Source: 0.0.3EqRILOXx1.exe.780000.0.unpack |
Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "FTP", "FTP Server": "ftp://103.147.185.85/", "Password": "bvhfgas7", "Port": 21} |
Source: 3EqRILOXx1.exe |
ReversingLabs: Detection: 69% |
Source: 3EqRILOXx1.exe |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll |
Jump to behavior |
Source: 3EqRILOXx1.exe |
Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: |
Binary string: browserpassEcostura.browserpass.dll.compressedEcostura.browserpass.pdb.compressed+newtonsoft.json.net20Ycostura.newtonsoft.json.net20.dll.compressedYcostura.newtonsoft.json.net20.pdb.compressed source: 3EqRILOXx1.exe |
Source: |
Binary string: costura.browserpass.pdb.compressed source: 3EqRILOXx1.exe |
Source: |
Binary string: symbols\dll\mscorlib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.318849682.0000000000B86000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: lib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: C:\Windows\dll\mscorlib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: q#"costura.browserpass.pdb.compressed source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: costura.newtonsoft.json.net20.pdb.compressed source: 3EqRILOXx1.exe |
Source: |
Binary string: q-,costura.newtonsoft.json.net20.pdb.compressed( source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Windows\mscorlib.pdbd source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp |
Source: Traffic |
Snort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.4:49738 -> 132.226.247.73:80 |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
DNS query: name: checkip.dyndns.org |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
DNS query: name: checkip.dyndns.org |
Source: Joe Sandbox View |
ASN Name: UTMEMUS UTMEMUS |
Source: Joe Sandbox View |
IP Address: 132.226.247.73 132.226.247.73 |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive |
Source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://checkip.dyndns.org |
Source: 3EqRILOXx1.exe, 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://checkip.dyndns.org/ |
Source: 3EqRILOXx1.exe |
String found in binary or memory: http://checkip.dyndns.org/q |
Source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://checkip.dyndns.orgx&Qq |
Source: 3EqRILOXx1.exe |
String found in binary or memory: https://api.telegram.org/bot |
Source: 3EqRILOXx1.exe |
String found in binary or memory: https://freegeoip.app/xml/ |
Source: unknown |
DNS traffic detected: queries for: checkip.dyndns.org |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Code function: 0_2_00EBA09A recv, |
0_2_00EBA09A |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive |
Source: 3EqRILOXx1.exe, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs |
.Net Code: TakeScreenshot |
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs |
.Net Code: TakeScreenshot |
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs |
.Net Code: TakeScreenshot |
Source: 3EqRILOXx1.exe, type: SAMPLE |
Matched rule: Detects Encrial credential stealer malware Author: Florian Roth |
Source: 3EqRILOXx1.exe, type: SAMPLE |
Matched rule: Detects executables with potential process hoocking Author: ditekSHen |
Source: 3EqRILOXx1.exe, type: SAMPLE |
Matched rule: Detects Snake Keylogger Author: ditekSHen |
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Encrial credential stealer malware Author: Florian Roth |
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables with potential process hoocking Author: ditekSHen |
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Snake Keylogger Author: ditekSHen |
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Encrial credential stealer malware Author: Florian Roth |
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables with potential process hoocking Author: ditekSHen |
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Snake Keylogger Author: ditekSHen |
Source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Detects Snake Keylogger Author: ditekSHen |
Source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Detects Snake Keylogger Author: ditekSHen |
Source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR |
Matched rule: Detects Snake Keylogger Author: ditekSHen |
Source: 3EqRILOXx1.exe |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: 3EqRILOXx1.exe, type: SAMPLE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 3EqRILOXx1.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking |
Source: 3EqRILOXx1.exe, type: SAMPLE |
Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger |
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking |
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger |
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking |
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger |
Source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger |
Source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger |
Source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR |
Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1364 |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Code function: 0_2_00EBA67E NtQuerySystemInformation, |
0_2_00EBA67E |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Code function: 0_2_00EBA64D NtQuerySystemInformation, |
0_2_00EBA64D |
Source: 3EqRILOXx1.exe, 00000000.00000002.318794855.00000000007F8000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamewvwsOyZpBTrBOUxpiQDJT.exeL vs 3EqRILOXx1.exe |
Source: 3EqRILOXx1.exe |
Binary or memory string: OriginalFilenamewvwsOyZpBTrBOUxpiQDJT.exeL vs 3EqRILOXx1.exe |
Source: 3EqRILOXx1.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: 3EqRILOXx1.exe |
ReversingLabs: Detection: 69% |
Source: 3EqRILOXx1.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: unknown |
Process created: C:\Users\user\Desktop\3EqRILOXx1.exe "C:\Users\user\Desktop\3EqRILOXx1.exe" |
|
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1364 |
|
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1364 |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Code function: 0_2_00EBA502 AdjustTokenPrivileges, |
0_2_00EBA502 |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Code function: 0_2_00EBA4CB AdjustTokenPrivileges, |
0_2_00EBA4CB |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5266.tmp |
Jump to behavior |
Source: classification engine |
Classification label: mal100.troj.spyw.evad.winEXE@3/3@1/1 |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking |
Source: 3EqRILOXx1.exe |
String found in binary or memory: F-Stopw |
Source: 3EqRILOXx1.exe |
String found in binary or memory: F-Stopw |
Source: 3EqRILOXx1.exe, wvwsOyZpBTrBOUxpiQDJT/COVIDPickers.cs |
Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' |
Source: 3EqRILOXx1.exe, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVIDPickers.cs |
Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' |
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVIDPickers.cs |
Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' |
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll |
Jump to behavior |
Source: 3EqRILOXx1.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: 3EqRILOXx1.exe |
Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: |
Binary string: browserpassEcostura.browserpass.dll.compressedEcostura.browserpass.pdb.compressed+newtonsoft.json.net20Ycostura.newtonsoft.json.net20.dll.compressedYcostura.newtonsoft.json.net20.pdb.compressed source: 3EqRILOXx1.exe |
Source: |
Binary string: costura.browserpass.pdb.compressed source: 3EqRILOXx1.exe |
Source: |
Binary string: symbols\dll\mscorlib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.318849682.0000000000B86000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: lib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: C:\Windows\dll\mscorlib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: q#"costura.browserpass.pdb.compressed source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: costura.newtonsoft.json.net20.pdb.compressed source: 3EqRILOXx1.exe |
Source: |
Binary string: q-,costura.newtonsoft.json.net20.pdb.compressed( source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Windows\mscorlib.pdbd source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp |
Source: initial sample |
Static PE information: section name: .text entropy: 7.74079601316 |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process queried: DebugPort |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process queried: DebugPort |
Jump to behavior |
Source: 3EqRILOXx1.exe, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs |
Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 3EqRILOXx1.exe, wvwsOyZpBTrBOUxpiQDJT/FFDecryptor.cs |
Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll') |
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs |
Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/FFDecryptor.cs |
Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll') |
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs |
Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/FFDecryptor.cs |
Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll') |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1364 |
Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Jump to behavior |
Source: Yara match |
File source: 3EqRILOXx1.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR |
Source: Yara match |
File source: 3EqRILOXx1.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR |
Source: Yara match |
File source: 3EqRILOXx1.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR |
Source: Yara match |
File source: 3EqRILOXx1.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR |
Source: Yara match |
File source: 3EqRILOXx1.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR |