Source: unpacked_1648556.bin.exe | Avira: detected |
Source: https://certifacto.com/R | Avira URL Cloud: Label: phishing |
Source: https://certifacto.com/ | Avira URL Cloud: Label: phishing |
Source: https://certifacto.com/photo.png?id=01B677C698EC38846700FF0000000000000000XHM | Avira URL Cloud: Label: phishing |
Source: https://certifacto.com/photo.png?id=01B677C698EC38846700FF0000000000000000 | Avira URL Cloud: Label: phishing |
Source: certifacto.com | Virustotal: Detection: 14% |
Source: https://cowspidzu.pro/ | Virustotal: Detection: 5% |
Source: bladisuka.red | Virustotal: Detection: 7% |
Source: https://certifacto.com/ | Virustotal: Detection: 16% |
Source: https://bladisuka.red/ | Virustotal: Detection: 10% |
Source: unpacked_1648556.bin.exe | Virustotal: Detection: 67% |
Source: unpacked_1648556.bin.exe | ReversingLabs: Detection: 57% |
Source: Yara match | File source: unpacked_1648556.bin.exe, type: SAMPLE |
Source: Yara match | File source: 0.2.unpacked_1648556.bin.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.0.unpacked_1648556.bin.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.3304323010.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000000.2055305505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: unpacked_1648556.bin.exe | Joe Sandbox ML: detected |
Source: unpacked_1648556.bin.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: unknown | DNS traffic detected: query: muratinue.com replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: certifacto.com replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: bladisuka.red replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: cowspidzu.pro replaycode: Name error (3) |
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown | DNS traffic detected: queries for: certifacto.com |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bladisuka.red/ |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bladisuka.red/R |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bladisuka.red/photo.png?id=01B677C698EC38846700FF0000000000000000 |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bladisuka.red/photo.png?id=01B677C698EC38846700FF0000000000000000% |
Source: unpacked_1648556.bin.exe, 00000000.00000002.3304500733.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.3300283554.00000000004F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bladisuka.red/photo.png?id=01B677C698EC38846700FF0000000000000000= |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2685214695.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://certifacto.com/ |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2685214695.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://certifacto.com/R |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2685214695.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://certifacto.com/photo.png?id=01B677C698EC38846700FF0000000000000000 |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2685214695.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://certifacto.com/photo.png?id=01B677C698EC38846700FF0000000000000000XHM |
Source: unpacked_1648556.bin.exe, 00000000.00000002.3304451196.00000000004B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cowspidzu.pro/ |
Source: unpacked_1648556.bin.exe, 00000000.00000003.3300199442.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000002.3304451196.00000000004B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cowspidzu.pro/photo.png?id=01B677C698EC38846700FF0000000000000000 |
Source: unpacked_1648556.bin.exe, 00000000.00000002.3304500733.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.3300283554.00000000004F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cowspidzu.pro/photo.png?id=01B677C698EC38846700FF0000000000000000& |
Source: unpacked_1648556.bin.exe, 00000000.00000002.3304500733.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.3300283554.00000000004F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cowspidzu.pro/photo.png?id=01B677C698EC38846700FF0000000000000000l |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004CA000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://muratinue.com/ |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://muratinue.com/R |
Source: unpacked_1648556.bin.exe, 00000000.00000003.3300283554.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.3300199442.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000002.3304451196.00000000004B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://muratinue.com/photo.png?id=01B677C698EC38846700FF0000000000000000 |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://muratinue.com/photo.png?id=01B677C698EC38846700FF0000000000000000% |
Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004CA000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2356059601.00000000004CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://muratinue.com/photo.png?id=01B677C698EC38846700FF000000000000000044U3h |
Source: unpacked_1648556.bin.exe, 00000000.00000003.3300199442.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000002.3304451196.00000000004B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://muratinue.com/photo.png?id=01B677C698EC38846700FF0000000000000000xGM |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: webio.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: rasadhlp.dll |
Source: classification engine | Classification label: mal96.troj.evad.winEXE@1/0@24/0 |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | File created: C:\Users\user\AppData\Local\user |
Source: unpacked_1648556.bin.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Code function: 0_2_004010F6 wsprintfA, | 0_2_004010F6 |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Stalling execution: Execution stalls by calling Sleep | graph_0-193 |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | RDTSC instruction interceptor: First address: 401131 second address: 401151 instructions: 0x00000000 rdtsc 0x00000002 mov esi, eax 0x00000004 mov dword ptr [esp+1Ch], edx 0x00000008 xor eax, eax 0x0000000a lea edi, dword ptr [esp+28h] 0x0000000e inc eax 0x0000000f xor ecx, ecx 0x00000011 cpuid 0x00000013 mov dword ptr [edi], eax 0x00000015 mov eax, edi 0x00000017 mov dword ptr [eax+04h], ebx 0x0000001a mov dword ptr [eax+08h], ecx 0x0000001d mov dword ptr [eax+0Ch], edx 0x00000020 rdtsc |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | RDTSC instruction interceptor: First address: 401151 second address: 401131 instructions: 0x00000000 rdtsc 0x00000002 sub eax, esi 0x00000004 sbb edx, dword ptr [esp+1Ch] 0x00000008 test edx, edx 0x0000000a jnbe 00007FF2013B19AAh 0x0000000c jc 00007FF2013B1969h 0x0000000e cmp eax, 000000FAh 0x00000013 jnc 00007FF2013B1968h 0x00000015 inc byte ptr [esp+1Ah] 0x00000019 jmp 00007FF2013B199Fh 0x0000001b sub ebp, 01h 0x0000001e jne 00007FF2013B18E5h 0x00000020 rdtsc |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Code function: 0_2_00401224 rdtsc | 0_2_00401224 |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe TID: 6128 | Thread sleep time: -660000s >= -30000s |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Last function: Thread delayed |
Source: unpacked_1648556.bin.exe, 00000000.00000002.3304402538.000000000048E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | API call chain: ExitProcess graph end node | graph_0-158 |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Code function: 0_2_00401000 CreateFileA,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,GetProcessHeap,HeapFree,CloseHandle, | 0_2_00401000 |
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Code function: 0_2_004014F9 SHGetFolderPathA,lstrcatA,lstrcatA,lstrlenA,GetUserNameA,CreateDirectoryA,lstrcatA, | 0_2_004014F9 |