Malware analysis streetfighterchampioneditionmodapk10.7z Malicious activity

Add for printing

File name:	streetfighterchampioneditionmodapk10.7z
Full analysis:	https://app.any.run/tasks/9aa73338-574f-4709-a641-bc31c6685dd0
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. CryptBot is an advanced Windows-targeting infostealer delivered via pirate sites with "cracked" software. It has been first observed in the wild in 2019. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims. Socks5systemz is a botnet that utilizes its infection capabilities to establish a network of compromised devices. These devices are then used to forward malicious traffic. The criminals behind this malware sell access to the infected endpoints to other threat actors. Socks5systemz maintains control over thousands of devices and communicates with them using specific commands. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. Malware Trends Tracker >>>
Analysis date:	September 23, 2024, 21:20:28
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion privateloader opendir loader lumma stealer stealc amadey botnet cryptbot goinjector crypto-regex vidar netreactor miner risepro themida socks5systemz proxy
Indicators:
MIME:	application/x-7z-compressed
File info:	7-zip archive data, version 0.4
MD5:	42C5B96710B44E6633B29931BCD007DD
SHA1:	EA28EA5598EACBF76F7343FE5211AF6C639FE7E9
SHA256:	8ECA52205588A09366DEC52820CBC53EEDC1C7F019199AEB79C844BB3BA3DC80
SSDEEP:	98304:h6yGCEOOtJi4L1ZNMgkvTAT7zyPufnJdPrkBJiWcQWeGWss234B10YgWx23UfDmc:ejvFmt2H/UkxWAMKzktjH9d

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Actions looks like stealing of personal data
  - Fbi.pif (PID: 6872)
- PRIVATELOADER has been detected (SURICATA)
  - Fbi.pif (PID: 6872)
- GOINJECTOR has been detected (YARA)
  - E8kw24SF9bXjiO878PSV1RZ7.exe (PID: 2976)
- Connects to the CnC server
  - Fbi.pif (PID: 6872)
  - RegAsm.exe (PID: 3036)
  - axplong.exe (PID: 6528)
  - _OKL_rdYhkp6NL8Y3h7cLxYv.exe (PID: 6960)
  - RegAsm.exe (PID: 4044)
- CRYPTBOT has been detected (YARA)
  - _OKL_rdYhkp6NL8Y3h7cLxYv.exe (PID: 6960)
- Uses Task Scheduler to run other applications
  - JxqyWseDoMtfooURak7ZGdG9.exe (PID: 3936)
  - _OKL_rdYhkp6NL8Y3h7cLxYv.exe (PID: 6960)
- Uses Task Scheduler to autorun other applications
  - JxqyWseDoMtfooURak7ZGdG9.exe (PID: 3936)
- LUMMA has been detected (SURICATA)
  - RegAsm.exe (PID: 2360)
  - RegAsm.exe (PID: 6756)
  - RegAsm.exe (PID: 6616)
  - RegAsm.exe (PID: 2352)
- STEALC has been detected (SURICATA)
  - RegAsm.exe (PID: 3036)
- VIDAR has been detected (YARA)
  - RegAsm.exe (PID: 6844)
- Stealers network behavior
  - RegAsm.exe (PID: 3036)
  - RegAsm.exe (PID: 2360)
  - RegAsm.exe (PID: 6756)
  - RegAsm.exe (PID: 6616)
  - RegAsm.exe (PID: 4044)
  - JxqyWseDoMtfooURak7ZGdG9.exe (PID: 3936)
  - RegAsm.exe (PID: 2352)
- AMADEY has been detected (YARA)
  - axplong.exe (PID: 6528)
- AMADEY has been detected (SURICATA)
  - axplong.exe (PID: 6528)
- CRYPTBOT has been detected (SURICATA)
  - _OKL_rdYhkp6NL8Y3h7cLxYv.exe (PID: 6960)
- VIDAR has been detected (SURICATA)
  - RegAsm.exe (PID: 4044)
- MINER has been detected (SURICATA)
  - svchost.exe (PID: 2256)
- RISEPRO has been detected (SURICATA)
  - JxqyWseDoMtfooURak7ZGdG9.exe (PID: 3936)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 6496)
  - appFile.exe (PID: 1884)
  - Fbi.pif (PID: 6872)
- Application launched itself
  - WinRAR.exe (PID: 6496)
  - cmd.exe (PID: 6528)
  - Fbi.pif (PID: 3108)
  - JxqyWseDoMtfooURak7ZGdG9.exe (PID: 32)
- Executing commands from a ".bat" file
  - appFile.exe (PID: 1884)
- Starts CMD.EXE for commands execution
  - appFile.exe (PID: 1884)
  - cmd.exe (PID: 6528)
  - RegAsm.exe (PID: 3036)
  - RegAsm.exe (PID: 4044)
- Get information on the list of running processes
  - cmd.exe (PID: 6528)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 6528)
- Starts application with an unusual extension
  - cmd.exe (PID: 6528)
  - Fbi.pif (PID: 3108)
- Executable content was dropped or overwritten
  - cmd.exe (PID: 6528)
  - Fbi.pif (PID: 6872)
  - A2NAbIXy9Z6yruVmQGAlV1pf.exe (PID: 1948)
  - A2NAbIXy9Z6yruVmQGAlV1pf.tmp (PID: 5112)
  - nikkitosscreenrecorder32_64.exe (PID: 1332)
  - z70byU47OReWCAPhaCCsQeQ4.exe (PID: 1920)
  - RegAsm.exe (PID: 3036)
  - gHu5dWyTTLuGLFgCYrTqlruK.exe (PID: 3812)
  - orpqcnvisucm.exe (PID: 7052)
  - RegAsm.exe (PID: 4044)
  - JxqyWseDoMtfooURak7ZGdG9.exe (PID: 3936)
  - BFHIJEBKEB.exe (PID: 6392)
  - IDSM.exe (PID: 6416)
- Drops a file with a rarely used extension (PIF)
  - cmd.exe (PID: 6528)
- The executable file from the user directory is run by the CMD process
