Malware analysis SecuriteInfo.com.IL.Trojan.MSILZilla.30386.5839.12065 Malicious activity

Add for printing

File name:	SecuriteInfo.com.IL.Trojan.MSILZilla.30386.5839.12065
Full analysis:	https://app.any.run/tasks/d597c738-4b92-4475-a149-df177b3d5e83
Verdict:	Malicious activity
Threats:	GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. WhiteSnake is a stealer with advanced remote access capabilities. The attackers using this malicious software can control infected computers and carry out different malicious activities, including stealing sensitive files and data, recording audio, and logging keystrokes. WhiteSnake is sold on underground forums and often spreads through phishing emails. Malware Trends Tracker >>>
Analysis date:	November 15, 2023, 07:46:54
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	loader gcleaner stealer onlylogger evasion whitesnake
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	DCA73D055E1BFC4466BC9AC6A4F4F90B
SHA1:	E63E7CB07F36D6583987EB5AF74F68320C901BB8
SHA256:	93F4F7DD1458EBC9CAA287FE4A81737A417A75AB8E3A4A150C5C907F87B51D11
SSDEEP:	196608:xKmT98xz/10NbNUKMfyN6ofcUoihFpou5vjMq1tCm:3TIyLfJlNfvQE/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Adds path to the Windows Defender exclusion list
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.5839.12065.exe (PID: 2328)
- Create files in the Startup directory
  - CasPol.exe (PID: 2920)
- Drops the executable file immediately after the start
  - CasPol.exe (PID: 2920)
  - vLGsUt9SwXE2p7v4tsuKahV9.exe (PID: 1392)
  - vKIE4RSQtOrCmfs79KbAurqx.exe (PID: 1628)
  - Install.exe (PID: 2412)
  - JKsOjJsHpFYJQkU4BSnnhkFS.exe (PID: 364)
  - Install.exe (PID: 2708)
  - jsc.exe (PID: 2956)
- GCLEANER has been detected (SURICATA)
  - JKsOjJsHpFYJQkU4BSnnhkFS.exe (PID: 364)
- Steals credentials
  - vLGsUt9SwXE2p7v4tsuKahV9.exe (PID: 1392)
- Uses Task Scheduler to run other applications
  - Install.exe (PID: 2708)
  - wlaIANC.exe (PID: 2480)
- Run PowerShell with an invisible window
  - powershell.EXE (PID: 848)
  - powershell.EXE (PID: 2828)
  - powershell.EXE (PID: 1068)
- ONLYLOGGER has been detected (YARA)
  - JKsOjJsHpFYJQkU4BSnnhkFS.exe (PID: 364)
- Actions looks like stealing of personal data
  - vLGsUt9SwXE2p7v4tsuKahV9.exe (PID: 1392)
  - build.exe (PID: 2484)
  - wlaIANC.exe (PID: 2480)
- Starts CMD.EXE for self-deleting
  - JKsOjJsHpFYJQkU4BSnnhkFS.exe (PID: 364)
  - build.exe (PID: 2484)
- Creates a writable file the system directory
  - wlaIANC.exe (PID: 2480)
- WHITESNAKE has been detected (SURICATA)
  - build.exe (PID: 2484)
SUSPICIOUS
- Reads the Internet Settings
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.5839.12065.exe (PID: 2328)
  - CasPol.exe (PID: 2920)
  - JKsOjJsHpFYJQkU4BSnnhkFS.exe (PID: 364)
  - vLGsUt9SwXE2p7v4tsuKahV9.exe (PID: 1392)
  - Install.exe (PID: 2708)
  - 3478600521.exe (PID: 2300)
  - powershell.EXE (PID: 848)
  - jsc.exe (PID: 2956)
  - build.exe (PID: 2484)
  - powershell.EXE (PID: 2828)
  - powershell.EXE (PID: 1068)
- Starts POWERSHELL.EXE for commands execution
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.5839.12065.exe (PID: 2328)
- Script adds exclusion path to Windows Defender
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.5839.12065.exe (PID: 2328)
- Reads settings of System Certificates
  - CasPol.exe (PID: 2920)
  - vLGsUt9SwXE2p7v4tsuKahV9.exe (PID: 1392)
  - 3478600521.exe (PID: 2300)
  - JKsOjJsHpFYJQkU4BSnnhkFS.exe (PID: 364)
  - build.exe (PID: 2484)
- Process requests binary or script from the Internet
  - CasPol.exe (PID: 2920)
  - JKsOjJsHpFYJQkU4BSnnhkFS.exe (PID: 364)
- Connects to the server without a host name
  - CasPol.exe (PID: 2920)
  - JKsOjJsHpFYJQkU4BSnnhkFS.exe (PID: 364)
- Application launched itself
  - JKsOjJsHpFYJQkU4BSnnhkFS.exe (PID: 2472)
- Reads security settings of Internet Explorer
  - vLGsUt9SwXE2p7v4tsuKahV9.exe (PID: 1392)
  - 3478600521.exe (PID: 2300)
- Checks Windows Trust Settings
  - vLGsUt9SwXE2p7v4tsuKahV9.exe (PID: 1392)
  - 3478600521.exe (PID: 2300)
- Drops 7-zip archiver for unpacking
  - CasPol.exe (PID: 2920)
  - vKIE4RSQtOrCmfs79KbAurqx.exe (PID: 1628)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - vLGsUt9SwXE2p7v4tsuKahV9.exe (PID: 1392)
  - build.exe (PID: 2484)
- Searches for installed software
  - vLGsUt9SwXE2p7v4tsuKahV9.exe (PID: 1392)
  - build.exe (PID: 2484)
- Starts itself from another location
  - vKIE4RSQtOrCmfs79KbAurqx.exe (PID: 1628)
- Starts CMD.EXE for commands execution
  - forfiles.exe (PID: 2300)
  - forfiles.exe (PID: 2276)
  - JKsOjJsHpFYJQkU4BSnnhkFS.exe (PID: 364)
  - build.exe (PID: 2484)
  - wlaIANC.exe (PID: 2480)
- Found strings related to reading or modifying Windows Defender settings
  - forfiles.exe (PID: 2276)
  - forfiles.exe (PID: 2300)
  - wlaIANC.exe (PID: 2480)
- Reads the BIOS version
  - Install.exe (PID: 2708)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 2836)
  - cmd.exe (PID: 2084)
  - cmd.exe (PID: 1088)
  - cmd.exe (PID: 1680)
- The process executes via Task Scheduler
  - powershell.EXE (PID: 848)
  - wlaIANC.exe (PID: 2480)
  - powershell.EXE (PID: 2828)
  - powershell.EXE (PID: 1068)
- Executes as Windows Service
  - raserver.exe (PID: 2548)
  - raserver.exe (PID: 1724)
- Reads browser cookies
  - build.exe (PID: 2484)
- Uses NETSH.EXE to obtain data on the network
  - cmd.exe (PID: 2856)
  - cmd.exe (PID: 2304)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 2856)
  - cmd.exe (PID: 2304)
- Checks for external IP
  - build.exe (PID: 2484)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 872)
- Accesses Microsoft Outlook profiles
  - build.exe (PID: 2484)
- Starts application with an unusual extension
  - cmd.exe (PID: 2304)
  - cmd.exe (PID: 2856)
  - cmd.exe (PID: 3044)
- Connects to unusual port
  - build.exe (PID: 2484)
INFO
- Reads the machine GUID from the registry
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.5839.12065.exe (PID: 2328)
  - CasPol.exe (PID: 2920)
  - JKsOjJsHpFYJQkU4BSnnhkFS.exe (PID: 364)
  - vLGsUt9SwXE2p7v4tsuKahV9.exe (PID: 1392)
  - o6PwSriT1os7ikdesBhAxVo9.exe (PID: 2864)
  - Install.exe (PID: 2708)
  - 3478600521.exe (PID: 2300)
  - jsc.exe (PID: 2956)
  - build.exe (PID: 2484)
- Checks supported languages
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.5839.12065.exe (PID: 2328)
  - CasPol.exe (PID: 2920)
  - vLGsUt9SwXE2p7v4tsuKahV9.exe (PID: 1392)
  - JKsOjJsHpFYJQkU4BSnnhkFS.exe (PID: 2472)
  - JKsOjJsHpFYJQkU4BSnnhkFS.exe (PID: 364)
  - o6PwSriT1os7ikdesBhAxVo9.exe (PID: 2864)
  - vKIE4RSQtOrCmfs79KbAurqx.exe (PID: 1628)
  - Install.exe (PID: 2412)
  - Install.exe (PID: 2708)
  - 3478600521.exe (PID: 2300)
  - jsc.exe (PID: 2956)
  - build.exe (PID: 2484)
  - chcp.com (PID: 2396)
  - chcp.com (PID: 2008)
  - chcp.com (PID: 2992)
  - wlaIANC.exe (PID: 2480)
- Reads the computer name
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.5839.12065.exe (PID: 2328)
  - CasPol.exe (PID: 2920)
  - vLGsUt9SwXE2p7v4tsuKahV9.exe (PID: 1392)
  - JKsOjJsHpFYJQkU4BSnnhkFS.exe (PID: 364)
  - o6PwSriT1os7ikdesBhAxVo9.exe (PID: 2864)
  - Install.exe (PID: 2708)
  - 3478600521.exe (PID: 2300)
  - jsc.exe (PID: 2956)
  - build.exe (PID: 2484)
- Reads Environment values
  - CasPol.exe (PID: 2920)
  - vLGsUt9SwXE2p7v4tsuKahV9.exe (PID: 1392)
  - build.exe (PID: 2484)
- Creates files or folders in the user directory
  - CasPol.exe (PID: 2920)
  - vLGsUt9SwXE2p7v4tsuKahV9.exe (PID: 1392)
  - JKsOjJsHpFYJQkU4BSnnhkFS.exe (PID: 364)
  - build.exe (PID: 2484)
- Create files in a temporary directory
  - CasPol.exe (PID: 2920)
  - vKIE4RSQtOrCmfs79KbAurqx.exe (PID: 1628)
  - Install.exe (PID: 2412)
  - JKsOjJsHpFYJQkU4BSnnhkFS.exe (PID: 364)
  - Install.exe (PID: 2708)
  - jsc.exe (PID: 2956)
- Checks proxy server information
  - JKsOjJsHpFYJQkU4BSnnhkFS.exe (PID: 364)
  - vLGsUt9SwXE2p7v4tsuKahV9.exe (PID: 1392)
  - 3478600521.exe (PID: 2300)
- Reads CPU info
  - vLGsUt9SwXE2p7v4tsuKahV9.exe (PID: 1392)
- Creates files in the program directory
  - vLGsUt9SwXE2p7v4tsuKahV9.exe (PID: 1392)
- Reads product name
  - vLGsUt9SwXE2p7v4tsuKahV9.exe (PID: 1392)
- The executable file from the user directory is run by the CMD process
  - 3478600521.exe (PID: 2300)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

OnlyLogger

(PID) Process(364) JKsOjJsHpFYJQkU4BSnnhkFS.exe

C285.209.11.204

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2078:10:28 20:49:30+02:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	48
CodeSize:	22699099
InitializedDataSize:	3072
UninitializedDataSize:	-
EntryPoint:	0x15a7c55
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	4.34.7.31
ProductVersionNumber:	4.34.7.31
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	aHuA
FileDescription:	UNeYOUU aCAEi EguQAiaS oVuCarAtOr.
FileVersion:	4.34.7.31
InternalName:	OiiqOuiMU
LegalCopyright:	© 2023 aHuA.
OriginalFileName:	iIAguUivUQ
ProductName:	eFiWORIwoFa
ProductVersion:	4.34.7.31
Comments:	INeCirekuF IwuWojamaDa oiEO EAuyAa OqaQiji EWaFUUaguQ OFiM owIte ehuauwOAia.

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

123

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

364

"C:\Users\admin\Pictures\JKsOjJsHpFYJQkU4BSnnhkFS.exe"

C:\Users\admin\Pictures\JKsOjJsHpFYJQkU4BSnnhkFS.exe

JKsOjJsHpFYJQkU4BSnnhkFS.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\pictures\jksojjshpfyjqku4bsnnhkfs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

OnlyLogger

(PID) Process(364) JKsOjJsHpFYJQkU4BSnnhkFS.exe

C285.209.11.204

392

netsh wlan show networks mode=bssid

C:\Windows\System32\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Network Command Shell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll

776

ping 127.0.0.1

C:\Windows\System32\PING.EXE

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

TCP/IP Ping Command

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll

792

schtasks /run /I /tn "gEaPiQOru"

C:\Windows\SysWOW64\schtasks.exe

—

Install.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

—

taskeng.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

872

"C:\Windows\System32\cmd.exe" /c taskkill /im "JKsOjJsHpFYJQkU4BSnnhkFS.exe" /f & erase "C:\Users\admin\Pictures\JKsOjJsHpFYJQkU4BSnnhkFS.exe" & exit

C:\Windows\SysWOW64\cmd.exe

—

JKsOjJsHpFYJQkU4BSnnhkFS.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

980

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\reg.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1012

schtasks /CREATE /TN "gEaPiQOru" /SC once /ST 03:39:27 /F /RU "admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

