
Sample: T5dzWoyBkt.exe

Status: finished
Submission Time: 2022-01-06 08:07:11 +01:00
Classification: Malicious, Trojan, Spyware, Evader
Malware families detected: RedLine, SmokeLoader, Tofsee, Vidar

Tags

  • exe
  • RedLineStealer

Details

  • Analysis ID:
    548650
  • API (Web) ID:
    916173
  • Analysis Started:
    2022-01-06 08:07:13 +01:00
  • Analysis Finished:
    2022-01-06 08:23:46 +01:00
  • MD5:
    f073b540a352759bb44d7a1eb641fe61
  • SHA1:
    af036e219b6e7d6551713ad406d816d9f88b4312
  • SHA256:
    067e76900265c87d66a44f765bb720bd310e52181badf19efd63f30210f62001

Verdict: malicious

Score    Verdict
100/100  malicious  (analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211)
28/67    malicious
9/35     malicious
25/28    malicious
n/a      malicious

IPs

IP               Country
185.233.81.115   Russian Federation
185.7.214.171    France
185.186.142.166  Russian Federation
139.28.222.172   Russian Federation
188.166.28.199   Netherlands
86.107.197.138   Romania
54.38.220.85     France
162.159.133.233  United States
104.21.38.221    United States
144.76.136.153   Germany
141.8.193.236    Russian Federation
94.103.94.64     Russian Federation
67.199.248.15    United States
67.199.248.10    United States
91.243.44.130    Russian Federation

Domains

Name                         IP
unicupload.top               54.38.220.85
f0616387.xsph.ru             141.8.193.236
host-data-coin-11.com        139.28.222.172
bit.ly                       67.199.248.10
bitly.com                    67.199.248.15
cdn.discordapp.com           162.159.133.233
goo.su                       104.21.38.221
transfer.sh                  144.76.136.153
privacytools-foryou-777.com  139.28.222.172
file-file-host4.com          139.28.222.172
data-host-coin-8.com         139.28.222.172

URLs

http://privacytools-foryou-777.com/downloads/toolspab2.exe
http://185.7.214.171:8080/6.php
http://data-host-coin-8.com/files/8584_1641133152_551.exe
http://data-host-coin-8.com/game.exe
http://91.243.44.130/stlr/maps.exe
http://data-host-coin-8.com/files/2184_1641247228_8717.exe
http://unicupload.top/install5.exe
http://data-host-coin-8.com/files/6155_1641424911_5543.exe
https://185.233.81.115/32739433.dat?iddqd=1
https://cdn.discordapp.com/attachments/928021103304134716/928022474753474631/Teemless.exe
http://f0616387.xsph.ru/blcd.exe
https://dev.ditu.live.com/REST/v1/Routes/
https://dev.virtualearth.net/REST/v1/Routes/Driving
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
https://t0.tiles.ditu.live.com/tiles/gen
http://host-data-coin-11.com/
https://dev.virtualearth.net/REST/v1/Routes/Walking
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
https://bitly.com/a/blocked?hash=3eHgQQR&url=https%3A%2F%2Fcdn-131.anonfiles.com%2FP0m5w4j2xc%2Fcac3eb98-1640853984%2F%40Cryptobat9.exe
https://dev.ditu.live.com/mapcontrol/logging.ashx
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
https://dev.virtualearth.net/REST/v1/Transit/Schedules/
https://bit.ly/3eHgQQR
https://goo.su/afU3
http://file-file-host4.com/tratata.php
http://www.bingmapsportal.com
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
https://www.disneyplus.com/legal/your-california-privacy-rights
https://api.ip.sb/ip
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
https://dev.ditu.live.com/REST/v1/Transit/Stops/
https://dev.virtualearth.net/REST/v1/Routes/
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
http://file-file-host4.com/sqlite3.dll
https://www.tiktok.com/legal/report/feedback
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
https://%s.xboxlive.com
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
https://dev.virtualearth.net/REST/v1/Locations
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
https://dev.virtualearth.net/mapcontrol/logging.ashx
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
https://www.disneyplus.com/legal/privacy-policy
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
https://dynamic.t
http://file-file-host4.com/tratata.phpx
https://dev.virtualearth.net/REST/v1/Routes/Transit
https://disneyplus.com/legal.
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
https://activity.windows.com
https://dev.ditu.live.com/REST/v1/Locations
http://help.disneyplus.com.
https://transfer.sh/get/BaQ0zM/d.exe
https://%s.dnet.xboxlive.com
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
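
The IOC tables above mix three kinds of host: throwaway domains that exist only for this campaign (four of them, host-data-coin-11.com, privacytools-foryou-777.com, file-file-host4.com and data-host-coin-8.com, all sit on 139.28.222.172), shared services that merely hosted a payload (bit.ly, goo.su, cdn.discordapp.com, transfer.sh), and Bing Maps, Xbox Live and IP-check strings that are background noise from the analysis VM or from the sample's own memory. Blocking or hunting on all of them with equal weight produces false positives on the shared hosts and misses nothing on the noise. The Python below is an added example by the editor, not output of the sandbox or part of the report: it tiers the report's IOCs, pivots the domains by resolved IP, and sweeps constructed proxy log lines for them. The tier assignments, the SHARED_HOSTS and NOISE_SUFFIXES sets, the log format and the sample log are all the editor's assumptions.

```python
"""Tier the network IOCs from this report and sweep proxy logs for them.

Added example, not sandbox output. Tiering is the editor's assumption: hosts
serving only this malware are 'high'; shared services are 'medium' as a bare
host and 'high' only as the exact URL; Bing Maps / Windows / IP-check endpoints
are 'low' noise from the analysis VM.
"""
import re
from urllib.parse import urlsplit

# IOCs copied from the IPs / Domains / URLs tables above (URL list shortened).
REPORT_IPS = {
    "185.233.81.115", "185.7.214.171", "185.186.142.166", "139.28.222.172",
    "188.166.28.199", "86.107.197.138", "54.38.220.85", "162.159.133.233",
    "104.21.38.221", "144.76.136.153", "141.8.193.236", "94.103.94.64",
    "67.199.248.15", "67.199.248.10", "91.243.44.130"}
REPORT_DOMAINS = {
    "unicupload.top": "54.38.220.85", "f0616387.xsph.ru": "141.8.193.236",
    "host-data-coin-11.com": "139.28.222.172", "bit.ly": "67.199.248.10",
    "bitly.com": "67.199.248.15", "cdn.discordapp.com": "162.159.133.233",
    "goo.su": "104.21.38.221", "transfer.sh": "144.76.136.153",
    "privacytools-foryou-777.com": "139.28.222.172",
    "file-file-host4.com": "139.28.222.172", "data-host-coin-8.com": "139.28.222.172"}
REPORT_URLS = [
    "http://privacytools-foryou-777.com/downloads/toolspab2.exe",
    "http://185.7.214.171:8080/6.php",
    "http://data-host-coin-8.com/files/8584_1641133152_551.exe",
    "http://91.243.44.130/stlr/maps.exe",
    "https://185.233.81.115/32739433.dat?iddqd=1",
    "https://cdn.discordapp.com/attachments/928021103304134716/928022474753474631/Teemless.exe",
    "https://bit.ly/3eHgQQR",
    "http://file-file-host4.com/sqlite3.dll",
    "https://transfer.sh/get/BaQ0zM/d.exe",
    "https://api.ip.sb/ip",
    "https://dev.virtualearth.net/REST/v1/Locations"]

# Assumption: legitimate shared infrastructure; only the exact path is campaign-specific.
SHARED_HOSTS = {"bit.ly", "bitly.com", "cdn.discordapp.com", "goo.su", "transfer.sh"}
# Assumption: Bing Maps / Windows telemetry strings from the VM plus a generic IP-check API.
NOISE_SUFFIXES = ("virtualearth.net", "ditu.live.com", "xboxlive.com", "windows.com", "ip.sb")


def host_of(url):
    """Lowercase hostname (without port) of a URL or of a bare host/IP."""
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()


def tier(host):
    """Confidence tier for a host/IP, or None if the report does not list it."""
    if host in SHARED_HOSTS:
        return "medium"
    if host.endswith(NOISE_SUFFIXES):
        return "low"
    if host in REPORT_IPS:
        # An IP inherits the lower tier of any shared domain that resolved to it in
        # the report (162.159.133.233 is what cdn.discordapp.com resolved to).
        names = [d for d, ip in REPORT_DOMAINS.items() if ip == host]
        return "medium" if any(d in SHARED_HOSTS for d in names) else "high"
    return "high" if host in REPORT_DOMAINS else None


def build_indicators():
    """Flatten the IOCs into {indicator: tier}; exact URLs on shared hosts become 'high'."""
    ind = {x: tier(x) for x in REPORT_IPS | set(REPORT_DOMAINS)}
    for url in REPORT_URLS:
        t = tier(host_of(url))
        ind[url] = "high" if t == "medium" else t
    return ind


def pivot_by_ip():
    """Report domains grouped by resolved IP, keeping only IPs shared by several names."""
    by_ip = {}
    for dom, ip in REPORT_DOMAINS.items():
        by_ip.setdefault(ip, []).append(dom)
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) > 1}


LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def sweep(log_lines, indicators=None):
    """Match proxy log lines against the indicators; returns (ts, src, indicator, tier).
    The exact URL is tried before the bare host/IP so the higher-fidelity match wins."""
    indicators = indicators or build_indicators()
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for key in (m["url"], host_of(m["url"])):
            if indicators.get(key):
                hits.append((m["ts"], m["src"], key, indicators[key]))
                break
    return hits


# Constructed proxy log lines (timestamp client method URL); not traffic from the report.
SAMPLE_LOG = [
    "2022-01-06T08:10:02Z 10.0.0.7 GET http://data-host-coin-8.com/game.exe",
    "2022-01-06T08:10:03Z 10.0.0.7 GET https://cdn.discordapp.com/attachments/928021103304134716/928022474753474631/Teemless.exe",
    "2022-01-06T08:10:04Z 10.0.0.9 GET https://cdn.discordapp.com/attachments/1/2/holiday.png",
    "2022-01-06T08:10:05Z 10.0.0.7 GET https://dev.virtualearth.net/REST/v1/Locations",
    "2022-01-06T08:10:06Z 10.0.0.7 POST http://185.7.214.171:8080/6.php"]
```

Run `sweep(SAMPLE_LOG)` to see the effect of the tiering: the Discord attachment with the report's exact attachment ID is a high-confidence hit, a different attachment on the same CDN is only medium, and the Bing Maps request is low. `pivot_by_ip()` surfaces 139.28.222.172 as the one address worth blocking outright, since four of the report's domains resolve to it.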

Dropped files (path, file type)

  • C:\Users\user\AppData\Local\Temp\A9A9.exe
    MS-DOS executable
  • C:\Users\user\AppData\Local\Temp\AD19.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\B94A.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\C48A.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\CD6F.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\DACD.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\DB1C.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\E5F9.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\EF80.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\npcipivi.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Roaming\eijrgvi
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Roaming\eijrgvi:Zone.Identifier
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\16PP8GLX
    SQLite 3.x database, last written using SQLite version 3032001
  • C:\Users\user\AppData\Local\Temp\26FU3EKF
    SQLite 3.x database, last written using SQLite version 3032001
  • C:\Users\user\AppData\Local\Temp\5FCTR1D2
    SQLite 3.x database, last written using SQLite version 3032001
  • C:\Users\user\AppData\Local\Temp\YUAI5X4W
    SQLite 3.x database, last written using SQLite version 3032001
  • C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001. (copy)
    data
  • C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 (copy)
    data
  • C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001.. (copy)
    data
  • C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220106_160807_384.etl
    data
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_C48A.exe_2673aa158c6a893c1138be40a650902eb2d08864_a906c4f4_16b24a5a\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER9092.tmp.csv
    data
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER9487.tmp.dmp
    Mini DuMP crash report, 14 streams, Thu Jan 6 16:09:08 2022, 0x1205a4 type
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A96.tmp.txt
    data
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E40.tmp.csv
    data
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EBA.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F7A.tmp.txt
    data
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERA552.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERA94D.tmp.csv
    data
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERB11E.tmp.txt
    data
  • C:\ProgramData\sqlite3.dll
    PE32 executable (DLL) (console) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EF80.exe.log
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\sqlite3[1].dll
    PE32 executable (DLL) (console) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
    data
  • C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
    data
  • C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
    data
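
The dropped-file list records the infection chain as it lands on disk: a run of four-hex-character .exe drops in Temp, an extensionless PE in AppData\Roaming that carries a Zone.Identifier stream, four SQLite databases copied into Temp, sqlite3.dll placed in ProgramData (the same filename fetched from file-file-host4.com in the URL list, and cached by IE under INetCache), a Windows Error Reporting queue entry showing that C48A.exe crashed, and a CLR usage log showing that EF80.exe ran as a 32-bit .NET process. The Python below is an added example by the editor, not part of the report: it parses an excerpt of the dropped-file table in the flattened form the report was extracted in (path line, file-type line, "#" link residue) and applies those host-artifact rules so the same checks can be run over another report or an EDR file-event export. Reading the SQLite copies as browser credential/cookie stores is an assumption; every other rule is read directly off the paths and file types above.

```python
"""Parse the flattened 'Dropped files' table and triage the artifacts.

Added example, not part of the sandbox report. DROPPED_TABLE is a constructed
excerpt of the table above in its extracted form (path / type / '#').
"""
import re

DROPPED_TABLE = r"""
C:\Users\user\AppData\Local\Temp\A9A9.exe
MS-DOS executable
#
C:\Users\user\AppData\Local\Temp\EF80.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Roaming\eijrgvi
PE32 executable (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Roaming\eijrgvi:Zone.Identifier
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\16PP8GLX
SQLite 3.x database, last written using SQLite version 3032001
#
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_C48A.exe_2673aa158c6a893c1138be40a650902eb2d08864_a906c4f4_16b24a5a\Report.wer
Little-endian UTF-16 Unicode text, with CRLF line terminators
#
C:\ProgramData\sqlite3.dll
PE32 executable (DLL) (console) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EF80.exe.log
ASCII text, with CRLF line terminators
#
"""


def parse_dropped(text):
    """Turn the flattened table into [{'path': ..., 'type': ...}], skipping '#' link residue.
    A line starting with a drive letter opens a row; the next non-empty line is its type."""
    rows, path = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "#":
            continue
        if re.match(r"^[A-Za-z]:\\", line):
            path = line
        elif path is not None:
            rows.append({"path": path, "type": line})
            path = None
    return rows


def triage(rows):
    """Apply host-artifact rules to parsed rows; returns a list of (path, finding).
    Rules are independent, so one file can produce several findings."""
    findings = []
    for r in rows:
        p, t = r["path"], r["type"]
        low, name = p.lower(), p.rsplit("\\", 1)[-1]
        in_temp = "\\appdata\\local\\temp\\" in low
        is_pe = t.startswith(("PE32", "MS-DOS executable"))
        if is_pe and in_temp and re.fullmatch(r"[0-9a-f]{4}\.exe", name.lower()):
            findings.append((p, "four-hex-character .exe dropped to Temp (loader drop naming seen throughout the report)"))
        if is_pe and in_temp and "Mono/.Net" in t:
            findings.append((p, ".NET assembly dropped to Temp"))
        if is_pe and "\\appdata\\roaming\\" in low and "." not in name:
            findings.append((p, "extensionless PE under AppData\\Roaming (persistence/staging candidate)"))
        if low.endswith(":zone.identifier"):
            findings.append((p, "Zone.Identifier ADS on %s: file carries Mark-of-the-Web, check ZoneId/ReferrerUrl" % p.rsplit(":", 1)[0]))
        if t.startswith("SQLite 3.x database") and in_temp:
            findings.append((p, "SQLite database staged in Temp (assumed copy of a browser credential/cookie store)"))
        if name.lower() == "sqlite3.dll" and low.startswith("c:\\programdata\\"):
            findings.append((p, "sqlite3.dll written to ProgramData (same filename fetched from file-file-host4.com in the URL list)"))
        m = re.search(r"appcrash_([^\\]+?)_[0-9a-f]{40}_", p, re.I)
        if name.lower() == "report.wer" and m:
            findings.append((p, "Windows Error Reporting queue: dropped payload %s crashed" % m.group(1)))
        if "\\clr_v4.0_32\\usagelogs\\" in low and name.lower().endswith(".exe.log"):
            findings.append((p, "CLR usage log: %s ran as a 32-bit .NET process" % name[:-4]))
    return findings


if __name__ == "__main__":
    for path, finding in triage(parse_dropped(DROPPED_TABLE)):
        print(f"{finding}\n    {path}")
```

The WER and CLR rules are the ones most often overlooked when reconstructing a chain from a file listing: the crash-queue folder name embeds the crashed image name (C48A.exe here), and the UsageLogs entry is written by the runtime itself, so it proves EF80.exe actually executed even if process telemetry is missing.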