Source: 0.2.ciao.exe.2240000.1.raw.unpack |
Malware Configuration Extractor: Dridex {"Version": 10111, "C2 list": ["172.104.87.236:1512", "111.230.104.169:3388", "103.199.16.245:1512", "123.206.58.135:8172"], "RC4 keys": ["b58Q3DBSSKBc6NV2yyV3b42Fe6ojFZI8N0WEB", "v6jcviKqGv6lx4uz0Uk6jZvCxPAlfkVHiJTrTCXnmNdXSzxXzMkdiXrFRnzJTUZjrSf1W"]} |
Source: C:\Users\user\Desktop\ciao.exe |
Unpacked PE file: 0.2.ciao.exe.400000.0.unpack |
Source: ciao.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
IPs: 172.104.87.236:1512 |
Source: Malware configuration extractor |
IPs: 111.230.104.169:3388 |
Source: Malware configuration extractor |
IPs: 103.199.16.245:1512 |
Source: Malware configuration extractor |
IPs: 123.206.58.135:8172 |
Source: global traffic |
TCP traffic: 192.168.2.5:49780 -> 111.230.104.169:3388 |
Source: global traffic |
TCP traffic: 192.168.2.5:49789 -> 103.199.16.245:1512 |
Source: global traffic |
TCP traffic: 192.168.2.5:49793 -> 123.206.58.135:8172 |
Source: Joe Sandbox View |
ASN Name: CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa |
Source: unknown |
TCP traffic detected without corresponding DNS query: 172.104.87.236 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 111.230.104.169 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 103.199.16.245 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 123.206.58.135 |
Source: ciao.exe, 00000000.00000002.694824738.000000000009D000.00000004.00000010.00020000.00000000.sdmp |
String found in binary or memory: https://123.206.58.135:8172/h |
Source: unknown |
DNS traffic detected: queries for: store-images.s-microsoft.com |
Source: Yara match |
File source: 0.2.ciao.exe.2240000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.ciao.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.ciao.exe.2240000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.ciao.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.695387453.0000000002240000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.694841619.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00405150 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,LoadLibraryW, |
0_2_00405150 |
Source: ciao.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: ciao.exe, 00000000.00000002.695111803.0000000000473000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamePSFTP: vs ciao.exe |
Source: ciao.exe |
Binary or memory string: OriginalFilenamePSFTP: vs ciao.exe |
Source: ciao.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00405150 |
0_2_00405150 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_004167C8 |
0_2_004167C8 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00421020 |
0_2_00421020 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0041D030 |
0_2_0041D030 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_004188C0 |
0_2_004188C0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00418CC0 |
0_2_00418CC0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0040ACD0 |
0_2_0040ACD0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0041A0D0 |
0_2_0041A0D0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_004198DA |
0_2_004198DA |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0041E0A0 |
0_2_0041E0A0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0042DCA0 |
0_2_0042DCA0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_004250A0 |
0_2_004250A0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00424CA0 |
0_2_00424CA0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00425CB0 |
0_2_00425CB0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00417564 |
0_2_00417564 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00401570 |
0_2_00401570 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0041FDD0 |
0_2_0041FDD0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_004289F0 |
0_2_004289F0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_004271F0 |
0_2_004271F0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0041D980 |
0_2_0041D980 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0042D180 |
0_2_0042D180 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0041C590 |
0_2_0041C590 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0040F9A0 |
0_2_0040F9A0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00421240 |
0_2_00421240 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0041A660 |
0_2_0041A660 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00427660 |
0_2_00427660 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00422E60 |
0_2_00422E60 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00409E70 |
0_2_00409E70 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00419E70 |
0_2_00419E70 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0040CA10 |
0_2_0040CA10 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0042FA10 |
0_2_0042FA10 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00420220 |
0_2_00420220 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0042D620 |
0_2_0042D620 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00423EC0 |
0_2_00423EC0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0042FA10 |
0_2_0042FA10 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00406AD0 |
0_2_00406AD0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_004196D0 |
0_2_004196D0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0041F6E0 |
0_2_0041F6E0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0041B6F0 |
0_2_0041B6F0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00418EF0 |
0_2_00418EF0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_004262F0 |
0_2_004262F0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0041AE80 |
0_2_0041AE80 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00418AB0 |
0_2_00418AB0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00421EB0 |
0_2_00421EB0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_004226B0 |
0_2_004226B0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0041BF50 |
0_2_0041BF50 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00415B60 |
0_2_00415B60 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00423B00 |
0_2_00423B00 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00429B10 |
0_2_00429B10 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00421730 |
0_2_00421730 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_004183C0 |
0_2_004183C0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00417FC0 |
0_2_00417FC0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00427FC0 |
0_2_00427FC0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0041E3F0 |
0_2_0041E3F0 |
Source: ciao.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: ciao.exe |
Metadefender: Detection: 32% |
Source: ciao.exe |
ReversingLabs: Detection: 92% |
Source: classification engine |
Classification label: mal100.bank.troj.evad.winEXE@1/0@1/4 |
Source: C:\Users\user\Desktop\ciao.exe |
Unpacked PE file: 0.2.ciao.exe.400000.0.unpack .text:ER;.rdata:R;.text3:R;.text2:R;.data:W;.data3:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R; |
Source: C:\Users\user\Desktop\ciao.exe |
Unpacked PE file: 0.2.ciao.exe.400000.0.unpack |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0044449F push ecx; ret |
0_2_004444A0 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00444254 push ecx; retf |
0_2_0044426B |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0222BBC0 push edx; ret |
0_2_0222BD4E |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_022162ED pushad ; iretd |
0_2_02216305 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_021F7192 push dword ptr [ebp+ecx*8-49h]; retf |
0_2_021F7196 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0220F6ED push esi; ret |
0_2_0220F6F7 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_0221FB94 push esi; ret |
0_2_0221FBAB |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_021F89BD push 00000369h; ret |
0_2_021F8A48 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_021F89ED push 00000369h; ret |
0_2_021F8A48 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_021F0EAF push esi; ret |
0_2_021F0EB4 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_021F1D31 push FFFFFFD5h; ret |
0_2_021F1D38 |
Source: ciao.exe |
Static PE information: section name: .text3 |
Source: ciao.exe |
Static PE information: section name: .text2 |
Source: ciao.exe |
Static PE information: section name: .data3 |
Source: initial sample |
Static PE information: section name: .text entropy: 7.42644876953 |
Source: C:\Users\user\Desktop\ciao.exe TID: 7044 |
Thread sleep time: -156000s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\ciao.exe TID: 7044 |
Thread sleep time: -135000s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\ciao.exe TID: 7044 |
Thread sleep time: -125000s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\ciao.exe TID: 7044 |
Thread sleep time: -330000s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\ciao.exe TID: 7044 |
Thread sleep time: -122000s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\ciao.exe TID: 7044 |
Thread sleep time: -120000s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\ciao.exe TID: 7044 |
Thread sleep time: -143000s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\ciao.exe |
Check user administrative privileges: GetTokenInformation,DecisionNodes |
Source: C:\Users\user\Desktop\ciao.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,LoadLibraryW, |
0_2_00405150 |
Source: C:\Users\user\Desktop\ciao.exe |
Code function: 0_2_00413930 GetTokenInformation,GetTokenInformation,GetSystemInfo,GetTokenInformation, |
0_2_00413930 |
Source: Yara match |
File source: 00000000.00000002.695331937.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY |