Malware analysis EverSpy Ultimate Unpacked - Copy.rar Malicious activity

Add for printing

File name:	EverSpy Ultimate Unpacked - Copy.rar
Full analysis:	https://app.any.run/tasks/6130b71b-5608-447d-a338-0bce6aca9466
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	August 11, 2024, 19:32:39
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	telegram stealer stormkitty evasion exfiltration asyncrat rat
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	7CEA74158FFA610149B5B76B9CE29E5D
SHA1:	BD5BBD55F354B271015BE7B971DD3510064EE709
SHA256:	04D5C7486CF4962F52AC9173987C4AE53084A9329797F9E872D701943AF4A022
SSDEEP:	98304:/Ynz1/Hgu+4BNfWxWLFDou3biToRnoJF5j4GcvIhXWHhC320BIwXx3dyu4SJwbsk:DcFS50oBk3JJ7Rs63kuf2fN8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Steals credentials from Web Browsers
  - Evolution X Loader.exe (PID: 6992)
- Actions looks like stealing of personal data
  - Evolution X Loader.exe (PID: 6992)
- STORMKITTY has been detected (YARA)
  - Evolution X Loader.exe (PID: 6992)
- Stealers network behavior
  - Evolution X Loader.exe (PID: 6992)
- Attempting to use instant messaging service
  - Evolution X Loader.exe (PID: 6992)
- ASYNCRAT has been detected (MUTEX)
  - Evolution X Loader.exe (PID: 6992)
SUSPICIOUS
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 2464)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - Evolution X Loader 2.exe (PID: 4708)
  - Evolution X Loader.exe (PID: 6992)
- Write to the desktop.ini file (may be used to cloak folders)
  - Evolution X Loader.exe (PID: 6992)
- Starts CMD.EXE for commands execution
  - Evolution X Loader.exe (PID: 6992)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 3360)
- Starts application with an unusual extension
  - cmd.exe (PID: 3360)
  - cmd.exe (PID: 6304)
- Uses NETSH.EXE to obtain data on the network
  - cmd.exe (PID: 3360)
  - cmd.exe (PID: 6304)
- The process connected to a server suspected of theft
  - Evolution X Loader.exe (PID: 6992)
- Checks for external IP
  - Evolution X Loader.exe (PID: 6992)
  - svchost.exe (PID: 2256)
- Potential Corporate Privacy Violation
  - Evolution X Loader.exe (PID: 6992)
- Executable content was dropped or overwritten
  - RegAsm.exe (PID: 6440)
- Drops the executable file immediately after the start
  - RegAsm.exe (PID: 6440)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 2464)
- Manual execution by a user
  - WinRAR.exe (PID: 2464)
  - Evolution X Loader 2.exe (PID: 4708)
  - Evolution X Loader.exe (PID: 6992)
  - ApkFix.exe (PID: 1344)
  - Evolution X.exe (PID: 2064)
  - payload.exe (PID: 1224)
- Dropped object may contain TOR URL's
  - WinRAR.exe (PID: 2464)
- Checks supported languages
  - Evolution X Loader 2.exe (PID: 4708)
  - Evolution X Loader.exe (PID: 6992)
  - chcp.com (PID: 2132)
  - chcp.com (PID: 4592)
  - ApkFix.exe (PID: 1344)
  - Evolution X.exe (PID: 2064)
  - RegAsm.exe (PID: 6440)
  - payload.exe (PID: 1224)
- Reads the computer name
  - Evolution X Loader 2.exe (PID: 4708)
  - Evolution X Loader.exe (PID: 6992)
  - ApkFix.exe (PID: 1344)
  - Evolution X.exe (PID: 2064)
  - RegAsm.exe (PID: 6440)
  - payload.exe (PID: 1224)
- Reads the machine GUID from the registry
  - Evolution X Loader 2.exe (PID: 4708)
  - Evolution X Loader.exe (PID: 6992)
  - ApkFix.exe (PID: 1344)
  - Evolution X.exe (PID: 2064)
  - payload.exe (PID: 1224)
- Reads Environment values
  - Evolution X Loader 2.exe (PID: 4708)
  - Evolution X Loader.exe (PID: 6992)
- Disables trace logs
  - Evolution X Loader 2.exe (PID: 4708)
  - Evolution X Loader.exe (PID: 6992)
- Checks proxy server information
  - Evolution X Loader 2.exe (PID: 4708)
  - Evolution X Loader.exe (PID: 6992)
- Reads the software policy settings
  - Evolution X Loader 2.exe (PID: 4708)
  - Evolution X Loader.exe (PID: 6992)
- Attempting to use instant messaging service
  - svchost.exe (PID: 2256)
  - Evolution X Loader 2.exe (PID: 4708)
  - Evolution X Loader.exe (PID: 6992)
- Creates files or folders in the user directory
  - Evolution X Loader.exe (PID: 6992)
- Create files in a temporary directory
  - Evolution X Loader.exe (PID: 6992)
  - RegAsm.exe (PID: 6440)
- Changes the display of characters in the console
  - chcp.com (PID: 2132)
  - chcp.com (PID: 4592)
- Reads CPU info
  - Evolution X Loader.exe (PID: 6992)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

