
CCleanerBundle-616-Setup.exe

Status: finished
Submission Time: 2023-09-17 12:21:11 +02:00
Classification: Malicious, Ransomware, Trojan, Spyware, Evader
Detected families: Raccoon Stealer v2, RedAlert

Tags

  • exe
  • spyware
  • stealer

Details

  • Analysis ID:
    1309566
  • API (Web) ID:
    1309566
  • Analysis Started:
    2023-09-17 12:21:13 +02:00
  • Analysis Finished:
    2023-09-17 12:54:27 +02:00
  • MD5:
    4c77bfac974dc61427b5589001c7fb3c
  • SHA1:
    19ac1ddd66e9c215380e620a0fdefed8f2542335
  • SHA256:
    1ea7c167ec0f7c571469c13ddae88556435d365b155082146808945402ea20a4
  • Technologies:
    Joe Sandbox

Detection Info

  • Detection: malicious
    Score: 76
    System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
  • Detection: malicious
    Score: 80
    System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Run Condition: Run with higher sleep bypass

Third Party Analysis Engines

  • Detection: malicious
    Score: 16/90
  • Detection: malicious

IPs


Domains


URLs


Dropped files

Name and File Type

  • C:\Program Files\CCleaner\CCUpdate.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Program Files\CCleaner\CCleaner64.exe
    PE32+ executable (GUI) x86-64, for MS Windows
  • C:\Program Files\CCleaner\CCleanerBugReport.exe
    PE32+ executable (console) x86-64, for MS Windows
  • C:\Program Files\Recuva\recuva64.exe
    PE32+ executable (GUI) x86-64, for MS Windows
  • C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000009.dbtmp
    ASCII text
  • C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
    ASCII text
  • C:\Users\user\AppData\Local\Temp\ccsetup616_pro.exe
    PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
  • C:\Users\user\AppData\Local\Temp\rcsetup153_pro.exe
    PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
  • C:\Users\user\AppData\Roaming\WindowsActiveServices\Patch.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Roaming\WindowsServices\WindowsServices.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows