Windows Analysis Report Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs

Overview

General Information

Sample Name: Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs
Analysis ID: 1607
MD5: 3db65d6cb8c8f1b0e97dfc293d28e295
SHA1: c3fb70c3613ccdcdac2e4a12df17551ab93a88a4
SHA256: 6394c4e126b8ef4cf8e66d43a54cfd42fd86b3003292f621f0ca427bc12051d8
Detection

RemCom RemoteAdmin Mimikatz HawkEye Imminent Nanocore Remcos 0x0M4R
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected PasteDownloader
Detected Hacktool Mimikatz
Yara detected BlackMoon Ransomware
Yara detected Snake Keylogger
Yara detected Ragnarok ransomware
Yara detected Evrial Stealer
Yara detected Avaddon Ransomware
Yara detected GhostRat
Yara detected Mini RAT
Yara detected BLACKMatter Ransomware
Yara detected Koadic
Yara detected Jigsaw
Antivirus detection for URL or domain
Yara detected AESCRYPT Ransomware
Yara detected Rapid ransomware
Yara detected RansomwareGeneric
Yara detected Ouroboros ransomware
Yara detected Fiesta Ransomware
Yara detected LimeRAT
Yara detected GuLoader
Yara detected Chaos Ransomware
Yara detected Hancitor
Yara detected TeslaCrypt Ransomware
Found malware configuration
Yara detected Mock Ransomware
Yara detected Conti ransomware
Yara detected Generic Dropper
Yara detected NoCry Ransomware
Yara detected ByteLocker Ransomware
Yara detected RegretLocker Ransomware
Yara detected Crypt ransomware
Yara detected Meterpreter
Yara detected Clop Ransomware
Yara detected Xmrig cryptocurrency miner
Yara detected LockBit ransomware
Yara detected Arcane Stealer
Yara detected LOCKFILE ransomware
Yara detected Cerber ransomware
Yara detected Rhino ransomware
Yara detected Niros Ransomware
Yara detected Buran Ransomware
Yara detected VHD ransomware
Yara detected generic Shellcode Injector
Yara detected Netwalker ransomware
Yara detected Vidar stealer
Yara detected Jcrypt Ransomware
Yara detected Delta Ransomware
Yara detected Predator
Yara detected Mimikatz
Detected HawkEye Rat
Detected Remcos RAT
Yara detected RevengeRAT
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected LaZagne password dumper
Yara detected Metasploit Payload
Yara detected LazParking Ransomware
Yara detected Discord Token Stealer
Yara detected MailPassView
Yara detected Parallax RAT
Yara detected Zeppelin Ransomware
Yara detected Apis Ransomware
Yara detected Wannacry ransomware
Yara detected MegaCortex Ransomware
Yara detected Valak
Yara detected AntiVM3
Yara detected Cobra Locker ransomware
Yara detected RekenSom ransomware
Detected Nanocore Rat
Yara detected Babuk Ransomware
Yara detected Nemty Ransomware
Yara detected NetWire RAT
Yara detected Linux EvilGnome RC5 key
Yara detected Clay Ransomware
Yara detected Thanos ransomware
Yara detected CryLock ransomware
Yara detected Pony
Yara detected OCT Ransomware
Yara detected Snatch Ransomware
Yara detected Coinhive miner
Yara detected Knot Ransomware
Yara detected Gocoder ransomware
Detected Imminent RAT
Yara detected BitCoin Miner
Yara detected WannaRen ransomware
Yara detected Baldr
Multi AV Scanner detection for submitted file
Yara detected Ryuk ransomware
Yara detected Zeoticus ransomware
Yara detected Porn Ransomware
Benign windows process drops PE files
Yara detected DarkSide Ransomware
Malicious sample detected (through community Yara rule)
Yara detected HiddenTear ransomware
Yara detected Telegram RAT
Yara detected WormLocker Ransomware
Yara detected Nephilim Ransomware
Yara detected Mailto ransomware
Yara detected Voidcrypt Ransomware
Yara detected Njrat
Yara detected GoGoogle ransomware
Yara detected Axiom Ransomware
Yara detected Ransomware32
Yara detected Artemon Ransomware
Yara detected Betabot
Yara detected Covid19 Ransomware
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Yara detected CryptoWall ransomware
Yara detected Cryptolocker ransomware
Yara detected Marvel Ransomware
Multi AV Scanner detection for domain / URL
Yara detected Codoso Ghost
Yara detected Cute Ransomware
Yara detected 0x0M4R Ransomware
Yara detected Growtopia
Yara detected Windows Security Disabler
Yara detected Amnesia ransomware
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
May modify the system service descriptor table (often done to hook functions)
Yara detected AllatoriJARObfuscator
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Uses dynamic DNS services
Hides threads from debuggers
Writes to foreign memory regions
Yara detected MSILLoadEncryptedAssembly
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
May enable test signing (to load unsigned drivers)
Deletes shadow drive data (may be related to ransomware)
Found strings related to Crypto-Mining
Tries to detect Any.run
Found Tor onion address
Sample is not signed and drops a device driver
DLL side loading technique detected
Uses ipconfig to lookup or modify the Windows network settings
Found string related to ransomware
Yara detected VB6 Downloader Generic
Contains functionality to hide user accounts
May drop file containing decryption instructions (likely related to ransomware)
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Java / VBScript file with very long strings (likely obfuscated code)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Creates driver files
Checks if the current process is being debugged
May initialize a security null descriptor
Deletes files inside the Windows folder
Contains functionality to query the security center for anti-virus and firewall products
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Yara detected RemCom RemoteAdmin tool
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
PE file contains an invalid checksum
Contains strings related to BOT control commands
Detected TCP or UDP traffic on non-standard ports
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Winexe tool
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
Yara detected Keylogger Generic
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
May infect USB drives
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Yara detected Credential Stealer
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Enables security privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64native
  • wscript.exe (PID: 1848 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs' MD5: 0639B0A6F69B3265C1E42227D650B7D1)
    • ipconfig.exe (PID: 5564 cmdline: ipconfig.exe /release MD5: 62F170FB07FDBB79CEB7147101406EB8)
      • conhost.exe (PID: 4460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • AZTEKERNES.exe (PID: 3516 cmdline: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe MD5: C7778BEEB7B4EE95495E9268EB7DC6A2)
      • ieinstal.exe (PID: 2332 cmdline: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe MD5: 7871873BABCEA94FBA13900B561C7C55)
    • ipconfig.exe (PID: 312 cmdline: 'C:\Windows\System32\ipconfig.exe' /renew MD5: 62F170FB07FDBB79CEB7147101406EB8)
      • conhost.exe (PID: 4740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • mpam-25cd2963.exe (PID: 6192 cmdline: 'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-25cd2963.exe' /q WD MD5: BBC0691332F6E1994993322482AD8480)
    • MpSigStub.exe (PID: 4180 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.237.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-25cd2963.exe /q WD MD5: 01F92DC7A766FF783AE7AF40FD0334FB)
  • wevtutil.exe (PID: 3364 cmdline: C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\2108938D-9908-3C7F-FAE2-83F1B0D584D6.man MD5: C57C1292650B6384903FE6408D412CFA)
    • conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • wevtutil.exe (PID: 4860 cmdline: C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\2108938D-9908-3C7F-FAE2-83F1B0D584D6.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' MD5: C57C1292650B6384903FE6408D412CFA)
    • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • mpam-77b29277.exe (PID: 6444 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-77b29277.exe MD5: 34B7B3BDFA61E18D3B2C3B0AC92B78EF)
    • MpSigStub.exe (PID: 4520 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe /stub 1.1.18500.10 /payload 4.18.2109.6 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-77b29277.exe MD5: 01F92DC7A766FF783AE7AF40FD0334FB)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bin"}

Threatname: Pony

{"C2 list": ["http://download.enet.com.cn/search.php?keyword=%s", "http://www.colegioarbitrosargentinos.com.ar/img/overdue-account/invoice-053541/", "http://ow.ly/QoHbJ", "http://santasalete.sp.gov.br/jss/", "http://www.redirserver.com/update4.cfm?tid=&cn_id=", "http://194.5.249.107/2nquxqz2ok4a45l.php", "http://www.youndoo.com/?z=", "http://%s%simg.jpg", "http://sonharvaleapena.com.br/en_us/copy_invoice/25680423862/dqzln-cwhrf_yagnf-spn", "http://vod.7ibt.com/index.php?url=", "http://microhelptech.com/gotoassist/", "http://malikberry.com/files101/htamandela.hta", "http://%domain%/update.php", "http://d.sogou.com/music.so?query=%s", "http://%s:%d/%s%d%08d", "http://%s:%i%s?mod=cmd", "http://pages", "http://www.zxboy.com#http://", "http://p.zhongsou.com/p?w=%s", "http://88888888.7766.org/ExeIni", "http://update.7h4uk.com:443/antivirus.php", "http://23.95.122.25/..-.-................-.....-------------/..............................................................................................dot\"targetmode=\"external\"/></relationships>", "http://flash.chinaren.com/ip/ip.php", "http://jump.qq.com/clienturl_15", "http://dialup.carpediem.fr/perl/countdialupinter.pl?", "http://www.piram.com.br/hosts.txt", "http://www.now.cn/?SCPMCID=", "http://110.42.4.180:", "http://club.book.sina.com.cn/booksearch/booksearch.php?kw=%s", "http://%76%2E%79%61%6F%36%33%2E%63%6F%6D/url.asp", "http://ajeyftrjqeashgda.mobi/mSsQDIMIQ/inIDw/", "http://www.cashon.co.kr/app/app.php?url=", "http://stats.hosting24.com/count.php", "http://192.189.25.17/cgbin/ukbros", "http://pig.zhongsou.com/helpsimple/help.htm", "http://zsxz.zhongsou.com/route/", "http://whatami.us.to/tc", "http://whenyouplaygood.com/s/gate.php?a\");f[\"\\x73\\x65\\x6e\\x64\"]();eval(f[\"responsetext\"", "http://23.249.163.163/qwerty.exe", "http://92.222.7.", "http://darkside", "http://so1.5k5.net/interface?action=install&p=", "http://www.gamedanji.cn/ExeIni", "http://gosgd.com", 
"http://find.verycd.com/folders?cat=movie&kw=%s", "http://search.dangdang.com/dangdang.dll?mode=1020&catalog=100&key1=%s", "http://216.172.172.40/~agora546/cardoso/dilma.zip", "http://www.cashon.co.kr/app/uninstall.php?", "http://www.moliv.com.br/stat/email0702/", "http://foo.w97.cn/data/file/kwbuf.ini", "http://chemgioaz.blogspot.com/ ", "http://init.icloud-analysis.com", "http://img.zhongsou.com/i?w=%s", "http://new.beahh.com/startup.php", "http://pznjaslo.pl/wp-content/outstanding-invoices/", "http://instamailserver.link/finito.ps1", "http://www.enquesta.tempsdoci.com/tracking-number-7fjs84476372436909/mar-13-18-04-02-56", "http://mp3.baidu.com/m?tn=baidump3lyric&ct=", "http://3dplayful.blogspot.com/ ", "http://stroyprivoz.ru/dokumente-vom-notar/", "http://a.pomf.cat/", "http://hotedeals.co.uk/ekck095032/", "http://www.iask.com/s?k=%s", "http://vidquick.info/cgi/", "http://gg", "http://speedmasterprinters.co.za/erroreng/erroreng/erroreng/erroreng/ii.php", "http://search.newhua.com/search.asp?Keyword=%s", "http://(www|corail)\\\\.sudoc", "http://stat.wamme.cn/C8C/gl/cnzz60.html", "http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline", "http://mp3.zhongsou.com/m?w=%s", "http://yc.book.sohu.com/series_list.php?select=1&text=%s", "http://kremlin-malwrhunterteam.info/scan.exe", "http://8nasrcity.blogspot.com/ ", "http://www.preyer.it/ups.com/", "http://bittupadam.blogspot.com/", "http://search.btchina.net/search.php?query=%s", "http://www.bluelook.es/bvvtbbh.php", "http://articlunik.blogspot.com/", "http://localhost:62338/Chipsetsync.asmx", "http://www.microsoft.com0", "http://%20%20@j.mp/as", "http://ys.cn.yahoo.com/mohu/index.html?p=%s", "http://coltaddict.blogspot.com/", "http://jump.qq.com/clienturl_100?clientuin=", "http://www.ip.com.cn/idcard.php?q=%s", "http://www.thon-samson.be/js/_notes/", "http://rl.ammyy.com", "http://fixdoctorsfirst.net/registry/andyfkz.png?bg=sp14", "http://animefrase.blogspot.com/", 
"http://binyousafindustries.com/fonts/jo/mops.exe", "http://images.google.cn/images?q=%s", "http://aindonashi.blogspot.com/", "http://alindaenua.blogspot.com/", "http://v.iask.com/v?tag=&k=%s", "http://www.w3.org/1999/xsl/transform", "http://95.173.183.", "http://www.contacto1190.com.mx/css/aa/index.php?userid=admin.sharepoint@truvo.be", "http://www.cashon.co.kr/search/search.php", "http://page.zhongsou.com/ps?tps=2&cc=%s&aid=CA%s&w=", "http://pssquared.com/invoice-status/tracking-number-and-invoice-of-your-order/", "http://vequiato.sites.uol.com.br/", "http://</t></si><si><t>188.127.231.", "http://127.0.0.1:20202/remind.html", "http://92.38.135.46/43cfqysryip51zzq.php", "http://%s%s", "http://208.95.104.", "http://abeidaman.blogspot.com/ ", "http://flow4.6299.cc/ClientAPI/flowtaskAPI.aspx", "http://20vp.cn/moyu/", "http://www.look2me.com", "http://www.wosss.com/search.aspx?q=%s", "http://www.3322.org/dyndns/getip", "http://www.ip.com.cn/ip.php?q=%s", "http://81.177.26.20/ayayay", "http://cvfanatic.blogspot.com/ ", "http://best4hack.blogspot.com/ ", "http://cicahroti.blogspot.com/ ", "http://www.j.mp/", "http://anomaniez.blogspot.com/ ", "http://62.210.214.", "http://bonkersmen.blogspot.com/", "http://zilmaraalencar.com.br/layouts/plugins/editors/tinymce/field/zzurphy.php", "http://search.17173.com/index.jsp?keyword=%s", "http://www.22teens.com/", "http://beautifulmaori.co.nz/wp-content/plugins/wp-xmll_2/gorfy2pq/1ny0mnkih27id8m.ktk", "http://%s:%i%s", "http://vidscentral.net/inc/6348852", "http://download.zhongsou.com/cdsearch/", "http://babukq4e2p4wu4iq.onion", "http://aspx.vod38.com/", "http://200.159.128.", "http://v.baidu.com/srh.php?tn=oliver1_dg&word=%s", "http://www.soso.com/q?w=%s", "http://kavok.ind.br/ds/2312.gif", "http://www.tempuri.org/DataSet1.xsd", "http://batrasiaku.blogspot.com/", "http://bardubar.com/mMS83JIdhq/ieygBSH38hsJa/", "http://bigboobsp.blogspot.com/ ", 
"http://www.phokhobazan.com/%202%200%201%208-0%207%20-%201%201%202%200%200%207:%202%206:%2099%20819.php/?email=kevind@hollywoodwoodwork.com\"target=\"_blank", "http://reports.montiera.com/reports/jsRprt.srf?rid=nsis&nsisState=", "http://www.look2me.com/products/", "http://www.chipsroofingloveland.com/status/services-06-26-18-new-customer-vh/", "http://ks.pconline.com.cn/index.jsp?qx=download&q=%s", "http://blog.x-row.net/", "http://ads.8866.org/", "http://spotdewasa.blogspot.com/", "http://www.zhongsou.com/kefu/zskf.htm", "http://bit.ly", "http://adsl.carpediem.fr/perl/invoc_oneway.pl?", "http://xn---82-qdd0akcfirgv4j.xn--p1ai/ups-ship-notification/mar-13-18-07-06-38/", "http://31.192.210.", "http://www.daybt.com/query.asp?q=%s", "http://3117488091/lib/jquery-3.2.1.min.js", "http://funsiteshere.com/redir.php", "http://pic.sogou.com/pics?query=%s", "http://softthrifty.com/security.jsp", "http://www.tq121.com.cn/", "http://dialup.carpediem.fr/perl/dialup.pl", "http://z1.nf-2.net/512.txt", "http://alhalm-now.blogspot.com/", "http://31.192.209.", "http://94.102.14.", "http://aolopdephn.blogspot.com/", "http://50.63.128.", "http://dontkillme/", "http://agressor58.blogspot.com/", "http://3s249.s249327.96.lt/mss2ro37qtl3cbw9vo0lk2bx8vv7jmx2mlesim9ddw11fem3sjp3ijuoufk/mss.php", "http://gosgd2.com", "http://musah.info/", "http://berkah2013.blogspot.com/", "http://wevx.xyz/post.php?uid=", "http://search.union.yahoo.com.cn/click/search.htm?m=", "http://search.games.sina.com.cn/cgi-bin/game_search/game_deal.cgi?keywords=%s", "http://www.sagawa-exp.co.jp/", "http://www.look2me.com/cgi", "http://lo0oading.blogspot.com/ ", "http://iranvision1404.com/ss/info/redebit_transactions/terms/kohc-xuxo_lcxty-av6e", "http://61.19.253.", "http://www.klikspaandelft.nl/", "http://xn--", "http://www.trotux.com/?z=", "http://arifkacip.blogspot.com/ ", "http://clients.lb1networks.com/upd.php?", "http://html.hjsm.tom.com/?mod=book&act=anonsearch&key=%s", "http://go.58.com/?f=", 
"http://aspx.qqus.net/wanmei/login.asp", "http://afkar.today/test_coming.training/w_f/", "http://www.3000.ws/", "http://js.pkglayer.com", "http://p.iask.com/p?k=%s", "http://hostthenpost.org/uploads/", "http://www.iciba.com/search?s=%s", "http://%domain%/config.php", "http://zsnews.zhongsou.com/zsnews.cgi?tps=3&agent=%s&word=", "http://rapidshare.com/files/", "http://www.mypaymate.com/dialerplatform/tmp.htm", "http://www.baidu.com/baidu?tn=", "http://%s/%s/?m=e&p1=%s&p2=%s&p3=%s", "http://www.sogou.com/web?query=%s", "http://www.sacbarao.kinghost.net/", "http://www.2345.com", "http://203.199.200.61", "http://music.cn.yahoo.com/lyric.html?p=%s", "http://ahmad-roni.blogspot.com/", "http://www.inet4you.com/exit/", "http://185.153.198.216:8010/UserService", "http://search.crsky.com/search.asp?sType=ResName&keyword=%s", "http://www.google.cn/search?q=%s", "http://games.enet.com.cn/article/SearchCategory.php?key=%s", "http://citw-vol2.blogspot.com/ ", "http://ks.pcgames.com.cn/games_index.jsp?q=%s", "http://music.soso.com/q?sc=mus&w=%s", "http://ksn.a", "http://webpatch.ragnarok.co.kr/", "http://2010-kpss.blogspot.com/ ", "http://image.soso.com/image.cgi?w=%s", "http://cbl.toolbar4free.com/cgi-bin/s.exe", "http://aitimatafb.blogspot.com/", "http://61.160.222.11:", "http://mp3.baidu.com/m?tn=", "http://%s/ftp/g.php", "http://weather.265.com/%s", "http://toolbar.deepdo.com/download/", "http://888888.2288.org/Monitor_INI", "http://%s/any2/%s-direct.ex", "http://www.ip.com.cn/mobile.php?q=%s", "http://www.88vcd.com/htm/china/myb/send.asp?daqu=%s&xiaoqu=%s&user=%s&pass=%s&ckpass=%s&renwu=%s&level=%d&gold=%d&stone=%d&cpname", "http://session-dyfm.clientmsg13.review/8446c35a41f9e820533b6cd008b40749?fpcum=&amp;dyfm=ywx2yxjvx3zlbgfzy29adndylmnvbq==&amp;dyfm=cpjyicit", "http://likesomessfortelr.eu/mSsNX3JDSJD/inNSj398LSj/", "http://www.qq994455.com/", "http://%s", "http://www.ip.com.cn/tel.php?q=%s", "http://community.derbiz.com/", "http://31.192.211.", 
"http://\"+hashdate().tostring(16)+\".eu/script.html", "http://devee.emlnk.com/lt.php?s=b7abe8a8120881cc5c9dab6eac28ddbe&amp;i=1a3a1a", "http://errors.statsmyapp.com/installer-error.gif?action=wrapper", "http://www.lumina.it/wp-content/plugins/all-in-one-wp-migration/storage/client/invoice-978561/", "http://fateh.aba.ae/xyzx.zip", "http://www.ip138.com", "http://gaigoixxx.blogspot.com/ ", "http://batysnewskz.kz/ups.com", "http://104.236.94.", "http://70.38.40.185", "http://1bestgate.blogspot.com/ ", "http://0.82211.net/", "http://dl.dropbox.com/u/", "http://basti.ciseducation.org/website/images/prettyphoto/dark_square/.x1-unix/", "http://www.ssl-256mail.host/5c596a68b83a886b57ade24c?jgiasyi=&pwnmiz_g=1eo3fjfkkke&jgiasyi=wtnygzsiyw", "http://acayipbiri.blogspot.com/", "http://qwuyegasd3edarq6yu.org/mSsQDIMIQ/ind7694GDs/", "http://fateh.aba.ae/abc.zip", "http://www.agendagyn.com/media/fotos/2010/", "http://avnisevinc.blogspot.com/", "http://www.linkinc.es/scss/water.php", "http://ip-api.com/", "http://autothich.blogspot.com/ ", "http://www.cashon.co.kr/app/install.php?", "http://178.79.137.25/campo/", "http://srmvx.com.br/uploads/", "http://cert.beahh.com/cert.php", "http://calleveinte.com.mx/ups-quantum-view", "http://cs.zhongsou.com/", "http://foo.w97.cn/SoftInterFace/SearchNum.aspx", "http://weather.265.com/get_weather.php?action=get_city", "http://tempuri.org/", "http://tool.world2.cn/toolbar/", "http://mitotl.com.mx/ups.com/", "http://www.yodao.com/search?ue=utf8&q=%s", "http://%20%20@j.mp/axas", "http://aancyber77.blogspot.com/", "http://www.whitehouseknutsford.co.uk/invoice-status/please-pull-invoice-684594/", "http://www.", "http://smart.linkprice.com/sem/overture_sponsor_search.php?maxcnt=&js=2&type=", "http://arthisoft.blogspot.com/ ", "http://sf3q2wrq34.ddns.net"]}

Threatname: Metasploit

{"Type": "Execute Command", "Command": "\u0001"}

Threatname: CryLock

{"Extensions": "%d str_charcodeat DosDateTimeToFileTime() failed, err = %d str_tolowercase String.prototype.toLowerCase() is not a constructor const pea_calls_unimplemented_api  Intel(R) Core(TM)2 CPU         T7200  @ 2.00GHz(MSI Stream %d)(Ole Stream %d)0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._SSF:ScanAllStreamselement.getElementsByTagName() called on non-DOM objectcryptoMpCommon(Message.%zu: %hs - %hs)(Message.%zu)No subject%lld"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth
  • 0x32ce:$s1: stratum+tcp://
00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp | RemCom_RemoteCommandExecution | Detects strings from RemCom tool | Florian Roth
  • 0x14218:$: \\.\pipe\%s%s%d
00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp | webshell_asp_generic_eval_on_input | Generic ASP webshell which uses any eval/exec function directly on user input | Arnim Rupp
  • 0xfc4e:$payload_and_input1: eval(request.
  • 0xfc4c:$tagasp_short1: <%e
  • 0xfc71:$tagasp_short2: %>
  • 0xfc4c:$tagasp_long13: <%ev
  • 0xa223:$jsp4: public
  • 0xa281:$jsp4: public
00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp | webshell_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp
  • 0xfc8b:$asp_much_sus8: WebShell
  • 0x69f8:$asp_much_sus15: AntiVirus
  • 0x711c:$asp_much_sus15: AntiVirus
  • 0x7f45:$asp_much_sus15: antivirus
  • 0x8022:$asp_much_sus15: antivirus
  • 0x8036:$asp_much_sus15: antivirus
  • 0xd81f:$asp_much_sus15: Antivirus
  • 0xfc67:$asp_much_sus18: "unsafe
  • 0x10610:$asp_much_sus28: exploit
  • 0xe44e:$asp_gen_sus11: "cmd.exe
  • 0xf095:$asp_gen_sus11: "cmd.exe
  • 0x102e8:$asp_gen_sus12: %comspec%
  • 0xfcb0:$asp_gen_sus25: shell_
  • 0xfd73:$asp_gen_obf1: "+"
  • 0x10188:$asp_gen_obf1: "+"
  • 0x1018d:$asp_gen_obf1: "+"
  • 0x10193:$asp_gen_obf1: "+"
  • 0x1019a:$asp_gen_obf1: "+"
  • 0x1019f:$asp_gen_obf1: "+"
  • 0x101a4:$asp_gen_obf1: "+"
  • 0xfc4c:$tagasp_short1: <%e
00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security