Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.654583285045402
Filename:	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Filesize:	942592
MD5:	d6f0e59d1bb1d559029da21e132a1c9b
SHA1:	7b760ca553c6d95126146825b1f5b846d5a69378
SHA256:	0afcaf64f298203c19ee5001aeb67a4a785a2a3a56fac3ead54c86811583d873
SHA512:	21615f5cce87c73e219f8357ad7b989f1c9b769ff1440a3e6804da6a9d020e864f39e22d32361edd996d8d11f9945a60eab2fe0b32f55a9aa5d0901fcb4db4fb
SSDEEP:	24576:FyDdEPf3ZQWjM2Xgx9cyEthRYxdIipRgIdbl:FTPfZpHw0hRO+i3zdbl
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..............0..Z.........."y... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Machine Learning detection for sample	AV Detection
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Antivirus or Machine Learning detection for unpacked file	AV Detection
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Sample file is different than original file name gathered from version info	System Summary
Drops PE files	Persistence and Installation Behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Found malware configuration	AV Detection
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Uses an in-process (OLE) Automation server	System Summary
Queries process information (via WMI, Win32_Process)	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
SQL strings found in memory and binary data	System Summary
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
URLs found in memory or binary data	Networking
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Reads the hosts file	System Summary	Remote System Discovery
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary	System Information Discovery
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.log
Category:	dropped
Dump:	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.355304211458859
Encrypted:	false
Ssdeep:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
Category:	dropped
Dump:	wPBZqbH.exe.7.dr
ID:	dr_2
Target ID:	7
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.654583285045402
Encrypted:	false
Ssdeep:	24576:FyDdEPf3ZQWjM2Xgx9cyEthRYxdIipRgIdbl:FTPfZpHw0hRO+i3zdbl
Size:	942592
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Machine Learning detection for dropped file	AV Detection
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Windows Management Instrumentation
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	Data from Local System OS Credential Dumping
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information	Data from Local System OS Credential Dumping
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Reads the hosts file	System Summary	Remote System Discovery
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe:Zone.Identifier

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe:Zone.Identifier
Category:	modified
Dump:	wPBZqbH.exe_Zone.Identifier.7.dr
ID:	dr_1
Target ID:	7
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Machine Learning detection for dropped file	AV Detection
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Windows Management Instrumentation
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	Data from Local System OS Credential Dumping
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information	Data from Local System OS Credential Dumping
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Reads the hosts file	System Summary	Remote System Discovery
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wPBZqbH.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wPBZqbH.exe.log
Category:	dropped
Dump:	wPBZqbH.exe.log.11.dr
ID:	dr_3
Target ID:	11
Process:	C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.355304211458859
Encrypted:	false
Ssdeep:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
Size:	1216
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Details

Is windows:	false
Is dropped:	false
PID:	5708
Target ID:	0
Parent PID:	3452
Name:	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Size:	942592
MD5:	D6F0E59D1BB1D559029DA21E132A1C9B
Time:	13:50:12
Date:	29/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xb90000
Modulesize:	966656
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Details

Is windows:	false
Is dropped:	false
PID:	64
Target ID:	7
Parent PID:	5708
Name:	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Size:	942592
MD5:	D6F0E59D1BB1D559029DA21E132A1C9B
Time:	13:50:22
Date:	29/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x490000
Modulesize:	966656
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe

"C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe"

Details

Is windows:	false
Is dropped:	true
PID:	2816
Target ID:	11
Parent PID:	3452
Name:	wPBZqbH.exe
Path:	C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
Commandline:	"C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe"
Size:	942592
MD5:	D6F0E59D1BB1D559029DA21E132A1C9B
Time:	13:50:46
Date:	29/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x8f0000
Modulesize:	966656
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe

Details

Is windows:	false
Is dropped:	true
PID:	5328
Target ID:	12
Parent PID:	2816
Name:	wPBZqbH.exe
Path:	C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
Commandline:	C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
Size:	942592
MD5:	D6F0E59D1BB1D559029DA21E132A1C9B
Time:	13:50:54
Date:	29/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x440000
Modulesize:	966656
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe

"C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe"

Details

Is windows:	false
Is dropped:	true
PID:	5316
Target ID:	13
Parent PID:	3452
Name:	wPBZqbH.exe
Path:	C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
Commandline:	"C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe"
Size:	942592
MD5:	D6F0E59D1BB1D559029DA21E132A1C9B
Time:	13:50:54
Date:	29/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0xf60000
Modulesize:	966656
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://127.0.0.1:HTTP/1.1

unknown

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.fontbureau.com

unknown

http://www.fontbureau.com/designersG

unknown

http://www.fontbureau.com/designers/?

unknown

http://www.founder.com.cn/cn/bThe

unknown

http://www.fontbureau.com/designers?

unknown

https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

unknown

http://www.tiro.com

unknown

https://Xnj1QfqQIFq9bE.net

unknown

http://www.fontbureau.com/designers

unknown

http://www.goodfont.co.kr

unknown

http://hVcQOe.com

unknown

http://www.carterandcone.coml

unknown

http://www.sajatypeworks.com

unknown

http://www.typography.netD

unknown

http://www.fontbureau.com/designers/cabarga.htmlN

unknown

http://www.founder.com.cn/cn/cThe

unknown

http://www.galapagosdesign.com/staff/dennis.htm

unknown

http://fontfabrik.com

unknown

http://www.founder.com.cn/cn

unknown

http://www.fontbureau.com/designers/frere-jones.html

unknown

http://mail.akademetre.com

unknown

http://www.jiyu-kobo.co.jp/

unknown

http://DynDns.comDynDNSnamejidpasswordPsi/Psi

unknown

http://www.galapagosdesign.com/DPlease

unknown

http://www.fontbureau.com/designers8

unknown

http://www.fonts.com

unknown

http://www.sandoll.co.kr

unknown

http://www.urwpp.deDPlease

unknown

http://www.zhongyicts.com.cn

unknown

http://www.sakkal.com

unknown

There are 22 hidden URLs, click here to show them.

Domains

Name

Malicious

mail.akademetre.com

212.58.6.82

Details

Name:	mail.akademetre.com
IP:	212.58.6.82
TargetID:	7
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

_kerberos._tcp.dc._msdcs.akademetre.com

unknown

IPs

Domain

Country

Malicious

212.58.6.82

mail.akademetre.com

Turkey

Details

IP:	212.58.6.82
TargetID:	7
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Country:	Turkey
Countrycode:	TUR
ASN number:	8685
ASN name:	DORUKNETTR
Private:	false
Domain:	mail.akademetre.com

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses SMTP (mail sending)	Networking	Application Layer Protocol

192.168.2.1

unknown

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

wPBZqbH

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run

wPBZqbH

Memdumps

Base Address

Regiontype

Protect

Malicious

2CF1000

trusted library allocation

page read and write

2911000

trusted library allocation

page read and write

2951000

trusted library allocation

page read and write

420B000

trusted library allocation

page read and write

2FEB000

trusted library allocation

page read and write

2FB1000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

32AC000

trusted library allocation

page read and write

3CF9000

trusted library allocation

page read and write

5DF9000

trusted library allocation

page read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe