA3 SSL client fingerprint seen in co…
May sleep (evasive loops) to hinder…
PE file contains strange resources
Queries the volume information (nam…
Sample file is different than original…
Uses a known web browser user age…
Uses code obfuscation techniques (…
Uses insecure TLS / SSL version for…
Yara detected Credential Stealer

Classification

Classification radar (an image in the original report): axes Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Trojan / Bot; rings malicious, suspicious, clean.

Startup

System is w10x64
SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe (PID: 2476 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe' MD5: 2B2BE062BFD494717434723EA3664D75)
  SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe (PID: 5296 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe MD5: 2B2BE062BFD494717434723EA3664D75)
cleanup

Malware Configuration

Threatname: Snake Keylogger

{ "Exfil Mode": "SMTP", "SMTP Info": { "Port": "587", "SMTP Credential": "[email protected]@gmicaprelam.in" } }

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.461886305.0000000000402000.00000040.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
00000002.00000002.461886305.0000000000402000.00000040.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000002.00000002.465638797.0000000003431000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.229982048.00000000048B8000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
00000000.00000002.229982048.00000000048B8000.00000004.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe.400000.0.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
2.2.SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe.400000.0.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
0.2.SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe.48b8ef0.4.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
0.2.SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe.48b8ef0.4.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
0.2.SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe.4919910.3.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality


AV Detection:

Found malware configuration

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Networking:

May check the online IP address of the machine

System Summary:

.NET source code contains very large strings

Data Obfuscation:

Yara detected Beds Obfuscator

Malware Analysis System Evasion:

Yara detected Beds Obfuscator

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Stealing of Sensitive Information:

Yara detected Snake Keylogger

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Remote Access Functionality:

Yara detected Snake Keylogger

Mitre Att&ck Matrix

Techniques per tactic column as laid out in the matrix (numbers after a technique are the signature counts the report attached to it):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection 1 1 2; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading 1; Disable or Modify Tools 1; Virtualization/Sandbox Evasion 2 1; Process Injection 1 1 2; Obfuscated Files or Information 1; Software Packing 1; Timestomp 1
Credential Access: OS Credential Dumping 1; Input Capture 1; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery 1; Process Discovery 2; Virtualization/Sandbox Evasion 2 1; Remote System Discovery 1; System Network Configuration Discovery 1; System Information Discovery 1 3; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection 1; Input Capture 1; Archive Collected Data 1; Data from Local System 1; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel 1 2; Ingress Tool Transfer 1; Non-Application Layer Protocol 2; Application Layer Protocol 1 3; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points

Behavior Graph

Legend: ID: 409370; Sample: SecuriteInfo.com.Trojan.Win...; Startdate: 10/05/2021; Architecture: WINDOWS; Score: 92
Node types: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Graph contents (the graph is an image in the original report):
SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe, with signatures: Multi AV Scanner detection for submitted file; Yara detected Snake Keylogger; Found malware configuration; 3 other signatures
  started SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe, with signatures: May check the online IP address of the machine; Injects a PE file into a foreign processes; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Mail credentials (via file access)
  dropped SecuriteInfo.com.T...ave.a.32673.exe.log, ASCII
  DNS/IP Info: checkip.dyndns.com, 162.88.193.70, ports 49722, 49723, 80, DYNDNSUS, United States; freegeoip.app, 172.67.188.154, ports 443, 49726, CLOUDFLARENETUS, United States; checkip.dyndns.org

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe | 24% | Virustotal | | Browse
SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe | 13% | ReversingLabs | Win32.Trojan.Generic |
SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe | 100% | Joe Sandbox ML | |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
2.2.SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen | | Download File

Domains

Source | Detection | Scanner | Label | Link
api.globalsign.cloud | 0% | Virustotal | | Browse
freegeoip.app | 1% | Virustotal | | Browse
checkip.dyndns.com | 0% | Virustotal | | Browse
checkip.dyndns.org | 0% | Virustotal | | Browse

URLs

Source | Detection | Scanner | Label | Link
https://freegeoip.app/xml/ | 0% | URL Reputation | safe | (listed four times)
checkip.dyndns.org/ | 0% | Virustotal | | Browse
checkip.dyndns.org/ | 0% | Avira URL Cloud | safe |
https://freegeoip.app/xml/84.17.52.78x | 0% | URL Reputation | safe | (listed four times)
checkip.dyndns.org/HB | 0% | Avira URL Cloud | safe |
https://freegeoip.app | 0% | URL Reputation | safe | (listed four times)
checkip.dyndns.org | 0% | Virustotal | | Browse
checkip.dyndns.org | 0% | Avira URL Cloud | safe |
checkip.dyndns.com | 0% | Virustotal | | Browse
checkip.dyndns.com | 0% | Avira URL Cloud | safe |
checkip.dyndns.orgD8.l | 0% | Avira URL Cloud | safe |
https://freegeoip.app/xml/LoadCountryNameClipboard | 0% | URL Reputation | safe | (listed three times)
freegeoip.app | 0% | URL Reputation | safe | (listed three times)
checkip.dyndn | 0% | URL Reputation | safe | (listed three times)
https://freegeoip.app/xml/84.17.52.78 | 0% | URL Reputation | safe | (listed three times)

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.globalsign.cloud | 104.18.25.243 | true | false | 0%, Virustotal, Browse | unknown
freegeoip.app | 172.67.188.154 | true | false | 1%, Virustotal, Browse | unknown
checkip.dyndns.com | 162.88.193.70 | true | false | 0%, Virustotal, Browse | unknown
checkip.dyndns.org | unknown | unknown | true | 0%, Virustotal, Browse | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
checkip.dyndns.org/ | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://freegeoip.app/xml/ | SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe, 00000002.00000002.465864750.000000000347A000.00000004.00000001.sdmp | false | URL Reputation: safe (four engines) | unknown
https://freegeoip.app/xml/84.17.52.78x | SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe, 00000002.00000002.466110070.00000000034E3000.00000004.00000001.sdmp | false | URL Reputation: safe (four engines) | unknown
checkip.dyndns.org/HB | SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe, 00000002.00000002.465638797.0000000003431000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://freegeoip.app | SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe, 00000002.00000002.465864750.000000000347A000.00000004.00000001.sdmp | false | URL Reputation: safe (four engines) | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8 | SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe, 00000002.00000002.465638797.0000000003431000.00000004.00000001.sdmp | false | | high
checkip.dyndns.org | SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe, 00000002.00000002.466110070.00000000034E3000.00000004.00000001.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
checkip.dyndns.com | SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe, 00000002.00000002.466110070.00000000034E3000.00000004.00000001.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe, 00000002.00000002.465974196.00000000034A4000.00000004.00000001.sdmp | false | | high
checkip.dyndns.orgD8.l | SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe, 00000002.00000002.466110070.00000000034E3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://freegeoip.app/xml/LoadCountryNameClipboard | SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe, 00000002.00000002.465638797.0000000003431000.00000004.00000001.sdmp | false | URL Reputation: safe (three engines) | unknown
freegeoip.app | SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe, 00000002.00000002.466110070.00000000034E3000.00000004.00000001.sdmp | false | URL Reputation: safe (three engines) | unknown
checkip.dyndn | SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe, 00000002.00000002.465974196.00000000034A4000.00000004.00000001.sdmp | false | URL Reputation: safe (three engines) | unknown
https://freegeoip.app/xml/84.17.52.78 | SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe, 00000002.00000002.465864750.000000000347A000.00000004.00000001.sdmp | false | URL Reputation: safe (three engines) | unknown

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
162.88.193.70 | checkip.dyndns.com | United States | 33517 | DYNDNSUS | false
172.67.188.154 | freegeoip.app | United States | 13335 | CLOUDFLARENETUS | false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 409370
Start date: 10.05.2021
Start time: 03:48:23
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 27s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: SecuriteInfo.com.Trojan.Win32.Save.a.32673.17259 (renamed file extension from 17259 to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; HDC enabled; AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal92.troj.spyw.evad.winEXE@3/1@3/2
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI

Warnings:
Excluded IPs from analysis (whitelisted)
Excluded domains from analysis (whitelisted)
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
162.88.193.70 | | | | | checkip.dyndns.org/

