magicline4nx_setup.exe

Status: finished

Submission Time: 2022-11-28 15:21:57 +01:00

Malicious

Phishing

Trojan

Spyware

Exploiter

Evader

GuLoader, UACMe

Comments

Details

Analysis ID:
755310
API (Web) ID:
1122586
Analysis Started:

2022-11-28 15:21:58 +01:00
Analysis Finished:

2022-11-28 15:34:09 +01:00
MD5:
7cec32c04fdae116ab0f7f4fd8372abd
SHA1:
8b87b2536fc29ced5a2a242bf0ae1d9d3b5b2d2b
SHA256:
aee4831c12dc0cb1c46544cb2319f018d9f16c7a23592008a580a7a605e7ca1f
Technologies:

Engines
IOCs

Full Report	Management Report	IOC Report	Engine	Info	Verdict	Score	Reports
				System: Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 91, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)		90/100

URLs

Name	Detection
https://dynamic.t
https://dev.virtualearth.net/REST/v1/Transit/Stops/
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Click to see the 61 hidden entries
http://crl.rootca1.amazontrust.com/rootca1.crl0
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
http://ocsp.rootca1.amazontrust.com0:
http://nsis.sf.net/NSIS_ErrorError
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
https://%s.xboxlive.com
https://dev.virtualearth.net/REST/v1/Locations
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
https://dev.virtualearth.net/mapcontrol/logging.ashx
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
http://nsis.sf.net/NSIS_Error
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
https://www.thawte.com/cps0/
http://www.ubikey.co.kr/infovine/download.html
https://www.thawte.com/repository0W
https://dev.virtualearth.net/REST/v1/Routes/Transit
http://crt.rootca1.amazontrust.com/rootca1.cer0?
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
https://dev.ditu.live.com/REST/v1/Transit/Schedules/
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
https://activity.windows.com
https://dev.ditu.live.com/REST/v1/Locations
http://pcro.mobilesign.net/mini_cert_install.html679865F99D3C364AE1795B826BF546FAB3AC7343
https://%s.dnet.xboxlive.com
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
https://dev.virtualearth.net/REST/v1/Transit/Schedules/
https://dev.ditu.live.com/REST/v1/Routes/
http://rootca.kisa.or.kr/kor/hsm/hsm.jsp
https://dev.virtualearth.net/REST/v1/Routes/Driving
http://www.openssl.org/V
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
https://t0.tiles.ditu.live.com/tiles/gen
https://dev.virtualearth.net/REST/v1/Routes/Walking
https://mobi.yessign.or.kr/mobisignInstall.htm
http://ids.smartcert.kr
http://www.openssl.org/support/faq.html
https://dev.ditu.live.com/mapcontrol/logging.ashx
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
http://pcro.mobilesign.net/mini_cert_install.html
http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
http://crl.thawte.com/ThawteTimestampingCA.crl0
https://activity.windows.comds
http://www.ubikey.co.kr/infovine/download.html1.4.0.2609100003www.dreamsecurity.comcenter.smartcert.
https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=
http://www.bingmapsportal.com
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
http://cps.root-x1.letsencrypt.org0
http://rootca.kisa.or.kr/kor/hsm/hsm.jspPKCS#11.DriverDriver
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
https://mobi.yessign.or.kr/mobisignInstall.htmsiteCode6070059serviceOptubikeyUbikeylParamUbikeyWPara
https://dev.ditu.live.com/REST/v1/Transit/Stops/
http://ocsp.thawte.com0
https://dev.virtualearth.net/REST/v1/Routes/
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\cert8.db	Berkeley DB 1.85 (Hash, version 2, native byte-order)	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	PE32 executable (console) Intel 80386, for MS Windows	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\CertManager.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
Click to see the 54 hidden entries
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\key4.db-journal	SQLite Rollback Journal	#
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\key4.db	SQLite 3.x database, last written using SQLite version 3010002, page size 32768, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3	#
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\cert9.db-journal	SQLite Rollback Journal	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe.hmac	data	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	PE32 executable (console) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\cert9.db	SQLite 3.x database, last written using SQLite version 3010002, page size 32768, file counter 7, database pages 7, cookie 0x5, schema 4, UTF-8, version-valid-for 7	#
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\secmod.db	Berkeley DB 1.85 (Hash, version 2, native byte-order)	#
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\key3.db	Berkeley DB 1.85 (Hash, version 2, native byte-order)	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe	PE32 executable (console) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\DreamSecurity\MagicLine4NX\logs\install-202211281523.log	ISO-8859 text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\NsisUtil.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\DumpLog.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\KillProcDLL.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\libeay32.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\ssleay32.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\nsldap32v50.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\mlnp_dreamsecurity_com.ca-bundle	PEM certificate	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\smime3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\nsExec.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\nsProcess.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\version.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MagicLine4NX\MagicLine4NX.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Mon Mar 29 10:06:58 2021, mtime=Mon Nov 28 13:22:36 2022, atime=Mon Mar 29 10:06:58 2021, length=3753952, (…)	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MagicLine4NX\Uninstall.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Mon Nov 28 13:22:36 2022, mtime=Mon Nov 28 13:22:36 2022, atime=Mon Nov 28 13:22:36 2022, length=113488, (…)	#
C:\Windows\Logs\waasmedic\waasmedic.20221128_142248_759.etl	data	#
C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp	Unicode text, UTF-8 (with BOM) text	#
C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\L.user.cdp	Unicode text, UTF-8 (with BOM) text	#
\Device\ConDrv	ASCII text, with CRLF line terminators	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\freebl3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\DSCToolkitV30-v3.4.2.20.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\ENG.ini	ISO-8859 text, with CRLF line terminators	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\Images\Logo.bmp	PC bitmap, Windows 3.x format, 369 x 73 x 16, image size 54022, resolution 3779 x 3779 px/m, cbSize 54076, bits offset 54	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\IssuerOid.conf	ISO-8859 text, with CRLF line terminators	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\IssuerOid_Eng.conf	ASCII text	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\KOR.ini	Generic INItialization configuration [Message]	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicCrypto32V21.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX_Uninstall.exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefox.vbs	ASCII text, with CRLF line terminators	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefoxCheck.vbs	ASCII text, with CRLF line terminators	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der	Certificate, Version=3 Certificate, Version=01	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity.com.der	Certificate, Version=3, Serial=009e5343085f93b442, not-valid-before=2015-09-03 04:11:52 GMT, not-valid-after=2035-08-28 04:11:52 GMT	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\httptx.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\libnspr4.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\libplc4.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\libplds4.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nspr4.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nss3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nssdbm3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nssutil3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\plc4.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\plds4.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\softokn3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\sqlite3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#

magicline4nx_setup.exe

Comments

Tags

Available tags:

Details

URLs

Dropped files

magicline4nx_setup.exe Options

Comments

Tags

Available tags:

Details

URLs

Dropped files

Search started

Yara Super Rule creation started

magicline4nx_setup.exe