3YzgU3S0nW.exe

Status: finished

Submission Time: 2021-12-31 19:21:09 +01:00

Malicious

Trojan

Spyware

Evader

RedLine SmokeLoader Tofsee Vidar

Comments

Details

Analysis ID:
546826
API (Web) ID:
914348
Analysis Started:

2021-12-31 19:21:09 +01:00
Analysis Finished:

2021-12-31 19:36:12 +01:00
MD5:
720b195655e0a571c4d511088b51202b
SHA1:
f171845fe7b3ae9576ea0f698edd8d65d6bf6ead
SHA256:
eb24b3b9375f0b3272fac6eecc9329f79eab274d802b2ad37037cc83a46fa3f1
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

malicious

Score: 27/43

malicious

IPs

IP	Country	Detection
188.166.28.199	Netherlands
185.233.81.115	Russian Federation
185.7.214.171	France
Click to see the 11 hidden entries
185.186.142.166	Russian Federation
86.107.197.138	Romania
54.38.220.85	France
104.21.41.11	United States
162.159.133.233	United States
91.243.44.128	Russian Federation
144.76.136.153	Germany
31.28.27.130	Russian Federation
164.132.207.80	France
67.199.248.15	United States
67.199.248.10	United States

Domains

Name	IP	Detection
unicupload.top	54.38.220.85
dodecoin.org	164.132.207.80
host-data-coin-11.com	31.28.27.130
Click to see the 9 hidden entries
bit.ly	67.199.248.10
bitly.com	67.199.248.15
t.me	149.154.167.99
cdn.discordapp.com	162.159.133.233
transfer.sh	144.76.136.153
privacytools-foryou-777.com	31.28.27.130
file-file-host4.com	31.28.27.130
short.link	104.21.41.11
data-host-coin-8.com	31.28.27.130

URLs

Name	Detection
http://185.7.214.171:8080/6.php
http://privacytools-foryou-777.com/downloads/toolspab2.exe
http://data-host-coin-8.com/game.exe
Click to see the 97 hidden entries
https://support.google.com/chrome/?p=plugin_java
http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
http://tempuri.org/Entity/Id13Response
https://support.google.com/chrome/?p=plugin_divx
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
http://schemas.xmlsoap.org/ws/2004/06/addressingex
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
https://cdn.discordapp.com/attachments/916319571638620172/925647741571452938/Pyroxylic.exe
https://dev.virtualearth.net/REST/v1/Routes/Driving
https://support.google.com/chrome/?p=plugin_wmp
http://tempuri.org/Entity/Id8Response
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
http://schemas.xmlsoap.org/ws/2002/12/policy
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
https://get.adob
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
https://www.tiktok.com/legal/report/feedback
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
http://file-file-host4.com/sqlite3.dll
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
https://dev.ditu.live.com/REST/v1/Transit/Stops/
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
https://www.google.com/images/branding/product/ico/googleg_lodp.ico
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
http://tempuri.org/Entity/Id19ResponseX
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
http://tempuri.org/Entity/Id10Response
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://tempuri.org/Entity/Id15Response
https://bit.ly/3eHgQQR
http://schemas.xmlsoap.org/ws/2004/10/wsat
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
https://support.google.com/chrome/?p=plugin_real
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
http://data-host-coin-8.com/files/6976_1640974830_4226.exe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
http://tempuri.org/Entity/Id21Response
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
http://tempuri.org/Entity/Id2Response
http://tempuri.org/
https://dodecoin.org/dogewallet-setup.exe
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
http://tempuri.org/Entity/Id12Response
https://duckduckgo.com/ac/?q=
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
https://duckduckgo.com/chrome_newtab
http://schemas.xmlsoap.org/ws/2005/02/sc/sct
http://schemas.xmlsoap.org/ws/2004/08/addressing
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD
https://transfer.sh/%28/8V4TRR/q.exe%29.zip
http://tempuri.org/Entity/Id5Response
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
https://dev.virtualearth.net/REST/v1/Routes/Transit
https://support.google.com/chrome/?p=plugin_shockwave
https://dynamic.t
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
http://data-host-coin-8.com/files/5376_1640094939_1074.exe
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
https://dev.virtualearth.net/REST/v1/Locations
http://tempuri.org/Entity/Id24Response
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
https://api.ip.sb/ip
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Roaming\ahtdegs:Zone.Identifier	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\ahtdegs	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\7085.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
Click to see the 23 hidden entries
C:\Users\user\AppData\Local\Temp\8132.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\8A8A.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\9355.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\atingifo.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\FFBD.exe	MS-DOS executable	#
C:\Users\user\AppData\Local\Temp\F338.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\AI58QQIW	SQLite 3.x database, last written using SQLite version 3032001	#
C:\Windows\SysWOW64\tfktmtml\atingifo.exe (copy)	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220101_032203_728.etl	data	#
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001WS (copy)	data	#
C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 (copy)	data	#
C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001@ (copy)	data	#
C:\Users\user\AppData\Local\Temp\DJMYU3EC	SQLite 3.x database, last written using SQLite version 3032001	#
C:\ProgramData\sqlite3.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\6PZCBASJ	SQLite 3.x database, last written using SQLite version 3032001	#
C:\Users\user\AppData\Local\Temp\2NOH4EKN	SQLite 3.x database, last written using SQLite version 3032001	#
C:\Users\user\AppData\Local\Temp\175C.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl	data	#
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl	data	#
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\sqlite3[1].dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9355.exe.log	ASCII text, with CRLF line terminators	#

3YzgU3S0nW.exe

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

3YzgU3S0nW.exe Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

3YzgU3S0nW.exe