GZe6EcSTpO.exe

Status: finished
Submission Time: 2021-04-02 13:35:36 +02:00
Malicious
Ransomware
Trojan
Exploiter
Evader
Miner
Mimikatz HawkEye Nanocore xRAT CobaltStrike Codoso Ghost Coinhive Crypto Miner GhostRat Mini RAT Mirai Nukesped PupyRAT Quasar RevengeRAT ComRAT UACMe WebMonitor RAT Xmrig Xtreme RAT

Comments

Tags

  • 1512361453

Details

  • Analysis ID:
    380813
  • API (Web) ID:
    663762
  • Analysis Started:
    2021-04-02 13:45:10 +02:00
  • Analysis Finished:
    2021-04-02 14:02:45 +02:00
  • MD5:
    87e0355c098d2dfd890ae4c9da26bbdd
  • SHA1:
    5f300f4dd15cccbe51cd4df51ac30b7c2c84fc75
  • SHA256:
    570c3c298c2d30bfd7d824b0ec8e28b3efa51bf269297348fc5fc30cb81a2d7e
  • Technologies:

Joe Sandbox

Engine Download Report Detection Info
malicious
Score: 100
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

malicious
Score: 37/70
malicious
Score: 20/48
malicious

URLs

Name Detection
http://blog.trendmicro.com/trendlabs-security-intelligence/lurk-retracing-five-y8
http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/Spear
http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-aOperation
https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfi
http://researchcenter.paloaltonetworks.com/2016/01/nettraveler-spear-phishing-emNetTraveler
https://blogs.rsa.com/wp-content/Operation
https://www.symantec.com/security_response/writeup.jsp?docid=2018-021208-2435-99Ransom.ShurL0ckr
http://go.cybereason.com/rs/996-
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD1Truebot.A
http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets
http://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-server-en/dDDG:
https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/4PowerStager
http://www.malware-traffic-analysis.net/2017/03/30/index2.htmlxCaon
http://x.x.x/x.dll
http://www.clearskysec.com/dustysky/
https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.htmlAPT32
http://www.waseda.jp/navi/security/2017/0414.htmlCallisto
https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate
http://www.crysys.hu/miniduke/miniduke_indicators_public.pdfMiniduke
https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-speaLeviathan:
http://www.clearskysec.com/winnti/Recent
https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apac9Vulnerabilities
http://community.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-
https://github.com/ptrrkssn/pnscan
http://www.cyphort.com/multiple-malwares-used-to-target-an-asian-financial-insti:/Multiple
http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackD1Following
http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.htmlTThere
http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-si
https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-custoZEUS
https://blogs.forcepoint.com/security-labs/ursnif-variant-found-using-mouse-move8
https://www.openssl.org/docs/faq.html
https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-atOilRig
https://securelist.com/analysis/publications/69953/the-naikon-apt/
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot
https://goo.gl/t3uUTG
https://twitter.com/0x766c6164/status/794176576011309056
https://www.riskiq.com/blog/labs/fake-flash-update-watering-hole-attack/
https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf.
http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malverNew
http://researchcenter.paloaltonetworks.com/2015/07/apt-group-ups-targets-us-gove
http://blog.talosintelligence.com/2017/02/korean-maldoc.htmlCloud
https://objective-see.com/blog/blog_0x26.html
http://www.intezer.com/another-distraction-new-version-north-korean-ransomware-h24A
https://twitter.com/cyb3rops/status/1097423665472376832ASCS
https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/
https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20RRSA
https://twitter.com/eyaBanking
https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/
https://www.bluecoat.com/security-blog/2015-04-09/visual-basic-script-malware-rePotential
http://pwc.blogs.com/files/cto-tib-20150223-01a.pdfSakula
http://phishme.com/disrupting-an-adware-serving-skype-botnet/
http://blog.cylance.com/spear-a-threat-actor-resurfacesThe
http://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intellige8
https://www.bluecoat.com/security-blog/2015-08-21/tinted-cve-decoy-spearphising-Spearphising
https://cysinfo.com/malware-actors-using-nic-cyber-security-themed-spear-phishinn
https://goo.gl/rW1yvZ
http://cyber.verint.com/nymaim-malware-variant/aAPT28
http://goo.gl/SGcS2HSymantec
https://mymalwareparty.blogspot.co.uk/2017/07/operation-desert-eagle.htmls/Operation
https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insidsOperation
http://www.welivesecurity.com/2015/04/09/operation-buhtrap/ROKRAT
http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-famiComment
https://www.proofpoint.com/us/threat-insight/post/Meet-GreenDispenser
https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciuClDeciphering
http://news.asiaone.com/news
https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdfStantinko
https://asert.arbornetworks.com/uncovering-the-seven-pointed-dagger/
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeNwOperation
https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.htThe
http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScBanking
http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdfpoOperation
http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spfdNearly
https://www.arbornetworks.com/blog/asert/dirtjumpers-ddos-engine-gets-a-tune-up-kCommunities
http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Unveiling%20araHangover
https://www.alienvault.com/open-threat-ex/Operation
http://www.welivesecurity.com/2016/07/12/nymaim-rides-2016-reaches-brazil/Regin
https://www.alienvault.com/blogs/labs-researcwrWannaCry
http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discoversKorplug
https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/
http://blogs.cisco.com/security/talos/malicious-pngs6b44c772bac7cc958b1b4535f02a584fc3a55377a3e7f4cc
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeioOperation
https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfampAnalysis
https://vms.drweb.com/virus/?_is=1&ampLinux.Proxy.10
http://2016.eicar.org/85-0-Download.html
http://phishme.com/disrupting-an-adware-serving-skype-botnet/Pushdo
https://securelist.com/analysis/publications/69953/the-naikon-apt/Citadel
http://www.aftana.ir/images/docs/files/000002/nf00002716-1.pdfHancitor
https://www.blueliv.com
https://goo.gl/joxXHF
http://blog.talosintelligence.com/2017/09/brazilbanking.htmlGlobe
https://goo.gl/7jGkpV
https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHas.Operation
https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pd
http://phishme.com/bolek-leaked-carberp-kbot-source-code-complicit-new-phishing-Bolek:
https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-pe
https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-custoChinese
https://research.checkpoint.com/apt-attack-middle-east-big-bang/
https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdfLegspin
https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw-Gold
https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tieseNew

Dropped files

Name (File Type)

  • C:\Users\user\Desktop\otx-c2-iocs.txt (Unknown)
  • C:\Users\user\Desktop\filename-iocs.txt (Unknown)
  • C:\Users\user\Desktop\lib\win32ui.pyd (Unknown)
  • C:\Users\user\Desktop\status.log (ASCII text, with no line terminators)
  • C:\Users\user\Desktop\python27.dll (Unknown)
  • C:\Users\user\Desktop\otx-hash-iocs.txt (Unknown)
  • C:\Users\user\Desktop\otx-filename-iocs.txt (Unknown)
  • C:\Users\user\Desktop\otx-c2-iocs-ipv4.txt (Unknown)
  • C:\Users\user\Desktop\msvcr100.dll (Unknown)
  • C:\Users\user\Desktop\msvcp90.dll (Unknown)
  • C:\Users\user\Desktop\msvcm90.dll (Unknown)
  • C:\Users\user\Desktop\lib\yara.pyd (Unknown)
  • C:\Users\user\Desktop\lib\winxpgui.pyd (Unknown)
  • C:\Users\user\Desktop\lib\win32wnet.pyd (Unknown)
  • C:\Users\user\Desktop\tcl\clock.tcl (Unknown)
  • C:\Users\user\Desktop\lib\win32trace.pyd (Unknown)
  • C:\Users\user\Desktop\lib\win32process.pyd (Unknown)
  • C:\Users\user\Desktop\lib\win32pipe.pyd (Unknown)
  • C:\Users\user\Desktop\lib\win32pdh.pyd (Unknown)
  • C:\Users\user\Desktop\lib\win32gui.pyd (Unknown)
  • C:\Users\user\Desktop\lib\win32file.pyd (Unknown)
  • C:\Users\user\Desktop\lib\win32event.pyd (Unknown)
  • C:\Users\user\Desktop\lib\win32com.taskscheduler.taskscheduler.pyd (Unknown)
  • C:\Users\user\Desktop\lib\win32com.shell.shell.pyd (Unknown)
  • C:\Users\user\Desktop\lib\win32com.propsys.propsys.pyd (Unknown)
  • C:\Users\user\Desktop\lib\win32com.mapi.mapi.pyd (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\cp1258.enc (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\cp864.enc (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\cp863.enc (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\cp862.enc (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\cp861.enc (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\cp860.enc (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\cp857.enc (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\cp855.enc (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\cp852.enc (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\cp850.enc (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\cp775.enc (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\cp737.enc (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\cp437.enc (Unknown)
  • C:\Users\user\Desktop\tcl\auto.tcl (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\cp1257.enc (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\cp1256.enc (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\cp1255.enc (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\cp1254.enc (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\cp1253.enc (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\cp1252.enc (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\cp1251.enc (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\cp1250.enc (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\big5.enc (Unknown)
  • C:\Users\user\Desktop\tcl\encoding\ascii.enc (Unknown)
  • C:\Users\user\Desktop\lib\win32com.mapi.exchdapi.pyd (Unknown)
  • C:\Users\user\Desktop\hash-iocs.txt (Unknown)
  • C:\Users\user\Desktop\lib\cryptography.hazmat.bindings._constant_time.pyd (Unknown)
  • C:\Users\user\Desktop\lib\bz2.pyd (Unknown)
  • C:\Users\user\Desktop\lib\_win32sysloader.pyd (Unknown)
  • C:\Users\user\Desktop\lib\_tkinter.pyd (Unknown)
  • C:\Users\user\Desktop\lib\_ssl.pyd (Unknown)
  • C:\Users\user\Desktop\lib\_socket.pyd (Unknown)
  • C:\Users\user\Desktop\lib\_multiprocessing.pyd (Unknown)
  • C:\Users\user\Desktop\lib\_hashlib.pyd (Unknown)
  • C:\Users\user\Desktop\lib\_ctypes.pyd (Unknown)
  • C:\Users\user\Desktop\lib\_cffi_backend.pyd (Unknown)
  • C:\Users\user\Desktop\lib\MSVCR90.dll (Unknown)
  • C:\Users\user\Desktop\keywords.txt (Unknown)
  • C:\Users\user\Desktop\lib\cryptography.hazmat.bindings._openssl.pyd (Unknown)
  • C:\Users\user\Desktop\fc38c7ee-ad18-4c74-a67c-9df763b1d8a4.bin (ASCII text, with very long lines, with CRLF line terminators)
  • C:\Users\user\Desktop\falsepositive-hashes.txt (Unknown)
  • C:\Users\user\Desktop\c2-iocs.txt (Unknown)
  • C:\Users\user\Desktop\ad421c32-aaf8-4995-847c-18069215aace.md (Unknown)
  • C:\Users\user\Desktop\a6be3467-9cec-43b3-8e87-ded73d446923.bin (ASCII text, with very long lines, with CRLF line terminators)
  • C:\Users\user\Desktop\Microsoft.VC90.CRT.manifest (Unknown)
  • C:\Users\user\Desktop\MSVCR90.dll (Unknown)
  • C:\Users\user\Desktop\9703e260-d265-4332-8de3-4e5fab56a248.dll (Unknown)
  • C:\Users\user\Desktop\93d72046-08db-4412-ab52-b014148c1823.bin (ASCII text, with very long lines, with CRLF line terminators)
  • C:\Users\user\Desktop\2a5e15fa-fe3f-471c-b784-6a56e4aeac95.bin (ASCII text, with CRLF line terminators)
  • C:\Users\user\Desktop\28f4fa56-e109-42e0-9d12-1e216cf1181f.bin (ASCII text, with very long lines, with CRLF line terminators)
  • C:\Users\user\Desktop\lib\win32api.pyd (Unknown)
  • C:\Users\user\Desktop\lib\win32com.mapi.exchange.pyd (Unknown)
  • C:\Users\user\Desktop\lib\win32com.internet.internet.pyd (Unknown)
  • C:\Users\user\Desktop\lib\win32com.ifilter.ifilter.pyd (Unknown)
  • C:\Users\user\Desktop\lib\win32com.directsound.directsound.pyd (Unknown)
  • C:\Users\user\Desktop\lib\win32com.bits.bits.pyd (Unknown)
  • C:\Users\user\Desktop\lib\win32com.axscript.axscript.pyd (Unknown)
  • C:\Users\user\Desktop\lib\win32com.axdebug.axdebug.pyd (Unknown)
  • C:\Users\user\Desktop\lib\win32com.axcontrol.axcontrol.pyd (Unknown)
  • C:\Users\user\Desktop\lib\win32com.authorization.authorization.pyd (Unknown)
  • C:\Users\user\Desktop\lib\win32com.adsi.adsi.pyd (Unknown)
  • C:\Users\user\Desktop\lib\win32clipboard.pyd (Unknown)
  • C:\Users\user\Desktop\00554e26-4141-4a67-98c4-9454bf8d1c70.dll (Unknown)
  • C:\Users\user\Desktop\lib\unicodedata.pyd (Unknown)
  • C:\Users\user\Desktop\lib\tk85.dll (Unknown)
  • C:\Users\user\Desktop\lib\tcl85.dll (Unknown)
  • C:\Users\user\Desktop\lib\select.pyd (Unknown)
  • C:\Users\user\Desktop\lib\pywintypes27.dll (Unknown)
  • C:\Users\user\Desktop\lib\pythoncom27.dll (Unknown)
  • C:\Users\user\Desktop\lib\python27.dll (Unknown)
  • C:\Users\user\Desktop\lib\pyexpat.pyd (Unknown)
  • C:\Users\user\Desktop\lib\mfc90.dll (Unknown)
  • C:\Users\user\Desktop\lib\library.zip (Unknown)
  • C:\Users\user\Desktop\lib\cryptography.hazmat.bindings._padding.pyd (Unknown)