DYNAMIC ANALYSIS REPORT #6226428
Classifications: Keylogger Spyware
MALICIOUS Threat Names: Phoenix
Verdict Reason: -
Sample Type Windows Exe (x86-32)
Sample Name payload_1.bin.exe
ID #2326827
MD5 b7c53f778e82c1594d8a1a27ebb65af0
SHA1 c9995a4bbc9df1bf7446ee85f28311399ec9763a
SHA256 d883e9f8dc3208233448681b3dc6bdc3c08d3eb1dc6c5efb84f720bc5dfa20a0
File Size 187.00 KB
Report Created 2021-05-31 13:03 (UTC+2)
Target Environment win10_64_th2_en_mso2016 | exe
X-Ray Vision for Malware - www.vmray.com 1 / 20 DYNAMIC ANALYSIS REPORT #6226428
OVERVIEW
VMRay Threat Identifiers (21 rules, 52 matches)
Score Category Operation Count Classification
5/5 YARA Malicious content matched by YARA rules 1 Keylogger, Spyware
• Rule "PhoenixKeylogger" from ruleset "Malware" has matched on the function strings for (process #2) payload_1.bin.exe.
5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware
• Tries to read sensitive data of: Pidgin, Comodo Dragon, Vivaldi, Google Chrome, Microsoft Outlook, 7Star, FileZilla, Opera, Chrome Canary, Epic Privacy Browser, CentBrowser, Orbitum, Sputnik, Chromium, Maple Studio, CocCoc, Uran, Kometa, Torch, Amigo, Chedot.
2/5 Anti Analysis Tries to detect virtual machine 8 -
• (Process #2) payload_1.bin.exe tries to detect "VMware" via file "c:\windows\syswow64\drivers\vmmouse.sys".
• (Process #2) payload_1.bin.exe tries to detect "VMware" via file "c:\windows\syswow64\drivers\vmmousever.dll".
• (Process #2) payload_1.bin.exe tries to detect "VirtualBox" via file "c:\windows\syswow64\drivers\vboxmouse.sys".
• (Process #2) payload_1.bin.exe tries to detect "VirtualBox" via file "c:\windows\syswow64\drivers\vboxguest.sys".
• (Process #2) payload_1.bin.exe tries to detect "VirtualBox" via file "c:\windows\syswow64\drivers\vboxsf.sys".
• (Process #2) payload_1.bin.exe tries to detect "VirtualBox" via file "c:\windows\syswow64\drivers\vboxvideo.sys".
• (Process #2) payload_1.bin.exe tries to detect "VirtualBox" via file "c:\windows\syswow64\vboxservice.exe".
• Multiple processes are possibly trying to detect a VM via rdtsc.
2/5 Data Collection Reads sensitive browser data 18 -
• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Google Chrome" by file.
• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Amigo" by file.
• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Kometa" by file.
• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "CocCoc" by file.
• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Orbitum" by file.
• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Vivaldi" by file.
• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Chromium" by file.
• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "CentBrowser" by file.
• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Chedot" by file.
• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Comodo Dragon" by file.
• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Torch" by file.
• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Epic Privacy Browser" by file.
• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Opera" by file.
• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Uran" by file.
• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "7Star" by file.
• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Chrome Canary" by file.
• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Maple Studio" by file.
• (Process #2) payload_1.bin.exe tries to read sensitive data of web browser "Sputnik" by file.
2/5 Data Collection Reads sensitive mail data 1 -
• (Process #2) payload_1.bin.exe tries to read sensitive data of mail application "Microsoft Outlook" by registry.
2/5 Data Collection Reads sensitive ftp data 1 -
• (Process #2) payload_1.bin.exe tries to read sensitive data of ftp application "FileZilla" by file.
2/5 Data Collection Reads sensitive application data 1 -
• (Process #2) payload_1.bin.exe tries to read sensitive data of application "Pidgin" by file.
2/5 Injection Writes into the memory of a process running from a created or modified executable 1 -
• (Process #1) payload_1.bin.exe modifies memory of (process #2) payload_1.bin.exe.
2/5 Injection Modifies control flow of a process running from a created or modified executable 1 -
• (Process #1) payload_1.bin.exe alters context of (process #2) payload_1.bin.exe.
1/5 Privilege Escalation Enables process privilege 2 -
• (Process #1) payload_1.bin.exe enables process privilege "SeDebugPrivilege".
• (Process #2) payload_1.bin.exe enables process privilege "SeDebugPrivilege".
1/5 Hide Tracks Creates process with hidden window 1 -
• (Process #1) payload_1.bin.exe starts (process #2) payload_1.bin.exe with a hidden window.
1/5 Discovery Enumerates running processes 1 -
• (Process #1) payload_1.bin.exe enumerates running processes.
1/5 Obfuscation Reads from memory of another process 1 -
• (Process #1) payload_1.bin.exe reads from (process #2) payload_1.bin.exe.
1/5 Obfuscation Creates a page with write and execute permissions 1 -
• (Process #1) payload_1.bin.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
1/5 Discovery Possibly does reconnaissance 3 -
• (Process #2) payload_1.bin.exe tries to gather information about application "Mozilla Firefox" by file.
• (Process #2) payload_1.bin.exe tries to gather information about application "FileZilla" by file.
• (Process #2) payload_1.bin.exe tries to gather information about application "Pidgin" by file.
1/5 Execution Executes itself 1 -
• (Process #1) payload_1.bin.exe executes a copy of the sample at c:\users\rdhj0cnfevzx\desktop\payload_1.bin.exe.
1/5 Network Connection Performs DNS request 3 -
• (Process #2) payload_1.bin.exe resolves host name "checkip.dyndns.org" to IP "162.88.193.70".
• (Process #2) payload_1.bin.exe resolves host name "freegeoip.app" to IP "104.21.19.200".
• (Process #2) payload_1.bin.exe resolves host name "nobetone.xyz" to IP "198.54.126.118".
1/5 Network Connection Connects to remote host 3 -
• (Process #2) payload_1.bin.exe opens an outgoing TCP connection to host "162.88.193.70:80".
• (Process #2) payload_1.bin.exe opens an outgoing TCP connection to host "198.54.126.118:587".
• (Process #2) payload_1.bin.exe opens an outgoing TCP connection to host "104.21.19.200:443".
1/5 Network Connection Tries to connect using an uncommon port 1 -
• (Process #2) payload_1.bin.exe tries to connect to TCP port 587 at 198.54.126.118.
1/5 YARA Content matched by YARA rules 1 -
• Rule "BabelObfuscatorAttributes" from ruleset "Generic" has matched on a memory dump for (process #2) payload_1.bin.exe.
1/5 Discovery Checks external IP address 1 -
• (Process #2) payload_1.bin.exe checks external IP by asking IP info service at "http://checkip.dyndns.org/".
Mitre ATT&CK Matrix
Tactics (matrix columns): Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
Technique Tactic
#T1143 Hidden Window Defense Evasion
#T1057 Process Discovery Discovery
#T1045 Software Packing Defense Evasion
#T1497 Virtualization/Sandbox Evasion Defense Evasion, Discovery
#T1083 File and Directory Discovery Discovery
#T1119 Automated Collection Collection
#T1081 Credentials in Files Credential Access
#T1005 Data from Local System Collection
#T1214 Credentials in Registry Credential Access
#T1012 Query Registry Discovery
#T1124 System Time Discovery Discovery
#T1065 Uncommonly Used Port Command and Control
#T1016 System Network Configuration Discovery Discovery
Sample Information
ID 6226428
MD5 b7c53f778e82c1594d8a1a27ebb65af0
SHA1 c9995a4bbc9df1bf7446ee85f28311399ec9763a
SHA256 d883e9f8dc3208233448681b3dc6bdc3c08d3eb1dc6c5efb84f720bc5dfa20a0
SSDeep 3072:18xByjBt7aYIwOQdseKpTK5X2QtM4L2hfmy1g2EEZ2OCWSxAERR5fYlfzRX:SqlYYqSwK5mb4Lumy1OjOCnfR4lb
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
Filename payload_1.bin.exe
File Size 187.00 KB
Sample Type Windows Exe (x86-32)
Has Macros
Analysis Information
Creation Time 2021-05-31 13:03 (UTC+2)
Analysis Duration 00:03:53
Termination Reason Timeout
Number of Monitored Processes 2
Execution Successful False
Reputation Analysis Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 0
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 2
NETWORK
General
9.18 KB total sent
13.58 KB total received
3 ports 80, 587, 443
4 contacted IP addresses
0 URLs extracted
0 files downloaded
0 malicious hosts detected
DNS
4 DNS requests for 3 domains
1 nameservers contacted
0 total requests returned errors
HTTP/S
1 URLs contacted, 2 servers
23 sessions, 6.01 KB sent, 12.50 KB received
DNS Requests
Type Hostname Response Code Resolved IPs CNames Verdict
A checkip.dyndns.org NoError 162.88.193.70, 131.186.161.70, 131.186.113.70, 216.146.43.71, 216.146.43.70 checkip.dyndns.com N/A
A freegeoip.app NoError 104.21.19.200, 172.67.188.154 N/A
A nobetone.xyz NoError 198.54.126.118 N/A
checkip.dyndns.org 162.88.193.70, 131.186.161.70, 131.186.113.70, 216.146.43.71, 216.146.43.70 N/A
HTTP Requests
Method URL Dest. IP Dest. Port Status Code Response Size Verdict
GET http://checkip.dyndns.org/ 0 bytes N/A
BEHAVIOR
Process Graph
#1 payload_1.bin.exe (Sample Start) -> #2 payload_1.bin.exe (Child Process); edges: Modify Memory, Modify Control Flow
Process #1: payload_1.bin.exe
ID 1
Filename c:\users\rdhj0cnfevzx\desktop\payload_1.bin.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\payload_1.bin.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 88886, Reason: Analysis Target
Unmonitor End Time End Time: 219096, Reason: Terminated
Monitor Duration 130.21s
Return Code 0
PID 3268
Parent PID 2132
Bitness 32 Bit
Dropped Files (1)
Filename File Size SHA256 YARA Match
C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\payload_1.bin.exe 187.00 KB d883e9f8dc3208233448681b3dc6bdc3c08d3eb1dc6c5efb84f720bc5dfa20a0
Host Behavior
Type Count
File 12
System 2346
User 1
Process 103
Module 23
Registry 6
- 3
- 7
Process #2: payload_1.bin.exe
ID 2
Filename c:\users\rdhj0cnfevzx\appdata\local\temp\payload_1.bin.exe
Command Line C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\payload_1.bin.exe
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 213780, Reason: Child Process
Unmonitor End Time End Time: 295346, Reason: Terminated by Timeout
Monitor Duration 81.57s
Return Code Unknown
PID 4004
Parent PID 3268
Bitness 32 Bit
Injection Information (6)
Injection Type Source Process Source / Target TID Address / Name Size Success Count
Modify Memory #1: c:\users\rdhj0cnfevzx\desktop\payload_1.bin.exe 0xcd8 0x400000(4194304) 0x200 1
Modify Memory #1: c:\users\rdhj0cnfevzx\desktop\payload_1.bin.exe 0xcd8 0x402000(4202496) 0x63e00 1
Modify Memory #1: c:\users\rdhj0cnfevzx\desktop\payload_1.bin.exe 0xcd8 0x466000(4612096) 0x600 1
Modify Memory #1: c:\users\rdhj0cnfevzx\desktop\payload_1.bin.exe 0xcd8 0x468000(4620288) 0x200 1
Modify Memory #1: c:\users\rdhj0cnfevzx\desktop\payload_1.bin.exe 0xcd8 0x3f4008(4145160) 0x4 1
Modify Control Flow #1: c:\users\rdhj0cnfevzx\desktop\payload_1.bin.exe 0xcd8 / 0x2f4 - 1
Host Behavior
Type Count
Environment 32
User 5
System 48
Registry 155
Module 11
File 132
- 77
Mutex 2
Window 3
Network Behavior
Type Count
HTTP 22
DNS 4
TCP 24
ARTIFACTS
File
SHA256 Filenames Category Filesize MIME Type Operations Verdict
d883e9f8dc3208233448681b3dc6bdc3c08d3eb1dc6c5efb84f720bc5dfa20a0 C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\payload_1.bin.exe, C:\Users\RDhJ0CNFevzX\Desktop\payload_1.bin.exe, C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrom\chrom.exe Sample File 187.00 KB application/vnd.microsoft.portable-executable Write, Create, Access MALICIOUS
Filename
Filename Category Operations Verdict
C:\Users\RDhJ0CNFevzX\Desktop\payload_1.bin.exe.config Accessed File Access CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\Desktop\payload_1.bin.exe Sample File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrom Accessed File Create, Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrom\chrom.exe Sample File Write, Create, Access CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Itself.exe Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\payload_1.bin.exe Sample File Write, Create, Access CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config Accessed File Read, Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\payload_1.bin.exe.config Accessed File Access CLEAN
C:\windows\System32\Drivers\Vmmouse.sys Accessed File Access CLEAN
C:\windows\System32\Drivers\vm3dgl.dll Accessed File Access CLEAN
C:\windows\System32\Drivers\vmtray.dll Accessed File Access CLEAN
C:\windows\System32\Drivers\VMToolsHook.dll Accessed File Access CLEAN
C:\windows\System32\Drivers\vmmousever.dll Accessed File Access CLEAN
C:\windows\System32\Drivers\VBoxMouse.sys Accessed File Access CLEAN
C:\windows\System32\Drivers\VBoxGuest.sys Accessed File Access CLEAN
C:\windows\System32\Drivers\VBoxSF.sys Accessed File Access CLEAN
C:\windows\System32\Drivers\VBoxVideo.sys Accessed File Access CLEAN
C:\windows\System32\vboxservice.exe Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCookies Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCookies\container.dat Accessed File Access, Delete CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Google\Chrome\User Data\Default\Cookies Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Mozilla\Firefox\Profiles Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Amigo\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Xpom\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Kometa\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Nichrome\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Google\Chrome\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\CocCoc\Browser\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Tencent\QQBrowser\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Orbitum\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Slimjet\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Iridium\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Vivaldi\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Chromium\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\GhostBrowser\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\CentBrowser\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Xvast\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Chedot\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\SuperBird\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\360Browser\Browser\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\360Chrome\Chrome\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Comodo\Dragon\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Torch\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\UCBrowser\User Data_i18n\Default\UC Login Data.18 Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Blisk\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Epic Privacy Browser\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Opera Software\Opera Stable\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Opera\Opera\profile\wand.dat Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\FileZilla\recentservers.xml Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\.purple\accounts.xml Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Liebao7\User Data\Default\EncryptedStorage Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\AVAST Software\Browser\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Kinza\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\BlackHawk\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\uCozMedia\Uran\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Coowon\Coowon\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\7Star\7Star\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\QIP Surf\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Google\Chrome SxS\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Sputnik\Sputnik\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\discord\Local Storage\leveldb\ Accessed File Access CLEAN
URL
URL Category IP Address Country HTTP Methods Verdict
http://checkip.dyndns.org 162.88.193.70 GET CLEAN
Domain
Domain IP Address Country Protocols Verdict
checkip.dyndns.org 131.186.113.70, 162.88.193.70, 216.146.43.71, 131.186.161.70, 216.146.43.70 DNS, HTTP CLEAN
checkip.dyndns.com 131.186.113.70, 162.88.193.70, 216.146.43.71, 131.186.161.70, 216.146.43.70 DNS CLEAN
freegeoip.app 104.21.19.200, 172.67.188.154 DNS CLEAN
nobetone.xyz 198.54.126.118 DNS CLEAN
IP
IP Address Domains Country Protocols Verdict
192.168.0.1 - UDP, DNS CLEAN
162.88.193.70 checkip.dyndns.org, checkip.dyndns.com United States HTTP, DNS, TCP CLEAN
198.54.126.118 nobetone.xyz United States DNS, TCP CLEAN
104.21.19.200 freegeoip.app United States HTTPS, DNS, TCP CLEAN
131.186.161.70 checkip.dyndns.org, checkip.dyndns.com United States DNS CLEAN
131.186.113.70 checkip.dyndns.org, checkip.dyndns.com United States DNS CLEAN
216.146.43.71 checkip.dyndns.org, checkip.dyndns.com United States DNS CLEAN
216.146.43.70 checkip.dyndns.org, checkip.dyndns.com United States DNS CLEAN
172.67.188.154 freegeoip.app United States DNS CLEAN
-
Email Address
-
Mutex
-
Registry
Registry Key Operations Parent Process Name Verdict
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup read, access, write payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup read, access, write payload_1.bin.exe CLEAN
HKEY_PERFORMANCE_DATA access payload_1.bin.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time access payload_1.bin.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\TZI read, access payload_1.bin.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST access payload_1.bin.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Display read, access payload_1.bin.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std read, access payload_1.bin.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Dlt read, access payload_1.bin.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion access payload_1.bin.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType read, access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections access payload_1.bin.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections access payload_1.bin.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings access payload_1.bin.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework access payload_1.bin.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\LegacyWPADSupport read, access payload_1.bin.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 access payload_1.bin.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind read, access payload_1.bin.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext access payload_1.bin.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto read, access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676 access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email read, access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\IMAP Password read, access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\POP3 Password read, access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\HTTP Password read, access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\SMTP Password read, access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email read, access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Password read, access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password read, access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP Password read, access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password read, access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Server read, access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email read, access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\IMAP Password read, access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\POP3 Password read, access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\HTTP Password read, access payload_1.bin.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Password read, access payload_1.bin.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Foxmail.url.mailto\Shell\open\command access payload_1.bin.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework access payload_1.bin.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting read, access payload_1.bin.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger read, access payload_1.bin.exe CLEAN
Process
Process Name Commandline Verdict
payload_1.bin.exe "C:\Users\RDhJ0CNFevzX\Desktop\payload_1.bin.exe" SUSPICIOUS
payload_1.bin.exe C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\payload_1.bin.exe SUSPICIOUS
YARA / AV
YARA (2)
Ruleset Name Rule Name Rule Description File Type Filename Classification Verdict
Malware PhoenixKeylogger Phoenix Keylogger Function Strings Function Strings function_strings_process_2.txt Keylogger, Spyware 5/5
Generic BabelObfuscatorAttributes Babel Obfuscator Attributes Memory Dump - 1/5
ENVIRONMENT
Virtual Machine Information
Name win10_64_th2_en_mso2016
Description win10_64_th2_en_mso2016
Architecture x86 64-bit
Operating System Windows 10 Threshold 2
Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Analyzer Information
Analyzer Version 4.1.1
Dynamic Engine Version 4.1.1 / 02/08/2021 15:19
Static Engine Version 1.6.0
Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (November 12, 2020)
Built-in AV Database Update 2021-05-31 07:11:28+00:00 Release Date
VTI Ruleset Version 3.8
YARA Built-in Ruleset Version 1.5
Analysis Report Layout Version 10
Software Information
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Internet Explorer Version 11.0.10586.0
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed