Source: unpacked_1648556.bin.exe |
Avira: detected |
Source: https://certifacto.com/R |
Avira URL Cloud: Label: phishing |
Source: https://certifacto.com/ |
Avira URL Cloud: Label: phishing |
Source: https://certifacto.com/photo.png?id=01B677C698EC38846700FF0000000000000000XHM |
Avira URL Cloud: Label: phishing |
Source: https://certifacto.com/photo.png?id=01B677C698EC38846700FF0000000000000000 |
Avira URL Cloud: Label: phishing |
Source: certifacto.com |
Virustotal: Detection: 14% |
Source: https://cowspidzu.pro/ |
Virustotal: Detection: 5% |
Source: bladisuka.red |
Virustotal: Detection: 7% |
Source: https://certifacto.com/ |
Virustotal: Detection: 16% |
Source: https://bladisuka.red/ |
Virustotal: Detection: 10% |
Source: unpacked_1648556.bin.exe |
Virustotal: Detection: 67% |
Source: unpacked_1648556.bin.exe |
ReversingLabs: Detection: 57% |
Source: Yara match |
File source: unpacked_1648556.bin.exe, type: SAMPLE |
Source: Yara match |
File source: 0.2.unpacked_1648556.bin.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.unpacked_1648556.bin.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.3304323010.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000000.2055305505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: unpacked_1648556.bin.exe |
Joe Sandbox ML: detected |
Source: unpacked_1648556.bin.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: unknown |
DNS traffic detected: query: muratinue.com replaycode: Name error (3) |
Source: unknown |
DNS traffic detected: query: certifacto.com replaycode: Name error (3) |
Source: unknown |
DNS traffic detected: query: bladisuka.red replaycode: Name error (3) |
Source: unknown |
DNS traffic detected: query: cowspidzu.pro replaycode: Name error (3) |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
DNS traffic detected: queries for: certifacto.com |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://bladisuka.red/ |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://bladisuka.red/R |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://bladisuka.red/photo.png?id=01B677C698EC38846700FF0000000000000000 |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://bladisuka.red/photo.png?id=01B677C698EC38846700FF0000000000000000% |
Source: unpacked_1648556.bin.exe, 00000000.00000002.3304500733.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.3300283554.00000000004F4000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://bladisuka.red/photo.png?id=01B677C698EC38846700FF0000000000000000= |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2685214695.00000000004BE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://certifacto.com/ |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2685214695.00000000004BE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://certifacto.com/R |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2685214695.00000000004BE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://certifacto.com/photo.png?id=01B677C698EC38846700FF0000000000000000 |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2685214695.00000000004BE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://certifacto.com/photo.png?id=01B677C698EC38846700FF0000000000000000XHM |
Source: unpacked_1648556.bin.exe, 00000000.00000002.3304451196.00000000004B8000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cowspidzu.pro/ |
Source: unpacked_1648556.bin.exe, 00000000.00000003.3300199442.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000002.3304451196.00000000004B8000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cowspidzu.pro/photo.png?id=01B677C698EC38846700FF0000000000000000 |
Source: unpacked_1648556.bin.exe, 00000000.00000002.3304500733.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.3300283554.00000000004F4000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cowspidzu.pro/photo.png?id=01B677C698EC38846700FF0000000000000000& |
Source: unpacked_1648556.bin.exe, 00000000.00000002.3304500733.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.3300283554.00000000004F4000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cowspidzu.pro/photo.png?id=01B677C698EC38846700FF0000000000000000l |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004CA000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://muratinue.com/ |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://muratinue.com/R |
Source: unpacked_1648556.bin.exe, 00000000.00000003.3300283554.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.3300199442.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000002.3304451196.00000000004B8000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://muratinue.com/photo.png?id=01B677C698EC38846700FF0000000000000000 |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://muratinue.com/photo.png?id=01B677C698EC38846700FF0000000000000000% |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004CA000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2356059601.00000000004CC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://muratinue.com/photo.png?id=01B677C698EC38846700FF000000000000000044U3h |
Source: unpacked_1648556.bin.exe, 00000000.00000003.3300199442.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000002.3304451196.00000000004B8000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://muratinue.com/photo.png?id=01B677C698EC38846700FF0000000000000000xGM |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
Section loaded: webio.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
Section loaded: rasadhlp.dll |
Source: classification engine |
Classification label: mal96.troj.evad.winEXE@1/0@24/0 |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
File created: C:\Users\user\AppData\Local\user |
Source: unpacked_1648556.bin.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
Code function: 0_2_004010F6 wsprintfA, |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
Stalling execution: Execution stalls by calling Sleep |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
RDTSC instruction interceptor: First address: 401131 second address: 401151 instructions: 0x00000000 rdtsc 0x00000002 mov esi, eax 0x00000004 mov dword ptr [esp+1Ch], edx 0x00000008 xor eax, eax 0x0000000a lea edi, dword ptr [esp+28h] 0x0000000e inc eax 0x0000000f xor ecx, ecx 0x00000011 cpuid 0x00000013 mov dword ptr [edi], eax 0x00000015 mov eax, edi 0x00000017 mov dword ptr [eax+04h], ebx 0x0000001a mov dword ptr [eax+08h], ecx 0x0000001d mov dword ptr [eax+0Ch], edx 0x00000020 rdtsc |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
RDTSC instruction interceptor: First address: 401151 second address: 401131 instructions: 0x00000000 rdtsc 0x00000002 sub eax, esi 0x00000004 sbb edx, dword ptr [esp+1Ch] 0x00000008 test edx, edx 0x0000000a jnbe 00007FF2013B19AAh 0x0000000c jc 00007FF2013B1969h 0x0000000e cmp eax, 000000FAh 0x00000013 jnc 00007FF2013B1968h 0x00000015 inc byte ptr [esp+1Ah] 0x00000019 jmp 00007FF2013B199Fh 0x0000001b sub ebp, 01h 0x0000001e jne 00007FF2013B18E5h 0x00000020 rdtsc |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
Code function: 0_2_00401224 rdtsc |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe TID: 6128 |
Thread sleep time: -660000s >= -30000s |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
Last function: Thread delayed |
Source: unpacked_1648556.bin.exe, 00000000.00000002.3304402538.000000000048E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
Code function: 0_2_00401000 CreateFileA,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,GetProcessHeap,HeapFree,CloseHandle, |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe |
Code function: 0_2_004014F9 SHGetFolderPathA,lstrcatA,lstrcatA,lstrlenA,GetUserNameA,CreateDirectoryA,lstrcatA, |