Edit tour

Windows Analysis Report
123.scr.exe

Overview

General Information

Sample name:	123.scr.exe
Analysis ID:	1361824
MD5:	2cd8134f58cdbda71373f5ea79d5a422
SHA1:	f30cc8c8056e6943a4114e557615552f16cb8e2f
SHA256:	7e00639b962e167ab8463fa871f8fe12f6e38166a497d7ed8cf3a2370053d1f0
Tags:	exeUKR
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Contains long sleeps (>= 3 min)

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Classification

Process Tree

System is w10x64

123.scr.exe (PID: 1396 cmdline: C:\Users\user\Desktop\123.scr.exe MD5: 2CD8134F58CDBDA71373F5EA79D5A422)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 123.scr.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 123.scr.exe	ReversingLabs: Detection: 62%
Source: 123.scr.exe	Virustotal: Detection: 51%			Perma Link

Machine Learning detection for sample

Source: 123.scr.exe

Joe Sandbox ML: detected

Source: 123.scr.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.73.97:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49705 version: TLS 1.2

Source: 123.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: ipbase.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.85.189 104.21.85.189
Source: Joe Sandbox View	IP Address: 104.21.73.97 104.21.73.97

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: ipbase.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: freegeoip.app

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 14 Dec 2023 00:44:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeAge: 25288Cache-Control: public,max-age=0,must-revalidateCache-Status: "Netlify Edge"; hitVary: Accept-EncodingX-Nf-Request-Id: 01HHJWFRFJBCPQRY9WEB8PH9PQCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=iehUprSwL2YYg7k73o%2Fm2OJsTJlMaKr7PDrJDUypPTS9TtVnp7Ya0sH1eluEFI3VjvHsciJYzOLD%2Fk4dYqHkqiUf14vkRPSUwQx1K1lQvBLob%2BrEWbx4eAYzf53f"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 83526aa2cf724bff-MIAalt-svc: h3=":443"; ma=86400

Source: cert9.db.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: cert9.db.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: cert9.db.0.dr	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: cert9.db.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: cert9.db.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: cert9.db.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: cert9.db.0.dr	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: cert9.db.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: cert9.db.0.dr	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: cert9.db.0.dr	String found in binary or memory: http://x1.c.lencr.org/0
Source: cert9.db.0.dr	String found in binary or memory: http://x1.i.lencr.org/0
Source: tmp760D.tmp.dat.0.dr, tmp757E.tmp.dat.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: tmp760D.tmp.dat.0.dr, tmp757E.tmp.dat.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmp760D.tmp.dat.0.dr, tmp757E.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmp760D.tmp.dat.0.dr, tmp757E.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmp760D.tmp.dat.0.dr, tmp757E.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmp760D.tmp.dat.0.dr, tmp757E.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp760D.tmp.dat.0.dr, tmp757E.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: tmp753E.tmp.tmpdb.0.dr	String found in binary or memory: https://support.mozilla.org
Source: tmp753E.tmp.tmpdb.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmp753E.tmp.tmpdb.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: tmp760D.tmp.dat.0.dr, tmp757E.tmp.dat.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmp760D.tmp.dat.0.dr, tmp757E.tmp.dat.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmp753E.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org
Source: tmp753E.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: tmp753E.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: tmp753E.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmp753E.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: tmp753E.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: tmp753E.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 104.21.73.97:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49705 version: TLS 1.2

Source: 123.scr.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 123.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal72.spyw.evad.winEXE@1/14@2/2

Source: C:\Users\user\Desktop\123.scr.exe

File created: C:\Users\Public\v6zchhhv.default-release

Jump to behavior

Source: C:\Users\user\Desktop\123.scr.exe

File created: C:\Users\user\AppData\Local\Temp\tmp753E.tmp

Jump to behavior

Source: 123.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 123.scr.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\123.scr.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\123.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\123.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\123.scr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmp766E.tmp.dat.0.dr, tmp75FC.tmp.dat.0.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 123.scr.exe	ReversingLabs: Detection: 62%
Source: 123.scr.exe	Virustotal: Detection: 51%

Source: C:\Users\user\Desktop\123.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\123.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 123.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 123.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: initial sample

Static PE information: section name: .text entropy: 7.989676579902905

Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\123.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\123.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Users\user\Desktop\123.scr.exe TID: 4332	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe TID: 5272	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe TID: 3092	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe TID: 4332	Thread sleep time: -600000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\123.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\Desktop\123.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\123.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\123.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: tmp762E.tmp.dat.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: tmp762E.tmp.dat.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\123.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\123.scr.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\123.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\123.scr.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\123.scr.exe

Queries volume information: C:\Users\user\Desktop\123.scr.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\123.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\123.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\123.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\123.scr.exe