—

Install.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

—

taskeng.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

1088

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\cmd.exe

—

wlaIANC.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

Add for printing

Total events

14 275

Read events

13 875

Write events

400

Delete events

Modification events


(PID) Process:	(2328) SecuriteInfo.com.IL.Trojan.MSILZilla.30386.5839.12065.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2328) SecuriteInfo.com.IL.Trojan.MSILZilla.30386.5839.12065.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2328) SecuriteInfo.com.IL.Trojan.MSILZilla.30386.5839.12065.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2328) SecuriteInfo.com.IL.Trojan.MSILZilla.30386.5839.12065.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2920) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2920) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2920) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2920) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2920) CasPol.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(1532) powershell.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2920	CasPol.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506		compressed
		MD5:F3441B8572AAE8801C04F3060B550443	SHA256:6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF
2920	CasPol.exe	C:\Users\admin\AppData\Local\O54z3nkA8gjvwdSwuxg87ZTj.exe		html
		MD5:FCAD815E470706329E4E327194ACC07C	SHA256:280D939A66A0107297091B3B6F86D6529EF6FAC222A85DBC82822C3D5DC372B8
2920	CasPol.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506		binary
		MD5:3AA5F00651B400D369E523E1C3493B0B	SHA256:A2537AF69DD76BA2C0E8EBF1C4DE32E4141E77473A9D37E1E140E151B3479874
2920	CasPol.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bIztxHENzH28dJAqE60jaSJU.bat		text
		MD5:E7FEAD8FE2946677E0EFD2886470C26E	SHA256:A7A8D1697760D7F156E88238286CA8DA8931FF33A97A1AC5574E68C1D447F910
1532	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:446DD1CF97EABA21CF14D03AEBC79F27	SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
2920	CasPol.exe	C:\Users\admin\Pictures\vLGsUt9SwXE2p7v4tsuKahV9.exe		executable
		MD5:84AED54304D7A46EBA35445A213D1497	SHA256:94F5F9F95672D627048BC6EFF016AFA7D82ADB3D47E2684E67D2B9602E1BC229
2920	CasPol.exe	C:\Users\admin\Pictures\JKsOjJsHpFYJQkU4BSnnhkFS.exe		executable
		MD5:24B3D4228836A84011282DC5E1E61A12	SHA256:654A855DD88CBD6F1EF23E4C2BB2AADD4EFF4F7FAA97C9B8A5641525B7DD3128
2920	CasPol.exe	C:\Users\admin\Pictures\o6PwSriT1os7ikdesBhAxVo9.exe		executable
		MD5:E5BAE93915DC8877B7980232291C07BA	SHA256:7A47F0432901790C84B89615F9851A83B22B153BE54852AACDC6B892F76A25C5
2920	CasPol.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LEMgaFEeoWRRrrJFzONDVvSU.bat		text
		MD5:476A1031192722A19D2763C85643F29F	SHA256:0DF227A44968A7991AFD9A1FAFA0F134A90DC0D851E2B55E1B64BCA1898FF29C
2920	CasPol.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l6hIpfwiEZCRBZNjXPJvAseK.bat		text
		MD5:B888440C969CDBA51FC07C7252B970F3	SHA256:F2A6B99F2D54D94C5EBB172A8570E46630B8D38F87E493A77653DB89139E6059

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2920	CasPol.exe	GET	301	172.67.190.126:80	http://gobo16cl.top/build.exe	unknown	—	—	unknown
2920	CasPol.exe	GET	200	85.209.11.204:80	http://85.209.11.204/api/files/software/s5.exe	unknown	executable	326 Kb	unknown
364	JKsOjJsHpFYJQkU4BSnnhkFS.exe	GET	200	85.209.11.204:80	http://85.209.11.204/ip.php	unknown	text	12 b	unknown
2920	CasPol.exe	GET	200	23.32.238.219:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?39f81f5f7cbc2a80	unknown	compressed	61.6 Kb	unknown
364	JKsOjJsHpFYJQkU4BSnnhkFS.exe	GET	200	199.188.204.145:80	http://green-bubble.co.uk/hostsdreive.exe	unknown	executable	15.8 Mb	unknown
364	JKsOjJsHpFYJQkU4BSnnhkFS.exe	GET	200	199.188.204.145:80	http://green-bubble.co.uk/hostsdreive.exe	unknown	executable	15.8 Mb	unknown
364	JKsOjJsHpFYJQkU4BSnnhkFS.exe	GET	200	85.209.11.204:80	http://85.209.11.204/api/files/client/s51	unknown	text	38 b	unknown
364	JKsOjJsHpFYJQkU4BSnnhkFS.exe	GET	200	85.209.11.204:80	http://85.209.11.204/api/files/client/s52	unknown	binary	1 b	unknown
364	JKsOjJsHpFYJQkU4BSnnhkFS.exe	GET	200	85.209.11.204:80	http://85.209.11.204/api/files/client/s53	unknown	binary	1 b	unknown
364	JKsOjJsHpFYJQkU4BSnnhkFS.exe	GET	200	85.209.11.204:80	http://85.209.11.204/api/files/client/s54	unknown	binary	1 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1956	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
324	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2920	CasPol.exe	104.20.68.143:443	pastebin.com	CLOUDFLARENET	—	unknown
2920	CasPol.exe	85.209.11.204:80	—	LLC Baxet	RU	malicious
2920	CasPol.exe	111.90.146.230:80	—	Shinjiru Technology Sdn Bhd	MY	unknown
2920	CasPol.exe	172.67.216.81:443	flyawayaero.net	CLOUDFLARENET	US	unknown
2920	CasPol.exe	188.114.96.3:443	yip.su	CLOUDFLARENET	NL	unknown
2920	CasPol.exe	194.49.94.85:443	redirector.pm	Enes Koken	DE	unknown

DNS requests

Domain	IP	Reputation
pastebin.com	104.20.68.143 172.67.34.170 104.20.67.143	shared
flyawayaero.net	172.67.216.81 104.21.93.225	malicious
redirector.pm	194.49.94.85	unknown
yip.su	188.114.96.3 188.114.97.3	whitelisted
gobo16cl.top	172.67.190.126 104.21.19.240	unknown
ctldl.windowsupdate.com	23.32.238.219 23.32.238.217 23.32.238.233 23.32.238.234 23.32.238.218 23.32.238.227 23.32.238.211 23.32.238.226 23.32.238.216	whitelisted
potatogoose.com	104.21.35.235 172.67.180.173	unknown
t.me	149.154.167.99	whitelisted
green-bubble.co.uk	199.188.204.145	unknown
bitbucket.org	104.192.141.1	shared

Threats

PID	Process	Class	Message
324	svchost.exe	Potentially Bad Traffic	ET DNS Query for .su TLD (Soviet Union) Often Malware Related
324	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
2920	CasPol.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
2920	CasPol.exe	Potentially Bad Traffic	ET INFO HTTP Request to a *.top domain
2920	CasPol.exe	Potentially Bad Traffic	ET HUNTING Request to .TOP Domain with Minimal Headers
2920	CasPol.exe	A Network Trojan was detected	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
2920	CasPol.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2920	CasPol.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
2920	CasPol.exe	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
2920	CasPol.exe	Misc activity	ET INFO Packed Executable Download

2 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

SecuriteInfo.com.IL.Trojan.MSILZilla.30386.5839.12065

DCA73D055E1BFC4466BC9AC6A4F4F90B

E63E7CB07F36D6583987EB5AF74F68320C901BB8

93F4F7DD1458EBC9CAA287FE4A81737A417A75AB8E3A4A150C5C907F87B51D11

196608:xKmT98xz/10NbNUKMfyN6ofcUoihFpou5vjMq1tCm:3TIyLfJlNfvQE/

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

Create files in the Startup directory

Drops the executable file immediately after the start

GCLEANER has been detected (SURICATA)

Steals credentials

Uses Task Scheduler to run other applications

Run PowerShell with an invisible window

ONLYLOGGER has been detected (YARA)

Actions looks like stealing of personal data

Starts CMD.EXE for self-deleting

Creates a writable file the system directory

WHITESNAKE has been detected (SURICATA)

SUSPICIOUS

Reads the Internet Settings

Starts POWERSHELL.EXE for commands execution

Script adds exclusion path to Windows Defender

Reads settings of System Certificates

Process requests binary or script from the Internet

Connects to the server without a host name

Application launched itself

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Drops 7-zip archiver for unpacking

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Searches for installed software

Starts itself from another location

Starts CMD.EXE for commands execution

Found strings related to reading or modifying Windows Defender settings

Reads the BIOS version

Uses REG/REGEDIT.EXE to modify registry

The process executes via Task Scheduler

Executes as Windows Service

Reads browser cookies

Uses NETSH.EXE to obtain data on the network

Using 'findstr.exe' to search for text patterns in files and output

Checks for external IP

Uses TASKKILL.EXE to kill process

Accesses Microsoft Outlook profiles

Starts application with an unusual extension

Connects to unusual port

INFO

Reads the machine GUID from the registry

Checks supported languages

Reads the computer name

Reads Environment values

Creates files or folders in the user directory

Create files in a temporary directory

Checks proxy server information

Reads CPU info

Creates files in the program directory

Reads product name

The executable file from the user directory is run by the CMD process

Malware configuration

OnlyLogger

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Malware configuration

OnlyLogger

Information

Modules