DYNAMIC ANALYSIS REPORT #6226428

Classifications: Keylogger Spyware

MALICIOUS Threat Names: Phoenix

Verdict Reason: -

Sample Type Windows Exe (x86-32)

Sample Name payload_1.bin.exe

ID #2326827

MD5 b7c53f778e82c1594d8a1a27ebb65af0

SHA1 c9995a4bbc9df1bf7446ee85f28311399ec9763a

SHA256 d883e9f8dc3208233448681b3dc6bdc3c08d3eb1dc6c5efb84f720bc5dfa20a0

File Size 187.00 KB

Report Created 2021-05-31 13:03 (UTC+2)

Target Environment win10_64_th2_en_mso2016 | exe

X-Ray Vision for Malware - www.vmray.com 1 / 20 DYNAMIC ANALYSIS REPORT #6226428

OVERVIEW

VMRay Threat Identifiers (21 rules, 52 matches)

Score Category Operation Count Classification

5/5 YARA Malicious content matched by YARA rules 1 Keylogger, Spyware

• Rule "PhoenixKeylogger" from ruleset "Malware" has matched on the function strings for (process #2) payload_1.bin.exe.

5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware

• Tries to read sensitive data of: Pidgin, , , , Microsoft Outlook, 7Star, FileZilla, , Chrome Canary, Privacy Browser, CentBrowser, Orbitum, Sputnik, , Maple Studio, CocCoc, Uran, Kometa, , Amigo, Chedot.

2/5 Anti Analysis Tries to detect virtual machine 8 -

• (Process #2) payload_1.bin.exe tries to detect "VMware" via file "c:\windows\syswow64\drivers\vmmouse.sys".

• (Process #2) payload_1.bin.exe tries to detect "VMware" via file "c:\windows\syswow64\drivers\vmmousever.dll".

• (Process #2) payload_1.bin.exe tries to detect "VirtualBox" via file "c:\windows\syswow64\drivers\vboxmouse.sys".

• (Process #2) payload_1.bin.exe tries to detect "VirtualBox" via file "c:\windows\syswow64\drivers\vboxguest.sys".

• (Process #2) payload_1.bin.exe tries to detect "VirtualBox" via file "c:\windows\syswow64\drivers\vboxsf.sys".

• (Process #2) payload_1.bin.exe tries to detect "VirtualBox" via file "c:\windows\syswow64\drivers\vboxvideo.sys".

• (Process #2) payload_1.bin.exe tries to detect "VirtualBox" via file "c:\windows\syswow64\vboxservice.exe".

• Multiple processes are possibly trying to detect a VM via rdtsc.

2/5 Data Collection Reads sensitive browser data 18 -

• (Process #2) payload_1.bin.exe tries to read sensitive data of "Google Chrome" by file.

• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Amigo" by file.

• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Kometa" by file.

• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "CocCoc" by file.

• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Orbitum" by file.

• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Vivaldi" by file.

• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Chromium" by file.

• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "CentBrowser" by file.

• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Chedot" by file.

• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Comodo Dragon" by file.

• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Torch" by file.

• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Epic Privacy Browser" by file.

• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Opera" by file.

• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Uran" by file.

• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "7Star" by file.

• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Chrome Canary" by file.

• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Maple Studio" by file.

• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Sputnik" by file.

2/5 Data Collection Reads sensitive mail data 1 -

• (Process #2) payload_1.bin.exe tries to read sensitive data of mail application "Microsoft Outlook" by registry.

2/5 Data Collection Reads sensitive ftp data 1 -

• (Process #2) payload_1.bin.exe tries to read sensitive data of ftp application "FileZilla" by file.

2/5 Data Collection Reads sensitive application data 1 -

• (Process #2) payload_1.bin.exe tries to read sensitive data of application "Pidgin" by file.


2/5 Injection Writes into the memory of a process running from a created or modified executable 1 -

• (Process #1) payload_1.bin.exe modifies memory of (process #2) payload_1.bin.exe.

2/5 Injection Modifies control of a process running from a created or modified executable 1 -

• (Process #1) payload_1.bin.exe alters context of (process #2) payload_1.bin.exe.

1/5 Privilege Escalation Enables process privilege 2 -

• (Process #1) payload_1.bin.exe enables process privilege "SeDebugPrivilege".

• (Process #2) payload_1.bin.exe enables process privilege "SeDebugPrivilege".

1/5 Hide Tracks Creates process with hidden window 1 -

• (Process #1) payload_1.bin.exe starts (process #2) payload_1.bin.exe with a hidden window.

1/5 Discovery Enumerates running processes 1 -

• (Process #1) payload_1.bin.exe enumerates running processes.

1/5 Obfuscation Reads from memory of another process 1 -

• (Process #1) payload_1.bin.exe reads from (process #2) payload_1.bin.exe.

1/5 Obfuscation Creates a page with write and execute permissions 1 -

• (Process #1) payload_1.bin.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.

1/5 Discovery Possibly does reconnaissance 3 -

• (Process #2) payload_1.bin.exe tries to gather information about application "Mozilla " by file.

• (Process #2) payload_1.bin.exe tries to gather information about application "FileZilla" by file.

• (Process #2) payload_1.bin.exe tries to gather information about application "Pidgin" by file.

1/5 Execution Executes itself 1 -

• (Process #1) payload_1.bin.exe executes a copy of the sample at c:\users\rdhj0cnfevzx\desktop\payload_1.bin.exe.

1/5 Network Connection Performs DNS request 3 -

• (Process #2) payload_1.bin.exe resolves host name "checkip.dyndns.org" to IP "162.88.193.70".

• (Process #2) payload_1.bin.exe resolves host name "freegeoip.app" to IP "104.21.19.200".

• (Process #2) payload_1.bin.exe resolves host name "nobetone.xyz" to IP "198.54.126.118".

1/5 Network Connection Connects to remote host 3 -

• (Process #2) payload_1.bin.exe opens an outgoing TCP connection to host "162.88.193.70:80".

• (Process #2) payload_1.bin.exe opens an outgoing TCP connection to host "198.54.126.118:587".

• (Process #2) payload_1.bin.exe opens an outgoing TCP connection to host "104.21.19.200:443".

1/5 Network Connection Tries to connect using an uncommon port 1 -

• (Process #2) payload_1.bin.exe tries to connect to TCP port 587 at 198.54.126.118.

1/5 YARA Content matched by YARA rules 1 -

• Rule "BabelObfuscatorAttributes" from ruleset "Generic" has matched on a memory dump for (process #2) payload_1.bin.exe.

1/5 Discovery Checks external IP address 1 -

• (Process #2) payload_1.bin.exe checks external IP by asking IP info service at "http://checkip.dyndns.org/".


Mitre ATT&CK Matrix

Tactic: Technique

Defense Evasion: #T1143 Hidden Window

Discovery: #T1057 Process Discovery

Defense Evasion: #T1045 Software Packing

Defense Evasion / Discovery: #T1497 Virtualization/Sandbox Evasion

Discovery: #T1083 File and Directory Discovery

Collection: #T1119 Automated Collection

Credential Access: #T1081 Credentials in Files

Collection: #T1005 Data from Local System

Credential Access: #T1214 Credentials in Registry

Discovery: #T1012 Query Registry

Discovery: #T1124 System Time Discovery

Command and Control: #T1065 Uncommonly Used Port

Discovery: #T1016 System Network Configuration Discovery


Sample Information

ID 6226428

MD5 b7c53f778e82c1594d8a1a27ebb65af0

SHA1 c9995a4bbc9df1bf7446ee85f28311399ec9763a

SHA256 d883e9f8dc3208233448681b3dc6bdc3c08d3eb1dc6c5efb84f720bc5dfa20a0

SSDeep 3072:18xByjBt7aYIwOQdseKpTK5X2QtM4L2hfmy1g2EEZ2OCWSxAERR5fYlfzRX:SqlYYqSwK5mb4Lumy1OjOCnfR4lb

ImpHash f34d5f2d4577ed6d9ceec516c1f5a744

Filename payload_1.bin.exe

File Size 187.00 KB

Sample Type Windows Exe (x86-32)

Has Macros

Analysis Information

Creation Time 2021-05-31 13:03 (UTC+2)

Analysis Duration 00:03:53

Termination Reason Timeout

Number of Monitored Processes 2

Execution Successful False

Reputation Analysis Enabled

WHOIS Enabled

Built-in AV Enabled

Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of AV Matches 0

YARA Enabled

YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of YARA Matches 2


NETWORK

General

9.18 KB total sent

13.58 KB total received

3 ports 80, 587, 443

4 contacted IP addresses

0 URLs extracted

0 files downloaded

0 malicious hosts detected

DNS

4 DNS requests for 3 domains

1 nameservers contacted

0 total requests returned errors

HTTP/S

1 URLs contacted, 2 servers

23 sessions, 6.01 KB sent, 12.50 KB received

DNS Requests

Type Hostname Response Code Resolved IPs CNames Verdict

A checkip.dyndns.org NoError 162.88.193.70, 131.186.161.70, 131.186.113.70, 216.146.43.71, 216.146.43.70 checkip.dyndns.com N/A

A freegeoip.app NoError 104.21.19.200, 172.67.188.154 N/A

A nobetone.xyz NoError 198.54.126.118 N/A

checkip.dyndns.org 162.88.193.70, 131.186.161.70, 131.186.113.70, 216.146.43.71, 216.146.43.70 N/A

HTTP Requests

Method URL Dest. IP Dest. Port Status Code Response Size Verdict

GET http://checkip.dyndns.org/ 0 bytes N/A


BEHAVIOR

Process Graph

[Process graph: Sample Start payload_1.bin.exe (#1) -> Child Process payload_1.bin.exe (#2); edges: Modify Memory, Modify Control Flow]


Process #1: payload_1.bin.exe

ID 1

Filename c:\users\rdhj0cnfevzx\desktop\payload_1.bin.exe

Command Line "C:\Users\RDhJ0CNFevzX\Desktop\payload_1.bin.exe"

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 88886, Reason: Analysis Target

Unmonitor End Time End Time: 219096, Reason: Terminated

Monitor Duration 130.21s

Return Code 0

PID 3268

Parent PID 2132

Bitness 32 Bit

Dropped Files (1)

Filename File Size SHA256 YARA Match

C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\payload_1.bin.exe 187.00 KB d883e9f8dc3208233448681b3dc6bdc3c08d3eb1dc6c5efb84f720bc5dfa20a0

Host Behavior

Type Count

File 12

System 2346

User 1

Process 103

Module 23

Registry 6

- 3

- 7


Process #2: payload_1.bin.exe

ID 2

Filename c:\users\rdhj0cnfevzx\appdata\local\temp\payload_1.bin.exe

Command Line C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\payload_1.bin.exe

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 213780, Reason: Child Process

Unmonitor End Time End Time: 295346, Reason: Terminated by Timeout

Monitor Duration 81.57s

Return Code Unknown

PID 4004

Parent PID 3268

Bitness 32 Bit

Injection Information (6)

Injection Type Source Process Source / Target TID Address / Name Size Success Count

#1: Modify Memory c:\users\rdhj0cnfevzx\desktop\payload_1.bin.exe 0xcd8 0x400000(4194304) 0x200 1

#1: Modify Memory c:\users\rdhj0cnfevzx\desktop\payload_1.bin.exe 0xcd8 0x402000(4202496) 0x63e00 1

#1: Modify Memory c:\users\rdhj0cnfevzx\desktop\payload_1.bin.exe 0xcd8 0x466000(4612096) 0x600 1

#1: Modify Memory c:\users\rdhj0cnfevzx\desktop\payload_1.bin.exe 0xcd8 0x468000(4620288) 0x200 1

#1: Modify Memory c:\users\rdhj0cnfevzx\desktop\payload_1.bin.exe 0xcd8 0x3f4008(4145160) 0x4 1

#1: Modify Control Flow c:\users\rdhj0cnfevzx\desktop\payload_1.bin.exe 0xcd8 / 0x2f4 - 1

Host Behavior

Type Count

Environment 32

User 5

System 48

Registry 155

Module 11

File 132

- 77

Mutex 2

Window 3

Network Behavior

Type Count

HTTP 22

DNS 4


TCP 24


ARTIFACTS

File

SHA256 Filenames Category Filesize MIME Type Operations Verdict

d883e9f8dc3208233448681b3dc6bdc3c08d3eb1dc6c5efb84f720bc5dfa20a0 C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\payload_1.bin.exe, C:\Users\RDhJ0CNFevzX\Desktop\payload_1.bin.exe, C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrom\chrom.exe Sample File 187.00 KB application/vnd.microsoft.portable-executable Write, Create, Access MALICIOUS

Filename

Filename Category Operations Verdict

C:\Users\RDhJ0CNFevzX\Desktop\payload_1.bin.exe.config Accessed File Access CLEAN

C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\Desktop\payload_1.bin.exe Sample File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrom Accessed File Create, Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrom\chrom.exe Sample File Write, Create, Access CLEAN

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Itself.exe Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\payload_1.bin.exe Sample File Write, Create, Access CLEAN

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config Accessed File Read, Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\payload_1.bin.exe.config Accessed File Access CLEAN

C:\windows\System32\Drivers\Vmmouse.sys Accessed File Access CLEAN

C:\windows\System32\Drivers\vm3dgl.dll Accessed File Access CLEAN

C:\windows\System32\Drivers\vmtray.dll Accessed File Access CLEAN

C:\windows\System32\Drivers\VMToolsHook.dll Accessed File Access CLEAN

C:\windows\System32\Drivers\vmmousever.dll Accessed File Access CLEAN

C:\windows\System32\Drivers\VBoxMouse.sys Accessed File Access CLEAN

C:\windows\System32\Drivers\VBoxGuest.sys Accessed File Access CLEAN

C:\windows\System32\Drivers\VBoxSF.sys Accessed File Access CLEAN

C:\windows\System32\Drivers\VBoxVideo.sys Accessed File Access CLEAN


C:\windows\System32\vboxservice.exe Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCookies Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCookies\container.dat Accessed File Access, Delete CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Google\Chrome\User Data\Default\Cookies Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\Mozilla\Firefox\Profiles Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Amigo\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Xpom\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Kometa\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Nichrome\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Google\Chrome\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\CocCoc\Browser\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Tencent\QQBrowser\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Orbitum\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Slimjet\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Iridium\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Vivaldi\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Chromium\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Ghost Browser\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\CentBrowser\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Xvast\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Chedot\User Data\Default\Login Data Accessed File Access CLEAN


C:\Users\RDhJ0CNFevzX\AppData\Local\Super Bird\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\360Browser\Browser\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\360Chrome\Chrome\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Comodo\Dragon\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\ Software\Brave-Browser\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Torch\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\UCBrowser\User Data_i18n\Default\UC Login Data.18 Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Epic Privacy Browser\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\Opera Software\Opera Stable\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\Opera\Opera\profile\wand.dat Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\FileZilla\recentservers. Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\.purple\accounts.xml Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Liebao7\User Data\Default\EncryptedStorage Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\AVAST Software\Browser\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Kinza\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Black Hawk\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\CatalinaGroup\\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\uCoz Media\Uran\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Coowon\Coowon\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\7Star\7Star\User Data\Default\Login Data Accessed File Access CLEAN


C:\Users\RDhJ0CNFevzX\AppData\Local\QIP\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Google\Chrome SxS\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Sputnik\Sputnik\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\discord\Local Storage\leveldb\ Accessed File Access CLEAN

URL

URL Category IP Address Country HTTP Methods Verdict

http://checkip.dyndns.org 162.88.193.70 GET CLEAN

Domain

Domain IP Address Country Protocols Verdict

checkip.dyndns.org 131.186.113.70, 162.88.193.70, 216.146.43.71, 131.186.161.70, 216.146.43.70 DNS, HTTP CLEAN

checkip.dyndns.com 131.186.113.70, 162.88.193.70, 216.146.43.71, 131.186.161.70, 216.146.43.70 DNS CLEAN

freegeoip.app 104.21.19.200, 172.67.188.154 DNS CLEAN

nobetone.xyz 198.54.126.118 DNS CLEAN

IP

IP Address Domains Country Protocols Verdict

192.168.0.1 - UDP, DNS CLEAN

162.88.193.70 checkip.dyndns.org, checkip.dyndns.com United States HTTP, DNS, TCP CLEAN

