top title background image
flash

h1GodtbhC8.exe

Status: finished
Submission Time: 2020-12-05 08:25:12 +01:00
Malicious
E-Banking Trojan
Spyware
Evader
Trojan

Comments

Tags

  • exe

Details

  • Analysis ID:
    327203
  • API (Web) ID:
    556205
  • Analysis Started:
    2020-12-05 08:25:13 +01:00
  • Analysis Finished:
    2020-12-05 08:57:07 +01:00
  • MD5:
    3ca6df4914385efd4ba9cd239b5ed254
  • SHA1:
    b66535ff43334177a5a167b9f2b07ade75484eec
  • SHA256:
    0acebaf80946be0cb3099233e8807aa775c8304fc3dee48d42241ff68b7ab318
  • Technologies:

Joe Sandbox

Engine Download Report Detection Info
malicious
malicious
Score: 87
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
malicious
Score: 100
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run Condition: Run with higher sleep bypass

Third Party Analysis Engines

malicious
Score: 33/71
malicious
Score: 7/37
malicious
Score: 18/28
malicious
malicious

IPs

IP Country Detection
172.67.142.39
United States
104.28.4.129
United States

Domains

Name IP Detection
dream.pics
8.208.85.95
pmap.sandai.net
47.97.7.140
relay.phub.hz.sandai.net
0.0.0.0
Click to see the 22 hidden entries
hub5pnc.hz.sandai.net
0.0.0.0
imhub5pr.hz.sandai.net
0.0.0.0
hub5pn.hz.sandai.net
0.0.0.0
hub5pr.hz.sandai.net
0.0.0.0
pmap.hz.sandai.net
0.0.0.0
hubstat.hz.sandai.net
0.0.0.0
score.phub.hz.sandai.net
0.0.0.0
hub5sr.shub.hz.sandai.net
0.0.0.0
hub5u.hz.sandai.net
0.0.0.0
hub5idx.shub.hz.sandai.net
0.0.0.0
hub5c.hz.sandai.net
0.0.0.0
ef6df4af06ba6896.xyz
104.28.4.129
cncidx.m.hub.sandai.net
112.64.218.64
cnc.hub5pn.sandai.net
153.3.232.174
www.sodown.xyz
104.18.63.67
cnc.hub5pnc.sandai.net
47.92.99.221
1c5491a87d65f1ef.club
172.67.142.39
EF6DF4AF06BA6896.xyz
104.28.4.129
bgphub5pr.sandai.net
47.92.39.6
iplogger.org
88.99.66.31
bgphub5u.sandai.net
39.98.57.143
cnchubstat.sandai.net
140.206.225.136

URLs

Name Detection
http://dream.pics/setup_10.2_mix1.exeimet
http://www.sodown.xyz/index.exe
http://dream.pics/setup_10.2_mix1.exe/silentHKEY_CURRENT_USERSoftware
Click to see the 83 hidden entries
http://dream.pics/setup_10.2_mix1.exe6b_x
http://dream.pics/setup_10.2_mix1.exe
https://ac.ecosia.org/autocomplete?q=
https://twitter.com/compose/tweetsec-fetch-mode:
https://upload.twitter.com/i/media/upload.json
http://ef6df4af06ba6896.xyz/info/du
https://api.twitter.com/1.1/statuses/update.json
https://twitter.com/
http://nsis.sf.net/NSIS_ErrorError
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
https://1C5491A87D65F1EF.club/
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
https://www.messenger.com/origin:
https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking
https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me
http://EF6DF4AF06BA6896.xyz/dbo
https://www.instagram.com/
https://twitter.com/compose/tweetsec-fetch-dest:
http://www.youtube.com
https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
http://www.sodown.xyz/in
https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:
https://feedback.googleusercontent.com
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0
http://ocsp.usertrus
http://EF6DF4AF06BA6896.xyz/
https://www.messenger.com/accept:
http://EF6DF4AF06BA6896.xyz/info/dddi_u
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
http://crl.usertrust.
http://ef6df4af06ba6896.xyz/info/r
https://1C5491A87D65F1EF.club/Info_t/up
http://EF6DF4AF06BA6896.xyz/info/r
http://EF6DF4AF06BA6896.xyz/info/g
http://ef6df4af06ba6896.xyz/info/e
http://nsis.sf.net/NSIS_Error
http://ef6df4af06ba6896.xyz/info/g
https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2
http://EF6DF4AF06BA6896.xyz//
https://twitter.comsec-fetch-dest:
https://1C5491A87D65F1EF.club/Info_t/upData
https://curl.haxx.se/docs/http-cookies.html
https://twitter.com/ookie:
http://EF6DF4AF06BA6896.xyz/;
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
http://nsis.sf.net/NSIS_Error...
https://apreltech.com/SilentInstallBuilder/Doc/&t=event&ec=%s&ea=%s&el=_
http://EF6DF4AF06BA6896.xyz/info/w
http://www.nirsoft.net
https://iplogger.org/14Zhe7
http://ef6df4af06ba6896.xyz/info/w
http://EF6DF4AF06BA6896.xyz/0
https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:
https://www.messenger.com/
http://EF6DF4AF06BA6896.xyz/info/du
http://ocsp.sectigo.com0
https://duckduckgo.com/ac/?q=
https://01%s08%s15%s22%sWebGL%d%02d%s.club/http://01%s08%s15%s22%sFrankLin%d%02d%s.xyz/post_info.
https://duckduckgo.com/chrome_newtab
http://ef6df4af06ba6896.xyz/
http://EF6DF4AF06BA6896.xyz/info/ddd
https://1C5491A87D65F1EF.club/Info_t/upycfa
http://crt.com
http://ef6df4af06ba6896.xyz/info/du.
http://www.nirsoft.net/
https://www.messenger.com/login/nonce/
https://.twitter.com/s
https://www.instagram.com/accept:
https://www.messenger.com
https://sectigo.com/CPS0
https://sectigo.com/CPS0D
http://www.interestvideo.com/video1.php
https://twitter.comReferer:
http://www.youtube.com_7
http://EF6DF4AF06BA6896.xyz/info/wlub
https://www.instagram.com/sec-fetch-site:
http://ef6df4af06ba6896.xyz/info/du:
https://www.instagram.com/accounts/login/ajax/facebook/
https://www.instagram.comsec-fetch-mode:

