Edit tour

Windows Analysis Report
SecuriteInfo.com.FileRepMalware.22603.20935.exe

Overview

General Information

Sample name:	SecuriteInfo.com.FileRepMalware.22603.20935.exe
Analysis ID:	1618987
MD5:	b0171126d76d2b7b8c428febc87a046d
SHA1:	587735e11116e62d1e8fab5e6c35b86d61501484
SHA256:	f0ece0a9dbe8adbc08ed4e7a189e64f0a33ddbc830403aee024abb848dfc7dc8
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

Score:	76
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

May modify the system service descriptor table (often done to hook functions)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses known network protocols on non-standard ports

Yara detected WebBrowserPassView password recovery tool

Detected TCP or UDP traffic on non-standard ports

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

SecuriteInfo.com.FileRepMalware.22603.20935.exe (PID: 7356 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe" MD5: B0171126D76D2B7B8C428FEBC87A046D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: SecuriteInfo.com.FileRepMalware.22603.20935.exe PID: 7356	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Stealing of Sensitive Information

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://file.blackint3.com:88/openark/version.txtrequset	Avira URL Cloud: Label: malware
Source: https://openark.blackint3.com/manuals/https://github.com/BlackINT3/OpenArk/	Avira URL Cloud: Label: malware
Source: http://file.blackint3.com:88/openark/credits.txt	Avira URL Cloud: Label: malware
Source: https://openark.blackint3.com/manuals/	Avira URL Cloud: Label: malware
Source: http://file.blackint3.com:88/openark/filesrepo_sourceSystem	Avira URL Cloud: Label: malware
Source: http://file.blackint3.com:88	Avira URL Cloud: Label: malware
Source: http://file.blackint3.com:88/openark/version.txt	Avira URL Cloud: Label: malware
Source: http://file.blackint3.com:88/openark/beta/OpenArk64.exehttp://file.blackint3.com:88/openark/OpenArk6	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe	Virustotal: Detection: 60%			Perma Link
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe	ReversingLabs: Detection: 51%

Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Code\OpenArk\src\OpenArk\res\driver\OpenArkDrv64.pdb source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: appid.pdb source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\Code\OpenArk\src\OpenArk\res\driver\OpenArkDrv32.pdb source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: appid.pdbGCTL source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 88
Source: unknown	Network traffic detected: HTTP traffic on port 88 -> 49731

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 222.211.226.110:88

Source: global traffic

HTTP traffic detected: GET /openark/version.txt HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzip, deflateAccept-Language: en-CH,*User-Agent: Mozilla/5.0Host: file.blackint3.com:88

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /openark/version.txt HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzip, deflateAccept-Language: en-CH,*User-Agent: Mozilla/5.0Host: file.blackint3.com:88

Source: global traffic

DNS traffic detected: DNS query: file.blackint3.com

Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002565000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://bugreports.qt.io/
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002565000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://bugreports.qt.io/Microsoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogicRocket_q_recei
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2979694240.0000000005C99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://file.blackint3.com:88
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://file.blackint3.com:88/openark/beta/OpenArk64.exehttp://file.blackint3.com:88/openark/OpenArk6
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://file.blackint3.com:88/openark/credits.txt
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://file.blackint3.com:88/openark/filesrepo_sourceSystem
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2978552429.00000000052D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2980131512.0000000005EBA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2979834816.0000000005DD4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2978629355.000000000534C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://file.blackint3.com:88/openark/version.txt
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://file.blackint3.com:88/openark/version.txtrequset
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://developer.android.google.cn/studio/
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://developer.android.google.cn/studio/9L
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe	String found in binary or memory: https://github.com/BlackINT3
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977720447.0000000004EAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/BlackINT3/OpenArk
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2980131512.0000000005EBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/BlackINT3/OpenArk)
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/BlackINT3/OpenArk/
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2980131512.0000000005E91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/BlackINT3/OpenArk/releases
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2978362061.00000000051B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/BlackINT3/symcn-site
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/BlackINT3F
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/BlackINT3OpenArk
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/hasherezade/pe-sieve
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gomirrors.org/
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gomirrors.org/%
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://mirrors.huaweicloud.com/java/jdk/
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mirrors.huaweicloud.com/java/jdk/9L
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://openark.blackint3.com/manuals/
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://openark.blackint3.com/manuals/https://github.com/BlackINT3/OpenArk/
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmmirror.com/binary.html?path=python/
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://registry.npmmirror.com/binary.html?path=python/7N
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.globalsign.com/repository/03
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.virustotal.com/gui/file/
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.virustotal.com/gui/file/VAddrPAddrFileSizeMemSizeAlignLinkInfoEntsizeTagFromBindDemangle

Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977336600.00000000029ED000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOpenArk0 vs SecuriteInfo.com.FileRepMalware.22603.20935.exe
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs SecuriteInfo.com.FileRepMalware.22603.20935.exe
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: mem:////:[Ordinal: %08X] %04XIMAGE_REL_BASED_ABSOLUTEIMAGE_REL_BASED_HIGHLOWIMAGE_REL_BASED_HIGHIMAGE_REL_BASED_LOWIMAGE_REL_BASED_HIGHADJIMAGE_REL_BASED_DIR64IMAGE_REL_BASED_UNKNOWN&Edit FileExpandAllRVAVirtualSizeVirtualAddressSizeOfRawDataPointerToRawDataPointerToRelocationsPointerToLinenumbersNumberOfRelocationsNumberOfLinenumbersCharacteristicsOriginalFirstThunkTimeDateStampForwarderChainFirstThunkForwarderStringOrdinalAddressOfDataHintOrdinal HexFunctionAddressSizeOfBlockItemCountItemhttp://https://1onTextChanged(const QString&)%.2f MB \| %.2f KB \| %d BytesMemBaseFileVersionProductNameOriginalFileNameInternalNameFile VersionProductVersionProductNameLegalCopyrightOriginalFileNameInternalNameCompanyNameFileDescription(Hash:0x%X)ImageBaseOEPvc50 (5.0)vc60 (6.0)vc70 (2003)vc80 (2005)vc90 (2008)vc100 (2010)vc110 (2012)vc120 (2013)vc140 (2015)vc141 (2017)vc142 (2019)vc143 (2022)vc%d%dLinkerCompileTimePDB File%X %sCert OwnerCert SN%s (%s) %s0x0IMAGE_DOS_HEADERe_magice_cblpe_cpe_crlce_cparhdre_minalloce_maxalloce_sse_spe_csume_ipe_cse_lfarlce_ovnoe_oemide_oeminfoe_lfanew.PEIMAGE_NT_HEADERS64IMAGE_FILE_HEADER32FileHeaderIMAGE_FILE_HEADERMachineNumberOfSectionsPointerToSymbolTableNumberOfSymbolsSizeOfOptionalHeaderIMAGE_FILE_HEADER64OptionalHeaderMagicMajorLinkerVersionMinorLinkerVersionSizeOfCodeSizeOfInitializedDataSizeOfUninitializedDataAddressOfEntryPointBaseOfCodeSectionAlignmentFileAlignmentMajorOperatingSystemVersionMinorOperatingSystemVersionMajorImageVersionMinorImageVersionMajorSubsystemVersionMinorSubsystemVersionWin32VersionValueSizeOfImageSizeOfHeadersCheckSumSubsystemDllCharacteristicsSizeOfStackReserveSizeOfStackCommitSizeOfHeapReserveSizeOfHeapCommitLoaderFlagsNumberOfRvaAndSizesDataDirectory[]IMAGE_DATA_DIRECTORYIMAGE_DIRECTORY_ENTRY_EXPORTIMAGE_DIRECTORY_ENTRY_IMPORTIMAGE_DIRECTORY_ENTRY_RESOURCEIMAGE_DIRECTORY_ENTRY_EXCEPTIONIMAGE_DIRECTORY_ENTRY_SECURITYIMAGE_DIRECTORY_ENTRY_BASERELOCIMAGE_DIRECTORY_ENTRY_DEBUGIMAGE_DIRECTORY_ENTRY_ARCHITECTUREIMAGE_DIRECTORY_ENTRY_GLOBALPTRIMAGE_DIRECTORY_ENTRY_TLSIMAGE_DIRECTORY_ENTRY_LOAD_CONFIGIMAGE_DIRECTORY_ENTRY_BOUND_IMPORTIMAGE_DIRECTORY_ENTRY_IATIMAGE_DIRECTORY_ENTRY_DELAY_IMPORTIMAGE_DIRECTORY_ENTRY_COM_DESCRIPTORResourceExceptionSecurityBaseRelocArchitectureGlobalPtrConfigBoundImportIATDelayImport (%1)MinorVersionNumberOfFunctionsNumberOfNamesAddressOfFunctionsAddressOfNamesAddressOfNameOrdinalsSizeOfDataAddressOfRawDataNB10RSDS{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}AgeGUIDImageIDSymbolIDPDBMicrosoft Corporation%ls/%s/%s/%sPDB-CNPDB-MSBIN-CNBIN-MS vs SecuriteInfo.com.FileRepMalware.22603.20935.exe
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOpenArkDrv.sys6 vs SecuriteInfo.com.FileRepMalware.22603.20935.exe
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameProductName\VarFileInfo\Translation\StringFileInfo\%04x%04x\ vs SecuriteInfo.com.FileRepMalware.22603.20935.exe
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameappid.sysj% vs SecuriteInfo.com.FileRepMalware.22603.20935.exe
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000000.1713539456.00000000029ED000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOpenArk0 vs SecuriteInfo.com.FileRepMalware.22603.20935.exe
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe	Binary or memory string: OriginalFilenameOpenArk0 vs SecuriteInfo.com.FileRepMalware.22603.20935.exe

Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.00000000024B2000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: nna.nosciencehu.comtadaoka.osaka.jphayakawa.yamanashi.jpdnsalias.orgedu.saedu.sbedu.rsedu.sclib.id.usogori.fukuoka.jpnotogawa.shiga.jpedu.sdrepbody.aeroid.auedu.ruk12.nj.usloyalist.museumedu.rwedu.sgxyzmoka.tochigi.jpdynathome.netkimino.wakayama.jpedu.slnissanveterinaire.kmkokubunji.tokyo.jpedu.snos.hordaland.notm.kmartsandcrafts.museumis-a-musician.com*.kitakyushu.jpiitate.fukushima.jpedu.stav.iturayasu.chiba.jpedu.svflorida.museumninjaedu.synemuro.hokkaido.jpedu.tjs

Source: classification engine

Classification label: mal76.troj.evad.winEXE@1/7@1/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe

File created: C:\Users\user\AppData\Roaming\OpenArk

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe	Virustotal: Detection: 60%
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe	ReversingLabs: Detection: 51%

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: wintab32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32

Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe

Static file information: File size 10974208 > 1048576

Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0xa5d800

Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Code\OpenArk\src\OpenArk\res\driver\OpenArkDrv64.pdb source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: appid.pdb source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\Code\OpenArk\src\OpenArk\res\driver\OpenArkDrv32.pdb source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: appid.pdbGCTL source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Hooking and other Techniques for Hiding and Protection

May modify the system service descriptor table (often done to hook functions)

Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: KeServiceDescriptorTable
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: KeServiceDescriptorTable
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: KeServiceDescriptorTable

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 88
Source: unknown	Network traffic detected: HTTP traffic on port 88 -> 49731

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OLLYDBG/OLLYDBG.EXE
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: CFF EXPLORER/CFF EXPLORER.EXE
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDBG/X64/WINDBG.EXE<
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER/X86/PROCESSHACKER.EXE
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON/PROCMON.EXE
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG/OLLYDBG.EXEH
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDBG/X86/WINDBG.EXE
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER2/FIDDLER.EXE
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER/X64/PROCESSHACKER.EXE
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: X64DBG/X64/X64DBG.EXE
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: TCPDUMP/TCPDUMP.EXE
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSINTERNALSSUITE/PROCMON.EXE
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: WINDBG/X64/WINDBG.EXE
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNS/AUTORUNS.EXE
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TCPDUMP/TCPDUMP.EXEX
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X64DBG/X64/X64DBG.EXED
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER4/FIDDLER.EXE
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: API MONITOR/APIMONITOR-X86.EXE
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CFF EXPLORER/CFF EXPLORER.EXE#
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSINTERNALSSUITE/PROCMON.EXE5

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe

Window / User API: foregroundWindowGot 628

Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2980131512.0000000005EBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.000000000285C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: .?AVQEmulationPaintEngine@@

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe

System information queried: CodeIntegrityInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe

Process token adjusted: Debug

Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %Y/%M/%D %H:%W:%S%d:%02d:%02d.%03d%.2f0.00-nan(ind)%0.2f MBCan't dump 64-bit process.Create dump ok.Create dump failed.QueryWorkingSet pid:%d, err:%dGetProcessPrivateWorkingSetpropertiesWriteFileDataWReadFileDataWread offset out of boundProgram ManagerProgmanapplication/octet-streamDownload failed, err:%1, msg:%2HttpDownload::<lambda_dcf5b1914fb29cf1126394837a0c8ec5>::operator ()FreeLibrary{8ECD1478-A24C-4427-8E9E-DE180B21183A}SeTakeOwnershipPrivilegeNtCreateFiledwmapi.dllDwmSetWindowAttribute

Stealing of Sensitive Information

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.FileRepMalware.22603.20935.exe PID: 7356, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	1 Credential API Hooking	21 Security Software Discovery	Remote Services	1 Credential API Hooking	11 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No bigger version

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.FileRepMalware.22603.20935.exe	60%	Virustotal		Browse
SecuriteInfo.com.FileRepMalware.22603.20935.exe	51%	ReversingLabs	Win32.Exploit.CVE-2019-16098

Source	Detection	Scanner	Label
http://file.blackint3.com:88/openark/version.txtrequset	100%	Avira URL Cloud	malware
https://openark.blackint3.com/manuals/https://github.com/BlackINT3/OpenArk/	100%	Avira URL Cloud	malware
http://file.blackint3.com:88/openark/credits.txt	100%	Avira URL Cloud	malware
https://developer.android.google.cn/studio/	0%	Avira URL Cloud	safe
https://openark.blackint3.com/manuals/	100%	Avira URL Cloud	malware
http://bugreports.qt.io/Microsoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogicRocket_q_recei	0%	Avira URL Cloud	safe
http://file.blackint3.com:88/openark/filesrepo_sourceSystem	100%	Avira URL Cloud	malware
http://file.blackint3.com:88	100%	Avira URL Cloud	malware
http://file.blackint3.com:88/openark/version.txt	100%	Avira URL Cloud	malware
http://file.blackint3.com:88/openark/beta/OpenArk64.exehttp://file.blackint3.com:88/openark/OpenArk6	100%	Avira URL Cloud	malware
https://developer.android.google.cn/studio/9L	0%	Avira URL Cloud	safe
https://gomirrors.org/%	0%	Avira URL Cloud	safe
https://gomirrors.org/	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
file.blackint3.com	222.211.226.110	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://file.blackint3.com:88/openark/version.txtrequset	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: malware	unknown
http://ocsp.thawte.com0	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp	false		high
https://openark.blackint3.com/manuals/https://github.com/BlackINT3/OpenArk/	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/BlackINT3	SecuriteInfo.com.FileRepMalware.22603.20935.exe	false		high
http://file.blackint3.com:88/openark/filesrepo_sourceSystem	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/BlackINT3/symcn-site	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2978362061.00000000051B8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/BlackINT3F	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp	false		high
https://registry.npmmirror.com/binary.html?path=python/	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	false		high
https://developer.android.google.cn/studio/	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.virustotal.com/gui/file/	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	false		high
http://bugreports.qt.io/	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002565000.00000040.00000001.01000000.00000003.sdmp	false		high
https://www.virustotal.com/gui/file/VAddrPAddrFileSizeMemSizeAlignLinkInfoEntsizeTagFromBindDemangle	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	false		high
http://file.blackint3.com:88/openark/version.txt	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2978552429.00000000052D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2980131512.0000000005EBA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2979834816.0000000005DD4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2978629355.000000000534C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://openark.blackint3.com/manuals/	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: malware	unknown
https://registry.npmmirror.com/binary.html?path=python/7N	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	false		high
http://file.blackint3.com:88	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2979694240.0000000005C99000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/BlackINT3/OpenArk/releases	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2980131512.0000000005E91000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cs-g2-crl.thawte.com/ThawteCSG2.crl0	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp	false		high
http://file.blackint3.com:88/openark/credits.txt	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.thawte.com/ThawtePCA.crl0	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp	false		high
https://github.com/BlackINT3/OpenArk/	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	false		high
http://bugreports.qt.io/Microsoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogicRocket_q_recei	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002565000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/BlackINT3/OpenArk)	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2980131512.0000000005EBA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/BlackINT3OpenArk	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	false		high
https://github.com/hasherezade/pe-sieve	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	false		high
http://file.blackint3.com:88/openark/beta/OpenArk64.exehttp://file.blackint3.com:88/openark/OpenArk6	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: malware	unknown
https://gomirrors.org/%	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gomirrors.org/	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/BlackINT3/OpenArk	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977720447.0000000004EAC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://developer.android.google.cn/studio/9L	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mirrors.huaweicloud.com/java/jdk/9L	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mirrors.huaweicloud.com/java/jdk/	SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
222.211.226.110	file.blackint3.com	China		4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1618987
Start date and time:	2025-02-19 12:21:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.FileRepMalware.22603.20935.exe
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@1/7@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:22:17	API Interceptor	4684x Sleep call for process: SecuriteInfo.com.FileRepMalware.22603.20935.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CHINANET-BACKBONENo31Jin-rongStreetCN	zte	Get hash	malicious	Unknown	Browse	110.178.251.236
	z3hir.x86	Get hash	malicious	Mirai	Browse	60.189.236.199
	Hilix.ppc.elf	Get hash	malicious	Unknown	Browse	202.109.142.112
	Hilix.sh4.elf	Get hash	malicious	Unknown	Browse	171.95.182.160
	Hilix.x86.elf	Get hash	malicious	Unknown	Browse	59.175.154.149
	Hilix.arm7.elf	Get hash	malicious	Mirai	Browse	49.82.207.112
	res.mips.elf	Get hash	malicious	Unknown	Browse	218.84.206.217
	Hilix.spc.elf	Get hash	malicious	Unknown	Browse	27.144.168.230
	Hilix.m68k.elf	Get hash	malicious	Unknown	Browse	121.8.97.202
	res.arm.elf	Get hash	malicious	Unknown	Browse	182.132.110.25

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe
File Type:	Generic INItialization configuration [Preference]
Category:	dropped
Size (bytes):	69
Entropy (8bit):	4.308842348014033
Encrypted:	false
SSDEEP:	3:LGARGLe6x5EWWzvy+4GACR6iZy:TRGLegE3DeGRRQ
MD5:	631B0AC9CDF8CD5AECFD6C16EF9D5B60
SHA1:	A52BB78130B5AF5C40B89ED48C63F5A807BC458D
SHA-256:	444F29F2E400E733D7B29347B0F5215C92D2F9F68B1DEA7074B8D7713825D9FA
SHA-512:	7AE1242B5BA23C42B897876BC92656F7E7967B549B0510E142EF7B94C08A10CB764592366EA2FFFF6EF4A9F33F697852177FD1E9795601D26E49C9722F3023B5
Malicious:	false
Reputation:	low
Preview:	[Process]..include_tree=0..last_search=....[Preference]..main_tab=1..

C:\Users\user\AppData\Roaming\OpenArk\openark.ini.Nl7356

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe
File Type:	Generic INItialization configuration [Preference]
Category:	dropped
Size (bytes):	375
Entropy (8bit):	3.245155993003607
Encrypted:	false
SSDEEP:	6:TRGLegE3DeGRRbl1+QVHVHVHVHVHVUZAYyY0:TRPBz7V+QVHVHVHVHVHVpYL0
MD5:	B42AB878E382D1AF00A392DC27943E2A
SHA1:	5339AEDB22A71F4BF5785ACB477AC81B7155D4B5
SHA-256:	8FD7ACCF22D1E258BEBEAFB3E349F3FC4267451ECEA5FE7B2C95599202F64032
SHA-512:	8679246B094524CAD1246A8495800CA23ED5703D368FD8C94880CB3A1AAA8E7D02B757B9CFFA4D0CEA2AB5642A00D88DAA22DB00B3BB52A8F0317D466C547A0F
Malicious:	false
Reputation:	low
Preview:	[Process]..include_tree=0..last_search=....[Preference]..main_tab=1..maintab_map2="0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0"....[Main]..x=160..y=123..w=752..h=578..

C:\Users\user\AppData\Roaming\OpenArk\openark.ini.Uh7356

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe
File Type:	Generic INItialization configuration [Preference]
Category:	dropped
Size (bytes):	337
Entropy (8bit):	2.841873231884796
Encrypted:	false
SSDEEP:	3:LGARGLe6x5EWWzvy+4GACR6iZbll1L+YiVIV9VV9VV9VV9VV9VVT:TRGLegE3DeGRRbl1+QVHVHVHVHVHVT
MD5:	0AAFDB135812EFC6AFDB2C4FB8A8B652
SHA1:	24762D94029BAF47EAB1E5CD53D2BD8743A85BCF
SHA-256:	6575C8F3B8F11DA1FFBDFDDB4FF0C538634A682C9AB7790F7C5B305437983F14
SHA-512:	C52DB58C86434D698509D3B7F46937C55FD0051B4FF5217F1F97E8DC7C79A1CE5A56301500A96E04477992F3CEEC16B76E1510F84CC24DF3367C78BF8A6284F0
Malicious:	false
Reputation:	low
Preview:	[Process]..include_tree=0..last_search=....[Preference]..main_tab=1..maintab_map2="0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0"..

C:\Users\user\AppData\Roaming\OpenArk\openark.ini.Ya7356

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe
File Type:	Generic INItialization configuration [Preference]
Category:	dropped
Size (bytes):	361
Entropy (8bit):	3.092934518082738
Encrypted:	false
SSDEEP:	3:LGARGLe6x5EWWzvy+4GACR6iZbll1L+YiVIV9VV9VV9VV9VV9VVzMBdYUTVQy:TRGLegE3DeGRRbl1+QVHVHVHVHVHVUZN
MD5:	2504FC4322DFE507E6566905DB1730E4
SHA1:	F0A7CEF4110E94FDB6FB0DA2E2E24822DCC11C6A
SHA-256:	4664CF0450B1FD34E30DA7725FEAE5EB977AE3BAF40E3B2198B262752015D71D
SHA-512:	E55FD0F5A1561540DABA723DC901ED5EC4174B1FD3AB88E025A05D2B1DCA922D67D3676B54D0FD909093516BF9E1B8F1D626B528BC3F3F49E0CB616D27831B42
Malicious:	false
Reputation:	low
Preview:	[Process]..include_tree=0..last_search=....[Preference]..main_tab=1..maintab_map2="0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0"....[Main]..x=160..y=123..

C:\Users\user\AppData\Roaming\OpenArk\openark.ini.em7356

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe
File Type:	Generic INItialization configuration [Preference]
Category:	dropped
Size (bytes):	337
Entropy (8bit):	2.841873231884796
Encrypted:	false
SSDEEP:	3:LGARGLe6x5EWWzvy+4GACR6iZbll1L+YiVIV9VV9VV9VV9VV9VVT:TRGLegE3DeGRRbl1+QVHVHVHVHVHVT
MD5:	0AAFDB135812EFC6AFDB2C4FB8A8B652
SHA1:	24762D94029BAF47EAB1E5CD53D2BD8743A85BCF
SHA-256:	6575C8F3B8F11DA1FFBDFDDB4FF0C538634A682C9AB7790F7C5B305437983F14
SHA-512:	C52DB58C86434D698509D3B7F46937C55FD0051B4FF5217F1F97E8DC7C79A1CE5A56301500A96E04477992F3CEEC16B76E1510F84CC24DF3367C78BF8A6284F0
Malicious:	false
Reputation:	low
Preview:	[Process]..include_tree=0..last_search=....[Preference]..main_tab=1..maintab_map2="0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0"..

C:\Users\user\AppData\Roaming\OpenArk\openark.ini.gq7356

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe
File Type:	Generic INItialization configuration [Preference]
Category:	dropped
Size (bytes):	69
Entropy (8bit):	4.308842348014033
Encrypted:	false
SSDEEP:	3:LGARGLe6x5EWWzvy+4GACR6iZy:TRGLegE3DeGRRQ
MD5:	631B0AC9CDF8CD5AECFD6C16EF9D5B60
SHA1:	A52BB78130B5AF5C40B89ED48C63F5A807BC458D
SHA-256:	444F29F2E400E733D7B29347B0F5215C92D2F9F68B1DEA7074B8D7713825D9FA
SHA-512:	7AE1242B5BA23C42B897876BC92656F7E7967B549B0510E142EF7B94C08A10CB764592366EA2FFFF6EF4A9F33F697852177FD1E9795601D26E49C9722F3023B5
Malicious:	false
Reputation:	low
Preview:	[Process]..include_tree=0..last_search=....[Preference]..main_tab=1..

C:\Users\user\AppData\Roaming\OpenArk\openark.ini.lock

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	22
Entropy (8bit):	4.1523912776298655
Encrypted:	false
SSDEEP:	3:l4zeAv8Ln:SqAELn
MD5:	988F38040ACB8CBCD2A249F3FB67E769
SHA1:	2A0248B0C7C2AF59FEBF99840AF0751CA3D232BC
SHA-256:	D69219785FBB0867D3D8F4F9F6EF8F1FFD5BEFD1A0B5F1CBBF71D6097B173B26
SHA-512:	29BC17AA7733A91EF2605BFA3FB75C837EFB954CD6D65A1D07C49156C31C852EF6F0EFA3C1139470F2395FBDF66F4156F6AB51F5CBF5544AA55E8033D0DABDC6
Malicious:	false
Reputation:	low
Preview:	7356.OpenArk.user-PC.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.904412434122235
TrID:	Win32 Executable (generic) a (10002005/4) 99.66% UPX compressed Win32 Executable (30571/9) 0.30% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.FileRepMalware.22603.20935.exe
File size:	10'974'208 bytes
MD5:	b0171126d76d2b7b8c428febc87a046d
SHA1:	587735e11116e62d1e8fab5e6c35b86d61501484
SHA256:	f0ece0a9dbe8adbc08ed4e7a189e64f0a33ddbc830403aee024abb848dfc7dc8
SHA512:	a276dc06f972fdd225ecde0ea10b7453bc5b043547e2fa503f3a5e0069b67bbb739a0f9577a2e4eed5356a60657e4c9d514cd5e194e812c29ed9f25f80eff25c
SSDEEP:	196608:Ojmc0j+aLEffJuZraaSzmjvSqIEsJUPT8qD55d9oX7xj20iYc:OjkjnQfJu4ayzHOPVDZiLx1i
TLSH:	1FB633D9203502A5F456BE35995DB8C78A4DBC326B4B21784F0EFA87C9F8ED1C119E0B
File Content Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.........:...T...T...T.AY....T.AY..C.T.AY....T.ke....T.X.W...T.(:....T.X.Q.q.T.X.P...T.......T.......T...U.V.T.b.P...T.b.Q...T.B.P...T

File Icon


Icon Hash:	0f334d4ccc4d338f

Static PE Info

General

Entrypoint:	0x228c250
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67991C80 [Tue Jan 28 18:05:52 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	05b5280fc0aa45daf9f05d564cf8cad4

Entrypoint Preview

Instruction
pushad
mov esi, 0182F000h
lea edi, dword ptr [esi-0142E000h]
lea eax, dword ptr [edi+01D57E88h]
push dword ptr [eax]
mov dword ptr [eax], BF479A3Ah
push eax
push edi
or ebp, FFFFFFFFh
jmp 00007F57306B06A3h
nop
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F57306B0699h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F57306B067Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F57306B0699h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F57306B069Dh
jne 00007F57306B06BAh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F57306B06B1h
dec eax
add ebx, ebx
jne 00007F57306B0699h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F57306B0666h
add ebx, ebx
jne 00007F57306B0699h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F57306B06E4h
xor ecx, ecx
sub eax, 03h
jc 00007F57306B06A3h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F57306B0707h
sar eax, 1
mov ebp, eax
jmp 00007F57306B069Dh
add ebx, ebx
jne 00007F57306B0699h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F57306B065Eh
inc ecx
add ebx, ebx
jne 00007F57306B0699h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F57306B0650h
add ebx, ebx
jne 00007F57306B0699h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F57306B0681h
jne 00007F57306B069Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2015 UPD3.1 build 24215
[C++] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1ea62ac	0x418	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1e8d000	0x192ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1ea66c4	0x18	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1e8c450	0x18	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1e8c678	0x5c	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x142e000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x142f000	0xa5e000	0xa5d800	29d41181d43dc8c47ded0151260d472a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1e8d000	0x1a000	0x19800	62db613c9d128a1cc5f799d4fe313c72	False	0.16486672794117646	data	3.0950276952925364	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1e8d1f4	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.10292203951259908
RT_ICON	0x1e9da20	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.19768540387340577
RT_ICON	0x1ea1c4c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.2753112033195021
RT_ICON	0x1ea41f8	0x1588	Device independent bitmap graphic, 36 x 72 x 32, image size 5472	English	United States	0.3543178519593614
RT_ICON	0x1ea5784	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.7819148936170213
RT_GROUP_ICON	0x1ea5bf0	0x4c	data	English	United States	0.8157894736842105
RT_VERSION	0x1ea5c40	0x2e0	data	English	United States	0.4891304347826087
RT_MANIFEST	0x1ea5f24	0x387	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (843), with CRLF line terminators	English	United States	0.48615725359911405

Imports

DLL	Import
ADVAPI32.dll	AddAce
CRYPT32.dll	CertOpenStore
GDI32.dll	BitBlt
IMM32.dll	ImmNotifyIME
IPHLPAPI.DLL	SetTcpEntry
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
ntdll.dll	NtCreateFile
ole32.dll	DoDragDrop
OLEAUT32.dll	CreateErrorInfo
OPENGL32.dll	glHint
PSAPI.DLL	QueryWorkingSet
RPCRT4.dll	UuidEqual
SHELL32.dll	SHGetMalloc
SHLWAPI.dll	SHDeleteKeyW
USER32.dll	GetDC
VERSION.dll	VerQueryValueW
WINMM.dll	PlaySoundW
WS2_32.dll	__WSAFDIsSet
WTSAPI32.dll	WTSFreeMemory

Version Infos

Description	Data
CompanyName	https://github.com/BlackINT3
FileDescription	Open Anti Rootkit for Windows Researchers
FileVersion	1.3.8.0
LegalCopyright	BlackINT3 Copyright (C) 2019
OriginalFilename	OpenArk
ProductName	OpenArk
ProductVersion	1.3.8.0
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 7
• 88 undefined
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 19, 2025 12:22:22.506805897 CET	49731	88	192.168.2.4	222.211.226.110
Feb 19, 2025 12:22:22.511845112 CET	88	49731	222.211.226.110	192.168.2.4
Feb 19, 2025 12:22:22.511945009 CET	49731	88	192.168.2.4	222.211.226.110
Feb 19, 2025 12:22:22.512301922 CET	49731	88	192.168.2.4	222.211.226.110
Feb 19, 2025 12:22:22.517239094 CET	88	49731	222.211.226.110	192.168.2.4
Feb 19, 2025 12:22:23.469533920 CET	88	49731	222.211.226.110	192.168.2.4
Feb 19, 2025 12:22:23.469549894 CET	88	49731	222.211.226.110	192.168.2.4
Feb 19, 2025 12:22:23.469624996 CET	49731	88	192.168.2.4	222.211.226.110
Feb 19, 2025 12:23:29.219157934 CET	88	49731	222.211.226.110	192.168.2.4
Feb 19, 2025 12:23:29.219295025 CET	49731	88	192.168.2.4	222.211.226.110
Feb 19, 2025 12:23:29.219424009 CET	49731	88	192.168.2.4	222.211.226.110
Feb 19, 2025 12:23:29.225416899 CET	88	49731	222.211.226.110	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 19, 2025 12:22:22.124757051 CET	55713	53	192.168.2.4	1.1.1.1
Feb 19, 2025 12:22:22.494340897 CET	53	55713	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 19, 2025 12:22:22.124757051 CET	192.168.2.4	1.1.1.1	0x8c9a	Standard query (0)	file.blackint3.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 19, 2025 12:22:22.494340897 CET	1.1.1.1	192.168.2.4	0x8c9a	No error (0)	file.blackint3.com		222.211.226.110	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

file.blackint3.com:88

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	222.211.226.110	88	7356	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe

Timestamp	Bytes transferred	Direction	Data
Feb 19, 2025 12:22:22.512301922 CET	173	OUT	GET /openark/version.txt HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip, deflate Accept-Language: en-CH,* User-Agent: Mozilla/5.0 Host: file.blackint3.com:88
Feb 19, 2025 12:22:23.469533920 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 19 Feb 2025 11:22:23 GMT Content-Type: text/plain Content-Length: 1125 Connection: keep-alive Last-Modified: Tue, 28 Jan 2025 18:58:56 GMT ETag: "679928f0-465" Accept-Ranges: bytes Data Raw: 7b 0a 20 20 20 20 22 65 72 72 22 3a 20 30 2c 0a 20 20 20 20 22 61 70 70 76 65 72 22 3a 20 22 31 2e 33 2e 38 22 2c 0a 20 20 20 20 22 61 70 70 62 64 22 3a 20 22 32 30 32 35 30 31 32 39 30 32 30 34 22 2c 0a 20 20 20 20 22 61 70 70 63 6c 22 3a 20 22 4c 53 44 6d 6c 4b 2f 6d 6a 49 48 70 6d 70 44 6f 75 71 76 6d 71 4b 48 6c 76 49 2f 76 76 49 7a 6c 6f 70 37 6c 69 71 42 43 5a 58 52 68 36 59 43 61 36 59 47 54 43 69 30 67 35 59 61 46 35 71 43 34 35 61 4b 65 35 62 79 36 37 37 79 61 35 70 61 77 35 61 4b 65 35 70 36 61 35 4c 69 2b 53 57 31 68 5a 32 56 57 5a 58 4a 70 5a 6d 6c 6a 59 58 52 70 62 32 34 76 51 6d 39 31 62 6d 52 7a 4c 30 74 6c 63 6d 35 6c 62 45 68 68 63 32 6a 6c 6d 35 37 6f 73 49 50 6b 75 36 58 6c 6a 34 70 46 55 46 4a 50 51 30 56 54 55 2b 53 2f 6f 65 61 42 72 2b 65 74 69 51 6f 74 49 4f 65 56 6a 4f 6d 64 6f 75 53 38 6d 4f 57 4d 6c 75 2b 38 6d 75 61 57 73 4f 57 69 6e 75 53 2f 6e 65 57 74 6d 4f 69 2f 68 2b 61 37 70 4f 57 4f 68 75 57 50 73 75 69 75 73 4f 57 39 6c 65 2b 38 6a 4f 57 4d 68 65 57 51 71 2b 69 2f [TRUNCATED] Data Ascii: { "err": 0, "appver": "1.3.8", "appbd": "202501290204", "appcl": "LSDmlK/mjIHpmpDouqvmqKHlvI/vvIzlop7liqBCZXRh6YCa6YGTCi0g5YaF5qC45aKe5by677ya5paw5aKe5p6a5Li+SW1hZ2VWZXJpZmljYXRpb24vQm91bmRzL0tlcm5lbEhhc2jlm57osIPku6Xlj4pFUFJPQ0VTU+S/oeaBr+etiQotIOeVjOmdouS8mOWMlu+8muaWsOWinuS/neWtmOi/h+a7pOWOhuWPsuiusOW9le+8jOWMheWQq+i/m+eoi+agkeetiQotIOeDremUruWKn+iDveS/ruWkje+8jOW3peWFt+W6k+aWsOWinuW3peWFtwotIEJVR+S/ruWkjeS7peWPiuS4gOS6m+acquaPkOWPiueahOWKn+iDvQotIOaWsOW5tOW/q+S5kCAyMDI1IPCfkI0KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tCi0gU3VwcG9ydCBpbnZpc2libGUgbW9kZSBhbmQgYWRkZWQgYmV0YSBjaGFubmVsLgotIEltcG92ZWQga2VybmVsIG1hbmFnZXI6IEFkZGVkIGVudW0gSW1hZ2VWZXJpZmljYXRpb24vQm91bmRzL0tlcm5lbEhhc2ggY2FsbGJhY2tzIGFuZCBFUFJPQ0VTUyBpbmZvIGV0Yy4KLSBJbXByb3ZlZCBVSTogQWRkZWQgZmlsdGVyIGhpc3RvcnkgYW5kICBjb250YWluIHByb2Nlc3MgdHJlZSBldGMuCi0gRW51bSBob3RrZXkgZml4ZWQgIGFuZCBhZGRlZCBzb21lIHRvb2xzLgotIEJ1Z2ZpeGVkIGFuZCBhZGRlZCBzb21lIGZlYXR1cmVzIG5vdCBtZW50a

Statistics

CPU Usage

• SecuriteInfo.com.FileRepMalware.22603.20935.exe

Click to jump to process

Memory Usage

• SecuriteInfo.com.FileRepMalware.22603.20935.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Target ID:	0
Start time:	06:22:17
Start date:	19/02/2025
Path:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe"
Imagebase:	0xb50000
File size:	10'974'208 bytes
MD5 hash:	B0171126D76D2B7B8C428FEBC87A046D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.FileRepMalware.22603.20935.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\OpenArk\openark.ini (copy)

C:\Users\user\AppData\Roaming\OpenArk\openark.ini.Nl7356

C:\Users\user\AppData\Roaming\OpenArk\openark.ini.Uh7356

C:\Users\user\AppData\Roaming\OpenArk\openark.ini.Ya7356

C:\Users\user\AppData\Roaming\OpenArk\openark.ini.em7356

C:\Users\user\AppData\Roaming\OpenArk\openark.ini.gq7356

C:\Users\user\AppData\Roaming\OpenArk\openark.ini.lock

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
SecuriteInfo.com.FileRepMalware.22603.20935.exe