Source: Yara match | File source: 0.3.Tk6dsSEyOC.exe.2340000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.Tk6dsSEyOC.exe.22b0e50.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.Tk6dsSEyOC.exe.2340000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.Tk6dsSEyOC.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.Tk6dsSEyOC.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.Tk6dsSEyOC.exe.22b0e50.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.478315203.0000000000400000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.480197054.00000000022B0000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.251005006.0000000002340000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: Tk6dsSEyOC.exe PID: 7164, type: MEMORYSTR |
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe | Code function: 0_2_0040E727 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData, |
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe | Code function: 0_2_0040D560 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData, |
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe | Code function: 0_2_0042770E CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree, |
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe | Code function: 0_2_0040F78B __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, |
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe | Code function: 0_2_004278E1 lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree, |
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe | Code function: 0_2_0040DC7B __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree, |
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe | Code function: 0_2_0041E52C __EH_prolog,_strlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,PK11_FreeSlot, |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: Tk6dsSEyOC.exe, 00000000.00000003.374795304.000000004BC6B000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.427942523.000000004BC71000.00000004.00000010.sdmp, freebl3.dll.0.dr |
Binary string: C:\bixorotuma_wufeyeyur\loyopuwudi-xovozoko\muba.pdb source: Tk6dsSEyOC.exe |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.0.dr |
Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.0.dr |
Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, nss3.dll.0.dr |
Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.0.dr |
Binary string: ucrtbase.pdb source: ucrtbase.dll.0.dr |
Binary string: api-ms-win-core-memory-l1-1-0.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.427951428.000000004BC7E000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000002.481321705.000000004BC7E000.00000004.00000010.sdmp, api-ms-win-core-memory-l1-1-0.dll.0.dr |
Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.378196371.000000004BC7F000.00000004.00000010.sdmp, ldap60.dll.0.dr |
Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr |
Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr |
Binary string: C:\bixorotuma_wufeyeyur\loyopuwudi-xovozoko\muba.pdb0= source: Tk6dsSEyOC.exe |
Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.0.dr |
Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.0.dr |
Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.0.dr |
Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.0.dr |
Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: Tk6dsSEyOC.exe, 00000000.00000002.483423544.000000006FD89000.00000002.00020000.sdmp, mozglue.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.374795304.000000004BC6B000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.427942523.000000004BC71000.00000004.00000010.sdmp, freebl3.dll.0.dr |
Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr |
Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.0.dr |
Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.0.dr |
Binary string: msvcp140.i386.pdb source: msvcp140.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy.dll.0.dr, MapiProxy_InUse.dll.0.dr |
Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.0.dr |
Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: Tk6dsSEyOC.exe, 00000000.00000003.378196371.000000004BC7F000.00000004.00000010.sdmp, ldap60.dll.0.dr |
Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.0.dr |
Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.0.dr |
Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.0.dr |
Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: Tk6dsSEyOC.exe, 00000000.00000002.483423544.000000006FD89000.00000002.00020000.sdmp, mozglue.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.0.dr |
Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.0.dr |
Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr |
Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.0.dr |
Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr |
Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr |
Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.0.dr |
Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr |
Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.0.dr, mozMapi32_InUse.dll.0.dr |
Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr |
Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.0.dr |
Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.0.dr |
Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.0.dr |
Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.0.dr |
Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.0.dr |
Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.372483857.000000004BC51000.00000004.00000010.sdmp, AccessibleMarshal.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.0.dr |
Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr |
Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.373618716.000000004BC7F000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.373284353.000000004BC7E000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.373416548.000000004BC7E000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.373403037.000000004BC7E000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.373313194.000000004BC7E000.00000004.00000010.sdmp, breakpadinjector.dll.0.dr |
Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.0.dr |
Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.0.dr |
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\ |
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\ |
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\ |
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\ |
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\ |
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\ |
Source: Malware configuration extractor | URLs: http://91.219.236.162/masterdanteloma |
Source: Malware configuration extractor | URLs: http://185.163.47.176/masterdanteloma |
Source: Malware configuration extractor | URLs: http://193.38.54.238/masterdanteloma |
Source: Malware configuration extractor | URLs: http://74.119.192.122/masterdanteloma |
Source: Malware configuration extractor | URLs: http://91.219.236.240/masterdanteloma |
Source: Malware configuration extractor | URLs: https://t.me/masterdanteloma |
Source: global traffic | HTTP traffic detected: GET /masterdanteloma HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: t.me |
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 91.219.236.69 |
Source: global traffic | HTTP traffic detected: GET //l/f/i6j2Un0B3dP17SpzFNyq/762b827e1bbc7bd715bf97e0fb01fbddd5bf5ab2 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 91.219.236.69 |
Source: global traffic | HTTP traffic detected: GET //l/f/i6j2Un0B3dP17SpzFNyq/c88f6d712fdcff784a2f2a2ae8ea36494792f04b HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 91.219.236.69 |
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cVContent-Length: 1400Host: 91.219.236.69 |