  - Fbi.pif (PID: 3108)
- Potential Corporate Privacy Violation
  - Fbi.pif (PID: 6872)
  - svchost.exe (PID: 2256)
  - RegAsm.exe (PID: 3036)
  - RegAsm.exe (PID: 4044)
- Checks for external IP
  - svchost.exe (PID: 2256)
  - Fbi.pif (PID: 6872)
  - IDSM.exe (PID: 6416)
- Checks Windows Trust Settings
  - Fbi.pif (PID: 6872)
- Connects to the server without a host name
  - Fbi.pif (PID: 6872)
- Process requests binary or script from the Internet
  - Fbi.pif (PID: 6872)
- Starts itself from another location
  - z70byU47OReWCAPhaCCsQeQ4.exe (PID: 1920)
  - BFHIJEBKEB.exe (PID: 6392)
  - IDSM.exe (PID: 6416)
- Process drops legitimate windows executable
  - A2NAbIXy9Z6yruVmQGAlV1pf.tmp (PID: 5112)
  - RegAsm.exe (PID: 3036)
- The process drops C-runtime libraries
  - A2NAbIXy9Z6yruVmQGAlV1pf.tmp (PID: 5112)
  - RegAsm.exe (PID: 3036)
- The process drops Mozilla's DLL files
  - RegAsm.exe (PID: 3036)
- Found regular expressions for crypto-addresses (YARA)
  - E8kw24SF9bXjiO878PSV1RZ7.exe (PID: 2976)
  - service123.exe (PID: 368)
- There is functionality for communication over UDP network (YARA)
  - E8kw24SF9bXjiO878PSV1RZ7.exe (PID: 2976)
- Uses powercfg.exe to modify the power settings
  - gHu5dWyTTLuGLFgCYrTqlruK.exe (PID: 3812)
  - orpqcnvisucm.exe (PID: 7052)
- Starts SC.EXE for service management
  - gHu5dWyTTLuGLFgCYrTqlruK.exe (PID: 3812)
- Executes as Windows Service
  - orpqcnvisucm.exe (PID: 7052)
- Drops a system driver (possible attempt to evade defenses)
  - orpqcnvisucm.exe (PID: 7052)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 6432)
- Contacting a server suspected of hosting an CnC
  - RegAsm.exe (PID: 3036)
  - axplong.exe (PID: 6528)
  - JxqyWseDoMtfooURak7ZGdG9.exe (PID: 3936)
- The process executes via Task Scheduler
  - axplong.exe (PID: 2340)
  - service123.exe (PID: 5516)
  - axplong.exe (PID: 2352)
  - service123.exe (PID: 4688)
- Crypto Currency Mining Activity Detected
  - svchost.exe (PID: 2256)
INFO
- Create files in a temporary directory
  - appFile.exe (PID: 1884)
- The process uses the downloaded file
  - WinRAR.exe (PID: 6592)
  - WinRAR.exe (PID: 6496)
  - appFile.exe (PID: 1884)
- Checks supported languages
  - appFile.exe (PID: 1884)
  - Fbi.pif (PID: 3108)
  - Fbi.pif (PID: 6872)
- Reads the computer name
  - appFile.exe (PID: 1884)
  - Fbi.pif (PID: 3108)
  - Fbi.pif (PID: 6872)
- Process checks computer location settings
  - appFile.exe (PID: 1884)
  - Fbi.pif (PID: 6872)
- Manual execution by a user
  - appFile.exe (PID: 1884)
- Reads mouse settings
  - Fbi.pif (PID: 3108)
- Reads the machine GUID from the registry
  - Fbi.pif (PID: 6872)
- Creates files or folders in the user directory
  - Fbi.pif (PID: 6872)
- Reads the software policy settings
  - Fbi.pif (PID: 6872)
- Checks proxy server information
  - Fbi.pif (PID: 6872)
- .NET Reactor protector has been detected
  - JxqyWseDoMtfooURak7ZGdG9.exe (PID: 32)
  - JxqyWseDoMtfooURak7ZGdG9.exe (PID: 3936)
- Themida protector has been detected
  - axplong.exe (PID: 6528)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

CryptBot

(PID) Process(6960) _OKL_rdYhkp6NL8Y3h7cLxYv.exe

C2 (1)tventyvf20vs.top

Strings (364)/c schtasks /create /tn \Service\Data /tr """"%wS""" """%wS"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f

RmGetList

WinHttpReadDataEx

GetModuleHandleA

strtod

ExtractFilesA

log.txt

shlwapi.dll

WinHttpSendRequest

DISPLAY

swprintf_s

DuplicateHandle

WaitForSingleObject

LocalAlloc

CreateDirectoryW

RmRegisterResources

Files

RegEnumKeyExA

GetSystemInfo

SHCreateMemStream

FindFirstFileNameA

winhttp.dll

Process32FirstW

GetDiskFreeSpaceExA

VirtualProtect

LocalFree

GdipGetImageEncoders

InternetConnectW

HttpSendRequestW

An error occurred while starting the application (0xc000007b). To exit the application, click OK.

FindClose

PathIsDirectoryA

UserProfile

GetCurrentThread

GetThreadId

realloc

WriteConsoleA

HeapSize

VirtualFree

Apps

GetFileAttributesW

CloseHandle

GdipLoadImageFromFile

wininet.dll

htons

HeapFree

winsqlite3.dll

InternetCrackUrlW

InternetOpenW

LocalAppData

CreateProcessW

wprintf

GlobalMemoryStatusEx

StrStrIA

SetErrorMode

msvcrt.dll

"encrypted_key":"

OpenThread

ole32.dll

\qDUWTLsorM

IsWow64Process

RmEndSession

GetCurrentDirectoryA

CreateRemoteThread

HttpQueryInfoA

vswprintf

HTTPS

PathIsDirectoryW

GetDIBits

CreateRemoteThreadEx

FCIFlushFolder

GdipCreateBitmapFromHBITMAP

\ServiceData\Clip.au3

gdiplus.dll

HttpQueryInfoW

GetObjectA

gdi32.dll

RemoveDirectoryA

/index.php

CoUninitialize

GetComputerNameA

URLOpenBlockingStreamW

FileTimeToSystemTime

calloc

GetFileAttributesA

advapi32.dll

ReadFile

RegQueryInfoKeyA

InternetConnectA

inet_addr

LoadLibraryExA

InternetOpenA

GetDiskFreeSpaceExW

LoadLibraryW

NULL

socket

printf

CreateDirectoryA

Extract

GetNativeSystemInfo

tventyvf20vs.top

SystemTimeToFileTime

FindFirstFileW

GdipGetImageEncodersSize

FindNextFileA

RegQueryValueExW

sprintf_s

\ServiceData\Clip.exe

IsWow64Process2

SaveImageToStream

WinHttpQueryOption

GetSystemMetrics

ReadConsoleA

SetFilePointer

MoveFileA

_swprintf

crypt32.dll

_snwprintf_s

CopyFileExA

HeapReAlloc

GetTickCount64

WriteConsoleW

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

HeapAlloc

GetLogicalDriveStringsW

ShellExecuteW

advpack.dll

StrStrIW

recvfrom

\ServiceData

ReleaseDC

BitBlt

free

kernel32.dll

curl/8.0.1

CopyFileExW

GetDeviceCaps

GetEnvironmentVariableW

RegQueryValueExA

GetCurrentDirectoryW

bind

WriteFile

GetBitmapBits

FreeLibrary

GetSystemWow64DirectoryW

InternetOpenUrlA

/zip.php

RmStartSession

InternetCrackUrlA

ComSpec

WinHttpQueryHeaders

GetCurrentProcess

atoi

MultiByteToWideChar

rstrtmgr.dll

LoadLibraryA

swprintf

FindFirstFileA

WideCharToMultiByte

FindFirstFileNameW

PathFileExistsW

vsnprintf

_snwprintf

VirtualAlloc

shell32.dll

UserID.txt

PathFileExistsA

CreateFileA

clock

GetLocaleInfoA

MessageBoxA

Process32NextW

ReleaseMutex

SHUnicodeToAnsi

ExitProcess

ExpandEnvironmentStringsA

wsprintfA

DeleteObject

SHAnsiToUnicode

AppData

GetModuleFileNameA

WinHttpSetOption

Others

CreateFileW

CreateFileMappingA

CreateMutexA

IsBadReadPtr

sprintf

CoInitialize

closesocket

GetLogicalDriveStringsA

ReadConsoleW

DPAPI

GetEnvironmentVariableA

SleepEx

HTTP

GetComputerNameW

MoveFileExW

GetTimeZoneInformation

EnumDisplaySettingsW

FindNextFileNameA

RegQueryInfoKeyW

CreateToolhelp32Snapshot

IStream_Read

WinHttpCloseHandle

IStream_Size

WinHttpAddRequestHeaders

GetCommandLineW

WinExec

RtlGetVersion

GetModuleFileNameExA

GetFileAttributesExW

VirtualProtectEx

Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko

URLDownloadToFileW

VirtualFreeEx

CreateMutexW

User's Computer Information.txt

FileTimeToDosDateTime

analforeverlovyu.top

IStream_Reset

Process32FirstA

WinHttpConnect

GetFileInformationByHandle

Browsers

GetProcAddress

URLDownloadToFileA

CopyFileA

GetVolumeInformationA

_vscwprintf

_wtoi

GdiplusShutdown

CreateThread

Process32NextA

QueryPerformanceCounter

StretchBlt

GetModuleHandleExW

GetTempPathW

UnmapViewOfFile

RegCloseKey

GetLocaleInfoW

MapViewOfFile

End.txt

GetProcessId

send

_vscprintf

GetCommandLineA

WinHttpCrackUrl

GetUserNameA

FindFirstFileExW

SHGetFolderPathW

GetProcessHeap

GetFileSize

DeleteFileA

GetTempFileNameW

ExitThread

user32.dll

CreateStreamOnHGlobal

InternetCloseHandle

GetLocalTime

WinHttpReadData

GetTickCount

RegOpenKeyExW

TerminateProcess

wnsprintfA

FCIAddFile

OpenProcess

LoadLibraryExW

WSACleanup

GetTempPathA

SelectObject

GdipSaveImageToStream

/v1/upload.php

Debug.txt

GetModuleFileNameW

DeleteDC

CopyFileW

WinHttpReceiveResponse

$CREEN.JPEG

SHGetFolderPathA

GdipSaveImageToFile

RegEnumKeyExW

GetDriveTypeW

ExpandEnvironmentStringsW

WSAStartup

WSAGetLastError

FindNextFileW

InternetReadFileExW

CreateCompatibleBitmap

GetUserDefaultLocaleName

GdiplusStartup

VirtualAllocEx

abs

GetModuleHandleW

FindNextFileNameW

RemoveDirectoryW

_snprintf

HeapCreate

FCICreate

FCIDestroy

MoveFileW

GET

Wallets

ntdll.dll

CreateCompatibleDC

cabinet.dll

GetUserNameW

listen

SetFilePointerEx

CreateFileMappingW

RegOpenKeyExA

recv

GetModuleFileNameExW

DeleteFileW

FCIFlushCabinet

POST

FindFirstFileExA

ScreenShot.jpeg

ws2_32.dll

Content-Length: %lu

InternetOpenUrlW

HttpOpenRequestW

Desktop

ShellExecuteA

GetDriveTypeA

GetFileAttributesExA

InternetReadFile

WinHttpOpen

InternetReadFileExA

ExtractFilesW

GetSystemDirectoryA

CryptUnprotectData

GetLastError

CreateDCW

HttpOpenRequestA

GetFileSizeEx

GetTempFileNameA

URLOpenBlockingStreamA

GetObjectW

GetKeyboardLayoutList

GetSystemDirectoryW

wsprintfW

MessageBoxW

CreateProcessA

GetVolumeInformationW

isspace

GetModuleHandleExA

GetSystemWow64DirectoryA

System Error

CreateDCA

malloc

WinHttpOpenRequest

EnumDisplaySettingsA

Sleep

Temp

HttpSendRequestA

wnsprintfW

LkgwUi

GetConsoleMode

/gate.php

GetExitCodeThread

MoveFileExA

urlmon.dll

Vidar

(PID) Process(6844) RegAsm.exe

C2https://t.me/ae5ed

URLhttps://steamcommunity.com/profiles/76561199780418869

RC40123456789ABCDEF

Amadey

(PID) Process(6528) axplong.exe

C2185.215.113.16

URLhttp://185.215.113.16/Jo89Ku7d/index.php

Version4.41

Options

Drop directory44111dbc49

Drop nameaxplong.exe

Strings (119)VideoID

st=s

id:

" Content-Type: application/octet-stream

2022

exe

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

-unicode-

<d>

Doctor Web

AVG

4.41

dll

Main

Norton

185.215.113.16

" && ren

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

&unit=

/Plugins/

cred.dll

ProgramData\

rundll32.exe

cmd

vs:

DefaultSettings.XResolution

random

?scr=1

GetNativeSystemInfo

axplong.exe

%-lu

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

og:

Powershell.exe

" && timeout 1 && del

/quiet

AVAST Software

360TotalSecurity

dm:

Comodo

Sophos

GET

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

lv:

Rem

Content-Disposition: form-data; name="data"; filename="

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Bitdefender

DefaultSettings.YResolution

un:

https://

SYSTEM\ControlSet001\Services\BasicDisplay\Video

shutdown -s -t 0

ProductName

sd:

"taskkill /f /im "

&& Exit"

Panda Security

http://

POST

Content-Type: application/x-www-form-urlencoded

ComputerName

------

0123456789

CurrentBuild

rundll32

cred.dll|clip.dll|

.jpg

clip.dll

kernel32.dll

:::

S-%lu-

WinDefender

ar:

Kaspersky Lab

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

\App

SOFTWARE\Microsoft\Windows NT\CurrentVersion

44111dbc49

\0000

-%lu

os:

-executionpolicy remotesigned -File "

ESET

------

pc:

+++

Content-Type: multipart/form-data; boundary=----

av:

cmd /C RMDIR /s/q

ps1

Programs

%USERPROFILE%

zip

<c>

bi:

msi

Startup

Avira

shell32.dll

/Jo89Ku7d/index.php

abcdefghijklmnopqrstuvwxyz0123456789-_

2016

2019

No Malware configuration.

Add for printing

TRiD

.7z	\|	7-Zip compressed archive (v0.4) (57.1)
.7z	\|	7-Zip compressed archive (gen) (42.8)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

235

Monitored processes

107

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

C:\Users\admin\Documents\iofolko5\JxqyWseDoMtfooURak7ZGdG9.exe

Fbi.pif

User:

admin

Company:

V7sYNJPJiw0OZ

Integrity Level:

HIGH

Description:

BotClient

Exit code:

Version:

3.9.2.3

Modules

Images
c:\users\admin\documents\iofolko5\jxqywsedomtfoourak7zgdg9.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

368

"C:\Users\admin\AppData\Local\Temp\service123.exe"

C:\Users\admin\AppData\Local\Temp\service123.exe

_OKL_rdYhkp6NL8Y3h7cLxYv.exe

User:

admin

Integrity Level:

HIGH

644

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

adminAFBKKFBAEG.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

736

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

sc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

936

"C:\ProgramData\JEHIJDGIEB.exe"

C:\ProgramData\JEHIJDGIEB.exe

—

RegAsm.exe

User:

admin

Company:

Production subsumption

Integrity Level:

HIGH

Description:

protestations wonk separationist

Exit code:

Version:

1.0.0.0

Modules

Images
c:\programdata\jehijdgieb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

1128

findstr /V "RenderingAnywhereBedfordRemained" Studied

C:\Windows\SysWOW64\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Find String (QGREP) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1236

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

schtasks.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1332

"C:\Users\admin\AppData\Local\Nikkitos Screen Recorder\nikkitosscreenrecorder32_64.exe" -i

C:\Users\admin\AppData\Local\Nikkitos Screen Recorder\nikkitosscreenrecorder32_64.exe

A2NAbIXy9Z6yruVmQGAlV1pf.tmp

User:

admin

Company:

DX Software

Integrity Level:

HIGH

Description:

DX Media Station

Version:

2.4.9.23

Modules

Images
c:\users\admin\appdata\local\nikkitos screen recorder\nikkitosscreenrecorder32_64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\imm32.dll

1344

tasklist

C:\Windows\SysWOW64\tasklist.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Lists the current running tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1384

schtasks /create /f /RU "admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

—

JxqyWseDoMtfooURak7ZGdG9.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

Add for printing

Total events

20 183

Read events

20 082

Write events

Delete events

Modification events


(PID) Process:	(6496) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6496) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\streetfighterchampioneditionmodapk10.7z
(PID) Process:	(6496) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6496) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6496) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6496) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6592) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(6592) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6592) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\streetfighterchampioneditionmodapk10.7z
(PID) Process:	(6592) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Rar$DIa6496.25011\675.7z

Add for printing

Executable files

Suspicious files

890

Text files

147

Unknown types

Dropped files

PID	Process	Filename		Type
6496	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa6496.25011\675.7z		—
		MD5:—	SHA256:—
6592	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6592.25950\appFile.exe		—
		MD5:—	SHA256:—
1884	appFile.exe	C:\Users\admin\AppData\Local\Temp\Studied		binary
		MD5:94DE7AA90AEB275DBDB8D6008DB714C2	SHA256:94254CF2FAA6D7A4FAF0DA538AABA447248EFD7F3A09C4B57A617598262BEA03
1884	appFile.exe	C:\Users\admin\AppData\Local\Temp\Expectations		binary
		MD5:9A81EF0267A24CFAED899700185A0220	SHA256:6A581593533463D5EB392A1407EC687BF458090F153FABB7B7459E50477E049D
1884	appFile.exe	C:\Users\admin\AppData\Local\Temp\Lauren		binary
		MD5:B4B4CE8BFDB6AB313434FFAEA1E24098	SHA256:520B89AAADE3A3FD174D36CACECCC493DE8D92AE0494EB635C04933FE4E86BE6
1884	appFile.exe	C:\Users\admin\AppData\Local\Temp\Continuously		binary
		MD5:F54EB0E54B777D12F3DEEDF2FED342CF	SHA256:6F390507CEB8701E7304678174BD9B9BE07BC4FC2106E961EA9574D896313603
1884	appFile.exe	C:\Users\admin\AppData\Local\Temp\Chorus		binary
		MD5:F446E0BACEFA10F6003888C9088F0BFB	SHA256:5B61C5A176F61B4AE0A291D53CBFC41266CA8D7A74CCDF769C001852903340D7
1884	appFile.exe	C:\Users\admin\AppData\Local\Temp\Learn		binary
		MD5:DCC58514C1D78F1012CB469955D72E05	SHA256:8ACF684697C0A9CBEEC5FE4FED3BDB513051FC79CEC6B860A0B086DE2FCFD63D
1884	appFile.exe	C:\Users\admin\AppData\Local\Temp\Flags		binary
		MD5:FEAE943CBD3156CC8FCA5D83053163AB	SHA256:A8189BCC025BD66585170F659B6ED05A77C86B718C5E64AA2EBDFE0DC9F09E5C
1884	appFile.exe	C:\Users\admin\AppData\Local\Temp\Reflected		binary
		MD5:D01B20D06CAF95D4AEABE3F6FAE033E2	SHA256:EA41B712818D30FDF3782C348135865A956D9990D5DE48CB31EAF8804D7F27D4

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

547

TCP/UDP connections

140

DNS requests

Threats

699

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5376	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6176	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6800	SIHClient.exe	GET	200	2.17.245.133:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6872	Fbi.pif	HEAD	200	194.116.215.195:80	http://194.116.215.195/File.exe	unknown	—	—	unknown
6872	Fbi.pif	POST	200	45.91.200.135:80	http://45.91.200.135/api/wp-admin.php	unknown	—	—	unknown
6800	SIHClient.exe	GET	200	2.17.245.133:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6872	Fbi.pif	HEAD	404	179.43.188.227:80	http://240922164748184.tyr.zont16.com/f/fikbam0922184.exe	unknown	—	—	unknown
6872	Fbi.pif	HEAD	200	147.45.44.104:80	http://147.45.44.104/revada/66f16eabb7054_ttt.exe#rrr	unknown	—	—	suspicious
6872	Fbi.pif	POST	200	45.91.200.135:80	http://45.91.200.135/api/wp-admin.php	unknown	—	—	unknown
6872	Fbi.pif	GET	200	45.91.200.135:80	http://45.91.200.135/api/wp-ping.php	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6176	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4044	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	20.42.65.88:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
—	—	92.123.104.9:443	—	Akamai International B.V.	DE	unknown
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6176	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6176	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2 20.73.194.208	whitelisted
google.com	172.217.16.206	whitelisted
www.microsoft.com	95.101.149.131 2.17.245.133	whitelisted
login.live.com	20.190.159.73 20.190.159.71 20.190.159.2 40.126.31.69 20.190.159.68 40.126.31.73 40.126.31.67 40.126.31.71	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
slscr.update.microsoft.com	13.85.23.86	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
VPIsLXYpbVZEi.VPIsLXYpbVZEi	—	unknown
nexusrules.officeapps.live.com	52.111.227.11	whitelisted
api64.ipify.org	173.231.16.77 104.237.62.213	unknown

