Automated Malware Analysis IOC Report for

Files

File Path

Type

URLs

Name

Malicious

https://gtoyorupaz.emlnk9.com/lt.php?x=3DZy~GDFIXeg6XOu0N28Vuee3aIpj_XxwhphY5TIVnag78B-0Uy.y.e-3I2jmN~w

Details

Filetype:	URL
Filename:	https://gtoyorupaz.emlnk9.com/lt.php?x=3DZy~GDFIXeg6XOu0N28Vuee3aIpj_XxwhphY5TIVnag78B-0Uy.y.e-3I2jmN~w

Signature Hits	Behavior Group	Mitre Attack
Detect drive by download via clipboard copy & paste	Persistence and Installation Behavior	Extra Window Memory Injection
Multi AV Scanner detection for dropped file	AV Detection	Security Software Discovery
Sigma detected: Powershell Decrypt And Execute Base64 Data	Data Obfuscation	Extra Window Memory Injection
Yara detected CAPTCHA Scam ClickFix	Phishing	Extra Window Memory Injection
Yara detected ReflectiveLoader	Data Obfuscation	Extra Window Memory Injection
AI detected suspicious URL	Phishing	Extra Window Memory Injection
HTML page adds supicious text to clipboard	Persistence and Installation Behavior	Browser Extensions Extra Window Memory Injection
Installs a global event hook (focus changed)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Extra Window Memory Injection Credential API Hooking
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Extra Window Memory Injection Input Capture
Powershell drops PE file	System Summary	Extra Window Memory Injection
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary	Extra Window Memory Injection
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary	Extra Window Memory Injection
Sigma detected: Suspicious PowerShell IEX Execution Patterns	System Summary	Extra Window Memory Injection
Suspicious powershell command line found	Data Obfuscation	PowerShell
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Extra Window Memory Injection
Creates files inside the system directory	System Summary	Masquerading
Detected suspicious crossdomain redirect	Networking
Drops PE files	Persistence and Installation Behavior	Extra Window Memory Injection
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion	Extra Window Memory Injection
HTML page contains hidden javascript code	Phishing	Extra Window Memory Injection
HTTP GET or POST without a user agent	Networking
Launches processes in debugging mode, may be used to hinder debugging	Anti Debugging	Extra Window Memory Injection Disable or Modify Tools
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
One or more processes crash	System Summary	Extra Window Memory Injection
Queries disk information (often used to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Suricata IDS alerts with low severity for network traffic	Networking
Uses a Windows Living Off The Land Binaries (LOL bins)	System Summary	Extra Window Memory Injection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Yara detected Credential Stealer	Stealing of Sensitive Information	Extra Window Memory Injection
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities	Extra Window Memory Injection
Classification label	System Summary	Extra Window Memory Injection
Connects to IPs without corresponding DNS lookups	Networking	Extra Window Memory Injection
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Extra Window Memory Injection Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Extra Window Memory Injection
Downloads files from webservers via HTTP	Networking	Extra Window Memory Injection
HTML page is missing a favicon	Phishing	Extra Window Memory Injection
Performs DNS lookups	Networking	Non-Application Layer Protocol Application Layer Protocol
Posts data to webserver	Networking
Queries a list of all running processes	Malware Analysis System Evasion	Extra Window Memory Injection Process Discovery
Reads ini files	System Summary	Extra Window Memory Injection File and Directory Discovery
Reads software policies	System Summary	System Information Discovery
Sample crashes during execution, try analyze it on another analysis machine
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook		Application Window Discovery
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary	Extra Window Memory Injection
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary	Extra Window Memory Injection
Some HTTP requests failed (404). It is likely that the sample will exhibit less behavior.		Ingress Tool Transfer
Spawns processes	System Summary	Process Injection
Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)	Networking	Extra Window Memory Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading Extra Window Memory Injection
Uses HTTPS	Networking	Encrypted Channel
Uses an in-process (OLE) Automation server	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking
Found graphical window changes (likely an installer)	System Summary
Uses Microsoft Silverlight	System Summary	Extra Window Memory Injection

https://google.com@vstrrrlineproperrms.world/

Details

Name:	https://google.com@vstrrrlineproperrms.world/
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	browser

Signature Hits	Behavior Group	Mitre Attack
AI detected suspicious URL	Phishing	Browser Extensions
HTML page contains hidden javascript code	Phishing
HTML page is missing a favicon	Phishing

https://google.com@vstrrrlineproperrms.world/sign-in?op_token=TfJdHmLBtgyxynNyAVQfoJA5CI6hyqzkoKUihdfmGSMECOhmRPG7L5ISpinTV2lUg6pqPRSZOtIubLLBVAYQb47bO6BoYssoHdiMBVPi0JRThIGTbjdor5Dq5V0IaJC3XFZn2VYlhEyhQeqDnssydN

Details

Name:	https://google.com@vstrrrlineproperrms.world/sign-in?op_token=TfJdHmLBtgyxynNyAVQfoJA5CI6hyqzkoKUihdfmGSMECOhmRPG7L5ISpinTV2lUg6pqPRSZOtIubLLBVAYQb47bO6BoYssoHdiMBVPi0JRThIGTbjdor5Dq5V0IaJC3XFZn2VYlhEyhQeqDnssydN
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	browser

Signature Hits	Behavior Group	Mitre Attack
AI detected suspicious URL	Phishing	Browser Extensions
HTML page contains hidden javascript code	Phishing
HTML page is missing a favicon	Phishing

https://apioeks.icu/apic/Qkqxz/EJDGUe

172.67.218.142

Details

Name:	https://apioeks.icu/apic/Qkqxz/EJDGUe
IP:	172.67.218.142
TargetID:	20
From Memory:	false
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://apioeks.icu/apis/wiRsh/jJZDv

172.67.218.142

Details

Name:	https://apioeks.icu/apis/wiRsh/jJZDv
IP:	172.67.218.142
TargetID:	20
From Memory:	false
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

http://c.pki.goog/r/r4.crl

74.125.137.94

https://apioeks.icu/fix

172.67.218.142

Details

Name:	https://apioeks.icu/fix
IP:	172.67.218.142
TargetID:	20
From Memory:	false
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Domains

Name

Malicious

vstrrrlineproperrms.world

172.67.206.184

a.nel.cloudflare.com

35.190.80.1

bstatic.com

3.168.147.60

partner.booking.com

13.226.210.124

gtoyorupaz.activehosted.com

104.17.205.31

e10776.b.akamaiedge.net

23.222.165.206

apioeks.icu

172.67.218.142

gtoyorupaz.emlnk9.com

54.225.69.136

code.jquery.com

151.101.2.137

challenges.cloudflare.com

104.18.94.41

www.google.com

74.125.137.105

cdn.cookielaw.org

104.18.87.42

try-cloudfront.abtasty.com

3.167.192.86

try.abtasty.com

unknown

munchkin.marketo.net

unknown

There are 5 hidden domains, click here to show them.

IPs

Domain

Country

Malicious

172.67.206.184

vstrrrlineproperrms.world

United States

142.250.101.138

unknown

United States

172.67.218.142

apioeks.icu

United States

3.168.147.60

bstatic.com

United States

192.168.2.17

unknown

104.18.94.41

challenges.cloudflare.com

United States

192.168.2.18

unknown

192.168.2.4

unknown

142.251.2.113

unknown

United States

142.251.2.138

unknown

United States

142.250.141.84

unknown

United States

35.190.80.1

a.nel.cloudflare.com

United States

104.18.87.42

cdn.cookielaw.org

United States

13.226.210.124

partner.booking.com

United States

3.167.192.86

try-cloudfront.abtasty.com

United States

104.18.95.41

unknown

United States

142.251.2.94

unknown

United States

54.225.69.136

gtoyorupaz.emlnk9.com

United States

142.250.101.100

unknown

United States

151.101.2.137

code.jquery.com

United States

74.125.137.105

www.google.com

United States

23.66.134.242

unknown

United States

23.222.165.206

e10776.b.akamaiedge.net

United States

104.17.205.31

gtoyorupaz.activehosted.com

United States

142.250.101.95

unknown

United States

142.250.101.94

unknown

United States

142.250.141.94

unknown

United States

127.0.0.1

unknown

There are 18 hidden IPs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
https://gtoyorupaz.emlnk9.com/lt.php?x=3DZy~GDFIXeg6XOu0N28Vuee3aIpj_XxwhphY5TIVnag78B-0Uy.y.e-3I2jmN~w

Files

URLs

Domains

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthttps://gtoyorupaz.emlnk9.com/lt.php?x=3DZy~GDFIXeg6XOu0N28Vuee3aIpj_XxwhphY5TIVnag78B-0Uy.y.e-3I2jmN~w

Files

URLs

Domains

IPs

IOC Report
https://gtoyorupaz.emlnk9.com/lt.php?x=3DZy~GDFIXeg6XOu0N28Vuee3aIpj_XxwhphY5TIVnag78B-0Uy.y.e-3I2jmN~w