flash

q4Z52wRd28.exe

Status: finished
Submission Time: 2022-11-19 16:56:08 +01:00
Malicious
Phishing
Trojan
Spyware
Evader
Ursnif, Amadey, RedLine, SmokeLoader, Vi

Comments

Tags

  • exe
  • SmokeLoader

Details

  • Analysis ID:
    749948
  • API (Web) ID:
    1117237
  • Analysis Started:
    2022-11-19 16:56:08 +01:00
  • Analysis Finished:
    2022-11-19 17:12:25 +01:00
  • MD5:
    a687e1c326c9f03569bbfef53e21c315
  • SHA1:
    1993746a547c67807c1118501e1a7ff9261f7c8b
  • SHA256:
    8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74
  • Technologies:

Verdict: malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211

Scores (each rated malicious): 100/100, 23/72, 10/14, 22/25

IPs


Domains


URLs


Dropped files

Name / File type

  • C:\Users\user\AppData\Roaming\cttgcew:Zone.Identifier
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\cttgcew
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\A852.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\B4A7.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\CF35.exe
    PE32+ executable (GUI) x86-64, for MS Windows
  • C:\Users\user\AppData\Local\Temp\E35A.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\EB2B.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\F771.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • \Device\ConDrv
    ASCII text, with no line terminators
  • C:\ProgramData\07477506288530029273670714
    SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
  • C:\Users\user\AppData\Roaming\ghjhtic
    data
  • C:\Users\user\AppData\Local\Temp\prefix3648256442
    SQLite 3.x database, last written using SQLite version 3038005, file counter 17, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 17
  • C:\Users\user\AppData\Local\Temp\853321935212
    JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
  • C:\ProgramData\65329382289861898742549564
    SQLite 3.x database, last written using SQLite version 3038005, file counter 7, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 7
  • C:\ProgramData\45253720055769576867799735
    SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
  • C:\ProgramData\42917201296364153697665931
    SQLite 3.x database, last written using SQLite version 3038005, file counter 7, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 7
  • C:\ProgramData\39680000161077974836781923
    SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
  • C:\ProgramData\34118869306534953191217255
    SQLite 3.x database, last written using SQLite version 3038005, file counter 17, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 17