Threats

PID	Process	Class	Message
2256	svchost.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
6872	Fbi.pif	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
6872	Fbi.pif	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
6872	Fbi.pif	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
2256	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
6872	Fbi.pif	A Network Trojan was detected	LOADER [ANY.RUN] PrivateLoader Check-in
6872	Fbi.pif	A Network Trojan was detected	LOADER [ANY.RUN] PrivateLoader Check-in
6872	Fbi.pif	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
6872	Fbi.pif	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
6872	Fbi.pif	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host

4 ETPRO signatures available at the full report

Add for printing

Process	Message
z70byU47OReWCAPhaCCsQeQ4.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------

General Info

streetfighterchampioneditionmodapk10.7z

42C5B96710B44E6633B29931BCD007DD

EA28EA5598EACBF76F7343FE5211AF6C639FE7E9

8ECA52205588A09366DEC52820CBC53EEDC1C7F019199AEB79C844BB3BA3DC80

98304:h6yGCEOOtJi4L1ZNMgkvTAT7zyPufnJdPrkBJiWcQWeGWss234B10YgWx23UfDmc:ejvFmt2H/UkxWAMKzktjH9d

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

PRIVATELOADER has been detected (SURICATA)

GOINJECTOR has been detected (YARA)

Connects to the CnC server

CRYPTBOT has been detected (YARA)

Uses Task Scheduler to run other applications

Uses Task Scheduler to autorun other applications

LUMMA has been detected (SURICATA)

STEALC has been detected (SURICATA)

VIDAR has been detected (YARA)

Stealers network behavior

AMADEY has been detected (YARA)

AMADEY has been detected (SURICATA)

CRYPTBOT has been detected (SURICATA)

VIDAR has been detected (SURICATA)

MINER has been detected (SURICATA)

RISEPRO has been detected (SURICATA)

SUSPICIOUS

Reads security settings of Internet Explorer

Application launched itself

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Get information on the list of running processes

Using 'findstr.exe' to search for text patterns in files and output

Starts application with an unusual extension

Executable content was dropped or overwritten

Drops a file with a rarely used extension (PIF)

The executable file from the user directory is run by the CMD process

Potential Corporate Privacy Violation

Checks for external IP

Checks Windows Trust Settings

Connects to the server without a host name

Process requests binary or script from the Internet

Starts itself from another location

Process drops legitimate windows executable

The process drops C-runtime libraries

The process drops Mozilla's DLL files

Found regular expressions for crypto-addresses (YARA)

There is functionality for communication over UDP network (YARA)

Uses powercfg.exe to modify the power settings

Starts SC.EXE for service management

Executes as Windows Service

Drops a system driver (possible attempt to evade defenses)

Uses TIMEOUT.EXE to delay execution

Contacting a server suspected of hosting an CnC

The process executes via Task Scheduler

Crypto Currency Mining Activity Detected

INFO

Create files in a temporary directory

The process uses the downloaded file

Checks supported languages

Reads the computer name

Process checks computer location settings

Manual execution by a user

Reads mouse settings

Reads the machine GUID from the registry

Creates files or folders in the user directory

Reads the software policy settings

Checks proxy server information

.NET Reactor protector has been detected

Themida protector has been detected

Malware configuration

CryptBot

Vidar

Amadey

Static information

TRiD

Video and screenshots