Windows Analysis Report FAKTURA I PARAGONY.exe

Overview

General Information

Sample Name: FAKTURA I PARAGONY.exe
Analysis ID: 1622
MD5: 0277ce10266c718b31d46a622acf1a43
SHA1: f9a05406e2407434e5359a8757d6f2bf0166b20e
SHA256: 1113efa42a416df493d712368060e751482e644c13f6c115a507ff001a322724
Detection

RemCom RemoteAdmin Mimikatz HawkEye Imminent Nanocore Remcos AESCRYPT Ransomware
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected PasteDownloader
Detected Hacktool Mimikatz
Yara detected BlackMoon Ransomware
Yara detected Snake Keylogger
Yara detected Ragnarok ransomware
Yara detected Evrial Stealer
Yara detected Avaddon Ransomware
Yara detected Mini RAT
Yara detected BLACKMatter Ransomware
Yara detected Koadic
Yara detected Jigsaw
Yara detected GABUTS Ransomware
Antivirus detection for URL or domain
Yara detected AESCRYPT Ransomware
Yara detected RansomwareGeneric
Yara detected Ouroboros ransomware
Yara detected LimeRAT
Yara detected GuLoader
Yara detected Chaos Ransomware
Yara detected Hancitor
Found malware configuration
Yara detected Mock Ransomware
Yara detected Conti ransomware
Yara detected Generic Dropper
Yara detected NoCry Ransomware
Yara detected ByteLocker Ransomware
Yara detected RegretLocker Ransomware
Yara detected Meterpreter
Yara detected Clop Ransomware
Yara detected Xmrig cryptocurrency miner
Yara detected LockBit ransomware
Yara detected LOCKFILE ransomware
Yara detected Cerber ransomware
Yara detected Rhino ransomware
Yara detected Buran Ransomware
Yara detected VHD ransomware
Yara detected generic Shellcode Injector
Yara detected Netwalker ransomware
Yara detected Vidar stealer
Yara detected Jcrypt Ransomware
Yara detected Delta Ransomware
Yara detected Predator
Yara detected Mimikatz
Detected HawkEye Rat
Detected Remcos RAT
Sigma detected: RegAsm connects to smtp port
Yara detected RevengeRAT
Yara detected LaZagne password dumper
Yara detected Metasploit Payload
Yara detected LazParking Ransomware
Yara detected Neshta
Yara detected Discord Token Stealer
Yara detected MailPassView
Yara detected Parallax RAT
Yara detected Zeppelin Ransomware
Yara detected Apis Ransomware
Yara detected Wannacry ransomware
Yara detected AgentTesla
Yara detected MegaCortex Ransomware
Yara detected Valak
Yara detected AntiVM3
Yara detected Cobra Locker ransomware
Yara detected RekenSom ransomware
Detected Nanocore Rat
Yara detected Babuk Ransomware
Yara detected Nemty Ransomware
Yara detected NetWire RAT
Yara detected Linux EvilGnome RC5 key
Yara detected Clay Ransomware
Yara detected Thanos ransomware
Yara detected CryLock ransomware
Yara detected Pony
Yara detected Sapphire Ransomware
Yara detected OCT Ransomware
Yara detected Snatch Ransomware
Yara detected VBKeyloggerGeneric
Yara detected Silvertor Ransomware
Yara detected Coinhive miner
Yara detected Annabelle Ransomware
Yara detected Gocoder ransomware
Detected Imminent RAT
Yara detected BitCoin Miner
Yara detected WannaRen ransomware
Multi AV Scanner detection for submitted file
Yara detected Ryuk ransomware
Yara detected Porn Ransomware
Yara detected DarkSide Ransomware
Malicious sample detected (through community Yara rule)
Yara detected HiddenTear ransomware
Yara detected Telegram RAT
Yara detected Mailto ransomware
Yara detected CoronaCrypt Ransomware
Yara detected Voidcrypt Ransomware
Yara detected Njrat
Yara detected GoGoogle ransomware
Yara detected Axiom Ransomware
Yara detected Artemon Ransomware
Yara detected Betabot
Yara detected Covid19 Ransomware
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Yara detected Nukesped
Yara detected LokiLocker Ransomware
Yara detected Cryptolocker ransomware
Yara detected Marvel Ransomware
Multi AV Scanner detection for domain / URL
Yara detected Codoso Ghost
Yara detected Cute Ransomware
Yara detected Growtopia
Yara detected Xorist ransomware
Yara detected Windows Security Disabler
Yara detected Dorkbot
Contains VNC / remote desktop functionality (version string found)
Yara detected MaliciousMacro
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
May modify the system service descriptor table (often done to hook functions)
Yara detected AllatoriJARObfuscator
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Hides threads from debuggers
Writes to foreign memory regions
Yara detected MSILLoadEncryptedAssembly
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
May enable test signing (to load unsigned drivers)
Deletes shadow drive data (may be related to ransomware)
Found strings related to Crypto-Mining
Tries to detect Any.run
Found Tor onion address
Tries to harvest and steal browser information (history, passwords, etc)
Found string related to ransomware
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Yara detected VB6 Downloader Generic
Contains functionality to hide user accounts
Yara detected BatToExe compiled binary
May drop file containing decryption instructions (likely related to ransomware)
Yara detected Autohotkey Downloader Generic
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Drops certificate files (DER)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
May initialize a security null descriptor
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
Contains functionality to query the security center for anti-virus and firewall products
Found dropped PE file which has not been started or loaded
Yara detected RemCom RemoteAdmin tool
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains strings related to BOT control commands
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Winexe tool
Contains functionality to detect virtual machines (SGDT)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains long sleeps (>= 3 min)
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Yara detected Keylogger Generic
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Yara signature match
Creates files inside the system directory
May infect USB drives
Internet Provider seen in connection with other malware
Yara detected Credential Stealer
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Uses SMTP (mail sending)
Enables security privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64native
  • FAKTURA I PARAGONY.exe (PID: 9200 cmdline: 'C:\Users\user\Desktop\FAKTURA I PARAGONY.exe' MD5: 0277CE10266C718B31D46A622ACF1A43)
    • RegAsm.exe (PID: 420 cmdline: 'C:\Users\user\Desktop\FAKTURA I PARAGONY.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • conhost.exe (PID: 368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • UserOOBEBroker.exe (PID: 8528 cmdline: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding MD5: BCE744909EB87F293A85830D02B3D6EB)
  • mpam-51041e98.exe (PID: 6724 cmdline: 'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-51041e98.exe' /q WD MD5: C4DB3EC80A8918D80B802B6DA145FD82)
    • MpSigStub.exe (PID: 7120 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.265.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-51041e98.exe /q WD MD5: 01F92DC7A766FF783AE7AF40FD0334FB)
  • wevtutil.exe (PID: 1568 cmdline: C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\03B8EEFF-063F-7FBE-74AE-B9DD32097DDC.man MD5: C57C1292650B6384903FE6408D412CFA)
    • conhost.exe (PID: 8996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • wevtutil.exe (PID: 3992 cmdline: C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\03B8EEFF-063F-7FBE-74AE-B9DD32097DDC.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' MD5: C57C1292650B6384903FE6408D412CFA)
    • conhost.exe (PID: 3892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "margaridasantos@tccinfaes.comTccBps1427logmail.tccinfaes.comkevinlog25@gmail.com"}

Threatname: Pony


Threatname: CryLock

{"Extensions": "trigger reboot 6[CC-Client] Command: REBOOT received"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000023.00000003.6336769092.0000028BD7D54000.00000004.00000001.sdmp | CredTheft_MSIL_ADPassHunt_2 | unknown | FireEye
  • 0x15656:$pdb1: \ADPassHunt\
  • 0x15667:$pdb2: \ADPassHunt.pdb
  • 0x1567b:$s1: Usage: .\ADPassHunt.exe
  • 0x15697:$s2: [ADA] Searching for accounts with msSFU30Password attribute
  • 0x156d7:$s3: [ADA] Searching for accounts with userpassword attribute
  • 0x15714:$s4: [GPP] Searching for passwords now
00000023.00000003.6336769092.0000028BD7D54000.00000004.00000001.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000023.00000003.6313733707.0000028BD7280000.00000004.00000001.sdmp | webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp
    • 0x4d2e:$opbs48: se'.(32*2)
    • 0x576f:$php_short: <?
    • 0x576f:$php_new2: <?php
00000023.00000003.6313733707.0000028BD7280000.00000004.00000001.sdmp | webshell_asp_obfuscated | ASP webshell obfuscated | Arnim Rupp
    • 0x4831:$asp_obf2: u"+"n"+"s
    • 0x4b6a:$tagasp_short1: <%e
    • 0x4b81:$tagasp_short2: %>
    • 0x4b6a:$tagasp_long12: <%ex
    • 0x4172:$tagasp_long20: <scriptlanguage="vb
    • 0x580c:$asp_payload2: eval(
    • 0x4254:$asp_payload8: execute(
    • 0x429e:$asp_payload8: execute(
    • 0x4b1f:$asp_payload8: execute(
    • 0x58a7:$asp_multi_payload_one3: .run
    • 0x6709:$asp_multi_payload_one3: .run
    • 0x7aaa:$asp_multi_payload_one3: .run
00000023.00000003.6313733707.0000028BD7280000.00000004.00000001.sdmp | webshell_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp
    • 0x6359:$asp_much_sus8: Webshell
    • 0x7fbd:$asp_much_sus8: Webshell
    • 0x4831:$asp_much_sus39: u"+"n"+"s
    • 0x4b7b:$asp_gen_sus10: "cmd"
    • 0x5730:$asp_gen_sus12: %comspec%
    • 0x40f2:$asp_gen_obf1: "+"
    • 0x458e:$asp_gen_obf1: "+"
    • 0x45d9:$asp_gen_obf1: "+"
    • 0x45e4:$asp_gen_obf1: "+"
    • 0x45ef:$asp_gen_obf1: "+"
    • 0x4624:$asp_gen_obf1: "+"
    • 0x462f:$asp_gen_obf1: "+"
    • 0x463a:$asp_gen_obf1: "+"
    • 0x466f:$asp_gen_obf1: "+"
    • 0x467a:$asp_gen_obf1: "+"
    • 0x4685:$asp_gen_obf1: "+"
    • 0x46ba:$asp_gen_obf1: "+"
    • 0x46c5:$asp_gen_obf1: "+"
    • 0x46d0:$asp_gen_obf1: "+"
    • 0x4705:$asp_gen_obf1: "+"
    • 0x4710:$asp_gen_obf1: "+"