ddvmzkRbq5.exe

Status: finished

Submission Time: 2022-09-17 08:31:15 +02:00

Malicious

Trojan

Spyware

Evader

DarkTortilla, RedLine, SmokeLoader, Vida

Comments

Details

Analysis ID:
704671
API (Web) ID:
1072129
Analysis Started:

2022-09-17 08:41:26 +02:00
Analysis Finished:

2022-09-17 08:55:15 +02:00
MD5:
51c8d9a3daf034b084fec9fbc34eb15c
SHA1:
c6980758bbafcabe3a305445d6401557dc387ce6
SHA256:
f9ab6d461679c319c17f451d8036ed1ace4f891fbf706fef2fd760a551f8e339
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

malicious

Score: 21/38

IPs

IP	Country	Detection
89.248.174.169	Netherlands
66.96.149.1	United States
95.161.129.81	Russian Federation
Click to see the 12 hidden entries
45.154.253.151	Sweden
185.199.110.133	Netherlands
162.125.66.18	United States
194.106.216.70	Ukraine
140.82.121.3	United States
140.82.121.4	United States
87.240.132.72	Russian Federation
149.154.167.99	United Kingdom
195.201.253.5	Germany
185.199.108.133	Netherlands
142.250.184.100	United States
31.216.144.5	Luxembourg

Domains

Name	IP	Detection
siasky.net	89.248.174.169
ojinsei.com	95.161.129.81
raw.githubusercontent.com	185.199.110.133
Click to see the 10 hidden entries
www.mzseries.com	66.96.149.1
anonfiles.com	45.154.253.151
mega.nz	31.216.144.5
github.com	140.82.121.4
t.me	149.154.167.99
www-env.dropbox-dns.com	162.125.66.18
www.google.com	142.250.184.100
vk.com	87.240.132.72
fex.net	194.106.216.70
www.dropbox.com	0.0.0.0

URLs

Name	Detection
http://ginjin.org/
http://hiragaih.com/
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Click to see the 97 hidden entries
http://tempuri.org/Entity/Id19Responsel
http://195.201.253.5/9699034538.zipb0987107dafc3071859460-d06ed635-68f6-4e9a-955c-90ce-806e6f6e6963
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
http://schemas.xmlsoap.org/ws/2004/06/addressingex
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
http://www.carterandcone.com.
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
http://tempuri.org/Entity/Id12Responsel
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
https://siasky.net/_ALpx6cvjnpbCi6jJXKzKWlFM9chojOecyl4UtitKd-GFw
https://www.mzseries.com/3.exe
http://tempuri.org/Entity/Id8Response
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
http://tempuri.org/Entity/Id10Response
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
http://tempuri.org/Entity/Id5Response
http://tempuri.org/Entity/Id17Responsel
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
http://tempuri.org/Entity/Id3Responsel
http://tempuri.org/Entity/Id23Responsel
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
https://vk.com/
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
http://tempuri.org/Entity/Id13Responsel
https://github.com/soslbaby/SiteSoftware2.0/raw/main/setup.rar
http://tempuri.org/Entity/Id22Response
http://go.mail.ru/search
http://www.carterandcone.comlt
http://schemas.xmlsoap.org/ws/2002/12/policy
http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
http://tempuri.org/Entity/Id13Response
https://www.google.com/images/branding/product/ico/googleg_lodp.ico
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
http://tempuri.org/Entity/Id15Response
http://tempuri.org/Entity/Id6Responsel
http://schemas.xmlsoap.org/ws/2004/10/wsat
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
http://tempuri.org/Entity/Id1Responsel
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
https://raw.githubusercontent.com/Mahmed123123/new-test1/main/PaunchRhizobia29.exe
http://schemas.xmlsoap.org/ws/2004/08/addressing/faulth
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
http://www.zhongyicts.com.cn
http://tempuri.org/Entity/Id21Response
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
http://tempuri.org/Entity/Id2Response
http://tempuri.org/
http://tempuri.org/Entity/Id12Response
https://www.dropbox.com/s/cojy63kxxka3v70/ww.exe?dl=1
http://tempuri.org/Entity/Id15Responsel
https://duckduckgo.com/ac/?q=
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
https://duckduckgo.com/chrome_newtab
http://schemas.xmlsoap.org/ws/2005/02/sc/sct
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
http://195.201.253.5/1661
http://schemas.xmlsoap.org/ws/2004/08/addressing
http://195.201.253.5/9699034538.zipB
http://search.yahoo.com/search
https://t.me/okxtradershttps://social.linux.pizza/
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
http://tempuri.org/Entity/Id10Responsel
http://www.carterandcone.comn
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
http://tempuri.org/Entity/Id24Response
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
http://schemas.xmlsoap.org/ws/2005/02/rm8D%
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
http://tempuri.org/Entity/Id8Responsel
https://api.ip.sb/ip
http://www.autoitscript.com/autoit3/J
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
http://iptc.tc4xmp
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Local\Temp\4D40.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\5957.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\7740.exe	PE32 executable (console) Intel 80386, for MS Windows	#
Click to see the 3 hidden entries
C:\Users\user\AppData\Local\Temp\9DFD.exe	PE32 executable (console) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Roaming\uhiuccc	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Roaming\uhiuccc:Zone.Identifier	ASCII text, with CRLF line terminators	#

Deep Malware Analysis

ddvmzkRbq5.exe

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Deep Malware Analysis

ddvmzkRbq5.exe Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

ddvmzkRbq5.exe