StormKitty

(PID) Process(6992) Evolution X Loader.exe

C2 (1)127.0.0.1

Ports (3)6606

7707

8808

Credentials

Protocoltelegram

URLhttps://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/send

Token6136383697:AAGfsDaDLMnRmxp7pg4J5BoUuPDhvYm_M10

ChatId1863892139

Version

BotnetDefault

Options

AutoRunfalse

MutexAsyncMutex_6SI8OkPnk

InstallFolder%AppData%

BSoDfalse

AntiVMfalse

Certificates

Cert1MIIE9jCCAt6gAwIBAgIQAKQXqY8ZdB/modqi69mWGTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFXb3JsZFdpbmQgU3RlYWxlcjAgFw0yMTA3MTMwNDUxMDZaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRV29ybGRXaW5kIFN0ZWFsZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnRXYoxuLqqgXdcvIAYWb9DuVRl5ZpdpPfoIgmb7Y9A9AuiddKNm4is8EvIlEh98bQD4OB...

Server_SignatureB/V3BUeYu10HTiTPmCXLqLTBnmwYEOinSL5L9EBUMNAAIaqtzGNvo5uy0BFrbrRaukmCUaas84RekvOxu9rDTharx8OjwxzGo6OoNNC5TemoZGE6G7LVXg181LlExXduQqKwNczYs6PK8C/1UfRZf0l1I3ZYE5vUXuPWxl5MZhuHBK663w6tpzni0Z9/061Ckbt5xqOXPiKlLCTyLwsLWnXwga9DlwjRpzNZwUlVVkj+YJay96Bssoh/Lw59N++3BeGJMqN/apXhLm4HCjOTKPj8cQRb2eNlBrLeKz2YO+3l...

Keys

AES33baad7fc5ff88a90432d49306410cd4ccf076637b30c5e986f32500f077b9b6

Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

149

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1224

"C:\Users\admin\Desktop\Evolution X\payload.exe"

C:\Users\admin\Desktop\Evolution X\payload.exe

—

explorer.exe

User:

admin

Company:

spynote.us

Integrity Level:

MEDIUM

Description:

Payload

Exit code:

Version:

7.0.1.1

Modules

Images
c:\users\admin\desktop\evolution x\payload.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

1344

"C:\Users\admin\Desktop\Evolution X\ApkFix.exe"

C:\Users\admin\Desktop\Evolution X\ApkFix.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

ApkFix

Exit code:

Version:

7.0.1.1

Modules

Images
c:\users\admin\desktop\evolution x\apkfix.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

2064

"C:\Users\admin\Desktop\Evolution X\Evolution X.exe"

C:\Users\admin\Desktop\Evolution X\Evolution X.exe

—

explorer.exe

User:

admin

Company:

Evolution X

Integrity Level:

MEDIUM

Description:

Evolution X

Exit code:

Version:

7.0.3.3

Modules

Images
c:\users\admin\desktop\evolution x\evolution x.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

2132

chcp 65001

C:\Windows\SysWOW64\chcp.com

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Change CodePage Utility

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

2256

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2340

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2388

netsh wlan show profile

C:\Windows\SysWOW64\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

2464

"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\Evolution X.7z" "C:\Users\admin\Desktop\Evolution X\"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

3360

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\cmd.exe

—

Evolution X Loader.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

4592

chcp 65001

C:\Windows\SysWOW64\chcp.com

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Change CodePage Utility

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

Add for printing

Total events

11 286

Read events

11 242

Write events

Delete events

Modification events


(PID) Process:	(6544) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(6544) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(6544) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6544) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\EverSpy Ultimate Unpacked - Copy.rar
(PID) Process:	(6544) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6544) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6544) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6544) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6544) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	@C:\WINDOWS\System32\acppage.dll,-6002
Value: Windows Batch File
(PID) Process:	(2464) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:

Add for printing

Executable files

Suspicious files

195

Text files

467

Unknown types

Dropped files

PID	Process	Filename		Type
2464	WinRAR.exe	C:\Users\admin\Desktop\Evolution X\Resources\fonts\CutiveMono.ttf		ttf
		MD5:2873A2747ABEDF74A31909E1BE5E23F9	SHA256:AE8AD180A0166369407284E62D02D8DAF6A5BD28D4064F0008023A84458840B9
2464	WinRAR.exe	C:\Users\admin\Desktop\Evolution X\Resources\fonts\Hurme Geometric Sans 3 W03 Rg.ttf		binary
		MD5:BAA223CE70692D6C7C620EDE6F841F29	SHA256:A71439EB2A02A713A07FC59C964A39EDE2DAF6EDFAFC3E440AF8AB0D691C207B
2464	WinRAR.exe	C:\Users\admin\Desktop\Evolution X\Resources\fonts\Hurme Geometric Sans 4 W00 Lt.ttf		binary
		MD5:8C7C5CEDB3DD34C518D04AB514DDFB92	SHA256:62AFE2D0F5627146C225957A0F91D649ED1893D33BE813D2AC7C5110B4F3EF29
2464	WinRAR.exe	C:\Users\admin\Desktop\Evolution X\Resources\fonts\Wingdings3.ttf		ttf
		MD5:9E2EE65661BEE40438D514FE592BFCF8	SHA256:AC9EE085920A3D8B076D5E0C61DC9DF42C4BAC28D1FC968344F9CEDDB3972F69
2464	WinRAR.exe	C:\Users\admin\Desktop\Evolution X\Resources\fonts\FiraCode-Light.ttf		binary
		MD5:A85EBFC3913AB6BC6A7B817FA627B904	SHA256:DBAEA44B044C9F6552D3ABFB4EB936F51A6871DC5421EF2BDE80730C82DBA442
2464	WinRAR.exe	C:\Users\admin\Desktop\Evolution X\Resources\fonts\Hurme Geometric Sans 4 W00 Obl.ttf		binary
		MD5:D4ED7B2A4E107926E104E6EEC0295987	SHA256:21E3D6B731A4EBF89FA2171500D97EEB1208B32AD6DA81281C82A97E8D807F0F
2464	WinRAR.exe	C:\Users\admin\Desktop\Evolution X\Resources\fonts\HurmeGeometricSans4.otf		otf
		MD5:DAD94707CC3F8EE40812D7AD7052F1D2	SHA256:66465F45AAC2639F4C300FB67DA1243447B115C5785C98CE51A93B51CA55D17A
2464	WinRAR.exe	C:\Users\admin\Desktop\Evolution X\Resources\icons\appInfo\activitie.png		image
		MD5:9E4245F7174A3A48F89E539C7B8B5D42	SHA256:5F2FD530BEF1ED8E627E445109E953DC42CEE0A63D9DE79BEE0E9A8743013B57
2464	WinRAR.exe	C:\Users\admin\Desktop\Evolution X\Resources\fonts\Hurme Geometric Sans 4 W00 Thin.ttf		binary
		MD5:ED24E555A430285DAD7079CBFBC81C92	SHA256:752AA90B1CC95E627268A10A7DEFA463DE14ADE1CFCF759C768EF76B5A40D0F7
2464	WinRAR.exe	C:\Users\admin\Desktop\Evolution X\Resources\fonts\DroidSansMonoSlashed.ttf		binary
		MD5:D5540FAA206983C791843A3A55E3CB98	SHA256:01550D67B4C7A8C113DA222A26F0E77F39D9FE2264369C7CC2D8F6962682BE35

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2068	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6880	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6928	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6992	Evolution X Loader.exe	GET	200	104.16.184.241:80	http://icanhazip.com/	unknown	—	—	shared

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1128	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
2120	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5040	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5336	SearchApp.exe	2.23.209.149:443	www.bing.com	Akamai International B.V.	GB	unknown
5336	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
2068	svchost.exe	40.126.32.138:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2068	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2 4.231.128.59	whitelisted
google.com	216.58.206.78	whitelisted
www.bing.com	2.23.209.149 2.23.209.140 2.23.209.141 2.23.209.135 2.23.209.150 2.23.209.189 2.23.209.130 2.23.209.177 2.23.209.179	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	40.126.32.138 20.190.160.20 40.126.32.76 40.126.32.136 40.126.32.134 40.126.32.140 40.126.32.133 20.190.160.17	whitelisted
th.bing.com	2.23.209.189 2.23.209.179 2.23.209.158 2.23.209.176 2.23.209.150 2.23.209.177 2.23.209.130 2.23.209.160 2.23.209.135	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
fd.api.iris.microsoft.com	20.199.58.43	whitelisted
arc.msn.com	20.199.58.43	whitelisted
slscr.update.microsoft.com	52.165.165.26	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
4708	Evolution X Loader 2.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
4708	Evolution X Loader 2.exe	Misc activity	ET HUNTING Telegram API Certificate Observed
6992	Evolution X Loader.exe	Attempted Information Leak	ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
6992	Evolution X Loader.exe	Potential Corporate Privacy Violation	ET POLICY Observed Wifi Geolocation Domain (api .mylnikov .org in TLS SNI)
2256	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com)
6992	Evolution X Loader.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
6992	Evolution X Loader.exe	Misc activity	ET HUNTING Telegram API Certificate Observed
6992	Evolution X Loader.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
6992	Evolution X Loader.exe	Misc activity	ET HUNTING Telegram API Certificate Observed

Add for printing

No debug info

General Info

EverSpy Ultimate Unpacked - Copy.rar

7CEA74158FFA610149B5B76B9CE29E5D

BD5BBD55F354B271015BE7B971DD3510064EE709

04D5C7486CF4962F52AC9173987C4AE53084A9329797F9E872D701943AF4A022

98304:/Ynz1/Hgu+4BNfWxWLFDou3biToRnoJF5j4GcvIhXWHhC320BIwXx3dyu4SJwbsk:DcFS50oBk3JJ7Rs63kuf2fN8

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Steals credentials from Web Browsers

Actions looks like stealing of personal data

STORMKITTY has been detected (YARA)

Stealers network behavior

Attempting to use instant messaging service

ASYNCRAT has been detected (MUTEX)

SUSPICIOUS

Process drops legitimate windows executable

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Write to the desktop.ini file (may be used to cloak folders)

Starts CMD.EXE for commands execution

Using 'findstr.exe' to search for text patterns in files and output

Starts application with an unusual extension

Uses NETSH.EXE to obtain data on the network

The process connected to a server suspected of theft

Checks for external IP

Potential Corporate Privacy Violation

Executable content was dropped or overwritten

Drops the executable file immediately after the start

INFO

Executable content was dropped or overwritten

Manual execution by a user

Dropped object may contain TOR URL's

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Reads Environment values

Disables trace logs

Checks proxy server information

Reads the software policy settings

Attempting to use instant messaging service

Creates files or folders in the user directory

Create files in a temporary directory

Changes the display of characters in the console

Reads CPU info

Malware configuration

StormKitty

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files