S2XJ2wbz7u.exe

Status: finished

Submission Time: 2022-11-19 10:36:06 +01:00

Malicious

Trojan

Spyware

Evader

Ursnif, Amadey, RedLine, SmokeLoader, Vi

Comments

Details

Analysis ID:
749806
API (Web) ID:
1117094
Analysis Started:

2022-11-19 10:36:06 +01:00
Analysis Finished:

2022-11-19 10:49:15 +01:00
MD5:
ffb4cf34b38f126c917e1c1e1d26df73
SHA1:
36e558fdb10418aa971aea3f02d6ba1f4d566ed2
SHA256:
4a47fdbb09dd09ea813c0475d32f693cbbded09b3753def43179f91e1a8f8a55
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

Open Full Report

malicious

Score: 14/91

Open Full Report

malicious

Score: 10/14

malicious

Score: 22/25

malicious

IPs

IP	Country	Detection
195.96.151.53	unknown
193.56.146.168	unknown
45.154.253.151	Sweden
Click to see the 18 hidden entries
46.252.148.24	Italy
77.232.37.228	Russian Federation
185.199.108.133	Netherlands
89.208.107.216	Russian Federation
108.167.141.212	United States
195.96.151.51	unknown
43.231.112.109	Mongolia
144.76.136.153	Germany
149.154.167.99	United Kingdom
52.217.206.73	United States
104.192.141.1	United States
116.202.5.101	Germany
148.251.234.93	Germany
195.216.243.155	United Kingdom
162.159.133.233	United States
193.56.146.174	unknown
140.82.121.4	United States
140.82.121.3	United States

Domains

Name	IP	Detection
lentaphoto.at	0.0.0.0
2w3ke1f81kujb1erhj396kfejh2wgw.kgpoaj9k4sgjd4aitghsrtuxhq	0.0.0.0
raw.githubusercontent.com	185.199.108.133
Click to see the 20 hidden entries
cdn-104.anonfiles.com	195.96.151.53
o36fafs3sn6xou.com	77.232.37.228
anonfiles.com	45.154.253.151
hoteldostyk.com	43.231.112.109
cdn-102.anonfiles.com	195.96.151.51
1ecosolution.it	46.252.148.24
srshf.com	108.167.141.212
iplogger.com	148.251.234.93
www.youtube.com	0.0.0.0
bbuseruploads.s3.amazonaws.com	0.0.0.0
windowsupdatebg.s.llnwi.net	178.79.225.0
transfer.sh	144.76.136.153
youtube-ui.l.google.com	172.217.168.14
s3-w.us-east-1.amazonaws.com	52.217.206.73
svedbergbryanthusnonarithmetical.com	84.21.172.142
cdn.discordapp.com	162.159.133.233
t.me	149.154.167.99
github.com	140.82.121.4
u.to	195.216.243.155
bitbucket.org	104.192.141.1

URLs

Name	Detection
http://91.213.50.70/Wavafursq.jpeg
http://o3b1wk8sfk74tf.com/
http://91.213.50.70/Wavafursq.jpeg&BKl:
Click to see the 97 hidden entries
http://o3npxslymcyfi2.com/
http://o3l3roozuidudu.com/
https://www.tiktok.com/@user6068972597711
http://o36fafs3sn6xou.com/Mozilla/5.0
http://193.56.146.168/mia/solt.exe
http://tempuri.org/Entity/Id22Response(5
http://tempuri.org/Entity/Id5Response
https://t.me/deadftx
http://193.56.146.174/
http://www.jiyu-kobo.co.jp/c
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
http://www.fontbureau.comol
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
http://tempuri.org/Entity/Id4(5
http://schemas.xmlsoap.org/ws/2004/08/addressing
http://www.jiyu-kobo.co.jp/u
http://tempuri.org/Entity/Id1Response(5
http://svedbergbryanthusnonarithmetical.com/
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
http://www.carterandcone.coml
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
http://tempuri.org/Entity/Id24Response
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
http://www.jiyu-kobo.co.jp/G
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
https://support.google.com/chrome/answer/111996?visit_id=637962485686793996-3320600880&p=update_erro
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
http://193.56.146.174/U8eZkQ0Y1ZtSx2oLs
http://www.typography.netD
http://schemas.xmlsoap.org/ws/2004/06/addressingex
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
http://fontfabrik.com
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
https://cdn-102.anonfiles.com/p8DdCeH9yd/c1844f86-1668548628/TELEGRAM.exe
http://www.founder.com.cn/cn/bThe
https://t.me/deadftxhttps://www.tiktok.com/
http://193.56.146.174/g84kvj4jck/Plugins/cred64.dlltE
http://tempuri.org/Entity/Id8Response
https://www.google.com/intl/en_uk/chrome/
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
http://tempuri.org/Entity/Id10Response
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
http://tempuri.org/
http://193.56.146.174/g84kvj4jck/index.php?scr=1
https://raw.githubusercontent.com/decoder1989/Wallet/main/Crypted.exe
https://iplogger.com/2bibu4
https://support.google.com/chrome/answer/6315198?product=
http://tempuri.org/Entity/Id4Sy(5
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
http://tempuri.org/Entity/Id21Response
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
http://www.fontbureau.com/designers
http://tempuri.org/Entity/Id2Response
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
http://svedbergbryanthusnonarithmetical.com/v6/yoae.php?dfkt=6
https://www.google.com/intl/en_uk/chrome/https://www.google.com/intl/en_uk/chrome/https://www.google
http://193.56.146.174/g84kvj4jck/Plugins/cred64.dllming
http://tempuri.org/Entity/Id12Response
http://116.202.5.101:80
https://duckduckgo.com/ac/?q=
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
http://193.56.146.174/g84kvj4jck/index.phpIM
https://duckduckgo.com/chrome_newtab
http://schemas.xmlsoap.org/ws/2005/02/sc/sct
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
https://support.google.com/chrome?p=update_error
http://2w3.56.146.174/g84kvj4jck/index.php
https://bitbucket.org/globallinstall/updatenow1.3.5/downloads/downloadsupdated.now-1.3.5.exe
https://api.ip.sb/ip
http://www.autoitscript.com/autoit3/J
https://www.google.com/intl/en_uk/chrome/Google
http://www.jiyu-kobo.co.jp/Y
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://schemas.xmlsoap.org/ws/2005/02/rm8D;
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
http://www.zhongyicts.com.cn
http://tempuri.org/Entity/Id15Response
http://www.galapagosdesign.com/DPlease
http://schemas.xmlsoap.org/ws/2004/10/wsat
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
http://193.56.146.174/g84kvj4jck/index.php)M
http://193.56.146.174/g84kvj4jck/index.php?scr=1kvj4jck/index.php

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Local\Temp\2B4A.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\8C00.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\86EE.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
Click to see the 24 hidden entries
C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\816F.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\6CEC.exe	PE32 executable (console) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\6644.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\59FE.exe	PE32+ executable (GUI) x86-64, for MS Windows	#
C:\Users\user\AppData\Local\Temp\453D.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\3790.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Roaming\tiddsjj	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Roaming\tiddsjj:Zone.Identifier	ASCII text, with CRLF line terminators	#
\Device\ConDrv	ASCII text, with no line terminators	#
C:\Users\user\AppData\Roaming\PingboardCache\argq.exe	PE32 executable (console) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Roaming\PingboardCache\wpiq.zip	Zip archive data, at least v2.0 to extract, compression method=deflate	#
C:\Users\user\AppData\Roaming\fgrijii	data	#
C:\ProgramData\41479232570897308364731578	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4	#
C:\Users\user\AppData\Local\Temp\853321935212	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\argq[1].exe	PE32 executable (console) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\wpiq[1].zip	Zip archive data, at least v2.0 to extract, compression method=deflate	#
C:\ProgramData\95786452850497366982696300	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2	#
C:\ProgramData\94088433411392910584223625	SQLite 3.x database, last written using SQLite version 3038005, file counter 7, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 7	#
C:\ProgramData\84206842141166370440363339	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4	#
C:\ProgramData\42863426655515339578900088	SQLite 3.x database, last written using SQLite version 3038005, file counter 17, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 17	#
C:\ProgramData\41578002959771932956378793	SQLite 3.x database, last written using SQLite version 3038005, file counter 7, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 7	#

S2XJ2wbz7u.exe

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

S2XJ2wbz7u.exe Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

S2XJ2wbz7u.exe