Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546019
MD5: ab7d13fd2200b07c2bc9fe3b3f7cc837
SHA1: 22943e1fbf9c32a3bb716a002de1a8e598bbf169
SHA256: 17b7ba466ce248a1f9a337d4e6a7ab092a6bb2608246c08a348b525c8e3a9311
Tags: exe, user-Bitsight

Detection

CredGrabber, Meduza Stealer
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Suricata IDS alerts for network traffic
Yara detected CredGrabber
Yara detected Meduza Stealer
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Suricata IDS alerts with low severity for network traffic
Terminates after testing mutex exists (may check infected machine status)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: 0.2.file.exe.2674e120000.0.raw.unpack Malware Configuration Extractor: Meduza Stealer {"C2 url": "109.172.94.66", "grabber_max_size": 4194304, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt", "build_name": "Ipa", "links": "", "port": 15666}
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E193430 CryptUnprotectData,LocalFree, 0_2_000002674E193430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E157F90 CryptUnprotectData,LocalFree, 0_2_000002674E157F90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E193730 CryptProtectData,LocalFree, 0_2_000002674E193730
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1DB78C FindClose,FindFirstFileExW,GetLastError, 0_2_000002674E1DB78C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1DB83C GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 0_2_000002674E1DB83C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1A24F0 GetLogicalDriveStringsW, 0_2_000002674E1A24F0
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\migration\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\migration\wtr\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\

Networking

Source: Network traffic Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.7:49699 -> 109.172.94.66:15666
Source: Network traffic Suricata IDS: 2050806 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 : 192.168.2.7:49699 -> 109.172.94.66:15666
Source: global traffic TCP traffic: 192.168.2.7:49699 -> 109.172.94.66:15666
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
  Accept: text/html; text/plain; */*
  Host: api.ipify.org
  Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 104.26.13.205
Source: Joe Sandbox View ASN Name: SUMTEL-AS-RIPEMoscowRussiaRU
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: api.ipify.org
Source: Network traffic Suricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.7:49699 -> 109.172.94.66:15666
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.7:49733
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.7:54363
Source: unknown TCP traffic detected without corresponding DNS query: 109.172.94.66
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1A0420 InternetOpenA,InternetOpenUrlA,HttpQueryInfoW,HttpQueryInfoW,InternetQueryDataAvailable,InternetReadFile,InternetQueryDataAvailable,InternetCloseHandle,Concurrency::cancel_current_task, 0_2_000002674E1A0420
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
  Accept: text/html; text/plain; */*
  Host: api.ipify.org
  Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: file.exe, 00000000.00000002.1323248860.000002674C6DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: file.exe, 00000000.00000002.1323368752.000002674DF30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: file.exe, 00000000.00000002.1323368752.000002674DF30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: file.exe, 00000000.00000002.1323368752.000002674DF30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/=
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1A0CE0 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SHCreateMemStream,SelectObject,DeleteDC,ReleaseDC,DeleteObject,EnterCriticalSection,LeaveCriticalSection,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 0_2_000002674E1A0CE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1A5080 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle, 0_2_000002674E1A5080
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1A57C0 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize, 0_2_000002674E1A57C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1F66C0 NtQuerySystemInformation, 0_2_000002674E1F66C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1F66D0 NtAllocateVirtualMemory, 0_2_000002674E1F66D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1F66F0 NtQueryObject, 0_2_000002674E1F66F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1A0420 0_2_000002674E1A0420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1AA190 0_2_000002674E1AA190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1A31C0 0_2_000002674E1A31C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E164320 0_2_000002674E164320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E15EF90 0_2_000002674E15EF90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E19A050 0_2_000002674E19A050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E150EE0 0_2_000002674E150EE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E19FBE0 0_2_000002674E19FBE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1A7C28 0_2_000002674E1A7C28
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1A0CE0 0_2_000002674E1A0CE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E15CD10 0_2_000002674E15CD10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1A19A0 0_2_000002674E1A19A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1BE994 0_2_000002674E1BE994
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E182B50 0_2_000002674E182B50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1A27A0 0_2_000002674E1A27A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1DB83C 0_2_000002674E1DB83C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E15D860 0_2_000002674E15D860
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E15E8F0 0_2_000002674E15E8F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1C25B4 0_2_000002674E1C25B4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1515D0 0_2_000002674E1515D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1A8610 0_2_000002674E1A8610
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1B83D0 0_2_000002674E1B83D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1B640C 0_2_000002674E1B640C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E126480 0_2_000002674E126480
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E191470 0_2_000002674E191470
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E18E570 0_2_000002674E18E570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E17B1C0 0_2_000002674E17B1C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1DE1A8 0_2_000002674E1DE1A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1581E0 0_2_000002674E1581E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1CB230 0_2_000002674E1CB230
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E177230 0_2_000002674E177230
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E15C230 0_2_000002674E15C230
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E18E250 0_2_000002674E18E250
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E199330 0_2_000002674E199330
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1F6368 0_2_000002674E1F6368
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E189FA0 0_2_000002674E189FA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E19BFA0 0_2_000002674E19BFA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1B9FA4 0_2_000002674E1B9FA4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E127010 0_2_000002674E127010
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E15205E 0_2_000002674E15205E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1700B9 0_2_000002674E1700B9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1260C0 0_2_000002674E1260C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1B4100 0_2_000002674E1B4100
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E15B110 0_2_000002674E15B110
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1F6140 0_2_000002674E1F6140
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E19E143 0_2_000002674E19E143
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1C013C 0_2_000002674E1C013C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1F6160 0_2_000002674E1F6160
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E19E153 0_2_000002674E19E153
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1F6168 0_2_000002674E1F6168
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1B5DC4 0_2_000002674E1B5DC4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1C2DB8 0_2_000002674E1C2DB8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E193E10 0_2_000002674E193E10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E16CE50 0_2_000002674E16CE50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E185F10 0_2_000002674E185F10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E18DF30 0_2_000002674E18DF30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1C0BBC 0_2_000002674E1C0BBC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1B5BDC 0_2_000002674E1B5BDC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E18DC00 0_2_000002674E18DC00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E151C00 0_2_000002674E151C00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E197BF0 0_2_000002674E197BF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E17CC5D 0_2_000002674E17CC5D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E191C50 0_2_000002674E191C50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1B6CA4 0_2_000002674E1B6CA4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E159D69 0_2_000002674E159D69
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1B59F4 0_2_000002674E1B59F4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1C9A74 0_2_000002674E1C9A74
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1BFABC 0_2_000002674E1BFABC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1A5B10 0_2_000002674E1A5B10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1917A0 0_2_000002674E1917A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1B679C 0_2_000002674E1B679C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1A57C0 0_2_000002674E1A57C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1477B0 0_2_000002674E1477B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1C2830 0_2_000002674E1C2830
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E18E8A0 0_2_000002674E18E8A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E18D900 0_2_000002674E18D900
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E126900 0_2_000002674E126900
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1BF60C 0_2_000002674E1BF60C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E196650 0_2_000002674E196650
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E190690 0_2_000002674E190690
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E16E6D9 0_2_000002674E16E6D9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E149760 0_2_000002674E149760
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1E274C 0_2_000002674E1E274C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E146770 0_2_000002674E146770
Source: C:\Users\user\Desktop\file.exe Code function: String function: 000002674E152030 appears 46 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 000002674E14D7E0 appears 50 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 000002674E156CA0 appears 41 times
Source: classification engine Classification label: mal92.troj.spyw.winEXE@1/0@1/2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1A6F60 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle, 0_2_000002674E1A6F60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E15E8F0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_000002674E15E8F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E190885 CoCreateInstance, 0_2_000002674E190885
Source: C:\Users\user\Desktop\file.exe Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E6963E617C0C4
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: file.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: file.exe Static file information: File size 2640384 > 1048576
Source: file.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x247600
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E15D860 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 0_2_000002674E15D860
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E19F8C0 push rsp; ret 0_2_000002674E19F8C1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E19F8C4 push rsp; ret 0_2_000002674E19F8C5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E19F8B8 push rsp; ret 0_2_000002674E19F8B9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E19F8BC push rsp; ret 0_2_000002674E19F8BD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E19F8B4 push rsp; ret 0_2_000002674E19F8B5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E19F8C8 push rsp; ret 0_2_000002674E19F8C9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E19F8CC push rsp; ret 0_2_000002674E19F8CD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E197910 ExitProcess,OpenMutexA,ExitProcess,CreateMutexA,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle, 0_2_000002674E197910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1DB78C FindClose,FindFirstFileExW,GetLastError, 0_2_000002674E1DB78C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1DB83C GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 0_2_000002674E1DB83C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1A24F0 GetLogicalDriveStringsW, 0_2_000002674E1A24F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1B86B8 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 0_2_000002674E1B86B8
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\migration\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\migration\wtr\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\
Source: file.exe, 00000000.00000002.1323368752.000002674DF30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1323193385.000002674C6D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1A57C0 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize, 0_2_000002674E1A57C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1B0D38 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000002674E1B0D38
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1DD7B0 GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_000002674E1DD7B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E15D860 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 0_2_000002674E15D860
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1F62E0 SetUnhandledExceptionFilter, 0_2_000002674E1F62E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1B0D38 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000002674E1B0D38
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E196650 ShellExecuteW, 0_2_000002674E196650
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_000002674E1F6398
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoEx,FormatMessageA, 0_2_000002674E1DB400
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_000002674E1BD53C
Source: C:\Users\user\Desktop\file.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_000002674E1C8364
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_000002674E1BCFF8
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_000002674E1C8D98
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_000002674E1C8BBC
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_000002674E1C86B0
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_000002674E1C8780
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1CF11C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_000002674E1CF11C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1A12C0 GetUserNameW, 0_2_000002674E1A12C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000002674E1A27A0 GetTimeZoneInformation, 0_2_000002674E1A27A0

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: file.exe PID: 3812, type: MEMORYSTR
Source: Yara match File source: 0.2.file.exe.2674e120000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2674e120000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1323368752.000002674DF30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1323509145.000002674E120000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3812, type: MEMORYSTR
Source: file.exe, 00000000.00000002.1323368752.000002674DF30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum\wallets
Source: file.exe, 00000000.00000002.1323368752.000002674DF30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectronCash\wallets
Source: file.exe, 00000000.00000002.1323368752.000002674DF30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: file.exe, 00000000.00000002.1323368752.000002674DF30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Exodus\exodus.wallet
Source: file.exe, 00000000.00000002.1323368752.000002674DF30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum\keystore
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Source: Yara match File source: Process Memory Space: file.exe PID: 3812, type: MEMORYSTR
Source: Yara match File source: 0.2.file.exe.2674e120000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2674e120000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1323368752.000002674DF30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1323509145.000002674E120000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3812, type: MEMORYSTR