
OG9rNsihJ7.exe

Status: finished
Submission Time: 2022-01-14 21:03:18 +01:00
Malicious
Trojan
Evader
RedLine SmokeLoader Tofsee Vidar

Tags

  • exe
  • RedLineStealer

Details

  • Analysis ID:
    553412
  • API (Web) ID:
    920934
  • Analysis Started:
    2022-01-14 21:03:19 +01:00
  • Analysis Finished:
    2022-01-14 21:21:02 +01:00
  • MD5:
    5c7b46771055043f59e0451a342b7ed1
  • SHA1:
    5362af084622dc8efc661c703d4c7c5dd6839be1
  • SHA256:
    0245c82558329cfd8ef5ef901e4929075d4d873ba20d9704731758580caed7be
  • Technologies:

Joe Sandbox

Detection: malicious
Score: 100
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

  • malicious (Score: 16/35)
  • malicious (Score: 25/28)
  • malicious
  • malicious

IPs


Domains


URLs


Dropped files

  • C:\Users\user\AppData\Local\Temp\254E.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\B1B2.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\9789.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\88E2.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\8017.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\7808.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\6AF7.exe
    PE32+ executable (GUI) x86-64, for MS Windows
  • C:\Users\user\AppData\Local\Temp\54AF.exe
    MS-DOS executable
  • C:\Users\user\AppData\Local\Temp\45AA.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\3BC6.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\3A7E.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\3136.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\2F32.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\2473.exe
    PE32+ executable (GUI) x86-64, for MS Windows
  • C:\Users\user\AppData\Local\Temp\BFBD.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\FC2A.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\xqfkdfcl.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Roaming\vfgiwcs
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Roaming\vfgiwcs:Zone.Identifier
    ASCII text, with CRLF line terminators
  • C:\Windows\SysWOW64\ffiawxs\xqfkdfcl.exe (copy)
    PE32 executable (GUI) Intel 80386, for MS Windows
  • \Device\ConDrv
    ASCII text, with CRLF line terminators
  • C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
    ASCII text, with no line terminators
  • C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220115_050436_607.etl
    data
  • C:\Windows\appcompat\Programs\Amcache.hve
    MS Windows registry file, NT/2000 or above
  • C:\Windows\appcompat\Programs\Amcache.hve.LOG1
    MS Windows registry file, NT/2000 or above
  • C:\ProgramData\Microsoft\Network\Downloader\edb.log
    MPEG-4 LOAS
  • C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3BC6.exe.log
    ASCII text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERFA10.tmp.dmp
    Mini DuMP crash report, 14 streams, Sat Jan 15 05:05:13 2022, 0x1205a4 type
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERBEED.tmp.txt
    data
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA77.tmp.csv
    data
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERB49.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER472.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER20E5.tmp.txt
    data
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER1914.tmp.csv
    data
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_B1B2.exe_97263ecc359653bdc088fc4542e7f7e1a086af1b_57588827_1b13b61d\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
    data
  • C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
    Extensible storage engine DataBase, version 0x620, checksum 0x962e81fb, page size 16384, DirtyShutdown, Windows version 10.0