
zmbGUZTICp.exe

Status: finished
Submission Time: 2022-01-14 10:36:16 +01:00
Verdict: Malicious
Classification: Trojan, Spyware, Evader
Malware families: Amadey, Raccoon, RedLine, SmokeLoader, Tofsee

Tags

  • exe
  • RaccoonStealer

Details

  • Analysis ID: 553117
  • API (Web) ID: 920640
  • Analysis Started: 2022-01-14 10:42:04 +01:00
  • Analysis Finished: 2022-01-14 11:00:36 +01:00
  • MD5: 9af4d2022dc05c2dbbc4d218a8f0974c
  • SHA1: f87c7511d2c4ea4894603d3cfddd478c8c2b3ead
  • SHA256: c8fe81088b2caa9df35d92a588fb266a145c95b81b5c66d5bfe181fa73b17d82

Joe Sandbox

  • Detection: malicious
  • Score: 100
  • System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

  • malicious (Score: 24/68)
  • malicious (Score: 18/43)
  • malicious
  • malicious

IPs


Domains


URLs


Dropped files
