Windows Analysis Report
t90RvrDNvz.exe

Overview

General Information

Sample name: t90RvrDNvz.exe (renamed because the original name is a hash value)
Original sample name: f660778402a3bb138486c84706d69a00ee03818437d6dac0fed4ea276561e84a.exe
Analysis ID: 1562121
MD5: 05ce896e3a0a78a9bf1f12a51d83d215
SHA1: f7e32c1dc592e3c185fece729ebcc0266e86e0cc
SHA256: f660778402a3bb138486c84706d69a00ee03818437d6dac0fed4ea276561e84a
Tags: Adware, Techsnab, exe, TRADETRUSTLLC, user-JAMESWT_MHT

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Contains functionality to call native functions
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic

Classification

AV Detection

Source: t90RvrDNvz.exe ReversingLabs: Detection: 18%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 97.5% probability
Source: unknown HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49813 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49837 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49843 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49871 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49881 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49904 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49910 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49935 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49939 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49963 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49969 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:49992 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.213.123.165:443 -> 192.168.2.6:49996 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.204.237:443 -> 192.168.2.6:50022 version: TLS 1.2
Source: t90RvrDNvz.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: global traffic HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1 | Connection: Keep-Alive | Host: eth0.cdn-serveri2004-ns.shop
Source: global traffic HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1 | Connection: Keep-Alive | Host: httpbin.org
Source: global traffic HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1 | Connection: Keep-Alive | Host: eth0.cdn-serveri2004-ns.shop
Source: global traffic HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1 | Connection: Keep-Alive | Host: httpbin.org
Source: global traffic HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1 | Connection: Keep-Alive | Host: eth0.cdn-serveri2004-ns.shop
Source: global traffic HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1 | Connection: Keep-Alive | Host: httpbin.org
Source: global traffic HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1 | Connection: Keep-Alive | Host: eth0.cdn-serveri2004-ns.shop
Source: global traffic HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1 | Connection: Keep-Alive | Host: httpbin.org
Source: global traffic HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1 | Connection: Keep-Alive | Host: eth0.cdn-serveri2004-ns.shop
Source: global traffic HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1 | Connection: Keep-Alive | Host: httpbin.org
Source: global traffic HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1 | Connection: Keep-Alive | Host: eth0.cdn-serveri2004-ns.shop
Source: global traffic HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1 | Connection: Keep-Alive | Host: httpbin.org
Source: global traffic HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1 | Connection: Keep-Alive | Host: eth0.cdn-serveri2004-ns.shop
Source: global traffic HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1 | Connection: Keep-Alive | Host: httpbin.org
Source: global traffic HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1 | Connection: Keep-Alive | Host: eth0.cdn-serveri2004-ns.shop
Source: global traffic HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1 | Connection: Keep-Alive | Host: httpbin.org
Source: global traffic HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1 | Connection: Keep-Alive | Host: eth0.cdn-serveri2004-ns.shop
Source: global traffic HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1 | Connection: Keep-Alive | Host: httpbin.org
Source: global traffic HTTP traffic detected: GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1 | Connection: Keep-Alive | Host: eth0.cdn-serveri2004-ns.shop
Source: global traffic HTTP traffic detected: GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1 | Connection: Keep-Alive | Host: httpbin.org
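Every request above alternates between the same api.php path on eth0.cdn-serveri2004-ns.shop and httpbin.org's /drip endpoint, and none of them carries a User-Agent header, which is what the "HTTP GET or POST without a user agent" signature keys on (WinHTTP, which this process loads, only sends a User-Agent if the caller supplies one). The /drip call with delay=2&duration=2 makes the server hold and then trickle the response over roughly four seconds, so each pair reads as a poll followed by a server-side sleep. The following added example, not part of this report or of Joe Sandbox, triages a batch of raw HTTP requests in Python: it parses each request, records endpoints requested without a User-Agent, and flags any endpoint hit at least `poll_threshold` times. The SAMPLE_REQUESTS are constructed from the request lines shown above, plus one ordinary browser-style request to www.example.com for contrast.

```python
from collections import Counter


def parse_request(raw: str):
    """Parse a raw HTTP/1.x request (CRLF-separated) into method, target and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def triage_requests(raw_requests, poll_threshold=5):
    """Summarise what the sandbox signatures look for across a batch of requests."""
    per_endpoint = Counter()
    no_user_agent = set()
    for raw in raw_requests:
        req = parse_request(raw)
        # Endpoint = (Host header, path without query string) so repeated polls group together.
        endpoint = (req["headers"].get("host", "?"), req["target"].split("?", 1)[0])
        per_endpoint[endpoint] += 1
        if "user-agent" not in req["headers"]:
            no_user_agent.add(endpoint)
    polling = {ep: n for ep, n in per_endpoint.items() if n >= poll_threshold}
    return {
        "hosts": sorted({host for host, _ in per_endpoint}),
        "no_user_agent": sorted(no_user_agent),
        "polling": polling,
        # Endpoints that are both polled and sent without a User-Agent are the ones to pivot on.
        "suspect": sorted(ep for ep in polling if ep in no_user_agent),
    }


# Constructed from the request lines in the report: ten api.php polls interleaved with
# ten /drip calls, all without a User-Agent, plus one browser-style request for contrast.
C2_POLL = ("GET /c2dm/WSVUCGSKHE7PDXHDBW27/api.php HTTP/1.1\r\n"
           "Connection: Keep-Alive\r\nHost: eth0.cdn-serveri2004-ns.shop\r\n\r\n")
DRIP = ("GET /drip?code=200&delay=2&duration=2&numbytes=10 HTTP/1.1\r\n"
        "Connection: Keep-Alive\r\nHost: httpbin.org\r\n\r\n")
BROWSER = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
           "User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n")
SAMPLE_REQUESTS = [C2_POLL, DRIP] * 10 + [BROWSER]

if __name__ == "__main__":
    result = triage_requests(SAMPLE_REQUESTS)
    for host, path in result["suspect"]:
        print(f"polled without User-Agent: {host}{path} x{result['polling'][(host, path)]}")
```

Grouping by Host plus path (query string stripped) is deliberate: a beacon that varies a cache-buster or token in the query would otherwise never cross the polling threshold.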
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49718 -> 172.67.204.237:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49720 -> 18.213.123.165:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49765 -> 172.67.204.237:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49743 -> 18.213.123.165:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49737 -> 172.67.204.237:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49772 -> 18.213.123.165:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49837 -> 172.67.204.237:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49843 -> 18.213.123.165:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49881 -> 18.213.123.165:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49871 -> 172.67.204.237:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49910 -> 18.213.123.165:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49813 -> 18.213.123.165:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49935 -> 172.67.204.237:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49969 -> 18.213.123.165:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49807 -> 172.67.204.237:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49939 -> 18.213.123.165:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49904 -> 172.67.204.237:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50022 -> 172.67.204.237:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49992 -> 172.67.204.237:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49963 -> 172.67.204.237:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49996 -> 18.213.123.165:443
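A JA3 hash identifies the TLS client implementation, not the program driving it: this sample uses WinHTTP over schannel (both listed among the loaded modules further down), so the fingerprint a0e9f5d64349fb13191bc781f81f42e1 is shared with other Windows software using that stack. That is why the ET rule fires at Severity 3 ("Possible Malware") and why it is context, not a verdict. The following added example (not part of this report or of Joe Sandbox) shows in Python how the value is derived: `build_client_hello` fabricates a TLS record carrying a ClientHello with constructed cipher and extension lists, and `ja3_from_client_hello` parses it back into the JA3 string (version, ciphers, extensions, supported groups, point formats, with GREASE values dropped) and its MD5. The hash it yields belongs to the constructed hello and is not the one in the report.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are randomised per connection and are excluded from JA3.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def build_client_hello(version, ciphers, extensions):
    """Fabricate a TLS record carrying a ClientHello. Constructed data for the demo:
    the 32-byte random is zeroed and the session id is empty."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                    # one compression method: null
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ja3_from_client_hello(record: bytes):
    """Return (ja3_string, ja3_md5) for a TLS record containing a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs = record[5:]
    pos = 4                                                # handshake type + 3-byte length
    version = struct.unpack_from("!H", hs, pos)[0]         # JA3 uses the handshake version
    pos += 2 + 32                                          # version, random
    pos += 1 + hs[pos]                                     # session id
    cs_len = struct.unpack_from("!H", hs, pos)[0]
    pos += 2
    ciphers = [c for c in struct.unpack_from(f"!{cs_len // 2}H", hs, pos) if c not in GREASE]
    pos += cs_len
    pos += 1 + hs[pos]                                     # compression methods
    ext_types, groups, formats = [], [], []
    if pos < len(hs):
        ext_len = struct.unpack_from("!H", hs, pos)[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack_from("!HH", hs, pos)
            pos += 4
            data = hs[pos:pos + elen]
            pos += elen
            if etype in GREASE:
                continue
            ext_types.append(etype)
            if etype == 0x000A:                            # supported_groups
                n = struct.unpack_from("!H", data, 0)[0]
                groups = [g for g in struct.unpack_from(f"!{n // 2}H", data, 2) if g not in GREASE]
            elif etype == 0x000B:                          # ec_point_formats
                formats = list(data[1:1 + data[0]])
    fields = [str(version)] + ["-".join(map(str, part)) for part in (ciphers, ext_types, groups, formats)]
    ja3 = ",".join(fields)
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


# Constructed ClientHello: TLS 1.2, one GREASE cipher and one GREASE extension mixed in.
SNI = b"\x00\x0e\x00\x00\x0bhttpbin.org"                   # server_name extension body
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x0A0A, 0xC02C, 0xC02B, 0xC030, 0x002F],
    [(0x2A2A, b""), (0x0000, SNI), (0x000A, b"\x00\x06\x00\x1d\x00\x17\x00\x18"),
     (0x000B, b"\x01\x00"), (0x000D, b"\x00\x04\x04\x03\x08\x04"), (0x0017, b""), (0xFF01, b"\x00")],
)
SAMPLE_JA3 = ja3_from_client_hello(SAMPLE_HELLO)

if __name__ == "__main__":
    print(SAMPLE_JA3[0])
    print(SAMPLE_JA3[1])
```

Because the MD5 covers the exact order of ciphers and extensions, two clients with the same TLS library and version collide on the hash; that is the property that makes JA3 useful for grouping and useless for attribution on its own.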
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: eth0.cdn-serveri2004-ns.shop
Source: global traffic DNS traffic detected: DNS query: httpbin.org
Source: t90RvrDNvz.exe String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-codeSigning-ECC-384-R2.cer0
Source: t90RvrDNvz.exe String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-codeSigning-ECC-384-R2.crl0
Source: t90RvrDNvz.exe String found in binary or memory: http://crls.ssl.com/ssl.com-EVecc-RootCA.crl0
Source: t90RvrDNvz.exe String found in binary or memory: http://ocsps.ssl.com0
Source: t90RvrDNvz.exe String found in binary or memory: http://ocsps.ssl.com0P
Source: t90RvrDNvz.exe String found in binary or memory: http://www.burnaware.com
Source: t90RvrDNvz.exe String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-ECC-384-R1.crt0
Source: t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2726605271.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2850913461.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3217990402.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2237692616.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3100967300.00000000038A3000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/
Source: t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop//
Source: t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2352772201.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/011t
Source: t90RvrDNvz.exe, 00000000.00000003.3101051028.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/3
Source: t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/Jt
Source: t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/O
Source: t90RvrDNvz.exe, 00000000.00000002.3394956509.0000000003874000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000E46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.php
Source: t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000ECA000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3101051028.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2850913461.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3217990402.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.php)
Source: t90RvrDNvz.exe, 00000000.00000002.3394956509.0000000003874000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.php3
Source: t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000ECA000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3101051028.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.php7aU
Source: t90RvrDNvz.exe, 00000000.00000003.3101051028.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpCc
Source: t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3217990402.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpO
Source: t90RvrDNvz.exe, 00000000.00000002.3394956509.0000000003874000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpT
Source: t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpWc
Source: t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000ECA000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3101051028.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2850913461.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3217990402.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpkc
Source: t90RvrDNvz.exe, 00000000.00000003.3217883623.0000000003891000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000002.3394956509.0000000003891000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop:443/c2dm/WSVUCGSKHE7PDXHDBW27/api.php
Source: t90RvrDNvz.exe, 00000000.00000003.3217990402.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2850913461.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2726605271.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000002.3394956509.0000000003891000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3101051028.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eth0.cdn-serveri2004-ns.shop:443/c2dm/WSVUCGSKHE7PDXHDBW27/api.phpRS
Source: t90RvrDNvz.exe, 00000000.00000003.2850913461.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/
Source: t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2726605271.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/drip?code=200&del
Source: t90RvrDNvz.exe, 00000000.00000003.2352751790.000000000388C000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000002.3394956509.00000000038B1000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3101382322.0000000003898000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3217990402.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10
Source: t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000ECA000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3101051028.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2352751790.000000000388C000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3217990402.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10LocationETagAuthentication-InfoAgeAc
Source: t90RvrDNvz.exe, 00000000.00000002.3394956509.0000000003874000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10f
Source: t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10i.php
Source: t90RvrDNvz.exe, 00000000.00000002.3394956509.0000000003874000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/drip?code=200&delay=2&duration=2&numbytes=10i.phpM
Source: t90RvrDNvz.exe, 00000000.00000003.2976278142.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.2608626914.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/p
Source: t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000E91000.00000004.00000020.00020000.00000000.sdmp, t90RvrDNvz.exe, 00000000.00000003.3217883623.0000000003891000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org:443/drip?code=200&delay=2&duration=2&numbytes=10
Source: t90RvrDNvz.exe, 00000000.00000003.3217883623.0000000003891000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org:443/drip?code=200&delay=2&duration=2&numbytes=10gv
Source: t90RvrDNvz.exe, 00000000.00000003.2237692616.0000000000ED9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org:443/drip?code=200&delay=2&duration=2&numbytes=10jD
Source: t90RvrDNvz.exe String found in binary or memory: https://www.ssl.com/repository0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Code function: 0_2_0087C7BB NtQuerySystemInformation, 0_2_0087C7BB
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Code function: 0_2_0087C3EB NtDelayExecution, 0_2_0087C3EB
Source: t90RvrDNvz.exe Static PE information: invalid certificate
Source: t90RvrDNvz.exe Static PE information: Number of sections : 11 > 10
Source: t90RvrDNvz.exe, 00000000.00000002.3395384110.0000000004CBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevmdbCOM.DLLF vs t90RvrDNvz.exe
Source: t90RvrDNvz.exe, 00000000.00000000.2144326512.0000000000B5D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamevmdbCOM.DLLF vs t90RvrDNvz.exe
Source: t90RvrDNvz.exe Binary or memory string: OriginalFilenamevmdbCOM.DLLF vs t90RvrDNvz.exe
Source: classification engine Classification label: mal56.evad.winEXE@1/0@3/2
Source: t90RvrDNvz.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
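The PE findings above (an invalid certificate, 11 sections, a version-info OriginalFilename of vmdbCOM.DLL that does not match the file name, and a .text section that is code, execute and read) are cheap to reproduce outside the sandbox. The following added example, not part of this report or of Joe Sandbox, is a dependency-free PE header parser in Python that counts sections, reports names outside the usual set, flags sections that are both writable and executable, and checks whether an Authenticode signature blob (the security data directory) is present. The `build_pe` helper fabricates a bare PE header from a constructed section list so the example runs offline; the 11-section layout it uses (.text, .itext, .data, .bss, .idata, .didata, .edata, .tls, .rdata, .reloc, .rsrc) is the one Delphi-built executables commonly carry, which matters here because the sample opens the Borland\Delphi\Locales key: on a Delphi binary, "more than 10 sections" and the names .itext and .didata are expected and carry little weight on their own. The presence check only says that a signature blob exists; whether it verifies (the report says it does not, and the binary embeds SSL.com EV code-signing CA URLs) must be checked with a real verifier such as `signtool verify /pa /v` or `osslsigncode verify`.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Names a conventional MSVC-style image carries; anything else is reported.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".bss", ".idata", ".edata", ".pdata",
                   ".tls", ".rsrc", ".reloc", ".CRT"}
# Delphi's linker adds these two; seeing only them outside COMMON_SECTIONS is expected for Delphi.
DELPHI_EXTRA = {".itext", ".didata"}


def build_pe(sections, signed, pe32plus=False):
    """Fabricate a bare PE header (DOS stub, COFF header, optional header, section table)
    for testing. Constructed data only: there is no code or resource data behind it."""
    opt_size = 240 if pe32plus else 224
    dd_off = 112 if pe32plus else 96                     # data directories within the optional header
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<I", opt, dd_off - 4, 16)                    # NumberOfRvaAndSizes
    if signed:
        # IMAGE_DIRECTORY_ENTRY_SECURITY (index 4): file offset and size of the WIN_CERTIFICATE blob
        struct.pack_into("<II", opt, dd_off + 4 * 8, 0x5000, 0x800)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, len(sections),
                       0, 0, 0, opt_size, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), 0x1000, 0x1000 * (i + 1), 0x200,
                    0x400 * (i + 1), 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def triage_pe(data: bytes):
    """Return the static indicators the report keys on, from the headers alone."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (112 if magic == 0x20B else 96)
    ndirs = struct.unpack_from("<I", data, dd_off - 4)[0]
    _, sec_size = struct.unpack_from("<II", data, dd_off + 4 * 8) if ndirs > 4 else (0, 0)
    sections = []
    for i in range(nsec):
        entry = opt + opt_size + 40 * i
        name = struct.unpack_from("<8s", data, entry)[0].rstrip(b"\0").decode("latin-1")
        chars = struct.unpack_from("<I", data, entry + 36)[0]
        sections.append((name, chars))
    findings = []
    if nsec > 10:
        findings.append(f"section count {nsec} > 10")
    odd = [n for n, _ in sections if n not in COMMON_SECTIONS]
    if odd:
        findings.append("non-standard section names: " + ", ".join(odd))
        if set(odd) <= DELPHI_EXTRA:
            findings.append("those names are the usual Delphi .itext/.didata pair (weak indicator)")
    wx = [n for n, c in sections if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE]
    if wx:
        findings.append("writable and executable sections: " + ", ".join(wx))
    return {
        "machine": hex(machine),
        "sections": [n for n, _ in sections],
        "signed": sec_size > 0,      # a blob is present; validity needs a real verifier
        "findings": findings,
    }


CODE, DATA = 0x60000020, 0xC0000040   # CNT_CODE|EXECUTE|READ and INITIALIZED_DATA|READ|WRITE
# Constructed section list mirroring the layout of a Delphi-built executable.
DELPHI_LAYOUT = [(".text", CODE), (".itext", CODE), (".data", DATA), (".bss", DATA),
                 (".idata", DATA), (".didata", DATA), (".edata", DATA), (".tls", DATA),
                 (".rdata", DATA), (".reloc", DATA), (".rsrc", DATA)]
SAMPLE_REPORT = triage_pe(build_pe(DELPHI_LAYOUT, signed=True))
MSVC_REPORT = triage_pe(build_pe([(".text", CODE), (".rdata", DATA), (".data", DATA),
                                  (".rsrc", DATA)], signed=False, pe32plus=True))

if __name__ == "__main__":
    for key, value in SAMPLE_REPORT.items():
        print(f"{key}: {value}")
```

To run it on the real sample, replace the constructed header with `open(path, "rb").read()`; the parser only touches the headers, so it works on a truncated dump as long as the section table is intact.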
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: t90RvrDNvz.exe ReversingLabs: Detection: 18%
Source: t90RvrDNvz.exe String found in binary or memory: Africa/Addis_Ababa
Source: t90RvrDNvz.exe String found in binary or memory: Try to re-install the software.
Source: C:\Users\user\Desktop\t90RvrDNvz.exe File read: C:\Users\user\Desktop\t90RvrDNvz.exe
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Section loaded: dpapi.dll
Source: t90RvrDNvz.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: t90RvrDNvz.exe Static file information: File size 26869672 > 1048576
Source: t90RvrDNvz.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x53b800
Source: t90RvrDNvz.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: t90RvrDNvz.exe Static PE information: section name: .didata
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\t90RvrDNvz.exe TID: 7040 Thread sleep time: -270000s >= -30000s
Source: t90RvrDNvz.exe Binary or memory string: 1998-2023 VMware, Inc.@
Source: t90RvrDNvz.exe, 00000000.00000003.2237692616.0000000000ED9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW7sP
Source: t90RvrDNvz.exe Binary or memory string: CompanyNameVMware, Inc.F
Source: t90RvrDNvz.exe, 00000000.00000003.2237692616.0000000000ED9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: t90RvrDNvz.exe Binary or memory string: ProductNameVMware WorkstationP
Source: t90RvrDNvz.exe, 00000000.00000002.3392308126.0000000000E91000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\t90RvrDNvz.exe NtDelayExecution: Indirect: 0x87C429
Source: C:\Users\user\Desktop\t90RvrDNvz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid