File name:	REF--REQUIRED--ORDER-CONFIRMATIONS.cmd
Full analysis:	https://app.any.run/tasks/5470e516-ed28-4053-a4f1-93c589de698c
Verdict:	Malicious activity
Threats:	A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 30, 2025, 10:28:21
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	delphi m0yv sinkhole snake keylogger evasion stealer smtp netreactor truesight mal-driver
Indicators:
MIME:	text/x-msdos-batch
File info:	DOS batch file, Unicode text, UTF-8 text, with very long lines (504), with CRLF line terminators
MD5:	05D564F76213F94C6013E2F5202FC1B8
SHA1:	0331BB25890D7188633716544BD4D27BF970F745
SHA256:	107F5B7D95B1D5DA610D6716545E5646F0C2B60E6E26E1BD835A862C6AFB3DEE
SSDEEP:	24576:Ya8rhD9oVoZdPTqp/lAGyC7lTQd5M77eaGYIcev3m0nA7RWELw2awORgyBBJaNuF:Ya8p9ooeiC7a5M77eUHz0D/h0GjLVTWG


(PID) Process:	(2144) cmd.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(4132) cmd.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(3640) AnyDesk.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Lqsrhpvh
Value: C:\Users\Public\Lqsrhpvh.url
(PID) Process:	(4044) hvphrsqL.pif	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hvphrsqL_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(4044) hvphrsqL.pif	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hvphrsqL_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(4044) hvphrsqL.pif	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hvphrsqL_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(4044) hvphrsqL.pif	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hvphrsqL_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(4044) hvphrsqL.pif	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hvphrsqL_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(4044) hvphrsqL.pif	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hvphrsqL_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(4044) hvphrsqL.pif	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hvphrsqL_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing

PID	Process	Filename		Type
3540	extrac32.exe	C:\Users\Public\phf.pif		executable
		MD5:A7A5B67EC704EAC6D6E6AF0489353F42	SHA256:BF072F9A6A15B550B13AE86A4FBD3FA809D2A13236847AE9FA9A68F41386106E
372	extrac32.exe	C:\Users\Public\awpha.pif		executable
		MD5:59BD6F822956E54CDEDD0C441372C289	SHA256:2F89115E1081C91BABAF2961CEF0BCF9C8F4EE803D3BE6E88ACE23B383FE7324
3640	AnyDesk.pif	C:\Users\Public\LqsrhpvhF.cmd		text
		MD5:F82AEB3B12F33250E404DF6EC873DD1D	SHA256:23B7417B47C7EFB96FB7CE395E325DC831AB2EE03EADDA59058D31BDBE9C1EA6
3640	AnyDesk.pif	C:\Windows \SysWOW64\svchost.pif		executable
		MD5:869640D0A3F838694AB4DFEA9E2F544D	SHA256:0DB4D3FFDB96D13CF3B427AF8BE66D985728C55AE254E4B67D287797E4C0B323
2076	extrac32.exe	C:\Users\Public\alpha.pif		executable
		MD5:CB6CD09F6A25744A8FA6E4B3E4D260C5	SHA256:265B69033CEA7A9F8214A34CD9B17912909AF46C7A47395DD7BB893A24507E59
2280	extrac32.exe	C:\Users\Public\alpha.pif		executable
		MD5:CB6CD09F6A25744A8FA6E4B3E4D260C5	SHA256:265B69033CEA7A9F8214A34CD9B17912909AF46C7A47395DD7BB893A24507E59
5588	phf.pif	C:\Users\Public\Libraries\AnyDesk.pif		executable
		MD5:B465857AE91273991DD72307AF91A130	SHA256:9195F22B8899A2E762B0C3FB1E8C16841159644608B4FCA8A963C1D95ADAA365
3208	phf.pif	C:\Users\Public\AnyDesk.avi		text
		MD5:25033B898F4F4B7BADE231EB9AB4C4CE	SHA256:A403F7AEF97DC7C545FB1FF7B73E90741F22CAEC1972A38C273538BC4BF130D0
3640	AnyDesk.pif	C:\Users\Public\Libraries\Lqsrhpvh.mp3		executable
		MD5:F53FA44C7B591A2BE105344790543369	SHA256:BFC2EF3B404294FE2FA05A8B71C7F786B58519175B7202A69FE30F45E607FF1C
3640	AnyDesk.pif	C:\Windows \SysWOW64\NETUTILS.dll		executable
		MD5:3E09A81444C29DC7F3D8D2C79AF30D3A	SHA256:EAB451B09E71B7E508916C0445AD22FF68CCC3923E019A59208F9ED953C54240

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	303	142.250.185.78:443	https://drive.google.com/uc?export=download&id=1t9mWFr1AZhmKSOSp19tOMCH5dYI3hB2N	unknown	—	—	—
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.106:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4044	hvphrsqL.pif	POST	200	18.141.10.107:80	http://ssbzmoy.biz/d	unknown	—	—	malicious
4044	hvphrsqL.pif	POST	200	54.244.188.177:80	http://pywolwnvd.biz/fyasgrqndgaklklg	unknown	—	—	malicious
4044	hvphrsqL.pif	GET	200	193.122.130.0:80	http://checkip.dyndns.org/	unknown	—	—	malicious
4044	hvphrsqL.pif	POST	200	44.221.84.105:80	http://npukfztj.biz/msovyetpappwa	unknown	—	—	malicious
4044	hvphrsqL.pif	GET	200	193.122.130.0:80	http://checkip.dyndns.org/	unknown	—	—	malicious
4044	hvphrsqL.pif	POST	200	54.244.188.177:80	http://cvgrf.biz/xeo	unknown	—	—	unknown
4044	hvphrsqL.pif	POST	302	72.52.178.23:80	http://przvgke.biz/bxswjufnymfimff	unknown	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	unknown
—	—	92.123.104.21:443	www.bing.com	Akamai International B.V.	DE	unknown
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
4712	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	unknown
4712	MoUsoCoreWorker.exe	2.16.164.106:80	crl.microsoft.com	Akamai International B.V.	NL	unknown
4712	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3976	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3640	AnyDesk.pif	142.250.185.110:443	drive.google.com	GOOGLE	US	whitelisted

Domain	IP	Reputation
www.bing.com	92.123.104.21 92.123.104.17 92.123.104.19 92.123.104.16 92.123.104.20 92.123.104.26 92.123.104.23 92.123.104.27 92.123.104.18	whitelisted
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59	whitelisted
google.com	142.250.181.238	unknown
crl.microsoft.com	2.16.164.106 2.16.164.104 2.16.164.105 2.16.164.107 2.16.164.91 2.16.164.89 2.16.164.74 2.16.164.99 2.16.164.112	whitelisted
www.microsoft.com	23.35.229.160	unknown
drive.google.com	142.250.185.110	unknown
drive.usercontent.google.com	142.250.185.193	unknown
pywolwnvd.biz	54.244.188.177	malicious
ssbzmoy.biz	18.141.10.107	malicious
checkip.dyndns.org	193.122.130.0 132.226.247.73 193.122.6.168 158.101.44.242 132.226.8.169	shared

PID	Process	Class	Message
4044	hvphrsqL.pif	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
4044	hvphrsqL.pif	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
4044	hvphrsqL.pif	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
4044	hvphrsqL.pif	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
2192	svchost.exe	Device Retrieving External IP Address Detected	ET DYN_DNS External IP Lookup Domain in DNS Query (checkip .dyndns .org)
4044	hvphrsqL.pif	Device Retrieving External IP Address Detected	ET INFO External IP Lookup - checkip.dyndns.org
4044	hvphrsqL.pif	Device Retrieving External IP Address Detected	ET INFO 404/Snake/Matiex Keylogger Style External IP Check
2192	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
2192	svchost.exe	Misc activity	ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
4044	hvphrsqL.pif	Misc activity	ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI

General Info

REF--REQUIRED--ORDER-CONFIRMATIONS.cmd

05D564F76213F94C6013E2F5202FC1B8

0331BB25890D7188633716544BD4D27BF970F745

107F5B7D95B1D5DA610D6716545E5646F0C2B60E6E26E1BD835A862C6AFB3DEE

24576:Ya8rhD9oVoZdPTqp/lAGyC7lTQd5M77eaGYIcev3m0nA7RWELw2awORgyBBJaNuF:Ya8p9ooeiC7a5M77eUHz0D/h0GjLVTWG

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

Starts PowerShell from an unusual location

Changes the autorun value in the registry

GENERIC has been found (auto)

M0YV mutex has been found

Steals credentials from Web Browsers

SNAKEKEYLOGGER has been detected (SURICATA)

Actions looks like stealing of personal data

M0YV has been detected (YARA)

SUSPICIOUS

Likely accesses (executes) a file from the Public directory

Drops a file with a rarely used extension (PIF)

Executable content was dropped or overwritten

Starts application with an unusual extension

Starts itself from another location

Starts a Microsoft application from unusual location

Reads the date of Windows installation

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

There is functionality for taking screenshot (YARA)

Executing commands from ".cmd" file

Drops a system driver (possible attempt to evade defenses)

Process drops legitimate windows executable

Checks Windows Trust Settings

Checks for external IP

Connects to SMTP port

The process verifies whether the antivirus software is installed

INFO

Reads the computer name

Checks supported languages

Process checks computer location settings

Checks proxy server information

Compiled with Borland Delphi (YARA)

Reads the software policy settings

The sample compiled with english language support

Process checks Powershell version

Create files in a temporary directory

Reads the machine GUID from the registry

Reads Environment values

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Creates files or folders in the user directory

Disables trace logs

.NET Reactor protector has been detected

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information