U3E7zMaux2.exe

Status: finished
Submission Time: 2022-01-14 00:13:36 +01:00
Malicious
Trojan
Spyware
Evader
Miner
Amadey Raccoon RedLine SmokeLoader Tofse

Tags

  • CoinMiner
  • exe

Details

  • Analysis ID:
    552969
  • API (Web) ID:
    920491
  • Analysis Started:
    2022-01-14 00:13:36 +01:00
  • Analysis Finished:
    2022-01-14 00:32:29 +01:00
  • MD5:
    8362e0f91ae3379c73422bbca7bac493
  • SHA1:
    ec761f77bbe9900aed7ffa0a9303dc6801a9effb
  • SHA256:
    adfea20237be615461c44fea423d6043fc74bf1c5303ee33fcecd8acd201291e
  • Technologies:
    Joe Sandbox

Engine Download Report Detection Info
malicious
malicious
Score: 100
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

malicious
Score: 28/68
malicious
Score: 19/41
malicious
malicious

IPs

IP                Country
185.215.113.35    Portugal
185.163.204.24    Germany
185.186.142.166   Russian Federation
185.7.214.171     France
185.233.81.115    Russian Federation
188.166.28.199    Netherlands
40.93.212.0       United States
104.21.38.221     United States
93.189.42.167     Russian Federation
144.76.136.153    Germany
162.159.130.233   United States
54.38.220.85      France
8.209.67.104      Singapore
86.107.197.138    Romania
141.8.194.74      Russian Federation
185.163.204.22    Germany
185.163.45.70     Moldova, Republic of

Domains

Name                                        IP
pool-fr.supportxmr.com                      91.121.140.167
unicupload.top                              54.38.220.85
host-data-coin-11.com                       93.189.42.167
patmushta.info                              8.209.67.104
cdn.discordapp.com                          162.159.130.233
privacy-tools-for-you-780.com               93.189.42.167
microsoft-com.mail.protection.outlook.com   40.93.212.0
goo.su                                      104.21.38.221
transfer.sh                                 144.76.136.153
a0621298.xsph.ru                            141.8.194.74
data-host-coin-8.com                        93.189.42.167
pool.supportxmr.com                         0.0.0.0

URLs

Name
http://185.163.204.24//l/f/S2zKVH4BZ2GIX1a3NFPE/870316542b6e8d6795384509412b3780ad4b1d32
http://185.7.214.171:8080/6.php
http://185.215.113.35/d2VxjasuwS/plugins/cred.dll
http://data-host-coin-8.com/files/9030_1641816409_7037.exe
http://185.163.204.24/
http://185.215.113.35/d2VxjasuwS/index.php?scr=1
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
https://www.google.com/images/branding/product/ico/googleg_lodp.ico
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
http://a0621298.xsph.ru/443.exe
http://a0621298.xsph.ru/File.exe
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
http://schemas.xmlsoap.org/ws/2002/12/policy
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
http://tempuri.org/Entity/Id13Response
https://support.google.com/chrome/?p=plugin_divx
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
http://data-host-coin-8.com/game.exe
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
http://a0621298.xsph.ru/45512.exe
http://schemas.xmlsoap.org/ws/2004/06/addressingex
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
https://support.google.com/chrome/?p=plugin_java
http://schemas.xmlsoap.org/ws/2005/02/sc
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
http://service.r
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
http://schemas.xmlsoap.org/soap/actor/next
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
http://schemas.xmlsoap.org/ws/2005/02/rm
http://tempuri.org/Entity/Id3Response
https://disneyplus.com/legal.
http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
http://service.real.com/realplayer/security/02062012_player/en/
http://tempuri.org/Entity/Id18Response
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
https://get.adob
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
https://www.tiktok.com/legal/report/feedback
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
http://tempuri.org/Entity/Id22Response
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://tempuri.org/Entity/Id15Response
http://schemas.xmlsoap.org/ws/2004/10/wsat
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
http://a0621298.xsph.ru/advert.msi
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
https://support.google.com/chrome/?p=plugin_real
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
http://tempuri.org/Entity/Id21Response
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
http://tempuri.org/Entity/Id2Response
http://tempuri.org/
http://tempuri.org/Entity/Id12Response
https://duckduckgo.com/ac/?q=
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
https://duckduckgo.com/chrome_newtab
http://schemas.xmlsoap.org/ws/2005/02/sc/sct
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
https://support.google.com/chrome/?p=plugin_wmp
http://tempuri.org/Entity/Id8Response
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
http://tempuri.org/Entity/Id10Response
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD
http://tempuri.org/Entity/Id5Response
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
https://support.google.com/chrome/?p=plugin_shockwave
http://schemas.xmlsoap.org/ws/2004/08/addressing
http://a0621298.xsph.ru/9.exe
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
http://tempuri.org/Entity/Id24Response
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
https://api.ip.sb/ip

Dropped files

Name  |  File Type
C:\Users\user\AppData\Local\Temp\E666.exe  |  PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\8EC4.exe  |  PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\8ED5.exe  |  PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\9A02.exe  |  PE32 executable (console) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\86C4.exe  |  PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\7CA1.exe  |  PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\7801.exe  |  PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8EC4.exe.log  |  ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\lagavljy.exe  |  PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Roaming\uufaeea  |  PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Roaming\uufaeea:Zone.Identifier  |  ASCII text, with CRLF line terminators
C:\Windows\SysWOW64\shayesoq\lagavljy.exe (copy)  |  PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\B58B.exe  |  PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\LocalLow\sqlite3.dll  |  PE32 executable (DLL) (console) Intel 80386, for MS Windows
C:\Users\user\AppData\LocalLow\sG8rM8v\vcruntime140.dll  |  PE32 executable (DLL) (console) Intel 80386, for MS Windows
C:\Users\user\AppData\LocalLow\sG8rM8v\ucrtbase.dll  |  PE32 executable (DLL) (console) Intel 80386, for MS Windows
C:\Users\user\AppData\LocalLow\sG8rM8v\softokn3.dll  |  PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\ACEF.exe  |  PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\LocalLow\sG8rM8v\qipcap.dll  |  PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\BEB3.exe  |  MS-DOS executable
C:\Users\user\AppData\Local\Temp\CC60.exe  |  PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\D984.exe  |  PE32 executable (GUI) Intel 80386, for MS Windows
C:\Windows\appcompat\Programs\Amcache.hve  |  MS Windows registry file, NT/2000 or above
C:\Windows\appcompat\Programs\Amcache.hve.LOG1  |  MS Windows registry file, NT/2000 or above
\Device\ConDrv  |  ASCII text, with CRLF line terminators
C:\Users\user\AppData\LocalLow\sG8rM8v\AccessibleMarshal.dll  |  PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E45.tmp.csv  |  data
C:\ProgramData\Microsoft\Windows\WER\Temp\WER29CF.tmp.txt  |  data
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5EAC.tmp.csv  |  data
C:\ProgramData\Microsoft\Windows\WER\Temp\WER62F3.tmp.txt  |  data
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD6FE.tmp.dmp  |  Mini DuMP crash report, 14 streams, Thu Jan 13 23:15:23 2022, 0x1205a4 type
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD49.tmp.WERInternalMetadata.xml  |  XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE103.tmp.xml  |  XML 1.0 document, ASCII text, with CRLF line terminators
C:\Users\user\AppData\LocalLow\1xVPfvJcrg  |  SQLite 3.x database, last written using SQLite version 3032001
C:\Users\user\AppData\LocalLow\RYwTiizs2t  |  SQLite 3.x database, last written using SQLite version 3032001
C:\Users\user\AppData\LocalLow\frAQBc8Wsa  |  SQLite 3.x database, last written using SQLite version 3032001
C:\Users\user\AppData\LocalLow\rQF69AzBla  |  SQLite 3.x database, last written using SQLite version 3032001
C:\Users\user\AppData\LocalLow\sG8rM8v\AccessibleHandler.dll  |  PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_D984.exe_bcd76db1fe5d7f46e1bf3aadcd0e64871c556_e6d2f5c0_1ad174c5\Report.wer  |  Little-endian UTF-16 Unicode text, with CRLF line terminators
C:\Users\user\AppData\LocalLow\sG8rM8v\IA2Marshal.dll  |  PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\LocalLow\sG8rM8v\MapiProxy.dll  |  PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\LocalLow\sG8rM8v\breakpadinjector.dll  |  PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\LocalLow\sG8rM8v\dI3hX2r.zip  |  Zip archive data, at least v2.0 to extract
C:\Users\user\AppData\LocalLow\sG8rM8v\freebl3.dll  |  PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\LocalLow\sG8rM8v\ldap60.dll  |  PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\LocalLow\sG8rM8v\ldif60.dll  |  PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\LocalLow\sG8rM8v\lgpllibs.dll  |  PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\LocalLow\sG8rM8v\libEGL.dll  |  PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\LocalLow\sG8rM8v\nssdbm3.dll  |  PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\LocalLow\sG8rM8v\prldap60.dll  |  PE32 executable (DLL) (GUI) Intel 80386, for MS Windows