flash

file.exe

Status: finished
Submission Time: 2022-11-03 12:30:51 +01:00
Malicious
Ransomware
Trojan
Spyware
Evader
CryptOne, Djvu, RedLine, SmokeLoader, Vi

Comments

Tags

  • exe

Details

  • Analysis ID:
    736968
  • API (Web) ID:
    1104301
  • Analysis Started:
    2022-11-03 12:44:46 +01:00
  • Analysis Finished:
    2022-11-03 12:59:48 +01:00
  • MD5:
    4bb5c0ed18f4b7ae33ba272eae17abf2
  • SHA1:
    e0e02b31d3ad2e965d223ebe3451bd9c9e0385fa
  • SHA256:
    418d9b6e1fc560a80fd9f37e34bee51e79a371cfcc24eede84928b506cd918b6
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

malicious
26/72

malicious
13/26

malicious

IPs

IP Country Detection
185.174.137.70
Russian Federation
87.251.79.105
Russian Federation
185.220.204.64
Israel
Click to see the 5 hidden entries
193.106.191.15
Russian Federation
162.0.217.254
Canada
91.195.240.101
Germany
95.217.246.41
Germany
149.154.167.99
United Kingdom

Domains

Name IP Detection
o3l3roozuidudu.com
87.251.79.105
shingroup.com
185.220.204.64
o3b1wk8sfk74tf.com
87.251.79.105
Click to see the 7 hidden entries
t.me
149.154.167.99
o3npxslymcyfi2.com
87.251.79.105
api.2ip.ua
162.0.217.254
o36fafs3sn6xou.com
87.251.79.105
furubujjul.net
91.195.240.101
starvestitibo.org
193.106.191.15
o3zxuhcc4hl9mi.com
87.251.79.105

URLs

Name Detection
http://95.217.246.41/1752
78.153.144.3:2510
http://liubertiyyyul.net/
Click to see the 97 hidden entries
http://starvestitibo.org/Mozilla/5.0
http://guluiiiimnstra.net/
http://starvestitibo.org/
http://95.217.246.41/
http://185.174.137.70/s.exe
http://95.217.246.41:80/815243149147.zip
http://gulutina49org.org/
http://95.217.246.41:80/815243149147.zipz
http://95.217.246.41:80
http://stalnnuytyt.org/
http://nuluitnulo.me/
http://youyouumenia5.org/
http://hulimudulinu.net/
http://95.217.246.41/815243149147.zip
http://bururutu44org.org/
http://95.217.246.41/m
http://furubujjul.net/
http://nvulukuluir.net/
http://tempuri.org/Entity/Id10Response
http://tempuri.org/Entity/Id13
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
http://www.openssl.org/support/faq.html
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
http://tempuri.org/Entity/Id23Response
https://t.me/truemanshohttps://c.im/
https://search.yahoo.com?fr=crmas_sfpf
http://schemas.xmlsoap.org/soap/envelope/
https://t.me/
https://web.telegram.org
http://tempuri.org/Entity/Id19
http://ocsp.sectigo.com0
http://tempuri.org/Entity/Id8Response
http://schemas.xmlsoap.org/ws/2005/02/rm8D
https://sectigo.com/CPS0
http://tempuri.org/Entity/Id1
https://api.2ip.ua/geo.json
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
http://tempuri.org/Entity/Id22Response
http://tempuri.org/Entity/Id11Response
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
https://www.google.com/images/branding/product/ico/googleg_lodp.ico
http://tempuri.org/Entity/Id7Response
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
https://t.me/truemansho
http://www.sqlite.org/copyright.html.
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
http://tempuri.org/Entity/Id4Response
http://tempuri.org/Entity/Id13Response
http://95.217.27.155:80
http://tempuri.org/Entity/Id20Response
http://tempuri.org/Entity/Id17Response
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
http://tempuri.org/Entity/Id7
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
https://c.im/
http://tempuri.org/Entity/Id9Response
https://api.ip.sb/ip
http://www.autoitscript.com/autoit3/J
http://tempuri.org/Entity/Id6Response
http://tempuri.org/Entity/Id15Response
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
http://tempuri.org/Entity/Id19Response
http://tempuri.org/Entity/Id6
http://tempuri.org/Entity/Id20
http://tempuri.org/Entity/Id4
http://tempuri.org/Entity/Id5
http://tempuri.org/Entity/Id8
http://tempuri.org/Entity/Id9
http://tempuri.org/Entity/Id21Response
http://tempuri.org/Entity/Id2Response
http://tempuri.org/
http://95.217.27.155:80hello0bad
http://tempuri.org/Entity/Id12Response
https://duckduckgo.com/ac/?q=
http://schemas.xmlsoap.org/ws/2004/08/addressing
http://tempuri.org/Entity/Id18
http://tempuri.org/Entity/Id17
http://tempuri.org/Entity/Id16
http://tempuri.org/Entity/Id15
http://tempuri.org/Entity/Id14
https://duckduckgo.com/chrome_newtab
http://tempuri.org/Entity/Id16Response
http://tempuri.org/Entity/Id12
http://tempuri.org/Entity/Id11
http://tempuri.org/Entity/Id10
http://tempuri.org/Entity/Id5Response
http://tempuri.org/Entity/
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
http://tempuri.org/Entity/Id1Response
http://tempuri.org/Entity/Id24Response
http://tempuri.org/Entity/Id24
http://tempuri.org/Entity/Id23
http://tempuri.org/Entity/Id22
http://o365.217.246.41/
http://tempuri.org/Entity/Id21

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Roaming\uucbfdt:Zone.Identifier
ASCII text, with CRLF line terminators
#
C:\ProgramData\sqlite3.dll
PE32 executable (DLL) (console) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\37F1.exe
PE32 executable (GUI) Intel 80386, for MS Windows
#
Click to see the 30 hidden entries
C:\Users\user\AppData\Local\Temp\405E.exe
PE32 executable (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\45DE.exe
PE32 executable (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\49F6.exe
PE32 executable (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\509E.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\5487.exe
PE32 executable (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\5999.exe
PE32 executable (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Roaming\gecbfdt
PE32 executable (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Roaming\uucbfdt
PE32 executable (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\561C.tmp
SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
#
C:\Users\user\AppData\Roaming\bcvbehu
data
#
C:\Users\user\AppData\Local\Temp\3BBD.tmp
SQLite 3.x database, last written using SQLite version 3038005, file counter 11, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 11
#
C:\Users\user\AppData\Local\Temp\1C1E.tmp
SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFE0E.tmp.dmp
Mini DuMP crash report, 14 streams, Thu Nov 3 19:47:20 2022, 0x1205a4 type
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFE3E.tmp.WERInternalMetadata.xml
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
#
C:\ProgramData\00524103327335046441078177
SQLite 3.x database, last written using SQLite version 3038005, file counter 4, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 4
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREB51.tmp.dmp
Mini DuMP crash report, 14 streams, Thu Nov 3 19:47:15 2022, 0x1205a4 type
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER81B7.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER80EB.tmp.WERInternalMetadata.xml
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7AB0.tmp.dmp
Mini DuMP crash report, 14 streams, Thu Nov 3 19:47:48 2022, 0x1205a4 type
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C3.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER167A.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER14B4.tmp.WERInternalMetadata.xml
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_gecbfdt_c858373094792a63fea071725b1e5fecc55c13a_62df2180_159687c0\Report.wer
Unicode text, UTF-16, little-endian text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_49F6.exe_88d68c73c962642c5d81665eeb6ebaffc25a77e_490ff5e7_11c61f42\Report.wer
Unicode text, UTF-16, little-endian text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_45DE.exe_b3c36ad93160e4414e3ec698cedf29c8410ddb6_f9ff7ecc_14da9915\Report.wer
Unicode text, UTF-16, little-endian text, with CRLF line terminators
#
C:\ProgramData\58104588985205123450110019
SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
#
C:\ProgramData\52241653186896206030520942
SQLite 3.x database, last written using SQLite version 3038005, file counter 4, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 4
#
C:\ProgramData\48699315731429539716450555
SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
#
C:\ProgramData\44876058118800687391965244
SQLite 3.x database, last written using SQLite version 3038005, file counter 11, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 11
#
C:\ProgramData\28782868176069075816534615
SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
#