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
checkip.dyndns.com | | | | |
api.globalsign.cloud | | | | |
freegeoip.app | | | | |

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
CLOUDFLARENETUS | | | | |
DYNDNSUS | | | | |

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
54328bd36c14bd82ddaa0c04b25ed9ad | | | | |

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe.log

Process: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1039
Entropy (8bit): 5.365622957937216
Encrypted: false
SSDEEP: 24:MLU84qpE4Ks2wKDE4KhK3VZ9pKhIE4KnKIE4oKFKHKoZAE4Kzr7a:Mgv2HKXwYHKhQnoIHKntHoxHhAHKzva
MD5: 2AAAF19599DBB7B2B9269F77209C4FBA
SHA1: 17286C6FB357C72FFC81EE46EF05575A1AE134FD
SHA-256: 5B8D713F6F10790AF314D4AD256EB7A6BB156912034148D50955AF724FD0F2A4
SHA-512: 8C2E41464E18768F1ABA2CEC8DBBC8C234F538AB01F381ECCF22F865E2624EEFC362E6099C94C1603359FB42C55D2E8F142E44A7DA2B746DFE858811BDFDEBBF
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b880

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 2.7929612471980114
TrID:
  Win32 Executable (generic) Net Framework (10011505/4) 50.01%
  Win32 Executable (generic) a (10002005/4) 49.97%
  Generic Win/DOS Executable (2004/3) 0.01%
  DOS Executable Generic (2002/1) 0.01%
  Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe
File size: 3210240
MD5: 2b2be062bfd494717434723ea3664d75
SHA1: 084d841a6a8c2e29e983c59cbda2317fffd34ce0
SHA256: 7a11431e141079aabfbc23a56ab312d3094828c2eb0b1033bb17692054f70208
SHA512: 2c5b18fa94ca3075ac80bbcd2ed58523190dd2882e3d65261c664279c5e2f6a54c3336dbc5c098bedaa81d10c525b4014ce66008eba02d6e52fb8e0f82d8d3cb
SSDEEP: 3072:vGluM+VS6L9wtITa7djs8WisWbsqokNarsbR/t/MeUB/MXSP3ktkclMPhxDMYn7+:vGf
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... PE..L..... i...... "...0..

File Icon

Icon Hash: b4ecccc4d4c4ccd2

Static PE Info

General

Entrypoint: 0x6f5b8e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0xDF69AC0D [Sun Oct 10 11:01:33 2088 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(every remaining instruction in the preview is add byte ptr [eax], al, the decoding of the zero bytes that follow the CLR entry stub)

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x2f5b34         0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x2f6000         0x1baf4       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x312000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

.text
  Virtual Address: 0x2000  Virtual Size: 0x2f3b94  Raw Size: 0x2f3c00
  Xored PE: unknown  ZLIB Complexity: unknown  File Type: unknown  Entropy: unknown
  Characteristics: IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc
  Virtual Address: 0x2f6000  Virtual Size: 0x1baf4  Raw Size: 0x1bc00
  Xored PE: False  ZLIB Complexity: 0.190332911036  File Type: data  Entropy: 4.06827658142
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc
  Virtual Address: 0x312000  Virtual Size: 0xc  Raw Size: 0x200
  Xored PE: False  ZLIB Complexity: 0.044921875  File Type: data  Entropy: 0.101910425663
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name           RVA       Size     Type (Language and Country columns are empty for every entry)
RT_ICON        0x2f6220  0x2e68   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0x2f9088  0x10828  data
RT_ICON        0x3098b0  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4286217084, next used block 4286677635
RT_ICON        0x30dad8  0x25a8   dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4288453790, next used block 4288716961
RT_ICON        0x310080  0x10a8   dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4290677641, next used block 4290230200
RT_ICON        0x311128  0x468    GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0x311590  0x5a     data
RT_VERSION     0x3115ec  0x31c    data
RT_MANIFEST    0x311908  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2021
Assembly Version  1.0.0.0
InternalName      vaporware.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       vaporware
ProductVersion    1.0.0.0
FileDescription   vaporware
OriginalFilename  vaporware.exe

Network Behavior

Network Port Distribution

Total Packets: 52 • 53 (DNS) • 443 (HTTPS) • 80 (HTTP)

TCP Packets


UDP Packets


DNS Queries

Timestamp                          Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class
May 10, 2021 03:49:22.202965021 CEST  192.168.2.3  8.8.8.8  0xfaf     Standard query (0)  checkip.dyndns.org  A (IP address)  IN (0x0001)
May 10, 2021 03:49:22.265795946 CEST  192.168.2.3  8.8.8.8  0x40c9    Standard query (0)  checkip.dyndns.org  A (IP address)  IN (0x0001)
May 10, 2021 03:49:25.533071041 CEST  192.168.2.3  8.8.8.8  0xa8be    Standard query (0)  freegeoip.app       A (IP address)  IN (0x0001)

DNS Answers

Timestamp                          Source IP  Dest IP      Trans ID  Reply Code    Name                CName               Address         Type                    Class
May 10, 2021 03:49:02.322158098 CEST  8.8.8.8    192.168.2.3  0xb5a6    No error (0)  api.globalsign.cloud                    104.18.25.243   A (IP address)          IN (0x0001)
May 10, 2021 03:49:02.322158098 CEST  8.8.8.8    192.168.2.3  0xb5a6    No error (0)  api.globalsign.cloud                    104.18.24.243   A (IP address)          IN (0x0001)
May 10, 2021 03:49:22.253242970 CEST  8.8.8.8    192.168.2.3  0xfaf     No error (0)  checkip.dyndns.org  checkip.dyndns.com                  CNAME (Canonical name)  IN (0x0001)
May 10, 2021 03:49:22.253242970 CEST  8.8.8.8    192.168.2.3  0xfaf     No error (0)  checkip.dyndns.com                      162.88.193.70   A (IP address)          IN (0x0001)
May 10, 2021 03:49:22.253242970 CEST  8.8.8.8    192.168.2.3  0xfaf     No error (0)  checkip.dyndns.com                      131.186.161.70  A (IP address)          IN (0x0001)
May 10, 2021 03:49:22.253242970 CEST  8.8.8.8    192.168.2.3  0xfaf     No error (0)  checkip.dyndns.com                      216.146.43.71   A (IP address)          IN (0x0001)
May 10, 2021 03:49:22.253242970 CEST  8.8.8.8    192.168.2.3  0xfaf     No error (0)  checkip.dyndns.com                      131.186.113.70  A (IP address)          IN (0x0001)
May 10, 2021 03:49:22.253242970 CEST  8.8.8.8    192.168.2.3  0xfaf     No error (0)  checkip.dyndns.com                      216.146.43.70   A (IP address)          IN (0x0001)
May 10, 2021 03:49:22.317421913 CEST  8.8.8.8    192.168.2.3  0x40c9    No error (0)  checkip.dyndns.org  checkip.dyndns.com                  CNAME (Canonical name)  IN (0x0001)
May 10, 2021 03:49:22.317421913 CEST  8.8.8.8    192.168.2.3  0x40c9    No error (0)  checkip.dyndns.com                      162.88.193.70   A (IP address)          IN (0x0001)
May 10, 2021 03:49:22.317421913 CEST  8.8.8.8    192.168.2.3  0x40c9    No error (0)  checkip.dyndns.com                      131.186.161.70  A (IP address)          IN (0x0001)
May 10, 2021 03:49:22.317421913 CEST  8.8.8.8    192.168.2.3  0x40c9    No error (0)  checkip.dyndns.com                      216.146.43.71   A (IP address)          IN (0x0001)
May 10, 2021 03:49:22.317421913 CEST  8.8.8.8    192.168.2.3  0x40c9    No error (0)  checkip.dyndns.com                      131.186.113.70  A (IP address)          IN (0x0001)
May 10, 2021 03:49:22.317421913 CEST  8.8.8.8    192.168.2.3  0x40c9    No error (0)  checkip.dyndns.com                      216.146.43.70   A (IP address)          IN (0x0001)
May 10, 2021 03:49:25.595865011 CEST  8.8.8.8    192.168.2.3  0xa8be    No error (0)  freegeoip.app                           172.67.188.154  A (IP address)          IN (0x0001)
May 10, 2021 03:49:25.595865011 CEST  8.8.8.8    192.168.2.3  0xa8be    No error (0)  freegeoip.app                           104.21.19.200   A (IP address)          IN (0x0001)

HTTP Request Dependency Graph

checkip.dyndns.org

HTTP Packets

Session ID: 0
Source IP: 192.168.2.3  Source Port: 49722  Destination IP: 162.88.193.70  Destination Port: 80
Process: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe

Timestamp: May 10, 2021 03:49:22.556497097 CEST  kBytes transferred: 1284  Direction: OUT
Data:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive

Timestamp: May 10, 2021 03:49:22.690704107 CEST  kBytes transferred: 1284  Direction: IN
Data:
  HTTP/1.1 200 OK
  Content-Type: text/html
  Server: DynDNS-CheckIP/1.0.1
  Connection: close
  Cache-Control: no-cache
  Pragma: no-cache
  Content-Length: 103
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.78</body></html>

Session ID: 1
Source IP: 192.168.2.3  Source Port: 49723  Destination IP: 162.88.193.70  Destination Port: 80
Process: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe

Timestamp: May 10, 2021 03:49:23.459640980 CEST  kBytes transferred: 1285  Direction: OUT
Data:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org

Timestamp: May 10, 2021 03:49:23.594830990 CEST  kBytes transferred: 1286  Direction: IN
Data:
  HTTP/1.1 200 OK
  Content-Type: text/html
  Server: DynDNS-CheckIP/1.0.1
  Connection: close
  Cache-Control: no-cache
  Pragma: no-cache
  Content-Length: 103
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.78</body></html>

HTTPS Packets

Timestamp: May 10, 2021 03:49:25.731893063 CEST
Source IP: 172.67.188.154  Source Port: 443  Dest IP: 192.168.2.3  Dest Port: 49726
Certificate chain presented by the server:
  Subject: CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US
  Issuer: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
  Not Before: Mon Aug 10 02:00:00 CEST 2020  Not After: Tue Aug 10 14:00:00 CEST 2021

  Subject: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
  Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
  Not Before: Mon Jan 27 13:48:08 CET 2020  Not After: Wed Jan 01 00:59:59 CET 2025
JA3 SSL Client Fingerprint: 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 54328bd36c14bd82ddaa0c04b25ed9ad

Code Manipulations

Statistics

Behavior


System Behavior

Analysis Process: SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe PID: 2476 Parent PID: 5568

General

Start time: 03:49:06
Start date: 10/05/2021
Path: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe'
Imagebase: 0x860000
File size: 3210240 bytes
MD5 hash: 2B2BE062BFD494717434723EA3664D75
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
  Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.229982048.00000000048B8000.00000004.00000001.sdmp, Author: Joe Security
  Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.229982048.00000000048B8000.00000004.00000001.sdmp, Author: Joe Security

Reputation: low

File Activities

File Created

C:\Users\user
  Access: read data or list directory | synchronize
  Attributes: device
  Options: directory file | synchronous io non alert | open for backup ident | open reparse point
  Completion: object name collision  Count: 1  Address: 6E14CF06  Symbol: unknown
C:\Users\user\AppData\Roaming
  Access: read data or list directory | synchronize
  Attributes: device
  Options: directory file | synchronous io non alert | open for backup ident | open reparse point
  Completion: object name collision  Count: 1  Address: 6E14CF06  Symbol: unknown
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe.log
  Access: read attributes | synchronize | generic write
  Attributes: device
  Options: synchronous io non alert | non directory file
  Completion: success or wait  Count: 1  Address: 6E45C78D  Symbol: CreateFileW

File Written

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe.log
  Offset: unknown  Length: 1039
  Ascii: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0
  Completion: success or wait  Count: 1  Address: 6E45C907  Symbol: WriteFile

File Read

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  Offset: unknown  Length: 4095  Completion: success or wait  Count: 1  Address: 6E125705  Symbol: unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  Offset: unknown  Length: 6135  Completion: success or wait  Count: 1  Address: 6E125705  Symbol: unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll.aux
  Offset: unknown  Length: 176  Completion: success or wait  Count: 1  Address: 6E0803DE  Symbol: ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  Offset: unknown  Length: 4095  Completion: success or wait  Count: 1  Address: 6E12CA54  Symbol: ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux
  Offset: unknown  Length: 900  Completion: success or wait  Count: 1  Address: 6E0803DE  Symbol: ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux
  Offset: unknown  Length: 620  Completion: success or wait  Count: 1  Address: 6E0803DE  Symbol: ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll.aux
  Offset: unknown  Length: 864  Completion: success or wait  Count: 1  Address: 6E0803DE  Symbol: ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll.aux
  Offset: unknown  Length: 748  Completion: success or wait  Count: 1  Address: 6E0803DE  Symbol: ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  Offset: unknown  Length: 4095  Completion: success or wait  Count: 1  Address: 6E125705  Symbol: unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  Offset: unknown  Length: 8171  Completion: end of file  Count: 1  Address: 6E125705  Symbol: unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  Offset: unknown  Length: 4096  Completion: success or wait  Count: 1  Address: 6CF91B4F  Symbol: ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  Offset: unknown  Length: 4096  Completion: end of file  Count: 1  Address: 6CF91B4F  Symbol: ReadFile

Analysis Process: SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe PID: 5296 Parent PID: 2476

General

Start time: 03:49:17
Start date: 10/05/2021
Path: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe
Imagebase: 0xde0000
File size: 3210240 bytes
MD5 hash: 2B2BE062BFD494717434723EA3664D75
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
  Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000002.00000002.461886305.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
  Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.461886305.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
  Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.465638797.0000000003431000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

File Activities

File Created

C:\Users\user
  Access: read data or list directory | synchronize
  Attributes: device
  Options: directory file | synchronous io non alert | open for backup ident | open reparse point
  Completion: object name collision  Count: 1  Address: 6E14CF06  Symbol: unknown
C:\Users\user\AppData\Roaming
  Access: read data or list directory | synchronize
  Attributes: device
  Options: directory file | synchronous io non alert | open for backup ident | open reparse point
  Completion: object name collision  Count: 1  Address: 6E14CF06  Symbol: unknown

File Deleted

C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\container.dat
  Completion: success or wait  Count: 1  Address: 6CF96A95  Symbol: DeleteFileW
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\deprecated.cookie
  Completion: success or wait  Count: 1  Address: 6CF96A95  Symbol: DeleteFileW
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
  Completion: success or wait  Count: 1  Address: 6CF96A95  Symbol: DeleteFileW

File Read

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  Offset: unknown  Length: 4095  Completion: success or wait  Count: 1  Address: 6E125705  Symbol: unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  Offset: unknown  Length: 6135  Completion: success or wait  Count: 1  Address: 6E125705  Symbol: unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll.aux
  Offset: unknown  Length: 176  Completion: success or wait  Count: 1  Address: 6E0803DE  Symbol: ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  Offset: unknown  Length: 4095  Completion: success or wait  Count: 1  Address: 6E12CA54  Symbol: ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux
  Offset: unknown  Length: 620  Completion: success or wait  Count: 1  Address: 6E0803DE  Symbol: ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux
  Offset: unknown  Length: 900  Completion: success or wait  Count: 1  Address: 6E0803DE  Symbol: ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll.aux
  Offset: unknown  Length: 864  Completion: success or wait  Count: 1  Address: 6E0803DE  Symbol: ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll.aux
  Offset: unknown  Length: 748  Completion: success or wait  Count: 1  Address: 6E0803DE  Symbol: ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  Offset: unknown  Length: 4095  Completion: success or wait  Count: 1  Address: 6E125705  Symbol: unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  Offset: unknown  Length: 8171  Completion: end of file  Count: 1  Address: 6E125705  Symbol: unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  Offset: unknown  Length: 4096  Completion: success or wait  Count: 1  Address: 6CF91B4F  Symbol: ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  Offset: unknown  Length: 4096  Completion: end of file  Count: 1  Address: 6CF91B4F  Symbol: ReadFile
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
  Offset: unknown  Length: 40960  Completion: success or wait  Count: 1  Address: 6CF91B4F  Symbol: ReadFile

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Disassembly

Code Analysis
