Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu May 23 21:24:56 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Category:	dropped
Dump:	Docs.lnk.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu May 23 21:24:56 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	3.992046339835152
Encrypted:	false
Size:	2673
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Category:	dropped
Dump:	Gmail.lnk.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu May 23 21:24:56 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	4.00966080017285
Encrypted:	false
Size:	2675
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Category:	dropped
Dump:	Google Drive.lnk.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	4.0155505060407
Encrypted:	false
Size:	2689
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Category:	dropped
Dump:	Sheets.lnk.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu May 23 21:24:56 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	4.006651954364976
Encrypted:	false
Size:	2677
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Category:	dropped
Dump:	Slides.lnk.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu May 23 21:24:56 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	3.9940583573888095
Encrypted:	false
Size:	2677
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu May 23 21:24:55 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Category:	dropped
Dump:	YouTube.lnk.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu May 23 21:24:55 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	4.005064664991991
Encrypted:	false
Size:	2679
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

URLs

Name

Malicious

https://mariobadescu.tyb.xyz/

Details

Filetype:	URL
Filename:	https://mariobadescu.tyb.xyz/

Signature Hits	Behavior Group	Mitre Attack
AI detected phishing page	Phishing
Performs DNS queries to domains with low reputation	Networking
Detected clear text password fields (password is not hidden)	Phishing
Detected non-DNS traffic on DNS port	Networking
Found iframes	Phishing	Drive-by Compromise
HTML body contains low number of good links	Phishing
HTML page contains hidden URLs or javascript code	Phishing
HTML title does not match URL	Phishing
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Classification label	System Summary
Connects to IPs without corresponding DNS lookups	Networking
Creates files inside the program directory	System Summary
Creates files inside the user directory	System Summary	Masquerading
HTML page is missing a favicon	Phishing
META author tag missing	Phishing
META copyright tag missing	Phishing
Performs DNS lookups	Networking	Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
Uses HTTPS	Networking	Encrypted Channel Application Layer Protocol
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis
Creates a directory in C:\Program Files	Compliance, System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking
Found graphical window changes (likely an installer)	System Summary

https://mariobadescu.tyb.xyz/join

Details

Name:	https://mariobadescu.tyb.xyz/join
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	browser

Signature Hits	Behavior Group	Mitre Attack
AI detected phishing page	Phishing
Found iframes	Phishing	Drive-by Compromise
HTML body contains low number of good links	Phishing
HTML title does not match URL	Phishing
META author tag missing	Phishing
META copyright tag missing	Phishing

https://mariobadescu.tyb.xyz/

Details

Name:	https://mariobadescu.tyb.xyz/
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	browser

Signature Hits	Behavior Group	Mitre Attack
AI detected phishing page	Phishing
Spawns processes	System Summary	Process Injection

https://auth.magic.link/send?params=eyJBUElfS0VZIjoicGtfbGl2ZV8zQUZBOEE5N0I3ODE2Njk0IiwiRE9NQUlOX09SSUdJTiI6Imh0dHBzOi8vbWFyaW9iYWRlc2N1LnR5Yi54eXoiLCJFVEhfTkVUV09SSyI6eyJycGNVcmwiOiJodHRwczovL2FwaS5hdmF4Lm5ldHdvcmsvZXh0L2JjL0MvcnBjIiwiY2hhaW5JZCI6NDMxMTR9LCJob3N0IjoiYXV0aC5tYWdpYy5saW5rIiwic2RrIjoibWFnaWMtc2RrIiwidmVyc2lvbiI6IjE5LjQuMCIsImxvY2FsZSI6ImVuX1VTIn0%3D

Details

Name:	https://auth.magic.link/send?params=eyJBUElfS0VZIjoicGtfbGl2ZV8zQUZBOEE5N0I3ODE2Njk0IiwiRE9NQUlOX09SSUdJTiI6Imh0dHBzOi8vbWFyaW9iYWRlc2N1LnR5Yi54eXoiLCJFVEhfTkVUV09SSyI6eyJycGNVcmwiOiJodHRwczovL2FwaS5hdmF4Lm5ldHdvcmsvZXh0L2JjL0MvcnBjIiwiY2hhaW5JZCI6NDMxMTR9LCJob3N0IjoiYXV0aC5tYWdpYy5saW5rIiwic2RrIjoibWFnaWMtc2RrIiwidmVyc2lvbiI6IjE5LjQuMCIsImxvY2FsZSI6ImVuX1VTIn0%3D
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	browser

Signature Hits	Behavior Group	Mitre Attack
Found iframes	Phishing	Drive-by Compromise
HTML page contains hidden URLs or javascript code	Phishing
HTML page is missing a favicon	Phishing

https://auth.magic.link/send-legacy?params=eyJBUElfS0VZIjoicGtfbGl2ZV8zQUZBOEE5N0I3ODE2Njk0IiwiRE9NQUlOX09SSUdJTiI6Imh0dHBzOi8vbWFyaW9iYWRlc2N1LnR5Yi54eXoiLCJFVEhfTkVUV09SSyI6eyJycGNVcmwiOiJodHRwczovL2FwaS5hdmF4Lm5ldHdvcmsvZXh0L2JjL0MvcnBjIiwiY2hhaW5JZCI6NDMxMTR9LCJob3N0IjoiYXV0aC5tYWdpYy5saW5rIiwic2RrIjoibWFnaWMtc2RrIiwidmVyc2lvbiI6IjE5LjQuMCIsImxvY2FsZSI6ImVuX1VTIn0=

about:blank

https://auth.magic.link/placeholder-legacy-relayer-path

https://auth.magic.link/send/rpc/auth/magic_auth_login_with_email_otp/verify_otp_code?lang=en-US

Details

Name:	https://auth.magic.link/send/rpc/auth/magic_auth_login_with_email_otp/verify_otp_code?lang=en-US
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	browser

Signature Hits	Behavior Group	Mitre Attack
Detected clear text password fields (password is not hidden)	Phishing
HTML page is missing a favicon	Phishing

Domains

Name

Malicious

mariobadescu.tyb.xyz

54.187.2.108

app.tyb.xyz

35.161.66.192

mparticle.map.fastly.net

151.101.130.133

fastly-tls12-bam.nr-data.net

162.247.243.29

d36n5zyyxsimg4.cloudfront.net

18.65.40.191

o1176044.ingest.sentry.io

34.120.195.249

s3-r-w.us-west-2.amazonaws.com

3.5.76.120

d1nio8jhji2fqt.cloudfront.net

3.161.82.118

events.launchdarkly.com

3.216.87.253

kms.us-west-2.amazonaws.com

52.94.182.204

scontent.xx.fbcdn.net

157.240.0.6

jssdks.mparticle.com

151.101.194.133

d296je7bbdd650.cloudfront.net

99.86.8.175

www.google.com

142.250.185.68

api.magic.link

104.18.22.227

api.segment.io

54.69.251.6

jssdkcdns.mparticle.com

151.101.2.133

browser-intake-datadoghq.com

3.233.152.234

js.intercomcdn.com

18.239.94.98

widget.intercom.io

13.224.189.18

auth.magic.link

104.18.23.227

clientstream-ga.launchdarkly.com

13.248.151.210

js-agent.newrelic.com

162.247.243.39

edge.fullstory.com

35.201.112.186

cdn.ethers.io

13.33.187.103

s-part-0039.t-0009.t-msedge.net

13.107.246.67

rs.fullstory.com

35.186.194.58

avalanche-mainnet.core.chainstack.com

104.18.4.35

assets.auth.magic.link

unknown

s.clarity.ms

unknown

cdn.segment.com

unknown

identity.mparticle.com

unknown

tyb-prod-collectibles-assets-bucket.s3.us-west-2.amazonaws.com

unknown

c.clarity.ms

unknown

clientstream.launchdarkly.com

unknown

websdk.appsflyer.com

unknown

app.launchdarkly.com

unknown

www.clarity.ms

unknown

connect.facebook.net

unknown

bam.nr-data.net

unknown

There are 30 hidden domains, click here to show them.

IPs

Domain

Country

Malicious

54.187.2.108

mariobadescu.tyb.xyz

United States

35.161.66.192

app.tyb.xyz

United States

52.92.243.66

unknown

United States

142.250.186.67

unknown

United States

151.101.130.133

mparticle.map.fastly.net

United States

18.65.40.191

d36n5zyyxsimg4.cloudfront.net

United States

3.216.87.253

events.launchdarkly.com

United States

18.239.94.98

js.intercomcdn.com

United States

13.224.189.18

widget.intercom.io

United States

35.186.194.58

rs.fullstory.com

United States

3.5.76.120

s3-r-w.us-west-2.amazonaws.com

United States

192.168.2.4

unknown

151.101.130.217

unknown

United States

52.32.72.15

unknown

United States

18.65.40.222

unknown

United States

68.219.88.97

unknown

United States

3.161.82.118

d1nio8jhji2fqt.cloudfront.net

United States

151.101.66.217

unknown

United States

151.101.66.133

unknown

United States

35.155.246.37

unknown

United States

142.250.186.35

unknown

United States

142.250.185.68

www.google.com

United States

1.1.1.1

unknown

Australia

13.248.151.210

clientstream-ga.launchdarkly.com

United States

13.107.21.237

unknown

United States

142.250.185.232

unknown

United States

54.69.251.6

api.segment.io

United States

13.33.187.103

cdn.ethers.io

United States

239.255.255.250

unknown

Reserved

99.86.8.175

d296je7bbdd650.cloudfront.net

United States

104.18.23.227

auth.magic.link

United States

216.58.206.74

unknown

United States

13.107.246.67

s-part-0039.t-0009.t-msedge.net

United States

216.58.206.78

unknown

United States

192.168.2.16

unknown

52.94.182.204

kms.us-west-2.amazonaws.com

United States

3.33.235.18

unknown

United States

18.239.69.70

unknown

United States

157.240.0.6

scontent.xx.fbcdn.net

United States

64.233.166.84

unknown

United States

142.251.40.110

unknown

United States

151.101.194.217

unknown

United States

162.247.243.39

js-agent.newrelic.com

United States

104.18.22.227

api.magic.link

United States

142.250.184.206

unknown

United States

151.101.194.133

jssdks.mparticle.com

United States

3.233.152.234

browser-intake-datadoghq.com

United States

104.18.4.35

avalanche-mainnet.core.chainstack.com

United States

23.96.124.68

unknown

United States

2.19.122.221

unknown

European Union

142.250.185.170

unknown

United States

35.201.112.186

edge.fullstory.com

United States

151.101.2.217

unknown

United States

151.101.2.133

jssdkcdns.mparticle.com

United States

50.17.177.188

unknown

United States

162.247.243.29

fastly-tls12-bam.nr-data.net

United States

64.233.184.84

unknown

United States

34.120.195.249

o1176044.ingest.sentry.io

United States

There are 48 hidden IPs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
https://mariobadescu.tyb.xyz/

Files

URLs

Domains

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthttps://mariobadescu.tyb.xyz/

Files

URLs

Domains

IPs

IOC Report
https://mariobadescu.tyb.xyz/