flash

S2XJ2wbz7u.exe

Status: finished
Submission Time: 2022-11-19 10:36:06 +01:00
Malicious
Trojan
Spyware
Evader
Ursnif, Amadey, RedLine, SmokeLoader, Vi

Tags

  • exe
  • RedLineStealer

Details

  • Analysis ID: 749806
  • API (Web) ID: 1117094
  • Analysis Started: 2022-11-19 10:36:06 +01:00
  • Analysis Finished: 2022-11-19 10:49:15 +01:00
  • MD5: ffb4cf34b38f126c917e1c1e1d26df73
  • SHA1: 36e558fdb10418aa971aea3f02d6ba1f4d566ed2
  • SHA256: 4a47fdbb09dd09ea813c0475d32f693cbbded09b3753def43179f91e1a8f8a55
  • Technologies:

Verdict: malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211

Verdict and score per report:

  • malicious, 100/100
  • malicious, 14/91
  • malicious, 10/14
  • malicious, 22/25
  • malicious
  • malicious

IPs


Domains


URLs


Dropped files
