Click to jump to signature section
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "FTP", "FTP Server": "ftp://103.147.185.85/", "Password": "bvhfgas7", "Port": 21} |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll |
Source: 3EqRILOXx1.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: browserpassEcostura.browserpass.dll.compressedEcostura.browserpass.pdb.compressed+newtonsoft.json.net20Ycostura.newtonsoft.json.net20.dll.compressedYcostura.newtonsoft.json.net20.pdb.compressed source: 3EqRILOXx1.exe |
Source: | Binary string: costura.browserpass.pdb.compressed source: 3EqRILOXx1.exe |
Source: | Binary string: symbols\dll\mscorlib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.318849682.0000000000B86000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: lib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: C:\Windows\dll\mscorlib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: q#"costura.browserpass.pdb.compressed source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: costura.newtonsoft.json.net20.pdb.compressed source: 3EqRILOXx1.exe |
Source: | Binary string: q-,costura.newtonsoft.json.net20.pdb.compressed( source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Windows\mscorlib.pdbd source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | DNS query: name: checkip.dyndns.org |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | DNS query: name: checkip.dyndns.org |
Source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org |
Source: 3EqRILOXx1.exe, 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/ |
Source: 3EqRILOXx1.exe | String found in binary or memory: http://checkip.dyndns.org/q |
Source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgx&Qq |
Source: 3EqRILOXx1.exe | String found in binary or memory: https://api.telegram.org/bot |
Source: 3EqRILOXx1.exe | String found in binary or memory: https://freegeoip.app/xml/ |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Code function: 0_2_00EBA09A recv, |
Source: 3EqRILOXx1.exe, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs | .Net Code: TakeScreenshot |
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs | .Net Code: TakeScreenshot |
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs | .Net Code: TakeScreenshot |
Source: 3EqRILOXx1.exe, type: SAMPLE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth |
Source: 3EqRILOXx1.exe, type: SAMPLE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen |
Source: 3EqRILOXx1.exe, type: SAMPLE | Matched rule: Detects Snake Keylogger Author: ditekSHen |
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth |
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen |
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen |
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth |
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen |
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen |
Source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen |
Source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen |
Source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen |
Source: 3EqRILOXx1.exe, type: SAMPLE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 3EqRILOXx1.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking |
Source: 3EqRILOXx1.exe, type: SAMPLE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger |
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking |
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger |
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking |
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger |
Source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger |
Source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger |
Source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1364 |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Code function: 0_2_00EBA67E NtQuerySystemInformation, |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Code function: 0_2_00EBA64D NtQuerySystemInformation, |
Source: 3EqRILOXx1.exe, 00000000.00000002.318794855.00000000007F8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamewvwsOyZpBTrBOUxpiQDJT.exeL vs 3EqRILOXx1.exe |
Source: 3EqRILOXx1.exe | Binary or memory string: OriginalFilenamewvwsOyZpBTrBOUxpiQDJT.exeL vs 3EqRILOXx1.exe |
Source: unknown | Process created: C:\Users\user\Desktop\3EqRILOXx1.exe "C:\Users\user\Desktop\3EqRILOXx1.exe" |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1364 |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1364 |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Code function: 0_2_00EBA502 AdjustTokenPrivileges, |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Code function: 0_2_00EBA4CB AdjustTokenPrivileges, |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp |
Source: 3EqRILOXx1.exe, wvwsOyZpBTrBOUxpiQDJT/COVIDPickers.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' |
Source: 3EqRILOXx1.exe, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs | Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVIDPickers.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' |
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs | Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVIDPickers.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' |
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs | Cryptographic APIs: 'TransformFinalBlock' |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll |
Source: 3EqRILOXx1.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: browserpassEcostura.browserpass.dll.compressedEcostura.browserpass.pdb.compressed+newtonsoft.json.net20Ycostura.newtonsoft.json.net20.dll.compressedYcostura.newtonsoft.json.net20.pdb.compressed source: 3EqRILOXx1.exe |
Source: | Binary string: costura.browserpass.pdb.compressed source: 3EqRILOXx1.exe |
Source: | Binary string: symbols\dll\mscorlib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.318849682.0000000000B86000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: lib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: C:\Windows\dll\mscorlib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: q#"costura.browserpass.pdb.compressed source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: costura.newtonsoft.json.net20.pdb.compressed source: 3EqRILOXx1.exe |
Source: | Binary string: q-,costura.newtonsoft.json.net20.pdb.compressed( source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Windows\mscorlib.pdbd source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process queried: DebugPort |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process queried: DebugPort |
Source: 3EqRILOXx1.exe, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 3EqRILOXx1.exe, wvwsOyZpBTrBOUxpiQDJT/FFDecryptor.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll') |
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/FFDecryptor.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll') |
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/FFDecryptor.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll') |
Source: C:\Users\user\Desktop\3EqRILOXx1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1364 |
Source: Yara match | File source: 3EqRILOXx1.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR |
Source: Yara match | File source: 3EqRILOXx1.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR |
Source: Yara match | File source: 3EqRILOXx1.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR |
Source: Yara match | File source: 3EqRILOXx1.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR |
Source: Yara match | File source: 3EqRILOXx1.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR |