flash

DQxttu2Qrr.exe

Status: finished
Submission Time: 2022-12-09 10:37:12 +01:00
Malicious
Phishing
Trojan
Adware
Spyware
Evader
Amadey, Laplas Clipper, RedLine, SystemB

Tags

  • 32
  • ArkeiStealer
  • exe
  • trojan

Details

  • Analysis ID:
    764033
  • API (Web) ID:
    1131309
  • Analysis Started:
    2022-12-09 10:37:13 +01:00
  • Analysis Finished:
    2022-12-09 10:53:47 +01:00
  • MD5:
    7434b42e11380272961c92e061072e78
  • SHA1:
    a2dea715e33a860dc09d09b219db18831e6bb1a5
  • SHA256:
    9922432bfa7768bdfb6e8b079c90744c9f3d33a5a258a97abc8519f81a680e40
  • Technologies:

Verdict: malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211

Score: 100/100 (malicious)

21/26 (malicious)

IPs


URLs


Dropped files

  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\syncfiles[1].dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\advapi32.dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\nppshell[1].exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\jekppnay.tmp
    PE32+ executable (GUI) x86-64, for MS Windows
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\Emit64[1].exe
    PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\umciavi64[1].exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\umciavi32[1].exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\avicapn32[1].exe
    PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
  • C:\Users\user\AppData\Roaming\1000021000\umciavi32.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\1000019012\syncfiles.dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  • C:\Users\user\1000018002\avicapn32.exe
    PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
  • C:\ProgramData\61312899942613011832.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  • C:\Users\user\Locktime\RtkAudUService64.exe
    PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
  • C:\Windows\System32\drivers\etc\hosts
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe
    PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fzpuqn5z.g0g.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\minor[2].bin
    data
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yjjnzwnv.xjd.psm1
    very short file (no magic)
  • \Device\ConDrv
    ASCII text, with no line terminators
  • \Device\Mup\computer\PIPE\samr
    GLS_BINARY_LSB_FIRST
  • C:\Users\user\AppData\Local\Temp\853321935212
    JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
  • C:\ProgramData\11164286057916229991747962
    SQLite 3.x database, last written using SQLite version 3038005, file counter 17, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 17
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\resource[1].bin
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\library[1].bin
    data
  • C:\ProgramData\48205952313381291261104955
    SQLite 3.x database, last written using SQLite version 3038005, file counter 7, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 7
  • C:\ProgramData\44571614278734644827034568
    SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
  • C:\ProgramData\17061304525933759500214796
    SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
  • C:\ProgramData\14765269315554389947119608
    SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
  • C:\ProgramData\11693430970401306944494184
    SQLite 3.x database, last written using SQLite version 3038005, file counter 7, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 7