
DYNAMIC ANALYSIS REPORT #2204689

Classifications: Downloader, Spyware
Verdict: MALICIOUS
Threat Names: -
Verdict Reason: -
Sample Type: Windows Exe (x86-32)
File Name: d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe
ID: #879501
MD5: 92d6baf79e990130a1db2175731d4e46
SHA1: db9efd2c26760ce555c1c31ca8d80d1731b26771
SHA256: d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9
File Size: 686.00 KB
Report Created: 2021-08-25 03:00 (UTC+2)
Target Environment: win10_64_th2_en_mso2016 | exe

X-Ray Vision for Malware - www.vmray.com 1 / 28

OVERVIEW

VMRay Threat Identifiers (13 rules, 40 matches)

Score 5/5 | Category: Data Collection | Operation: Tries to read cached credentials of various applications | Count: 1 | Classification: Spyware
• Tries to read sensitive data of: Torch, Opera, Comodo Dragon, Elements Browser, Vivaldi, BlackHawk, Chromium, Mozilla Thunderbird, ... ...gle Chrome, Mozilla Firefox, CocCoc, CentBrowser, Kometa, Cyberfox, Internet Explorer, Amigo, Epic Privacy Browser, Orbitum, Uran.

Score 3/5 | Category: Network Connection | Operation: Uses HTTP to upload a large amount of data. | Count: 1 | Classification: -
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe uploads 48.603KB data using HTTP POST.

Score 2/5 | Category: Data Collection | Operation: Reads sensitive browser data | Count: 18 | Classification: -
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Google Chrome" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Chromium" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Kometa" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Amigo" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Torch" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Orbitum" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Comodo Dragon" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Epic Privacy Browser" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Vivaldi" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "CocCoc" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Uran" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "CentBrowser" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Elements Browser" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Opera" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Mozilla Firefox" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Cyberfox" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "BlackHawk" by file.

Score 2/5 | Category: Data Collection | Operation: Reads sensitive mail data | Count: 1 | Classification: -
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of mail application "Mozilla Thunderbird" by file.

Score 2/5 | Category: Injection | Operation: Writes into the memory of a process started from a created or modified executable | Count: 1 | Classification: -
• (Process #1) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe modifies memory of (process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe.

Score 2/5 | Category: Injection | Operation: Modifies control flow of a process started from a created or modified executable | Count: 1 | Classification: -
• (Process #1) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe alters context of (process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe.

Score 1/5 | Category: Hide Tracks | Operation: Creates process with hidden window | Count: 2 | Classification: -
• (Process #1) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe starts (process #1) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe with a hidden window.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe starts (process #4) cmd.exe with a hidden window.

Score 1/5 | Category: Obfuscation | Operation: Reads from memory of another process | Count: 1 | Classification: -
• (Process #1) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe reads from (process #1) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe.

Score 1/5 | Category: Obfuscation | Operation: Creates a page with write and execute permissions | Count: 1 | Classification: -
• (Process #1) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.

Score 1/5 | Category: Discovery | Operation: Possibly does reconnaissance | Count: 4 | Classification: -
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to gather information about application "Mozilla Firefox" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to gather information about application "Cyberfox" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to gather information about application "blackHawk" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to gather information about application "icecat" by file.

Score 1/5 | Category: Execution | Operation: Executes itself | Count: 1 | Classification: -
• (Process #1) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe executes a copy of the sample at C:\Users\RDhJ0CNFevzX\Desktop\d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe.

Score 1/5 | Category: Network Connection | Operation: Downloads executable | Count: 7 | Classification: Downloader
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe downloads executable via http from ck7.mooo.com/6.jpg.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe downloads executable via http from ck7.mooo.com/1.jpg.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe downloads executable via http from ck7.mooo.com/2.jpg.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe downloads executable via http from ck7.mooo.com/3.jpg.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe downloads executable via http from ck7.mooo.com/4.jpg.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe downloads executable via http from ck7.mooo.com/5.jpg.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe downloads executable via http from ck7.mooo.com/7.jpg.

Score 1/5 | Category: Obfuscation | Operation: Resolves API functions dynamically | Count: 1 | Classification: -
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe resolves 74 API functions by name.

Score - | Category: Trusted | Operation: Known clean file | Count: 7 | Classification: -
• File "C:\\ProgramData\\softokn3.dll" is a known clean file.
• File "C:\\ProgramData\\sqlite3.dll" is a known clean file.
• File "C:\\ProgramData\\freebl3.dll" is a known clean file.
• File "C:\\ProgramData\\mozglue.dll" is a known clean file.
• File "C:\\ProgramData\\msvcp140.dll" is a known clean file.
• File "C:\\ProgramData\\nss3.dll" is a known clean file.
• File "C:\\ProgramData\\vcruntime140.dll" is a known clean file.

Score - | Category: Trusted | Operation: Executable has a trusted signature | Count: 4 | Classification: -
• Executable C:\\ProgramData\\softokn3.dll has a trusted signature.
• Executable C:\\ProgramData\\freebl3.dll has a trusted signature.
• Executable C:\\ProgramData\\mozglue.dll has a trusted signature.
• Executable C:\\ProgramData\\nss3.dll has a trusted signature.

Mitre ATT&CK Matrix

Initial Access: -
Execution: -
Persistence: -
Privilege Escalation: -
Defense Evasion: #T1143 Hidden Window; #T1045 Software Packing
Credential Access: #T1003 Credential Dumping; #T1081 Credentials in Files
Discovery: #T1083 File and Directory Discovery
Lateral Movement: #T1105 Remote File Copy
Collection: #T1119 Automated Collection; #T1005 Data from Local System
Exfiltration: #T1020 Automated Exfiltration
Command and Control: #T1071 Standard Application Layer Protocol; #T1105 Remote File Copy
Impact: -

Sample Information

ID: #879501
MD5: 92d6baf79e990130a1db2175731d4e46
SHA1: db9efd2c26760ce555c1c31ca8d80d1731b26771
SHA256: d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9
SSDeep: 12288:PsIi50Ynk0H5sQH0YDMr1se/fRlA6EiNxcBO3XF02kLxEz33n5+mEJqyOx4:PtiKY/OQUwekXCcBmF3WS3Jta7O4