
T5dzWoyBkt.exe

Status: finished
Submission Time: 2022-01-06 08:07:11 +01:00
Malicious
Trojan
Spyware
Evader
RedLine SmokeLoader Tofsee Vidar

Tags

  • exe
  • RedLineStealer

Details

  • Analysis ID:
    548650
  • API (Web) ID:
    916173
  • Analysis Started:
    2022-01-06 08:07:13 +01:00
  • Analysis Finished:
    2022-01-06 08:23:46 +01:00
  • MD5:
    f073b540a352759bb44d7a1eb641fe61
  • SHA1:
    af036e219b6e7d6551713ad406d816d9f88b4312
  • SHA256:
    067e76900265c87d66a44f765bb720bd310e52181badf19efd63f30210f62001
  • Technologies:

Joe Sandbox

Detection: malicious
Score: 100
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

  • malicious (Score: 28/67)
  • malicious (Score: 9/35)
  • malicious (Score: 25/28)
  • malicious

IPs

IP                  Country                 Detection
185.233.81.115      Russian Federation
185.7.214.171       France
185.186.142.166     Russian Federation
139.28.222.172      Russian Federation
188.166.28.199      Netherlands
86.107.197.138      Romania
54.38.220.85        France
162.159.133.233     United States
104.21.38.221       United States
144.76.136.153      Germany
141.8.193.236       Russian Federation
94.103.94.64        Russian Federation
67.199.248.15       United States
67.199.248.10       United States
91.243.44.130       Russian Federation

Domains

Name                            IP                  Detection
unicupload.top                  54.38.220.85
f0616387.xsph.ru                141.8.193.236
host-data-coin-11.com           139.28.222.172
bit.ly                          67.199.248.10
bitly.com                       67.199.248.15
cdn.discordapp.com              162.159.133.233
goo.su                          104.21.38.221
transfer.sh                     144.76.136.153
privacytools-foryou-777.com     139.28.222.172
file-file-host4.com             139.28.222.172
data-host-coin-8.com            139.28.222.172

URLs

Name Detection
http://data-host-coin-8.com/files/2184_1641247228_8717.exe
http://91.243.44.130/stlr/maps.exe
http://data-host-coin-8.com/files/6155_1641424911_5543.exe
http://data-host-coin-8.com/game.exe
http://unicupload.top/install5.exe
http://privacytools-foryou-777.com/downloads/toolspab2.exe
http://185.7.214.171:8080/6.php
https://185.233.81.115/32739433.dat?iddqd=1
http://data-host-coin-8.com/files/8584_1641133152_551.exe
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
https://www.disneyplus.com/legal/privacy-policy
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
https://dev.virtualearth.net/mapcontrol/logging.ashx
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
https://dev.virtualearth.net/REST/v1/Locations
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
https://%s.xboxlive.com
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
https://www.tiktok.com/legal/report/feedback
http://file-file-host4.com/sqlite3.dll
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
https://dynamic.t
http://file-file-host4.com/tratata.phpx
https://dev.virtualearth.net/REST/v1/Routes/Transit
https://disneyplus.com/legal.
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
https://activity.windows.com
https://dev.ditu.live.com/REST/v1/Locations
http://help.disneyplus.com.
https://transfer.sh/get/BaQ0zM/d.exe
https://%s.dnet.xboxlive.com
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
https://dev.virtualearth.net/REST/v1/Transit/Schedules/
http://f0616387.xsph.ru/blcd.exe
https://dev.ditu.live.com/REST/v1/Routes/
https://dev.virtualearth.net/REST/v1/Routes/Driving
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
https://t0.tiles.ditu.live.com/tiles/gen
http://host-data-coin-11.com/
https://dev.virtualearth.net/REST/v1/Routes/Walking
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
https://bitly.com/a/blocked?hash=3eHgQQR&url=https%3A%2F%2Fcdn-131.anonfiles.com%2FP0m5w4j2xc%2Fcac3eb98-1640853984%2F%40Cryptobat9.exe
https://dev.ditu.live.com/mapcontrol/logging.ashx
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
https://bit.ly/3eHgQQR
https://goo.su/afU3
http://file-file-host4.com/tratata.php
http://www.bingmapsportal.com
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
https://www.disneyplus.com/legal/your-california-privacy-rights
https://api.ip.sb/ip
https://cdn.discordapp.com/attachments/928021103304134716/928022474753474631/Teemless.exe
https://dev.ditu.live.com/REST/v1/Transit/Stops/
https://dev.virtualearth.net/REST/v1/Routes/

Dropped files

Name / File Type (Hashes and Detection columns not recoverable)

C:\Users\user\AppData\Local\Temp\EF80.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\A9A9.exe
    MS-DOS executable
C:\Users\user\AppData\Local\Temp\AD19.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\B94A.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\C48A.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\CD6F.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\DACD.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\DB1C.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\E5F9.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\npcipivi.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Roaming\eijrgvi
    PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Roaming\eijrgvi:Zone.Identifier
    ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\5FCTR1D2
    SQLite 3.x database, last written using SQLite version 3032001
C:\Users\user\AppData\Local\Temp\YUAI5X4W
    SQLite 3.x database, last written using SQLite version 3032001
C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001. (copy)
    data
C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 (copy)
    data
C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001.. (copy)
    data
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220106_160807_384.etl
    data
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB11E.tmp.txt
    data
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9092.tmp.csv
    data
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9487.tmp.dmp
    Mini DuMP crash report, 14 streams, Thu Jan 6 16:09:08 2022, 0x1205a4 type
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A96.tmp.txt
    data
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E40.tmp.csv
    data
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EBA.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F7A.tmp.txt
    data
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA552.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA94D.tmp.csv
    data
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_C48A.exe_2673aa158c6a893c1138be40a650902eb2d08864_a906c4f4_16b24a5a\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
C:\ProgramData\sqlite3.dll
    PE32 executable (DLL) (console) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EF80.exe.log
    ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\sqlite3[1].dll
    PE32 executable (DLL) (console) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
    data
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
    data
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
    data
C:\Users\user\AppData\Local\Temp\16PP8GLX
    SQLite 3.x database, last written using SQLite version 3032001
C:\Users\user\AppData\Local\Temp\26FU3EKF
    SQLite 3.x database, last written using SQLite version 3032001