198.54.126.118 nobetone.xyz United States DNS, TCP CLEAN

104.21.19.200 freegeoip.app United States HTTPS, DNS, TCP CLEAN

131.186.161.70 checkip.dyndns.org, checkip.dyndns.com United States DNS CLEAN

131.186.113.70 checkip.dyndns.org, checkip.dyndns.com United States DNS CLEAN

216.146.43.71 checkip.dyndns.org, checkip.dyndns.com United States DNS CLEAN

216.146.43.70 checkip.dyndns.org, checkip.dyndns.com United States DNS CLEAN

172.67.188.154 freegeoip.app United States DNS CLEAN


Email

-

Email Address

-

Mutex

-

Registry

Registry Key Operations Parent Process Name Verdict

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup read, access, write payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup read, access, write payload_1.bin.exe CLEAN

HKEY_PERFORMANCE_DATA access payload_1.bin.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time access payload_1.bin.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\TZI read, access payload_1.bin.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST access payload_1.bin.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Display read, access payload_1.bin.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std read, access payload_1.bin.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Dlt read, access payload_1.bin.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion access payload_1.bin.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType read, access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections access payload_1.bin.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections access payload_1.bin.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings access payload_1.bin.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework access payload_1.bin.exe CLEAN


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\LegacyWPADSupport read, access payload_1.bin.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 access payload_1.bin.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind read, access payload_1.bin.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext access payload_1.bin.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto read, access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676 access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email read, access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\IMAP Password read, access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\POP3 Password read, access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\HTTP Password read, access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\SMTP Password read, access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email read, access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Password read, access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password read, access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP Password read, access payload_1.bin.exe CLEAN


HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password read, access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Server read, access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email read, access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\IMAP Password read, access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\POP3 Password read, access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\HTTP Password read, access payload_1.bin.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Password read, access payload_1.bin.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Foxmail.url.mailto\Shell\open\command access payload_1.bin.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework access payload_1.bin.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting read, access payload_1.bin.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger read, access payload_1.bin.exe CLEAN

Process

Process Name Commandline Verdict

payload_1.bin.exe "C:\Users\RDhJ0CNFevzX\Desktop\payload_1.bin.exe" SUSPICIOUS

payload_1.bin.exe C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\payload_1.bin.exe SUSPICIOUS


YARA / AV

YARA (2)

Ruleset Name Rule Name Rule Description File Type Filename Classification Verdict

Malware PhoenixKeylogger Phoenix Keylogger Function Strings function_strings_process_2.txt Keylogger, Spyware 5/5

Generic BabelObfuscatorAttributes Babel Obfuscator Attributes Memory Dump - - 1/5


ENVIRONMENT

Virtual Machine Information

Name win10_64_th2_en_mso2016

Description win10_64_th2_en_mso2016

Architecture x86 64-bit

Operating System Windows 10 Threshold 2

Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)

Network Scheme Name Local Gateway

Network Config Name Local Gateway

Analyzer Information

Analyzer Version 4.1.1

Dynamic Engine Version 4.1.1 / 02/08/2021 15:19

Static Engine Version 1.6.0

Built-in AV Version AVCORE v2.2 /x86_64 11.0.1.19 (November 12, 2020)

Built-in AV Database Update Release Date 2021-05-31 07:11:28+00:00

VTI Ruleset Version 3.8

YARA Built-in Ruleset Version 1.5

Analysis Report Layout Version 10

Software Information

Adobe Acrobat Reader Version Not installed

Microsoft Office 2016

Microsoft Office Version 16.0.4266.1003

Internet Explorer Version 11.0.10586.0

Chrome Version Not installed

Firefox Version Not installed

Flash Version Not installed

Java Version Not installed
