Windows Analysis Report
SecuriteInfo.com.FileRepMalware.22603.20935.exe

Overview

General Information

Sample name: SecuriteInfo.com.FileRepMalware.22603.20935.exe
Analysis ID: 1618987
MD5: b0171126d76d2b7b8c428febc87a046d
SHA1: 587735e11116e62d1e8fab5e6c35b86d61501484
SHA256: f0ece0a9dbe8adbc08ed4e7a189e64f0a33ddbc830403aee024abb848dfc7dc8
Tags: exe, user-SecuriteInfoCom

Detection

Score: 76
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
May modify the system service descriptor table (often done to hook functions)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Yara detected WebBrowserPassView password recovery tool
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • cleanup
No configs have been found
Yara matches (columns: Source, Rule, Description, Author, Strings):

  Source: 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp
  Rule: JoeSecurity_WebBrowserPassView
  Description: Yara detected WebBrowserPassView password recovery tool
  Author: Joe Security

  Source: Process Memory Space: SecuriteInfo.com.FileRepMalware.22603.20935.exe PID: 7356
  Rule: JoeSecurity_WebBrowserPassView
  Description: Yara detected WebBrowserPassView password recovery tool
  Author: Joe Security
      No Sigma rule has matched
      No Suricata rule has matched

      AV Detection

      Source: http://file.blackint3.com:88/openark/version.txtrequset | Avira URL Cloud: Label: malware
      Source: https://openark.blackint3.com/manuals/https://github.com/BlackINT3/OpenArk/ | Avira URL Cloud: Label: malware
      Source: http://file.blackint3.com:88/openark/credits.txt | Avira URL Cloud: Label: malware
      Source: https://openark.blackint3.com/manuals/ | Avira URL Cloud: Label: malware
      Source: http://file.blackint3.com:88/openark/filesrepo_sourceSystem | Avira URL Cloud: Label: malware
      Source: http://file.blackint3.com:88 | Avira URL Cloud: Label: malware
      Source: http://file.blackint3.com:88/openark/version.txt | Avira URL Cloud: Label: malware
      Source: http://file.blackint3.com:88/openark/beta/OpenArk64.exehttp://file.blackint3.com:88/openark/OpenArk6 | Avira URL Cloud: Label: malware
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe | Virustotal: Detection: 60%
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe | ReversingLabs: Detection: 51%
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: Binary string: D:\Code\OpenArk\src\OpenArk\res\driver\OpenArkDrv64.pdb source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp
      Source: Binary string: appid.pdb source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp
      Source: Binary string: D:\Code\OpenArk\src\OpenArk\res\driver\OpenArkDrv32.pdb source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp
      Source: Binary string: appid.pdbGCTL source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp

      Networking

      Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 88
      Source: unknown | Network traffic detected: HTTP traffic on port 88 -> 49731
      Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 222.211.226.110:88
      Source: global traffic | HTTP traffic detected:
          GET /openark/version.txt HTTP/1.1
          Connection: Keep-Alive
          Accept-Encoding: gzip, deflate
          Accept-Language: en-CH,*
          User-Agent: Mozilla/5.0
          Host: file.blackint3.com:88
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global traffic | HTTP traffic detected:
          GET /openark/version.txt HTTP/1.1
          Connection: Keep-Alive
          Accept-Encoding: gzip, deflate
          Accept-Language: en-CH,*
          User-Agent: Mozilla/5.0
          Host: file.blackint3.com:88
      Source: global traffic | DNS traffic detected: DNS query: file.blackint3.com
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002565000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://bugreports.qt.io/
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002565000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://bugreports.qt.io/Microsoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogicRocket_q_recei
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.globalsign.net/root.crl0
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2979694240.0000000005C99000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://file.blackint3.com:88
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://file.blackint3.com:88/openark/beta/OpenArk64.exehttp://file.blackint3.com:88/openark/OpenArk6
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://file.blackint3.com:88/openark/credits.txt
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://file.blackint3.com:88/openark/filesrepo_sourceSystem
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2978552429.00000000052D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2980131512.0000000005EBA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2979834816.0000000005DD4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2978629355.000000000534C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://file.blackint3.com:88/openark/version.txt
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://file.blackint3.com:88/openark/version.txtrequset
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ocsp.thawte.com0
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://developer.android.google.cn/studio/
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://developer.android.google.cn/studio/9L
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe | String found in binary or memory: https://github.com/BlackINT3
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977720447.0000000004EAC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/BlackINT3/OpenArk
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2980131512.0000000005EBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/BlackINT3/OpenArk)
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/BlackINT3/OpenArk/
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2980131512.0000000005E91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/BlackINT3/OpenArk/releases
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2978362061.00000000051B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/BlackINT3/symcn-site
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/BlackINT3F
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/BlackINT3OpenArk
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/hasherezade/pe-sieve
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://gomirrors.org/
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gomirrors.org/%
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://mirrors.huaweicloud.com/java/jdk/
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mirrors.huaweicloud.com/java/jdk/9L
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://openark.blackint3.com/manuals/
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://openark.blackint3.com/manuals/https://github.com/BlackINT3/OpenArk/
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://registry.npmmirror.com/binary.html?path=python/
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://registry.npmmirror.com/binary.html?path=python/7N
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.globalsign.com/repository/0
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.globalsign.com/repository/03
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.virustotal.com/gui/file/
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.virustotal.com/gui/file/VAddrPAddrFileSizeMemSizeAlignLinkInfoEntsizeTagFromBindDemangle
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977336600.00000000029ED000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameOpenArk0 vs SecuriteInfo.com.FileRepMalware.22603.20935.exe
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs SecuriteInfo.com.FileRepMalware.22603.20935.exe
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: mem:////:[Ordinal: %08X] %04XIMAGE_REL_BASED_ABSOLUTEIMAGE_REL_BASED_HIGHLOWIMAGE_REL_BASED_HIGHIMAGE_REL_BASED_LOWIMAGE_REL_BASED_HIGHADJIMAGE_REL_BASED_DIR64IMAGE_REL_BASED_UNKNOWN&Edit FileExpandAllRVAVirtualSizeVirtualAddressSizeOfRawDataPointerToRawDataPointerToRelocationsPointerToLinenumbersNumberOfRelocationsNumberOfLinenumbersCharacteristicsOriginalFirstThunkTimeDateStampForwarderChainFirstThunkForwarderStringOrdinalAddressOfDataHintOrdinal HexFunctionAddressSizeOfBlockItemCountItemhttp://https://1onTextChanged(const QString&)%.2f MB | %.2f KB | %d BytesMemBaseFileVersionProductNameOriginalFileNameInternalNameFile VersionProductVersionProductNameLegalCopyrightOriginalFileNameInternalNameCompanyNameFileDescription(Hash:0x%X)ImageBaseOEPvc50 (5.0)vc60 (6.0)vc70 (2003)vc80 (2005)vc90 (2008)vc100 (2010)vc110 (2012)vc120 (2013)vc140 (2015)vc141 (2017)vc142 (2019)vc143 (2022)vc%d%dLinkerCompileTimePDB File%X %sCert OwnerCert SN%s (%s) 
%s0x0IMAGE_DOS_HEADERe_magice_cblpe_cpe_crlce_cparhdre_minalloce_maxalloce_sse_spe_csume_ipe_cse_lfarlce_ovnoe_oemide_oeminfoe_lfanew.PEIMAGE_NT_HEADERS64IMAGE_FILE_HEADER32FileHeaderIMAGE_FILE_HEADERMachineNumberOfSectionsPointerToSymbolTableNumberOfSymbolsSizeOfOptionalHeaderIMAGE_FILE_HEADER64OptionalHeaderMagicMajorLinkerVersionMinorLinkerVersionSizeOfCodeSizeOfInitializedDataSizeOfUninitializedDataAddressOfEntryPointBaseOfCodeSectionAlignmentFileAlignmentMajorOperatingSystemVersionMinorOperatingSystemVersionMajorImageVersionMinorImageVersionMajorSubsystemVersionMinorSubsystemVersionWin32VersionValueSizeOfImageSizeOfHeadersCheckSumSubsystemDllCharacteristicsSizeOfStackReserveSizeOfStackCommitSizeOfHeapReserveSizeOfHeapCommitLoaderFlagsNumberOfRvaAndSizesDataDirectory[]IMAGE_DATA_DIRECTORYIMAGE_DIRECTORY_ENTRY_EXPORTIMAGE_DIRECTORY_ENTRY_IMPORTIMAGE_DIRECTORY_ENTRY_RESOURCEIMAGE_DIRECTORY_ENTRY_EXCEPTIONIMAGE_DIRECTORY_ENTRY_SECURITYIMAGE_DIRECTORY_ENTRY_BASERELOCIMAGE_DIRECTORY_ENTRY_DEBUGIMAGE_DIRECTORY_ENTRY_ARCHITECTUREIMAGE_DIRECTORY_ENTRY_GLOBALPTRIMAGE_DIRECTORY_ENTRY_TLSIMAGE_DIRECTORY_ENTRY_LOAD_CONFIGIMAGE_DIRECTORY_ENTRY_BOUND_IMPORTIMAGE_DIRECTORY_ENTRY_IATIMAGE_DIRECTORY_ENTRY_DELAY_IMPORTIMAGE_DIRECTORY_ENTRY_COM_DESCRIPTORResourceExceptionSecurityBaseRelocArchitectureGlobalPtrConfigBoundImportIATDelayImport (%1)MinorVersionNumberOfFunctionsNumberOfNamesAddressOfFunctionsAddressOfNamesAddressOfNameOrdinalsSizeOfDataAddressOfRawDataNB10RSDS{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}AgeGUIDImageIDSymbolIDPDBMicrosoft Corporation%ls/%s/%s/%sPDB-CNPDB-MSBIN-CNBIN-MS vs SecuriteInfo.com.FileRepMalware.22603.20935.exe
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameOpenArkDrv.sys6 vs SecuriteInfo.com.FileRepMalware.22603.20935.exe
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameProductName\VarFileInfo\Translation\StringFileInfo\%04x%04x\ vs SecuriteInfo.com.FileRepMalware.22603.20935.exe
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameappid.sysj% vs SecuriteInfo.com.FileRepMalware.22603.20935.exe
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000000.1713539456.00000000029ED000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameOpenArk0 vs SecuriteInfo.com.FileRepMalware.22603.20935.exe
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe | Binary or memory string: OriginalFilenameOpenArk0 vs SecuriteInfo.com.FileRepMalware.22603.20935.exe
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.00000000024B2000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: nna.nosciencehu.comtadaoka.osaka.jphayakawa.yamanashi.jpdnsalias.orgedu.saedu.sbedu.rsedu.sclib.id.usogori.fukuoka.jpnotogawa.shiga.jpedu.sdrepbody.aeroid.auedu.ruk12.nj.usloyalist.museumedu.rwedu.sgxyzmoka.tochigi.jpdynathome.netkimino.wakayama.jpedu.slnissanveterinaire.kmkokubunji.tokyo.jpedu.snos.hordaland.notm.kmartsandcrafts.museumis-a-musician.com*.kitakyushu.jpiitate.fukushima.jpedu.stav.iturayasu.chiba.jpedu.svflorida.museumninjaedu.synemuro.hokkaido.jpedu.tjs
      Source: classification engine | Classification label: mal76.troj.evad.winEXE@1/7@1/1
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | File created: C:\Users\user\AppData\Roaming\OpenArk
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe | Virustotal: Detection: 60%
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe | ReversingLabs: Detection: 51%
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: opengl32.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: winmm.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: wtsapi32.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: glu32.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: wintab32.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: dataexchange.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: d3d11.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: dcomp.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: dxgi.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: twinapi.appcore.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: textinputframework.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: coreuicomponents.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: coremessaging.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: napinsp.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: pnrpnsp.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: wshbth.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: nlaapi.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: dnsapi.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: winrnr.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: rasadhlp.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Section loaded: fwpuclnt.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe | Static file information: File size 10974208 > 1048576
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe | Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0xa5d800
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: Binary string: D:\Code\OpenArk\src\OpenArk\res\driver\OpenArkDrv64.pdb source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp
      Source: Binary string: appid.pdb source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp
      Source: Binary string: D:\Code\OpenArk\src\OpenArk\res\driver\OpenArkDrv32.pdb source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp
      Source: Binary string: appid.pdbGCTL source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp
      Source: initial sample | Static PE information: section name: UPX0
      Source: initial sample | Static PE information: section name: UPX1

      Hooking and other Techniques for Hiding and Protection

      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: KeServiceDescriptorTable
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: KeServiceDescriptorTable
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: KeServiceDescriptorTable
      Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 88
      Source: unknown | Network traffic detected: HTTP traffic on port 88 -> 49731
      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OLLYDBG/OLLYDBG.EXE
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: CFF EXPLORER/CFF EXPLORER.EXE
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WINDBG/X64/WINDBG.EXE<
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER/X86/PROCESSHACKER.EXE
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON/PROCMON.EXE
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OLLYDBG/OLLYDBG.EXEH
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WINDBG/X86/WINDBG.EXE
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FIDDLER2/FIDDLER.EXE
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER/X64/PROCESSHACKER.EXE
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: X64DBG/X64/X64DBG.EXE
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: TCPDUMP/TCPDUMP.EXE
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSSUITE/PROCMON.EXE
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WINDBG/X64/WINDBG.EXE
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AUTORUNS/AUTORUNS.EXE
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TCPDUMP/TCPDUMP.EXEX
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: X64DBG/X64/X64DBG.EXED
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FIDDLER4/FIDDLER.EXE
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D70000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: API MONITOR/APIMONITOR-X86.EXE
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CFF EXPLORER/CFF EXPLORER.EXE#
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SYSINTERNALSSUITE/PROCMON.EXE5
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe Window / User API: foregroundWindowGot 628
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2980131512.0000000005EBA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.000000000285C000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: .?AVQEmulationPaintEngine@@
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe Process information queried: ProcessInformation

      Anti Debugging

      barindex
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe Process token adjusted: Debug
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
      Source: SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: %Y/%M/%D %H:%W:%S%d:%02d:%02d.%03d%.2f0.00-nan(ind)%0.2f MBCan't dump 64-bit process.Create dump ok.Create dump failed.QueryWorkingSet pid:%d, err:%dGetProcessPrivateWorkingSetpropertiesWriteFileDataWReadFileDataWread offset out of boundProgram ManagerProgmanapplication/octet-streamDownload failed, err:%1, msg:%2HttpDownload::<lambda_dcf5b1914fb29cf1126394837a0c8ec5>::operator ()FreeLibrary{8ECD1478-A24C-4427-8E9E-DE180B21183A}SeTakeOwnershipPrivilegeNtCreateFiledwmapi.dllDwmSetWindowAttribute
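Two of the findings above are API-level: the sample called NtQuerySystemInformation with the SystemCodeIntegrityInformation class ("Checks for kernel code integrity") and enabled the debug privilege on its own token, which is the usual prerequisite for opening other processes, consistent with the dump-creation messages ("Can't dump 64-bit process.", "Create dump ok.") in the string blob. The code-integrity query returns a SYSTEM_CODEINTEGRITY_INFORMATION structure whose CodeIntegrityOptions bitmask says whether driver signature enforcement, test-signing, kernel debug mode, UMCI and HVCI are active, which is exactly what any program planning to load a kernel driver (anti-rootkit tools and rootkits alike) wants to know. The script below is an added example for this report, not the sample's code: it issues that query on Windows through ctypes and decodes the bitmask with the documented CODEINTEGRITY_OPTION_* values; the decoder and the assessment run on any platform, the live query only on Windows.

```python
"""Read and decode the kernel code-integrity state the sample queried.

Added example for this report, not the sample's own code. The information
class and bit values are the documented SystemCodeIntegrityInformation /
CODEINTEGRITY_OPTION_* constants.
"""
import ctypes
import sys

SYSTEM_CODEINTEGRITY_INFORMATION_CLASS = 103   # SystemCodeIntegrityInformation

CODEINTEGRITY_OPTIONS = {
    0x0001: "ENABLED",
    0x0002: "TESTSIGN",
    0x0004: "UMCI_ENABLED",
    0x0008: "UMCI_AUDITMODE_ENABLED",
    0x0010: "UMCI_EXCLUSIONPATHS_ENABLED",
    0x0020: "TEST_BUILD",
    0x0040: "PREPRODUCTION_BUILD",
    0x0080: "DEBUGMODE_ENABLED",
    0x0100: "FLIGHT_BUILD",
    0x0200: "FLIGHTING_ENABLED",
    0x0400: "HVCI_KMCI_ENABLED",
    0x0800: "HVCI_KMCI_AUDITMODE_ENABLED",
    0x1000: "HVCI_KMCI_STRICTMODE_ENABLED",
    0x2000: "HVCI_IUM_ENABLED",
}


def decode_code_integrity_options(options: int) -> list:
    """Names of all set CODEINTEGRITY_OPTION_* bits, lowest bit first."""
    return [name for bit, name in sorted(CODEINTEGRITY_OPTIONS.items()) if options & bit]


def assess_code_integrity(options: int) -> dict:
    """What the bitmask means to a caller that intends to load a kernel driver."""
    flags = set(decode_code_integrity_options(options))
    return {
        "dse_on": "ENABLED" in flags,
        "test_signing": "TESTSIGN" in flags,
        "kernel_debug_mode": "DEBUGMODE_ENABLED" in flags,
        "hvci": "HVCI_KMCI_ENABLED" in flags,
        "umci": "UMCI_ENABLED" in flags,
        # An unsigned or self-signed driver loads only when enforcement is off,
        # test-signing is on, or the kernel runs in debug mode.
        "unsigned_driver_would_load": ("ENABLED" not in flags
                                       or "TESTSIGN" in flags
                                       or "DEBUGMODE_ENABLED" in flags),
    }


def query_code_integrity_options() -> int:
    """Live NtQuerySystemInformation(SystemCodeIntegrityInformation) call (Windows only)."""
    if sys.platform != "win32":
        raise OSError("NtQuerySystemInformation is only available on Windows")

    class SYSTEM_CODEINTEGRITY_INFORMATION(ctypes.Structure):
        _fields_ = [("Length", ctypes.c_ulong), ("CodeIntegrityOptions", ctypes.c_ulong)]

    info = SYSTEM_CODEINTEGRITY_INFORMATION()
    info.Length = ctypes.sizeof(info)          # the kernel rejects a wrong Length
    returned = ctypes.c_ulong(0)
    ntdll = ctypes.WinDLL("ntdll")
    status = ntdll.NtQuerySystemInformation(SYSTEM_CODEINTEGRITY_INFORMATION_CLASS,
                                            ctypes.byref(info), ctypes.sizeof(info),
                                            ctypes.byref(returned))
    if status != 0:                              # NTSTATUS, 0 == STATUS_SUCCESS
        raise OSError(f"NtQuerySystemInformation failed: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
    return info.CodeIntegrityOptions


if __name__ == "__main__":
    try:
        opts = query_code_integrity_options()
    except OSError as exc:
        print(f"live query skipped: {exc}")
        opts = 0x0401      # constructed value for the demo: DSE on, HVCI on
    print(f"CodeIntegrityOptions = 0x{opts:04x}: {decode_code_integrity_options(opts)}")
    for key, value in assess_code_integrity(opts).items():
        print(f"  {key}: {value}")
```

On a stock Windows 10 install the query needs no privilege, so seeing it in a trace says nothing about intent by itself; it is the combination with SeDebugPrivilege, driver-related strings and a later NtLoadDriver or service-install call that turns it into a finding.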

      Stealing of Sensitive Information

      barindex
      Source: Yara matchFile source: 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.FileRepMalware.22603.20935.exe PID: 7356, type: MEMORYSTR
MITRE ATT&CK matrix (a technique prefixed with a number was matched by that many of the report's signatures; unnumbered entries are the empty placeholder cells of the matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 1 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; Compile After Delivery
Credential Access: 1 Credential API Hooking; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 21 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 Remote System Discovery; 1 File and Directory Discovery; 1 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Credential API Hooking; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 11 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

Source | Detection | Scanner | Label
SecuriteInfo.com.FileRepMalware.22603.20935.exe | 60% | Virustotal | (none)
SecuriteInfo.com.FileRepMalware.22603.20935.exe | 51% | ReversingLabs | Win32.Exploit.CVE-2019-16098
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://file.blackint3.com:88/openark/version.txtrequset | 100% | Avira URL Cloud | malware
https://openark.blackint3.com/manuals/https://github.com/BlackINT3/OpenArk/ | 100% | Avira URL Cloud | malware
http://file.blackint3.com:88/openark/credits.txt | 100% | Avira URL Cloud | malware
https://developer.android.google.cn/studio/ | 0% | Avira URL Cloud | safe
https://openark.blackint3.com/manuals/ | 100% | Avira URL Cloud | malware
http://bugreports.qt.io/Microsoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogicRocket_q_recei | 0% | Avira URL Cloud | safe
http://file.blackint3.com:88/openark/filesrepo_sourceSystem | 100% | Avira URL Cloud | malware
http://file.blackint3.com:88 | 100% | Avira URL Cloud | malware
http://file.blackint3.com:88/openark/version.txt | 100% | Avira URL Cloud | malware
http://file.blackint3.com:88/openark/beta/OpenArk64.exehttp://file.blackint3.com:88/openark/OpenArk6 | 100% | Avira URL Cloud | malware
https://developer.android.google.cn/studio/9L | 0% | Avira URL Cloud | safe
https://gomirrors.org/% | 0% | Avira URL Cloud | safe
https://gomirrors.org/ | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
file.blackint3.com | 222.211.226.110 | true | false | (none) | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://file.blackint3.com:88/openark/version.txtrequset | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: malware | unknown
http://ocsp.thawte.com0 | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp | false | (none) | high
https://openark.blackint3.com/manuals/https://github.com/BlackINT3/OpenArk/ | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: malware | unknown
https://github.com/BlackINT3 | SecuriteInfo.com.FileRepMalware.22603.20935.exe | false | (none) | high
http://file.blackint3.com:88/openark/filesrepo_sourceSystem | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: malware | unknown
https://github.com/BlackINT3/symcn-site | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp; SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2978362061.00000000051B8000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
https://github.com/BlackINT3F | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp | false | (none) | high
https://registry.npmmirror.com/binary.html?path=python/ | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | false | (none) | high
https://developer.android.google.cn/studio/ | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://www.virustotal.com/gui/file/ | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | false | (none) | high
http://bugreports.qt.io/ | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002565000.00000040.00000001.01000000.00000003.sdmp | false | (none) | high
https://www.virustotal.com/gui/file/VAddrPAddrFileSizeMemSizeAlignLinkInfoEntsizeTagFromBindDemangle | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | false | (none) | high
http://file.blackint3.com:88/openark/version.txt | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2978552429.00000000052D6000.00000004.00000020.00020000.00000000.sdmp; SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2980131512.0000000005EBA000.00000004.00000020.00020000.00000000.sdmp; SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2979834816.0000000005DD4000.00000004.00000020.00020000.00000000.sdmp; SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2978629355.000000000534C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://openark.blackint3.com/manuals/ | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: malware | unknown
https://registry.npmmirror.com/binary.html?path=python/7N | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
http://file.blackint3.com:88 | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2979694240.0000000005C99000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://github.com/BlackINT3/OpenArk/releases | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2980131512.0000000005E91000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
http://cs-g2-crl.thawte.com/ThawteCSG2.crl0 | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp | false | (none) | high
http://file.blackint3.com:88/openark/credits.txt | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: malware | unknown
http://crl.thawte.com/ThawtePCA.crl0 | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002173000.00000040.00000001.01000000.00000003.sdmp | false | (none) | high
https://github.com/BlackINT3/OpenArk/ | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | false | (none) | high
http://bugreports.qt.io/Microsoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogicRocket_q_recei | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000002565000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/BlackINT3/OpenArk) | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2980131512.0000000005EBA000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
https://github.com/BlackINT3OpenArk | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | false | (none) | high
https://github.com/hasherezade/pe-sieve | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | false | (none) | high
http://file.blackint3.com:88/openark/beta/OpenArk64.exehttp://file.blackint3.com:88/openark/OpenArk6 | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: malware | unknown
https://gomirrors.org/% | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://gomirrors.org/ | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/BlackINT3/OpenArk | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp; SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977720447.0000000004EAC000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
https://developer.android.google.cn/studio/9L | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mirrors.huaweicloud.com/java/jdk/9L | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2977434936.0000000002D87000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
https://mirrors.huaweicloud.com/java/jdk/ | SecuriteInfo.com.FileRepMalware.22603.20935.exe, 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp | false | (none) | high
IP | Domain | Country | ASN | ASN Name | Malicious
222.211.226.110 | file.blackint3.com | China | 4134 | CHINANET-BACKBONENo31Jin-rongStreetCN | false
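The only contacted host is file.blackint3.com (222.211.226.110, AS4134), reached over plain HTTP on port 88 for /openark/version.txt; that one connection is what the "Uses known network protocols on non-standard ports" and "Detected TCP or UDP traffic on non-standard ports" signatures report, while the domain itself is marked not malicious and the URL verdicts come from Avira URL Cloud reputation only. The detection below is an added example written for this report, not Joe Sandbox's Suricata or Sigma logic: it walks connection records, flags a service running on a port that is not standard for it, and matches the destination against the IOCs on this page. The log lines are constructed in a simplified, tab-separated Zeek conn.log layout with a host column appended (real Zeek logs have more fields and keep the HTTP host in http.log); the ports, IPs and hostnames other than the report's IOCs are invented for the demo.

```python
"""Flag HTTP on non-standard ports and contacts to this report's IOCs.

Added example for this report; not Joe Sandbox's detection logic.
SAMPLE_CONN_LOG is constructed: simplified Zeek conn.log columns
ts, orig_h, orig_p, resp_h, resp_p, proto, service, host.
"""

# Indicators taken from the report's domain/IP tables.
IOC_DOMAINS = {"file.blackint3.com", "openark.blackint3.com"}
IOC_IPS = {"222.211.226.110"}

# Ports on which the sensor's service label is expected; anything else is
# "known protocol on non-standard port". A port-only rule would not catch 88,
# which is also Kerberos's registered port.
STANDARD_PORTS = {"http": {80, 8080, 8000}, "ssl": {443}, "dns": {53}}

SAMPLE_CONN_LOG = """\
1739964137.1\t10.0.0.5\t49712\t222.211.226.110\t88\ttcp\thttp\tfile.blackint3.com
1739964138.2\t10.0.0.5\t49713\t13.107.246.45\t443\ttcp\tssl\tslscr.update.microsoft.com
1739964139.3\t10.0.0.5\t49714\t93.184.216.34\t80\ttcp\thttp\texample.com
1739964140.4\t10.0.0.5\t49715\t10.0.0.1\t53\tudp\tdns\t-
"""


def parse_conn_line(line: str) -> dict:
    """Split one simplified conn.log record into typed fields."""
    ts, orig_h, orig_p, resp_h, resp_p, proto, service, host = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "orig_h": orig_h, "orig_p": int(orig_p),
            "resp_h": resp_h, "resp_p": int(resp_p), "proto": proto,
            "service": service, "host": host}


def is_non_standard_port(service: str, port: int) -> bool:
    """True when the sensor identified a service but on a port not in its list."""
    standard = STANDARD_PORTS.get(service)
    return standard is not None and port not in standard


def detect_suspicious_connections(log_text: str) -> list:
    """Return one alert dict per record that trips at least one rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):      # skip blanks and Zeek headers
            continue
        rec = parse_conn_line(line)
        reasons = []
        if is_non_standard_port(rec["service"], rec["resp_p"]):
            reasons.append(f"{rec['service']} on non-standard port {rec['resp_p']}")
        if rec["resp_h"] in IOC_IPS:
            reasons.append(f"destination {rec['resp_h']} is a report IOC")
        if rec["host"] in IOC_DOMAINS:
            reasons.append(f"host {rec['host']} is a report IOC")
        if reasons:
            alerts.append({"ts": rec["ts"], "resp_h": rec["resp_h"],
                           "resp_p": rec["resp_p"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_connections(SAMPLE_CONN_LOG):
        print(f"{alert['ts']:.1f} -> {alert['resp_h']}:{alert['resp_p']}")
        for reason in alert["reasons"]:
            print(f"    {reason}")
```

The service column is doing the work: a sensor that fingerprints the application protocol lets the rule say "HTTP where HTTP does not belong" instead of "port 88 seen", which keeps Kerberos traffic out of the alert queue. The IOC rules are deliberately separate, since on this report the destination is not classified malicious and the reputation hit is the weaker signal.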
                                              Joe Sandbox version:42.0.0 Malachite
                                              Analysis ID:1618987
                                              Start date and time:2025-02-19 12:21:22 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 4m 18s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:SecuriteInfo.com.FileRepMalware.22603.20935.exe
                                              Detection:MAL
                                              Classification:mal76.troj.evad.winEXE@1/7@1/1
                                              EGA Information:Failed
                                              HCA Information:
                                              • Successful, ratio: 100%
                                              • Number of executed functions: 0
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                              • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                              • Report size getting too big, too many NtEnumerateKey calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
06:22:17 | API Interceptor | 4684x Sleep call for process: SecuriteInfo.com.FileRepMalware.22603.20935.exe modified
                                              No context
                                              No context
Match: CHINANET-BACKBONENo31Jin-rongStreetCN
Associated Sample Name / URL | Detection | Threat Name | Context
zte | malicious | Unknown | 110.178.251.236
z3hir.x86 | malicious | Mirai | 60.189.236.199
Hilix.ppc.elf | malicious | Unknown | 202.109.142.112
Hilix.sh4.elf | malicious | Unknown | 171.95.182.160
Hilix.x86.elf | malicious | Unknown | 59.175.154.149
Hilix.arm7.elf | malicious | Mirai | 49.82.207.112
res.mips.elf | malicious | Unknown | 218.84.206.217
Hilix.spc.elf | malicious | Unknown | 27.144.168.230
Hilix.m68k.elf | malicious | Unknown | 121.8.97.202
res.arm.elf | malicious | Unknown | 182.132.110.25
                                              No context
                                              No context
                                              Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe
                                              File Type:Generic INItialization configuration [Preference]
                                              Category:dropped
                                              Size (bytes):69
                                              Entropy (8bit):4.308842348014033
                                              Encrypted:false
                                              SSDEEP:3:LGARGLe6x5EWWzvy+4GACR6iZy:TRGLegE3DeGRRQ
                                              MD5:631B0AC9CDF8CD5AECFD6C16EF9D5B60
                                              SHA1:A52BB78130B5AF5C40B89ED48C63F5A807BC458D
                                              SHA-256:444F29F2E400E733D7B29347B0F5215C92D2F9F68B1DEA7074B8D7713825D9FA
                                              SHA-512:7AE1242B5BA23C42B897876BC92656F7E7967B549B0510E142EF7B94C08A10CB764592366EA2FFFF6EF4A9F33F697852177FD1E9795601D26E49C9722F3023B5
                                              Malicious:false
                                              Reputation:low
                                              Preview:[Process]..include_tree=0..last_search=....[Preference]..main_tab=1..
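The Preview line renders every control byte as a dot, so the "..", at each line end stands for one CR LF pair, and the dropped file is a small Qt-style INI holding window and tab preferences. The script below is an added example for this report, not Joe Sandbox's code: it rebuilds the 69-byte file from that preview, recomputes the 8-bit Shannon entropy and the hashes the same way the report lists them, and checks them against the reported values. The only assumption is that each ".." is CR LF; it is supported by the rebuilt size (69) and entropy (4.308842…) matching the report exactly, but a preview that contains a genuine ".." (a relative path, say) would need a different marker.

```python
"""Rebuild a dropped file from its report Preview and verify the reported metrics.

Added example for this report, not Joe Sandbox's code. Assumes each ".." in
the preview is one CR LF pair (Qt INI written on Windows).
"""
import hashlib
import math
from collections import Counter

# Values copied from the dropped-file record above.
PREVIEW_69 = "[Process]..include_tree=0..last_search=....[Preference]..main_tab=1.."
REPORTED_SIZE = 69
REPORTED_ENTROPY = 4.308842348014033
REPORTED_MD5 = "631B0AC9CDF8CD5AECFD6C16EF9D5B60"
REPORTED_SHA1 = "A52BB78130B5AF5C40B89ED48C63F5A807BC458D"


def reconstruct_from_preview(preview: str, crlf_marker: str = "..") -> bytes:
    """Turn the report's dotted preview back into file bytes (assumption: '..' == CRLF)."""
    return preview.replace(crlf_marker, "\r\n").encode("ascii")


def shannon_entropy_8bit(data: bytes) -> float:
    """Entropy in bits per byte over the 256-symbol alphabet, as the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> dict:
    """Upper-case hex digests in the report's format."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def verify_dropped_file(preview: str, size: int, entropy: float,
                        md5: str = None, sha1: str = None) -> dict:
    """Compare the rebuilt file with what the report claims about it."""
    data = reconstruct_from_preview(preview)
    digests = file_hashes(data)
    result = {
        "bytes": data,
        "size_ok": len(data) == size,
        "entropy": shannon_entropy_8bit(data),
        "entropy_ok": abs(shannon_entropy_8bit(data) - entropy) < 1e-6,
        "digests": digests,
    }
    if md5 is not None:
        result["md5_ok"] = digests["md5"] == md5.upper()
    if sha1 is not None:
        result["sha1_ok"] = digests["sha1"] == sha1.upper()
    return result


if __name__ == "__main__":
    check = verify_dropped_file(PREVIEW_69, REPORTED_SIZE, REPORTED_ENTROPY,
                                REPORTED_MD5, REPORTED_SHA1)
    print(check["bytes"].decode())
    for key in ("size_ok", "entropy", "entropy_ok", "md5_ok", "sha1_ok"):
        print(f"{key}: {check[key]}")
    print(check["digests"])
```

Entropy this low (2.8 to 4.3 bits per byte across the dropped INI files) is what plain configuration text looks like; packed or encrypted payloads sit near 7.5 and above, which is why the report's "Encrypted: false" lines agree with these numbers. When a hash does not match after reconstruction, suspect the marker assumption (a preview containing a literal "..") before suspecting the report.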
                                              Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe
                                              File Type:Generic INItialization configuration [Preference]
                                              Category:dropped
                                              Size (bytes):375
                                              Entropy (8bit):3.245155993003607
                                              Encrypted:false
                                              SSDEEP:6:TRGLegE3DeGRRbl1+QVHVHVHVHVHVUZAYyY0:TRPBz7V+QVHVHVHVHVHVpYL0
                                              MD5:B42AB878E382D1AF00A392DC27943E2A
                                              SHA1:5339AEDB22A71F4BF5785ACB477AC81B7155D4B5
                                              SHA-256:8FD7ACCF22D1E258BEBEAFB3E349F3FC4267451ECEA5FE7B2C95599202F64032
                                              SHA-512:8679246B094524CAD1246A8495800CA23ED5703D368FD8C94880CB3A1AAA8E7D02B757B9CFFA4D0CEA2AB5642A00D88DAA22DB00B3BB52A8F0317D466C547A0F
                                              Malicious:false
                                              Reputation:low
                                              Preview:[Process]..include_tree=0..last_search=....[Preference]..main_tab=1..maintab_map2="0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0"....[Main]..x=160..y=123..w=752..h=578..
                                              Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe
                                              File Type:Generic INItialization configuration [Preference]
                                              Category:dropped
                                              Size (bytes):337
                                              Entropy (8bit):2.841873231884796
                                              Encrypted:false
                                              SSDEEP:3:LGARGLe6x5EWWzvy+4GACR6iZbll1L+YiVIV9VV9VV9VV9VV9VVT:TRGLegE3DeGRRbl1+QVHVHVHVHVHVT
                                              MD5:0AAFDB135812EFC6AFDB2C4FB8A8B652
                                              SHA1:24762D94029BAF47EAB1E5CD53D2BD8743A85BCF
                                              SHA-256:6575C8F3B8F11DA1FFBDFDDB4FF0C538634A682C9AB7790F7C5B305437983F14
                                              SHA-512:C52DB58C86434D698509D3B7F46937C55FD0051B4FF5217F1F97E8DC7C79A1CE5A56301500A96E04477992F3CEEC16B76E1510F84CC24DF3367C78BF8A6284F0
                                              Malicious:false
                                              Reputation:low
                                              Preview:[Process]..include_tree=0..last_search=....[Preference]..main_tab=1..maintab_map2="0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0"..
                                              Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe
                                              File Type:Generic INItialization configuration [Preference]
                                              Category:dropped
                                              Size (bytes):361
                                              Entropy (8bit):3.092934518082738
                                              Encrypted:false
                                              SSDEEP:3:LGARGLe6x5EWWzvy+4GACR6iZbll1L+YiVIV9VV9VV9VV9VV9VVzMBdYUTVQy:TRGLegE3DeGRRbl1+QVHVHVHVHVHVUZN
                                              MD5:2504FC4322DFE507E6566905DB1730E4
                                              SHA1:F0A7CEF4110E94FDB6FB0DA2E2E24822DCC11C6A
                                              SHA-256:4664CF0450B1FD34E30DA7725FEAE5EB977AE3BAF40E3B2198B262752015D71D
                                              SHA-512:E55FD0F5A1561540DABA723DC901ED5EC4174B1FD3AB88E025A05D2B1DCA922D67D3676B54D0FD909093516BF9E1B8F1D626B528BC3F3F49E0CB616D27831B42
                                              Malicious:false
                                              Reputation:low
                                              Preview:[Process]..include_tree=0..last_search=....[Preference]..main_tab=1..maintab_map2="0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0"....[Main]..x=160..y=123..
                                              Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe
                                              File Type:Generic INItialization configuration [Preference]
                                              Category:dropped
                                              Size (bytes):337
                                              Entropy (8bit):2.841873231884796
                                              Encrypted:false
                                              SSDEEP:3:LGARGLe6x5EWWzvy+4GACR6iZbll1L+YiVIV9VV9VV9VV9VV9VVT:TRGLegE3DeGRRbl1+QVHVHVHVHVHVT
                                              MD5:0AAFDB135812EFC6AFDB2C4FB8A8B652
                                              SHA1:24762D94029BAF47EAB1E5CD53D2BD8743A85BCF
                                              SHA-256:6575C8F3B8F11DA1FFBDFDDB4FF0C538634A682C9AB7790F7C5B305437983F14
                                              SHA-512:C52DB58C86434D698509D3B7F46937C55FD0051B4FF5217F1F97E8DC7C79A1CE5A56301500A96E04477992F3CEEC16B76E1510F84CC24DF3367C78BF8A6284F0
                                              Malicious:false
                                              Reputation:low
                                              Preview:[Process]..include_tree=0..last_search=....[Preference]..main_tab=1..maintab_map2="0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0:0=0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0"..
                                              Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe
                                              File Type:Generic INItialization configuration [Preference]
                                              Category:dropped
                                              Size (bytes):69
                                              Entropy (8bit):4.308842348014033
                                              Encrypted:false
                                              SSDEEP:3:LGARGLe6x5EWWzvy+4GACR6iZy:TRGLegE3DeGRRQ
                                              MD5:631B0AC9CDF8CD5AECFD6C16EF9D5B60
                                              SHA1:A52BB78130B5AF5C40B89ED48C63F5A807BC458D
                                              SHA-256:444F29F2E400E733D7B29347B0F5215C92D2F9F68B1DEA7074B8D7713825D9FA
                                              SHA-512:7AE1242B5BA23C42B897876BC92656F7E7967B549B0510E142EF7B94C08A10CB764592366EA2FFFF6EF4A9F33F697852177FD1E9795601D26E49C9722F3023B5
                                              Malicious:false
                                              Reputation:low
                                              Preview:[Process]..include_tree=0..last_search=....[Preference]..main_tab=1..
                                              Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe
                                              File Type:ASCII text
                                              Category:dropped
                                              Size (bytes):22
                                              Entropy (8bit):4.1523912776298655
                                              Encrypted:false
                                              SSDEEP:3:l4zeAv8Ln:SqAELn
                                              MD5:988F38040ACB8CBCD2A249F3FB67E769
                                              SHA1:2A0248B0C7C2AF59FEBF99840AF0751CA3D232BC
                                              SHA-256:D69219785FBB0867D3D8F4F9F6EF8F1FFD5BEFD1A0B5F1CBBF71D6097B173B26
                                              SHA-512:29BC17AA7733A91EF2605BFA3FB75C837EFB954CD6D65A1D07C49156C31C852EF6F0EFA3C1139470F2395FBDF66F4156F6AB51F5CBF5544AA55E8033D0DABDC6
                                              Malicious:false
                                              Reputation:low
                                              Preview:7356.OpenArk.user-PC.
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                              Entropy (8bit):7.904412434122235
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.66%
                                              • UPX compressed Win32 Executable (30571/9) 0.30%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:SecuriteInfo.com.FileRepMalware.22603.20935.exe
                                              File size:10'974'208 bytes
                                              MD5:b0171126d76d2b7b8c428febc87a046d
                                              SHA1:587735e11116e62d1e8fab5e6c35b86d61501484
                                              SHA256:f0ece0a9dbe8adbc08ed4e7a189e64f0a33ddbc830403aee024abb848dfc7dc8
                                              SHA512:a276dc06f972fdd225ecde0ea10b7453bc5b043547e2fa503f3a5e0069b67bbb739a0f9577a2e4eed5356a60657e4c9d514cd5e194e812c29ed9f25f80eff25c
                                              SSDEEP:196608:Ojmc0j+aLEffJuZraaSzmjvSqIEsJUPT8qD55d9oX7xj20iYc:OjkjnQfJu4ayzHOPVDZiLx1i
                                              TLSH:1FB633D9203502A5F456BE35995DB8C78A4DBC326B4B21784F0EFA87C9F8ED1C119E0B
                                              File Content Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.........:...T...T...T.AY....T.AY..C.T.AY....T.ke....T.X.W...T.(:....T.X.Q.q.T.X.P...T.......T.......T...U.V.T.b.P...T.b.Q...T.B.P...T
                                              Icon Hash:0f334d4ccc4d338f
                                              Entrypoint:0x228c250
                                              Entrypoint Section:UPX1
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x67991C80 [Tue Jan 28 18:05:52 2025 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:5
                                              OS Version Minor:1
                                              File Version Major:5
                                              File Version Minor:1
                                              Subsystem Version Major:5
                                              Subsystem Version Minor:1
                                              Import Hash:05b5280fc0aa45daf9f05d564cf8cad4
                                              Instruction
                                              pushad
                                              mov esi, 0182F000h
                                              lea edi, dword ptr [esi-0142E000h]
                                              lea eax, dword ptr [edi+01D57E88h]
                                              push dword ptr [eax]
                                              mov dword ptr [eax], BF479A3Ah
                                              push eax
                                              push edi
                                              or ebp, FFFFFFFFh
                                              jmp 00007F57306B06A3h
                                              nop
                                              nop
                                              nop
                                              nop
                                              nop
                                              nop
                                              nop
                                              mov al, byte ptr [esi]
                                              inc esi
                                              mov byte ptr [edi], al
                                              inc edi
                                              add ebx, ebx
                                              jne 00007F57306B0699h
                                              mov ebx, dword ptr [esi]
                                              sub esi, FFFFFFFCh
                                              adc ebx, ebx
                                              jc 00007F57306B067Fh
                                              mov eax, 00000001h
                                              add ebx, ebx
                                              jne 00007F57306B0699h
                                              mov ebx, dword ptr [esi]
                                              sub esi, FFFFFFFCh
                                              adc ebx, ebx
                                              adc eax, eax
                                              add ebx, ebx
                                              jnc 00007F57306B069Dh
                                              jne 00007F57306B06BAh
                                              mov ebx, dword ptr [esi]
                                              sub esi, FFFFFFFCh
                                              adc ebx, ebx
                                              jc 00007F57306B06B1h
                                              dec eax
                                              add ebx, ebx
                                              jne 00007F57306B0699h
                                              mov ebx, dword ptr [esi]
                                              sub esi, FFFFFFFCh
                                              adc ebx, ebx
                                              adc eax, eax
                                              jmp 00007F57306B0666h
                                              add ebx, ebx
                                              jne 00007F57306B0699h
                                              mov ebx, dword ptr [esi]
                                              sub esi, FFFFFFFCh
                                              adc ebx, ebx
                                              adc ecx, ecx
                                              jmp 00007F57306B06E4h
                                              xor ecx, ecx
                                              sub eax, 03h
                                              jc 00007F57306B06A3h
                                              shl eax, 08h
                                              mov al, byte ptr [esi]
                                              inc esi
                                              xor eax, FFFFFFFFh
                                              je 00007F57306B0707h
                                              sar eax, 1
                                              mov ebp, eax
                                              jmp 00007F57306B069Dh
                                              add ebx, ebx
                                              jne 00007F57306B0699h
                                              mov ebx, dword ptr [esi]
                                              sub esi, FFFFFFFCh
                                              adc ebx, ebx
                                              jc 00007F57306B065Eh
                                              inc ecx
                                              add ebx, ebx
                                              jne 00007F57306B0699h
                                              mov ebx, dword ptr [esi]
                                              sub esi, FFFFFFFCh
                                              adc ebx, ebx
                                              jc 00007F57306B0650h
                                              add ebx, ebx
                                              jne 00007F57306B0699h
                                              mov ebx, dword ptr [esi]
                                              sub esi, FFFFFFFCh
                                              adc ebx, ebx
                                              adc ecx, ecx
                                              add ebx, ebx
                                              jnc 00007F57306B0681h
                                              jne 00007F57306B069Bh
                                              mov ebx, dword ptr [esi]
                                              sub esi, FFFFFFFCh
                                              adc ebx, ebx
                                              Programming Language:
                                              • [ C ] VS2008 SP1 build 30729
                                              • [IMP] VS2008 SP1 build 30729
                                              • [ C ] VS2015 UPD3.1 build 24215
                                              • [C++] VS2015 UPD3.1 build 24215
                                               Name | Virtual Address | Virtual Size | Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1ea62ac | 0x418 | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1e8d000 | 0x192ac | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1ea66c4 | 0x18 | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x1e8c450 | 0x18 | UPX1
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1e8c678 | 0x5c | UPX1
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                               UPX0 | 0x1000 | 0x142e000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               UPX1 | 0x142f000 | 0xa5e000 | 0xa5d800 | 29d41181d43dc8c47ded0151260d472a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               .rsrc | 0x1e8d000 | 0x1a000 | 0x19800 | 62db613c9d128a1cc5f799d4fe313c72 | False | 0.16486672794117646 | data | 3.0950276952925364 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                               RT_ICON | 0x1e8d1f4 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.10292203951259908
                                               RT_ICON | 0x1e9da20 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.19768540387340577
                                               RT_ICON | 0x1ea1c4c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.2753112033195021
                                               RT_ICON | 0x1ea41f8 | 0x1588 | Device independent bitmap graphic, 36 x 72 x 32, image size 5472 | English | United States | 0.3543178519593614
                                               RT_ICON | 0x1ea5784 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.7819148936170213
                                               RT_GROUP_ICON | 0x1ea5bf0 | 0x4c | data | English | United States | 0.8157894736842105
                                               RT_VERSION | 0x1ea5c40 | 0x2e0 | data | English | United States | 0.4891304347826087
                                               RT_MANIFEST | 0x1ea5f24 | 0x387 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (843), with CRLF line terminators | English | United States | 0.48615725359911405
                                               DLL | Import
                                               ADVAPI32.dll | AddAce
                                               CRYPT32.dll | CertOpenStore
                                               GDI32.dll | BitBlt
                                               IMM32.dll | ImmNotifyIME
                                               IPHLPAPI.DLL | SetTcpEntry
                                               KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
                                               ntdll.dll | NtCreateFile
                                               ole32.dll | DoDragDrop
                                               OLEAUT32.dll | CreateErrorInfo
                                               OPENGL32.dll | glHint
                                               PSAPI.DLL | QueryWorkingSet
                                               RPCRT4.dll | UuidEqual
                                               SHELL32.dll | SHGetMalloc
                                               SHLWAPI.dll | SHDeleteKeyW
                                               USER32.dll | GetDC
                                               VERSION.dll | VerQueryValueW
                                               WINMM.dll | PlaySoundW
                                               WS2_32.dll | __WSAFDIsSet
                                               WTSAPI32.dll | WTSFreeMemory
                                               Description | Data
                                               CompanyName | https://github.com/BlackINT3
                                               FileDescription | Open Anti Rootkit for Windows Researchers
                                               FileVersion | 1.3.8.0
                                               LegalCopyright | BlackINT3 Copyright (C) 2019
                                               OriginalFilename | OpenArk
                                               ProductName | OpenArk
                                               ProductVersion | 1.3.8.0
                                               Translation | 0x0409 0x04b0
                                               Language of compilation system | Country where language is spoken | Map
                                               English | United States |

                                              • Total Packets: 7
                                              • 88 undefined
                                              • 53 (DNS)
                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Feb 19, 2025 12:22:22.506805897 CET | 49731 | 88 | 192.168.2.4 | 222.211.226.110
                                               Feb 19, 2025 12:22:22.511845112 CET | 88 | 49731 | 222.211.226.110 | 192.168.2.4
                                               Feb 19, 2025 12:22:22.511945009 CET | 49731 | 88 | 192.168.2.4 | 222.211.226.110
                                               Feb 19, 2025 12:22:22.512301922 CET | 49731 | 88 | 192.168.2.4 | 222.211.226.110
                                               Feb 19, 2025 12:22:22.517239094 CET | 88 | 49731 | 222.211.226.110 | 192.168.2.4
                                               Feb 19, 2025 12:22:23.469533920 CET | 88 | 49731 | 222.211.226.110 | 192.168.2.4
                                               Feb 19, 2025 12:22:23.469549894 CET | 88 | 49731 | 222.211.226.110 | 192.168.2.4
                                               Feb 19, 2025 12:22:23.469624996 CET | 49731 | 88 | 192.168.2.4 | 222.211.226.110
                                               Feb 19, 2025 12:23:29.219157934 CET | 88 | 49731 | 222.211.226.110 | 192.168.2.4
                                               Feb 19, 2025 12:23:29.219295025 CET | 49731 | 88 | 192.168.2.4 | 222.211.226.110
                                               Feb 19, 2025 12:23:29.219424009 CET | 49731 | 88 | 192.168.2.4 | 222.211.226.110
                                               Feb 19, 2025 12:23:29.225416899 CET | 88 | 49731 | 222.211.226.110 | 192.168.2.4
                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Feb 19, 2025 12:22:22.124757051 CET | 55713 | 53 | 192.168.2.4 | 1.1.1.1
                                               Feb 19, 2025 12:22:22.494340897 CET | 53 | 55713 | 1.1.1.1 | 192.168.2.4
                                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                               Feb 19, 2025 12:22:22.124757051 CET | 192.168.2.4 | 1.1.1.1 | 0x8c9a | Standard query (0) | file.blackint3.com | A (IP address) | IN (0x0001) | false
                                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                               Feb 19, 2025 12:22:22.494340897 CET | 1.1.1.1 | 192.168.2.4 | 0x8c9a | No error (0) | file.blackint3.com | | 222.211.226.110 | A (IP address) | IN (0x0001) | false
                                              • file.blackint3.com:88
                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               0 | 192.168.2.4 | 49731 | 222.211.226.110 | 88 | 7356 | C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Feb 19, 2025 12:22:22.512301922 CET | 173 | OUT | GET /openark/version.txt HTTP/1.1
                                              Connection: Keep-Alive
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-CH,*
                                              User-Agent: Mozilla/5.0
                                              Host: file.blackint3.com:88
                                               Feb 19, 2025 12:22:23.469533920 CET | 1236 | IN | HTTP/1.1 200 OK
                                              Server: nginx
                                              Date: Wed, 19 Feb 2025 11:22:23 GMT
                                              Content-Type: text/plain
                                              Content-Length: 1125
                                              Connection: keep-alive
                                              Last-Modified: Tue, 28 Jan 2025 18:58:56 GMT
                                              ETag: "679928f0-465"
                                              Accept-Ranges: bytes
                                              Data Ascii: { "err": 0, "appver": "1.3.8", "appbd": "202501290204", "appcl": "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

                                              Target ID:0
                                              Start time:06:22:17
                                              Start date:19/02/2025
                                              Path:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.22603.20935.exe"
                                              Imagebase:0xb50000
                                              File size:10'974'208 bytes
                                              MD5 hash:B0171126D76D2B7B8C428FEBC87A046D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.2974248669.0000000001EE9000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:false

                                              No disassembly