File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	121 Windows Management Instrumentation	Path Interception	Path Interception	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	2 Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	33 System Information Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	4 Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
123.scr.exe	62%	ReversingLabs	Win32.Trojan.Generic
123.scr.exe	51%	Virustotal		Browse
123.scr.exe	100%	Avira	HEUR/AGEN.1314436
123.scr.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
ipbase.com	1%	Virustotal		Browse
freegeoip.app	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
https://freegeoip.app/xml/	0%	Avira URL Cloud	safe
https://ipbase.com/xml/	0%	Avira URL Cloud	safe
https://ipbase.com/xml/	0%	Virustotal		Browse
https://freegeoip.app/xml/	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipbase.com	104.21.85.189	true	false	1%, Virustotal, Browse	unknown
freegeoip.app	104.21.73.97	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://freegeoip.app/xml/	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipbase.com/xml/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	tmp760D.tmp.dat.0.dr, tmp757E.tmp.dat.0.dr	false		high
https://duckduckgo.com/chrome_newtab	tmp760D.tmp.dat.0.dr, tmp757E.tmp.dat.0.dr	false		high
https://duckduckgo.com/ac/?q=	tmp760D.tmp.dat.0.dr, tmp757E.tmp.dat.0.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmp760D.tmp.dat.0.dr, tmp757E.tmp.dat.0.dr	false		high
http://x1.c.lencr.org/0	cert9.db.0.dr	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	cert9.db.0.dr	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmp760D.tmp.dat.0.dr, tmp757E.tmp.dat.0.dr	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	cert9.db.0.dr	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	tmp753E.tmp.tmpdb.0.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmp760D.tmp.dat.0.dr, tmp757E.tmp.dat.0.dr	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	cert9.db.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmp760D.tmp.dat.0.dr, tmp757E.tmp.dat.0.dr	false		high
http://ocsp.rootca1.amazontrust.com0:	cert9.db.0.dr	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org	tmp753E.tmp.tmpdb.0.dr	false		high
https://www.ecosia.org/newtab/	tmp760D.tmp.dat.0.dr, tmp757E.tmp.dat.0.dr	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmp760D.tmp.dat.0.dr, tmp757E.tmp.dat.0.dr	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmp753E.tmp.tmpdb.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.85.189	ipbase.com	United States		13335	CLOUDFLARENETUS	false
104.21.73.97	freegeoip.app	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1361824
Start date and time:	2023-12-14 01:43:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	123.scr.exe
Detection:	MAL
Classification:	mal72.spyw.evad.winEXE@1/14@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.85.189	RP.sfx.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse
	i6R4NsEd8t.exe	Get hash	malicious	Snake Keylogger	Browse
	rvYr7FRwkG.dll	Get hash	malicious	Unknown	Browse
	case (426).xls	Get hash	malicious	Unknown	Browse
	case (61).xls	Get hash	malicious	Unknown	Browse
104.21.73.97	i6R4NsEd8t.exe	Get hash	malicious	Snake Keylogger	Browse
	bcAE21roAv.exe	Get hash	malicious	Snake Keylogger	Browse
	VegaStealer_v1.bin.exe	Get hash	malicious	Ades Stealer, NitroStealer	Browse
	SPYGAME.bin.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse
	gjqYWrWZfb.exe	Get hash	malicious	Snake Keylogger	Browse
	UNKnyg3t3D.exe	Get hash	malicious	Snake Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipbase.com	123.scr.exe	Get hash	malicious	Rags Stealer	Browse	172.67.209.71
	RP.sfx.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse	104.21.85.189
	i6R4NsEd8t.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.85.189
	3vj5tYFb6a.exe	Get hash	malicious	Snake Keylogger, zgRAT	Browse	104.21.28.190
	7nYkVlcnfx.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.147.81
	bcAE21roAv.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.147.81
	VegaStealer_v1.bin.exe	Get hash	malicious	Ades Stealer, NitroStealer	Browse	75.2.60.5
	Yandex.bin.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse	75.2.60.5
	SPYGAME.bin.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse	75.2.60.5
	A6KiC17VqI.exe	Get hash	malicious	Snake Keylogger	Browse	75.2.60.5
	TwB13kUEGN.exe	Get hash	malicious	Snake Keylogger	Browse	75.2.60.5
	w5gL8sZU6z.exe	Get hash	malicious	Snake Keylogger	Browse	99.83.231.61
	k2Bg5AlSk1.exe	Get hash	malicious	MassLogger RAT, Matiex, Snake Keylogger	Browse	75.2.60.5
	vYT3XBi8du.exe	Get hash	malicious	Snake Keylogger	Browse	99.83.231.61
	CJCxcYxjhF.exe	Get hash	malicious	Snake Keylogger	Browse	99.83.231.61
	g95CmPy67V.exe	Get hash	malicious	Snake Keylogger	Browse	75.2.60.5
	nesbiPpHpN.exe	Get hash	malicious	Snake Keylogger	Browse	99.83.231.61
	M6VkStAYfV.exe	Get hash	malicious	Snake Keylogger	Browse	99.83.231.61
	2yecaxS2wK.exe	Get hash	malicious	Snake Keylogger	Browse	75.2.60.5
freegeoip.app	123.scr.exe	Get hash	malicious	Rags Stealer	Browse	172.67.160.84
	RP.sfx.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse	172.67.160.84
	i6R4NsEd8t.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.73.97
	3vj5tYFb6a.exe	Get hash	malicious	Snake Keylogger, zgRAT	Browse	172.67.160.84
	7nYkVlcnfx.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.160.84
	bcAE21roAv.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.73.97
	VegaStealer_v1.bin.exe	Get hash	malicious	Ades Stealer, NitroStealer	Browse	104.21.73.97
	Yandex.bin.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse	172.67.160.84
	SPYGAME.bin.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse	104.21.73.97
	A6KiC17VqI.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.7
	TwB13kUEGN.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.7
	w5gL8sZU6z.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.7
	k2Bg5AlSk1.exe	Get hash	malicious	MassLogger RAT, Matiex, Snake Keylogger	Browse	188.114.97.7
	vYT3XBi8du.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.7
	CJCxcYxjhF.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.7
	g95CmPy67V.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.7
	nesbiPpHpN.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.7
	M6VkStAYfV.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.7
	2yecaxS2wK.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.7

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://pub-d55430a4f9714aa9ac24e3df9ea225ea.r2.dev/do360.html	Get hash	malicious	HTMLPhisher	Browse	104.18.3.35
	123.scr.exe	Get hash	malicious	Rags Stealer	Browse	172.67.160.84
	https://pub-6294fd7e4e6045d887ae1d52e7b31e5e.r2.dev/off.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://patl2.000webhostapp.com/login.html	Get hash	malicious	HTMLPhisher	Browse	104.17.162.41
	https://jbz.adw.mybluehost.me/CA/app/	Get hash	malicious	Unknown	Browse	66.235.200.147
	https://pub-543b6c8da6ec4a2dbe07e8b2dc6002c6.r2.dev/floxcc.html	Get hash	malicious	HTMLPhisher	Browse	104.18.3.35
	https://steanmcommunllty.com/61666	Get hash	malicious	Unknown	Browse	172.67.199.201
	https://electric-comfortable-glitter.glitch.me/sibe.shtml	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://microsoftemailloginsample.dreamclub.repl.co/	Get hash	malicious	Unknown	Browse	104.18.42.150
	https://unica.md/c/index/myaccount/	Get hash	malicious	Unknown	Browse	172.64.173.36
	https://thelinktulsa.org	Get hash	malicious	HTMLPhisher	Browse	104.17.3.184
	https://show.zohopublic.com/publish/t9iwfc87a97110d0a4c2cabc47243b4814444	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	https://p.feedblitz.com/t3.asp?/1081591/102442729/7821567_/~feeds.feedblitz.com/~/t/0/0/sethsblog/posts/~////rKvcsuIdVSbio-rad.ims-gmhb%E3%80%82de/amliaW5fam9zZUBiaW8tcmFkLmNvbQ==	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://nts.embluemail.com/p/cl?data=//mslogisticsgroup.com/984/flq/ZnJhbmsubWV0c2lrYXNzdXNAcHJlZGF0b3JvaWwuY29t	Get hash	malicious	HTMLPhisher	Browse	172.67.133.182
	4Bjyw1Vv.msi	Get hash	malicious	Unknown	Browse	104.21.43.193
	https://r20.rs6.net/tn.jsp?f=00131WKGyRJTPGrM7e0H-3pYeu_51xFHsGKs4ZjwUSfEQC8kSo_vg5XW5RP5TG8coK84HlqPZu8LIjsdDYi4rHGacMtn0jAsuIARihYb5QXoV2vuKRIuOdS7AQki5OZV1h5W-nIw6EoWt2snCZR66qAasdMaUtCVtD62jVdZfvlWYM0qZPsHb3kzA==&c=&ch=//800/wme/bWFuaWplaC5zY2htaWR0QG50c2NvcnAuY29t	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	http://docksofts.com	Get hash	malicious	Unknown	Browse	104.22.70.197
	r0105-12132023DEC.exe	Get hash	malicious	FormBook	Browse	172.67.190.116
	https://linkprotect.cudasvc.com/url?a=urlr.me/cKV8Y%23Z2FicmllbGRAY29tZm9ydHBtLmNh&c=E,1,RHmAtRtvh3Xjkp0o9U9OT03Z5NUzzlLucALp_SJJJWR1Xmh6DO7zW9jWv190uL58dEKoYea-eq8iWB29jHY4d9c12Gfz6LOW0fq6nJwuL8O5&typo=0	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
CLOUDFLARENETUS	https://pub-d55430a4f9714aa9ac24e3df9ea225ea.r2.dev/do360.html	Get hash	malicious	HTMLPhisher	Browse	104.18.3.35
	123.scr.exe	Get hash	malicious	Rags Stealer	Browse	172.67.160.84
	https://pub-6294fd7e4e6045d887ae1d52e7b31e5e.r2.dev/off.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://patl2.000webhostapp.com/login.html	Get hash	malicious	HTMLPhisher	Browse	104.17.162.41
	https://jbz.adw.mybluehost.me/CA/app/	Get hash	malicious	Unknown	Browse	66.235.200.147
	https://pub-543b6c8da6ec4a2dbe07e8b2dc6002c6.r2.dev/floxcc.html	Get hash	malicious	HTMLPhisher	Browse	104.18.3.35
	https://steanmcommunllty.com/61666	Get hash	malicious	Unknown	Browse	172.67.199.201
	https://electric-comfortable-glitter.glitch.me/sibe.shtml	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://microsoftemailloginsample.dreamclub.repl.co/	Get hash	malicious	Unknown	Browse	104.18.42.150
	https://unica.md/c/index/myaccount/	Get hash	malicious	Unknown	Browse	172.64.173.36
	https://thelinktulsa.org	Get hash	malicious	HTMLPhisher	Browse	104.17.3.184
	https://show.zohopublic.com/publish/t9iwfc87a97110d0a4c2cabc47243b4814444	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	https://p.feedblitz.com/t3.asp?/1081591/102442729/7821567_/~feeds.feedblitz.com/~/t/0/0/sethsblog/posts/~////rKvcsuIdVSbio-rad.ims-gmhb%E3%80%82de/amliaW5fam9zZUBiaW8tcmFkLmNvbQ==	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://nts.embluemail.com/p/cl?data=//mslogisticsgroup.com/984/flq/ZnJhbmsubWV0c2lrYXNzdXNAcHJlZGF0b3JvaWwuY29t	Get hash	malicious	HTMLPhisher	Browse	172.67.133.182
	4Bjyw1Vv.msi	Get hash	malicious	Unknown	Browse	104.21.43.193
	https://r20.rs6.net/tn.jsp?f=00131WKGyRJTPGrM7e0H-3pYeu_51xFHsGKs4ZjwUSfEQC8kSo_vg5XW5RP5TG8coK84HlqPZu8LIjsdDYi4rHGacMtn0jAsuIARihYb5QXoV2vuKRIuOdS7AQki5OZV1h5W-nIw6EoWt2snCZR66qAasdMaUtCVtD62jVdZfvlWYM0qZPsHb3kzA==&c=&ch=//800/wme/bWFuaWplaC5zY2htaWR0QG50c2NvcnAuY29t	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	http://docksofts.com	Get hash	malicious	Unknown	Browse	104.22.70.197
	r0105-12132023DEC.exe	Get hash	malicious	FormBook	Browse	172.67.190.116
	https://linkprotect.cudasvc.com/url?a=urlr.me/cKV8Y%23Z2FicmllbGRAY29tZm9ydHBtLmNh&c=E,1,RHmAtRtvh3Xjkp0o9U9OT03Z5NUzzlLucALp_SJJJWR1Xmh6DO7zW9jWv190uL58dEKoYea-eq8iWB29jHY4d9c12Gfz6LOW0fq6nJwuL8O5&typo=0	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	123.scr.exe	Get hash	malicious	Rags Stealer	Browse	104.21.85.189 104.21.73.97
	https://p.feedblitz.com/t3.asp?/1081591/102442729/7821567_/~feeds.feedblitz.com/~/t/0/0/sethsblog/posts/~////rKvcsuIdVSbio-rad.ims-gmhb%E3%80%82de/amliaW5fam9zZUBiaW8tcmFkLmNvbQ==	Get hash	malicious	Unknown	Browse	104.21.85.189 104.21.73.97
	https://www.iemenergy.com/	Get hash	malicious	Unknown	Browse	104.21.85.189 104.21.73.97
	https://www.valleylowvoltage.com/	Get hash	malicious	Unknown	Browse	104.21.85.189 104.21.73.97
	Product_Technical_Specification.scr.exe	Get hash	malicious	PureLog Stealer	Browse	104.21.85.189 104.21.73.97
	hesaphareketi-01.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.85.189 104.21.73.97
	proforma_invoice.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	104.21.85.189 104.21.73.97
	https://cs.mytheresa.com/mix/c3/?tc_id=202311201201523757380094&tcs=3504&cid_vcms=6664627&ag=category&lg=2&tar=tgt&src=newsletter&cmp=mw_42_231016_category&tarea=07&csf=23350070&user_id=507fd0bb65c9f08e7b4b1a0ac732a5d6&kwd=mw&ptyp=namemyt&chn=email&url=//shabirsons.com/new/auth?register=raven@triton-partners.com	Get hash	malicious	Unknown	Browse	104.21.85.189 104.21.73.97
	https://cs.mytheresa.com/mix/c3/?tc_id=202311201201523757380094&tcs=3504&cid_vcms=6664627&ag=Category&lg=2&tar=TGT&src=newsletter&cmp=mw_42_231016_category&tarea=07&csf=23350070&user_id=507fd0bb65c9f08e7b4b1a0ac732a5d6&kwd=mw&ptyp=namemyt&chn=email&url=//baidu.com///link?url=vC4GC64ae4I9wzsoHp-V0ah20Me1UflwnvmnxUC9BRkuYSMm7qYp63-dMYBSTRdK&wd#.am9obm55X2RhdmlzQGFvLnVzY291cnRzLmdvdg==	Get hash	malicious	Unknown	Browse	104.21.85.189 104.21.73.97
	Payment_Slip_(SWIFT)#U00b7PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.85.189 104.21.73.97
	payment_slip_copy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.85.189 104.21.73.97
	Purchase_Enquiry-Y97STVZCPZC12AQ-03315904351-pdf.exe	Get hash	malicious	AgentTesla	Browse	104.21.85.189 104.21.73.97
	Commercial_Invoice_and_Packing_List.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	104.21.85.189 104.21.73.97
	https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwj_4JyDzIyDAxXVcaQEHcXmCEIQFnoECA8QAQ&url=https%3A%2F%2Fyouareanidiot.cc%2F&usg=AOvVaw36hjTACmKPOCzJrY34wLQm&opi=89978449	Get hash	malicious	Unknown	Browse	104.21.85.189 104.21.73.97
	last.hta	Get hash	malicious	AsyncRAT	Browse	104.21.85.189 104.21.73.97
	RHU-20230911759.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	104.21.85.189 104.21.73.97
	Order_20200703_&_20200704.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	104.21.85.189 104.21.73.97
	REMITTAN.EXE.exe	Get hash	malicious	AgentTesla	Browse	104.21.85.189 104.21.73.97
	fUHlaw338Z.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	104.21.85.189 104.21.73.97

Process:	C:\Users\user\Desktop\123.scr.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	620
Entropy (8bit):	4.0822298618700446
Encrypted:	false
SSDEEP:	6:pYcCFWl4BjJRAMVIKNJAU4wSTeldwLLZu0GhU+0Y7VgEA67X:pYzdRTXxtSTeDyV2U+17VrA6r
MD5:	0AAE77ABCEA44270CBD9B3E2663F7C8F
SHA1:	F0FC5B2A49637E191A9540EDFD74D02DC8A506D8
SHA-256:	4FE68384D213EC562ED77FFEFB1A414EDC38B18734AE106F8A183C31BB82561E
SHA-512:	34BAA8AE685F21304AA46C6D6462EA625348FBBDC8E61297B44D634C26268625F5C2CF174523BA805FB151F442E1FE1B9B1B40A5A0F2CAC1F403903AA0120AA5
Malicious:	false
Reputation:	low
Preview:	==================================================. Operating system: Windows 10 Pro (64 Bit). PC user: 045012/user. ClipBoard: . Launch: C:\Users\user\Desktop\123.scr.exe. ==================================================. Screen resolution: 1280x1024. Current time: 14/12/2023 01:44:07. HWID: AD2B2E05BD. ==================================================. CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz. RAM: 4094MB. GPU: YY6U7V1F. ==================================================. IP Geolocation: Fail Fail. Log Date: 12/14/2023 1:44. BSSID: 00:50:56:a7:21:15. ==================================================

C:\ProgramData\44\Process.txt

Download File

Process:	C:\Users\user\Desktop\123.scr.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4385
Entropy (8bit):	4.806386342006856
Encrypted:	false
SSDEEP:	48:s8kXE//QzkQQE4Q/QQQQQQQpSq6uODQQQdu///QQXsXsNMTMTu3W8kZKF/QQQQQI:5G572Yexw0ZJt/3
MD5:	419F391EA92B4BEBA23A3F55CC18B5DF
SHA1:	62C51A205ADCF381226E77E3F01971D33B7ED507
SHA-256:	F3C5DD1668870C284E42F13D9037DD150FACF5B03C1F0688D5B3585FEC88ECBB
SHA-512:	114F77FA1DF81F8E77335563DFCF10112E8610A187EDE7FBCD218D683427A539C61488BD7B93092B61C4C2521CD65D80AA2AA8324D5FB2011CF41550B8797ABC
Malicious:	false
Reputation:	low
Preview:	NAME: yQoSJIMPbIEjgIkaeLq..NAME: dllhost..NAME: yQoSJIMPbIEjgIkaeLq..NAME: RuntimeBroker..NAME: csrss..NAME: svchost..NAME: yQoSJIMPbIEjgIkaeLq..NAME: svchost..NAME: yQoSJIMPbIEjgIkaeLq..NAME: svchost..NAME: yQoSJIMPbIEjgIkaeLq..NAME: yQoSJIMPbIEjgIkaeLq..NAME: svchost..NAME: dllhost..NAME: yQoSJIMPbIEjgIkaeLq..NAME: yQoSJIMPbIEjgIkaeLq..NAME: yQoSJIMPbIEjgIkaeLq..NAME: svchost..NAME: spoolsv..NAME: sihost..NAME: svchost..NAME: svchost..NAME: yQoSJIMPbIEjgIkaeLq..NAME: yQoSJIMPbIEjgIkaeLq..NAME: svchost..NAME: yQoSJIMPbIEjgIkaeLq..NAME: yQoSJIMPbIEjgIkaeLq..NAME: fontdrvhost..NAME: yQoSJIMPbIEjgIkaeLq..NAME: yQoSJIMPbIEjgIkaeLq..NAME: yQoSJIMPbIEjgIkaeLq..NAME: fontdrvhost..NAME: yQoSJIMPbIEjgIkaeLq..NAME: yQoSJIMPbIEjgIkaeLq..NAME: yQoSJIMPbIEjgIkaeLq..NAME: StartMenuExperienceHost..NAME: conhost..NAME: yQoSJIMPbIEjgIkaeLq..NAME: svchost..NAME: smss..NAME: yQoSJIMPbIEjgIkaeLq..NAME: OfficeClickToRun..NAME: svchost..NAME: svchost..NAME: yQoSJIMPbIEjgIkaeLq..NAME: svchost..NAME: svchost

C:\ProgramData\44\Screen.png

Download File

Process:	C:\Users\user\Desktop\123.scr.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	691304
Entropy (8bit):	7.926770062305592
Encrypted:	false
SSDEEP:	12288:fmdao6o0nRBx3Ip1lQaEzLw+tOhfXJKme61hexsLpHJLRpe3qUPELo67:f0aorGd3/zLsKc0sLJpe3qU4o+
MD5:	E637C2EB2DBA91D4E02091946D2E58E6
SHA1:	4A67F1773799BF62C501E1E35F400EA7BCD01A81
SHA-256:	9B4E45DEE72B70862898DC646EAE3D6279FFF1E1EB7F094A8BD79A0129A6BF33
SHA-512:	5DAF06D185EE39C72459FFD6D0F539B1C59D1E229F7E083E8057F1B29C4E4F1D150E445330C68348CC284631AE23E94D395E8F8CF1D94A6505DDA1B246A9B712
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..g.mWy...}n..F.......v..rUuw9T..F..I.9G$.."...lrF.L2.H"C......Y.,.I.L6.......}.=..9..s...9c<c...w..>Wp.3..`p.....S.......q~..........-..6X5.?_9.7..;..{....Yh...ZOv...7.2\|.w...S.ol=p.y.......o...ks....=.k..G.......j..L..*..`.g..o....G._v...c....X../Y=...}......kkb.._.<.+...O......f..c....-<.%..}&...~...U.\...y..g.:?O...>./.......S.0.M......O.......T..............r_.]x..f..q9...le.cF,<.3......U.....1.O.y.w,q.)..O/..lz...#.]7v....my...nZ...XYx...%.......aK....1\|....a..^.m..%...].P.7.6b.CK...ae......!.V./.z.8..a7u[O+{.zM..!WW...r.qn.i....S..<..R.gqr..I.t.'^..O.....e.....ro%.X..r.u......[..<.........Me..qW.6....h[.....P..a..2w....1..c.O...vR..c........G_........).s.e..c..G.j.c.zB.Vi.G]R...Ee.q........g.Z>..c...cc.....Y.<.S.....G...e.`....+......){Na...V.<b...}.+.?..n.k....~..._4..s.a..e....b-......e}i.o>...tQ...r..'f..g...~D..K,....w~7<..78..

C:\Users\Public\v6zchhhv.default-release\cert9.db

Download File

Process:	C:\Users\user\Desktop\123.scr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 7, database pages 7, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	229376
Entropy (8bit):	0.643383182059925
Encrypted:	false
SSDEEP:	384:A1zkVmvQhyn+Zoz67kMMTNlH333JqN8j/LKXu5Uu/:AlM0sCyW
MD5:	F23F48363C7BAA0709698208A7E833A0
SHA1:	07D2AEE271A0F2BA14608FE5A9A677E2594D22CC
SHA-256:	51DFB72705CBEB6AF5A14F2BE20FC39172E86263E25704F50BEB292F776B7713
SHA-512:	F8F16198A96F047E320EF82026160EBD5A0836B48FC3496C427F90965CF3BF5FAB5EBE0FB9016E3BDE56657EB42627D7286AED3167A422D69F865524892C3DFA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j......z..{...{.{j{*z.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\v6zchhhv.default-release\key4.db

Download File

Process:	C:\Users\user\Desktop\123.scr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	0.08438200565341271
Encrypted:	false
SSDEEP:	192:5va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23v4U:51zkVmvQhyn+Zoz67NU
MD5:	F7EEE7B0D281E250D1D8E36486F5A2C3
SHA1:	309736A27E794672BD1BDFBAC69B2C6734FC25CE
SHA-256:	378DD46FE8A8AAC2C430AE8A7C5C1DC3C2A343534A64A263EC9A4F1CE801985E
SHA-512:	CE102A41CA4E2A27CCB27F415D2D69A75A0058BA0F600C23F63B89F30FFC982BA48336140714C522B46CC6D13EDACCE3DF0D6685D02844B8DB0AD3378DB9CABB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j......z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\123.scr.exe.log

Download File

Process:	C:\Users\user\Desktop\123.scr.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1498
Entropy (8bit):	5.364175471524945
Encrypted:	false
SSDEEP:	24:ML9E4KQEAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoC1qE4GIs0E4K6sXE4Npv:MxHKQEAHKKkKYHKGSI6oPtHTHK1qHGI8
MD5:	1B713A2FD810C1C9A8F6F6BE36F406B1
SHA1:	0828576CB8B83C21F36AD29E327D845AB3574EBB
SHA-256:	E51E809582894F4D484939BE3990DFC914E43F4AF72AE55A00B01FCFE348763B
SHA-512:	D32200B7FA9D0DFEF4011D98D40260838A522E63C874FBCCE00D331D663169DBE1C613AD0E81C76F69A8CE6C7265605175CA75BA2C8BDA7748290B34579E148B
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

C:\Users\user\AppData\Local\Temp\tmp753E.tmp.tmpdb

Download File

Process:	C:\Users\user\Desktop\123.scr.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03859996294213402
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:	D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:	A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:	474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:	62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp757E.tmp.dat

Download File

Process:	C:\Users\user\Desktop\123.scr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp75FC.tmp.dat

Download File

Process:	C:\Users\user\Desktop\123.scr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp75FD.tmp.tmpdb

Download File

Process:	C:\Users\user\Desktop\123.scr.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp760D.tmp.dat

Download File

Process:	C:\Users\user\Desktop\123.scr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp762E.tmp.dat

Download File

Process:	C:\Users\user\Desktop\123.scr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp765D.tmp.dat

Download File

Process:	C:\Users\user\Desktop\123.scr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp766E.tmp.dat

Download File

Process:	C:\Users\user\Desktop\123.scr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.985739733331055
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	123.scr.exe
File size:	562'176 bytes
MD5:	2cd8134f58cdbda71373f5ea79d5a422
SHA1:	f30cc8c8056e6943a4114e557615552f16cb8e2f
SHA256:	7e00639b962e167ab8463fa871f8fe12f6e38166a497d7ed8cf3a2370053d1f0
SHA512:	a6042ab229429830a0e98b17873b68b4799ccde6637e55ff7bbf94eaa6af0d4f89e019fea67a04a04550889be89a3db701372978584569cdd350e86a6a2f65a0
SSDEEP:	12288:nYhJzH0hGN8nVY5cdFWOh+0H0uc1k7EIKxih+sgPrv6KfNcyFEOYw76:YfwM+nVMcPVY0U7qHKxugjdeyFm
TLSH:	B7C423DE7654328ECC0BD039CD480EB83790697FAB8F4667552354E7860DAE28F252B7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ye.........."......j...(........... ........@.. ....................................`................................

File Icon


Icon Hash:	20f02b23333b0022

Static PE Info

General

Entrypoint:	0x48892e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6579C99E [Wed Dec 13 15:11:26 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x888d4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8a000	0x2488	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x86934	0x86a00	False	0.981515131731662	data	7.989676579902905	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8a000	0x2488	0x2600	False	0.9064555921052632	data	7.7074177570634514	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8e000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x8a0a8	0x23c7	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9523965498416858
RT_GROUP_ICON	0x8c470	0x14	data			1.05

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 14, 2023 01:44:06.283051014 CET	49704	443	192.168.2.5	104.21.73.97
Dec 14, 2023 01:44:06.283122063 CET	443	49704	104.21.73.97	192.168.2.5
Dec 14, 2023 01:44:06.283209085 CET	49704	443	192.168.2.5	104.21.73.97
Dec 14, 2023 01:44:06.312927961 CET	49704	443	192.168.2.5	104.21.73.97
Dec 14, 2023 01:44:06.312962055 CET	443	49704	104.21.73.97	192.168.2.5
Dec 14, 2023 01:44:06.579565048 CET	443	49704	104.21.73.97	192.168.2.5
Dec 14, 2023 01:44:06.579688072 CET	49704	443	192.168.2.5	104.21.73.97
Dec 14, 2023 01:44:06.589175940 CET	49704	443	192.168.2.5	104.21.73.97
Dec 14, 2023 01:44:06.589189053 CET	443	49704	104.21.73.97	192.168.2.5
Dec 14, 2023 01:44:06.589509964 CET	443	49704	104.21.73.97	192.168.2.5
Dec 14, 2023 01:44:06.636068106 CET	49704	443	192.168.2.5	104.21.73.97
Dec 14, 2023 01:44:06.670085907 CET	49704	443	192.168.2.5	104.21.73.97
Dec 14, 2023 01:44:06.712740898 CET	443	49704	104.21.73.97	192.168.2.5
Dec 14, 2023 01:44:06.870414019 CET	443	49704	104.21.73.97	192.168.2.5
Dec 14, 2023 01:44:06.870481014 CET	443	49704	104.21.73.97	192.168.2.5
Dec 14, 2023 01:44:06.870560884 CET	49704	443	192.168.2.5	104.21.73.97
Dec 14, 2023 01:44:06.874358892 CET	49704	443	192.168.2.5	104.21.73.97
Dec 14, 2023 01:44:07.007097960 CET	49705	443	192.168.2.5	104.21.85.189
Dec 14, 2023 01:44:07.007116079 CET	443	49705	104.21.85.189	192.168.2.5
Dec 14, 2023 01:44:07.007188082 CET	49705	443	192.168.2.5	104.21.85.189
Dec 14, 2023 01:44:07.007627964 CET	49705	443	192.168.2.5	104.21.85.189
Dec 14, 2023 01:44:07.007642031 CET	443	49705	104.21.85.189	192.168.2.5
Dec 14, 2023 01:44:07.272891045 CET	443	49705	104.21.85.189	192.168.2.5
Dec 14, 2023 01:44:07.273113966 CET	49705	443	192.168.2.5	104.21.85.189
Dec 14, 2023 01:44:07.275790930 CET	49705	443	192.168.2.5	104.21.85.189
Dec 14, 2023 01:44:07.275803089 CET	443	49705	104.21.85.189	192.168.2.5
Dec 14, 2023 01:44:07.276032925 CET	443	49705	104.21.85.189	192.168.2.5
Dec 14, 2023 01:44:07.277173042 CET	49705	443	192.168.2.5	104.21.85.189
Dec 14, 2023 01:44:07.324738026 CET	443	49705	104.21.85.189	192.168.2.5
Dec 14, 2023 01:44:07.627938032 CET	443	49705	104.21.85.189	192.168.2.5
Dec 14, 2023 01:44:07.627989054 CET	443	49705	104.21.85.189	192.168.2.5
Dec 14, 2023 01:44:07.628020048 CET	443	49705	104.21.85.189	192.168.2.5
Dec 14, 2023 01:44:07.628110886 CET	443	49705	104.21.85.189	192.168.2.5
Dec 14, 2023 01:44:07.628123999 CET	49705	443	192.168.2.5	104.21.85.189
Dec 14, 2023 01:44:07.628160954 CET	49705	443	192.168.2.5	104.21.85.189
Dec 14, 2023 01:44:07.637212992 CET	49705	443	192.168.2.5	104.21.85.189

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 14, 2023 01:44:06.145927906 CET	54434	53	192.168.2.5	1.1.1.1
Dec 14, 2023 01:44:06.272604942 CET	53	54434	1.1.1.1	192.168.2.5
Dec 14, 2023 01:44:06.878026009 CET	59361	53	192.168.2.5	1.1.1.1
Dec 14, 2023 01:44:07.006154060 CET	53	59361	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 14, 2023 01:44:06.145927906 CET	192.168.2.5	1.1.1.1	0xaffb	Standard query (0)	freegeoip.app	A (IP address)	IN (0x0001)	false
Dec 14, 2023 01:44:06.878026009 CET	192.168.2.5	1.1.1.1	0x9fc8	Standard query (0)	ipbase.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 14, 2023 01:44:06.272604942 CET	1.1.1.1	192.168.2.5	0xaffb	No error (0)	freegeoip.app	104.21.73.97	A (IP address)	IN (0x0001)	false
Dec 14, 2023 01:44:06.272604942 CET	1.1.1.1	192.168.2.5	0xaffb	No error (0)	freegeoip.app	172.67.160.84	A (IP address)	IN (0x0001)	false
Dec 14, 2023 01:44:07.006154060 CET	1.1.1.1	192.168.2.5	0x9fc8	No error (0)	ipbase.com	104.21.85.189	A (IP address)	IN (0x0001)	false
Dec 14, 2023 01:44:07.006154060 CET	1.1.1.1	192.168.2.5	0x9fc8	No error (0)	ipbase.com	172.67.209.71	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

freegeoip.app

ipbase.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.21.73.97	443	1396	C:\Users\user\Desktop\123.scr.exe

Timestamp	Bytes transferred	Direction	Data
2023-12-14 00:44:06 UTC	67	OUT	GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
2023-12-14 00:44:06 UTC	637	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 14 Dec 2023 00:44:06 GMT Transfer-Encoding: chunked Connection: close Cache-Control: max-age=3600 Expires: Thu, 14 Dec 2023 01:44:06 GMT Location: https://ipbase.com/xml/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=xmPbkFhOuIhqDIhzUR8euqDG2nPjYUblUkgalKDKrzuv%2B869aoapNmi%2FOSM%2B2LG8rn4FVpV5Q%2FtI4%2FEnAzox%2Bh3qDYq8pyWXFhMXvzX%2Fk%2Fs%2B1kzaV9kZv5luBfwZOm%2F%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 83526a9e785d5c6b-MIA alt-svc: h3=":443"; ma=86400
2023-12-14 00:44:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	104.21.85.189	443	1396	C:\Users\user\Desktop\123.scr.exe

Timestamp	Bytes transferred	Direction	Data
2023-12-14 00:44:07 UTC	64	OUT	GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
2023-12-14 00:44:07 UTC	735	IN	HTTP/1.1 404 Not Found Date: Thu, 14 Dec 2023 00:44:07 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Age: 25288 Cache-Control: public,max-age=0,must-revalidate Cache-Status: "Netlify Edge"; hit Vary: Accept-Encoding X-Nf-Request-Id: 01HHJWFRFJBCPQRY9WEB8PH9PQ CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=iehUprSwL2YYg7k73o%2Fm2OJsTJlMaKr7PDrJDUypPTS9TtVnp7Ya0sH1eluEFI3VjvHsciJYzOLD%2Fk4dYqHkqiUf14vkRPSUwQx1K1lQvBLob%2BrEWbx4eAYzf53f"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 83526aa2cf724bff-MIA alt-svc: h3=":443"; ma=86400
2023-12-14 00:44:07 UTC	634	IN	Data Raw: 63 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
2023-12-14 00:44:07 UTC	1369	IN	Data Raw: 3a 20 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 6d 61 69 6e 20 7b 0a 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 Data Ascii: : 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height: 1
2023-12-14 00:44:07 UTC	1086	IN	Data Raw: 20 20 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 30 30 37 30 36 37 22 20 64 3d 22 4d 31 31 2e 39 39 39 38 38 33 36 2c 34 2e 30 39 33 37 30 38 30 33 20 4c 38 2e 35 35 38 30 39 35 31 37 2c 37 2e 34 33 32 39 34 39 35 33 20 43 38 2e 32 33 35 33 31 34 35 39 2c 37 2e 37 34 36 31 31 32 39 38 20 38 2e 32 33 35 33 31 34 35 39 2c 38 2e 32 35 33 38 38 37 33 36 20 38 2e 35 35 38 30 39 35 31 37 2c 38 2e 35 36 36 39 33 37 36 39 20 4c 31 32 2c 31 31 2e 39 30 36 32 39 32 31 20 4c 39 2e 38 34 31 38 37 38 37 31 2c 31 34 20 4c 34 2e 32 34 32 30 38 35 34 34 2c 38 2e 35 36 36 39 33 37 35 31 20 43 33 2e 39 31 39 33 30 34 38 35 2c 38 2e 32 35 33 38 38 37 31 39 20 33 2e 39 31 39 33 30 34 38 35 2c 37 2e 37 34 36 31 31 32 38 31 20 34 2e 32 34 32 30 38 35 34 34 2c 37 2e 34 33 32 39 34 Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.43294
2023-12-14 00:44:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	01:44:04
Start date:	14/12/2023
Path:	C:\Users\user\Desktop\123.scr.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\123.scr.exe
Imagebase:	0x1d831910000
File size:	562'176 bytes
MD5 hash:	2CD8134F58CDBDA71373F5EA79D5A422
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 123.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\44\Information.txt

C:\ProgramData\44\Process.txt

C:\ProgramData\44\Screen.png

C:\Users\Public\v6zchhhv.default-release\cert9.db

C:\Users\Public\v6zchhhv.default-release\key4.db

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\123.scr.exe.log

C:\Users\user\AppData\Local\Temp\tmp753E.tmp.tmpdb

C:\Users\user\AppData\Local\Temp\tmp757E.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp75FC.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp75FD.tmp.tmpdb

C:\Users\user\AppData\Local\Temp\tmp760D.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp762E.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp765D.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp766E.tmp.dat

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
123.scr.exe