Dropped files

Name File Type Hashes Detection
C:\Program Files (x86)\71eza90awf48\aliens.exe
PE32 executable (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\1E1C360C582DF797.exe
PE32 executable (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\h1GodtbhC8.exe.log
ASCII text, with CRLF line terminators
#
Click to see the 47 hidden entries
C:\Users\user\AppData\Local\Temp\nsqEF29.tmp\Sibuia.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\0\setup.exe
PE32 executable (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\download\atl71.dll
empty
#
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll
empty
#
C:\Users\user\AppData\Local\Temp\download\download_engine.dll
empty
#
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll
empty
#
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
empty
#
C:\Users\user\AppData\Local\Temp\download\zlib1.dll
empty
#
C:\Users\user\AppData\Local\Temp\ecv38E9.tmp
empty
#
C:\Users\user\AppData\Local\Temp\ecv77D7.tmp
empty
#
C:\Users\user\AppData\Local\Temp\gdiview.msi
empty
#
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe
empty
#
C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\SibCa.dll
data
#
C:\Users\user\AppData\Local\Temp\sibEFF5.tmp\SibClr.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\xldl.dat
empty
#
C:\Users\user\AppData\Local\Temp\xldl.dll
empty
#
C:\Users\user\AppData\Local\Web Data1607186582842
empty
#
C:\Users\user\AppData\Local\crx.7z
empty
#
C:\Users\user\AppData\Local\crx.json
empty
#
C:\Users\user\AppData\Localwebdata1607186582842
empty
#
C:\Users\user\AppData\Roaming\1607186572092.exe
empty
#
C:\Users\user\AppData\Roaming\1607186572092.txt
empty
#
C:\Users\user\AppData\Roaming\1607186588295.exe
empty
#
C:\Users\user\AppData\Roaming\1607186588295.txt
empty
#
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\codadfjafjohpbonogiakdokmmnfeaje\1.0.0.0_0\manifest.json
empty
#
C:\ProgramData\sib\{7C999AAA-0000-487E-97BD-7619B45532F4}\SibCa.dll
data
#
C:\ProgramData\sib\{7C999AAA-0000-487E-97BD-7619B45532F4}\SibClr.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\ProgramData\sib\{7C999AAA-0000-487E-97BD-7619B45532F4}\sib.dat
data
#
C:\Users\user\AppData\Local\Cookies1607186571999
empty
#
C:\Users\user\AppData\Local\Cookies1607186582639
empty
#
C:\Users\user\AppData\Local\Cookies1607186588295
empty
#
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\codadfjafjohpbonogiakdokmmnfeaje\1.0.0.0_0\background.js
empty
#
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\codadfjafjohpbonogiakdokmmnfeaje\1.0.0.0_0\book.js
empty
#
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\codadfjafjohpbonogiakdokmmnfeaje\1.0.0.0_0\icon.png
empty
#
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\codadfjafjohpbonogiakdokmmnfeaje\1.0.0.0_0\icon48.png
empty
#
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\codadfjafjohpbonogiakdokmmnfeaje\1.0.0.0_0\jquery-1.8.3.min.js
empty
#
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
empty
#
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\codadfjafjohpbonogiakdokmmnfeaje\1.0.0.0_0\popup.html
empty
#
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\codadfjafjohpbonogiakdokmmnfeaje\1.0.0.0_0\popup.js
empty
#
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
empty
#
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
empty
#
C:\Users\user\AppData\Local\Login Data1607186571889
empty
#
C:\Users\user\AppData\Local\Login Data1607186582639
empty
#
C:\Users\user\AppData\Local\Login Data1607186588249
empty
#
C:\Users\user\AppData\Local\Temp\1607186617055
empty
#
C:\Users\user\AppData\Local\Temp\1607186619758
empty
#
C:\Users\user\AppData\Local\Temp\MSI5715.tmp
empty
#