File name:

2.bin

Full analysis: https://app.any.run/tasks/ac7eea3e-1440-4e63-9bec-6e4ebaa19c19
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 06, 2022, 02:18:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
stealer
vidar
ransomware
stop
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

C446EE98C9E32B2E74297AD71AB05182

SHA1:

5004A79D3D49B339D8B5248CE59C68E43C616BE7

SHA256:

A36EBD8A548DB06BACD9BDC7F5C71619CA17C30C0A349AD62997A49CEA714001

SSDEEP:

12288:nu+NX43o5MK4ypyQkiHK/MNv75JHjeJdcbm8CmTy1Dc7VS:nuCXaYawyQkiq/MNjrydcbm+W147U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 2.bin.exe (PID: 928)
    • Application was dropped or rewritten from another process

      • build2.exe (PID: 3932)
      • build2.exe (PID: 2084)
      • build3.exe (PID: 2272)
      • mstsca.exe (PID: 3596)
    • Drops the executable file immediately after the start

      • 2.bin.exe (PID: 1812)
      • build3.exe (PID: 2272)
    • Steals credentials from Web Browsers

      • build2.exe (PID: 2084)
    • Loads dropped or rewritten executable

      • build2.exe (PID: 2084)
    • VIDAR was detected

      • build2.exe (PID: 2084)
    • Stop is detected

      • 2.bin.exe (PID: 1812)
      • 2.bin.exe (PID: 3276)
    • Renames files like ransomware

      • 2.bin.exe (PID: 3276)
  • SUSPICIOUS

    • Reads the Internet Settings

      • 2.bin.exe (PID: 928)
      • 2.bin.exe (PID: 1812)
      • build2.exe (PID: 2084)
      • 2.bin.exe (PID: 3276)
    • Application launched itself

      • 2.bin.exe (PID: 1752)
      • 2.bin.exe (PID: 928)
      • 2.bin.exe (PID: 2772)
      • build2.exe (PID: 3932)
      • 2.bin.exe (PID: 3240)
    • Reads security settings of Internet Explorer

      • 2.bin.exe (PID: 928)
      • 2.bin.exe (PID: 1812)
      • build2.exe (PID: 2084)
      • 2.bin.exe (PID: 3276)
    • Reads settings of System Certificates

      • 2.bin.exe (PID: 928)
      • 2.bin.exe (PID: 1812)
      • build2.exe (PID: 2084)
      • 2.bin.exe (PID: 3276)
    • Checks Windows Trust Settings

      • 2.bin.exe (PID: 928)
      • 2.bin.exe (PID: 1812)
      • build2.exe (PID: 2084)
      • 2.bin.exe (PID: 3276)
    • Adds/modifies Windows certificates

      • 2.bin.exe (PID: 928)
      • 2.bin.exe (PID: 1812)
    • Executable content was dropped or overwritten

      • 2.bin.exe (PID: 1812)
      • build3.exe (PID: 2272)
    • Process requests binary or script from the Internet

      • 2.bin.exe (PID: 1812)
    • Connects to the server without a host name

      • build2.exe (PID: 2084)
    • Reads browser cookies

      • build2.exe (PID: 2084)
    • Searches for installed software

      • build2.exe (PID: 2084)
    • Executes via Task Scheduler

      • 2.bin.exe (PID: 3240)
      • mstsca.exe (PID: 3596)
  • INFO

    • Checks supported languages

      • 2.bin.exe (PID: 1752)
      • 2.bin.exe (PID: 928)
      • 2.bin.exe (PID: 2772)
      • 2.bin.exe (PID: 1812)
      • build2.exe (PID: 3932)
      • build2.exe (PID: 2084)
      • build3.exe (PID: 2272)
      • 2.bin.exe (PID: 3240)
      • 2.bin.exe (PID: 3276)
      • mstsca.exe (PID: 3596)
    • Checks proxy server information

      • 2.bin.exe (PID: 928)
      • 2.bin.exe (PID: 1812)
      • build2.exe (PID: 2084)
      • 2.bin.exe (PID: 3276)
    • Reads the computer name

      • 2.bin.exe (PID: 928)
      • 2.bin.exe (PID: 1812)
      • build2.exe (PID: 2084)
      • 2.bin.exe (PID: 3276)
    • Drops a file that was compiled in debug mode

      • 2.bin.exe (PID: 1812)
    • Dropped object may contain Bitcoin addresses

      • 2.bin.exe (PID: 1812)
      • build3.exe (PID: 2272)
    • Manual execution by a user

      • mmc.exe (PID: 2392)
      • mmc.exe (PID: 1400)
      • NOTEPAD.EXE (PID: 3696)
      • explorer.exe (PID: 904)
    • Reads product name

      • build2.exe (PID: 2084)
    • Reads Environment values

      • build2.exe (PID: 2084)
    • Creates files in the program directory

      • build2.exe (PID: 2084)
    • Reads CPU info

      • build2.exe (PID: 2084)
    • Reads the CPU's name

      • build2.exe (PID: 2084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2021-Dec-10 18:23:41
Debug artifacts:
  • C:\rusisamuxocamu\pufotahof_yumiya_hajijosenoyaji\moci.pdb

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 224

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 3
TimeDateStamp: 2021-Dec-10 18:23:41
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
4096
106604
107008
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.34312
.data
114688
711432
600576
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99271
.rsrc
827392
102488
102912
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.51886

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.33895
1736
UNKNOWN
UNKNOWN
RT_ICON
2
5.47765
1384
UNKNOWN
UNKNOWN
RT_ICON
3
5.08275
4264
UNKNOWN
UNKNOWN
RT_ICON
4
5.44877
1128
UNKNOWN
UNKNOWN
RT_ICON
5
5.72523
2216
UNKNOWN
UNKNOWN
RT_ICON
6
5.98694
1736
UNKNOWN
UNKNOWN
RT_ICON
7
5.89149
1384
UNKNOWN
UNKNOWN
RT_ICON
8
5.11653
4264
UNKNOWN
UNKNOWN
RT_ICON
9
4.66394
2440
UNKNOWN
UNKNOWN
RT_ICON
10
4.73079
1128
UNKNOWN
UNKNOWN
RT_ICON

Imports

GDI32.dll
KERNEL32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
71
Monitored processes
19
Malicious processes
8
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start 2.bin.exe no specs 2.bin.exe icacls.exe no specs 2.bin.exe #STOP 2.bin.exe build2.exe no specs #VIDAR build2.exe build3.exe schtasks.exe no specs mmc.exe no specs mmc.exe cmd.exe no specs timeout.exe no specs 2.bin.exe no specs #STOP 2.bin.exe explorer.exe no specs mstsca.exe no specs schtasks.exe no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1752"C:\Users\admin\Desktop\2.bin.exe" C:\Users\admin\Desktop\2.bin.exeExplorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
928"C:\Users\admin\Desktop\2.bin.exe" C:\Users\admin\Desktop\2.bin.exe
2.bin.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\2.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mpr.dll
3740icacls "C:\Users\admin\AppData\Local\9855fbd7-a07d-4cee-9a4a-f22e2e0924f3" /deny *S-1-1-0:(OI)(CI)(DE,DC)C:\Windows\system32\icacls.exe2.bin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
2772"C:\Users\admin\Desktop\2.bin.exe" --Admin IsNotAutoStart IsNotTaskC:\Users\admin\Desktop\2.bin.exe
2.bin.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\2.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
1812"C:\Users\admin\Desktop\2.bin.exe" --Admin IsNotAutoStart IsNotTaskC:\Users\admin\Desktop\2.bin.exe
2.bin.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\2.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
3932"C:\Users\admin\AppData\Local\bf122f0a-2a50-4bd1-8cd0-9c7d20bab55e\build2.exe" C:\Users\admin\AppData\Local\bf122f0a-2a50-4bd1-8cd0-9c7d20bab55e\build2.exe2.bin.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\bf122f0a-2a50-4bd1-8cd0-9c7d20bab55e\build2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\webio.dll
2084"C:\Users\admin\AppData\Local\bf122f0a-2a50-4bd1-8cd0-9c7d20bab55e\build2.exe" C:\Users\admin\AppData\Local\bf122f0a-2a50-4bd1-8cd0-9c7d20bab55e\build2.exe
build2.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\bf122f0a-2a50-4bd1-8cd0-9c7d20bab55e\build2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
2272"C:\Users\admin\AppData\Local\bf122f0a-2a50-4bd1-8cd0-9c7d20bab55e\build3.exe" C:\Users\admin\AppData\Local\bf122f0a-2a50-4bd1-8cd0-9c7d20bab55e\build3.exe
2.bin.exe
User:
admin
Integrity Level:
HIGH
Exit code:
4294967295
Modules
Images
c:\users\admin\appdata\local\bf122f0a-2a50-4bd1-8cd0-9c7d20bab55e\build3.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
3100/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\admin\AppData\Roaming\Microsoft\Network\mstsca.exe"C:\Windows\System32\schtasks.exebuild3.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
1400"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /sC:\Windows\system32\mmc.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Management Console
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mmc.exe
c:\windows\system32\ntdll.dll
Total events
17 551
Read events
17 334
Write events
0
Delete events
0

Modification events

No data
Executable files
12
Suspicious files
64
Text files
80
Unknown types
21

Dropped files

PID
Process
Filename
Type
9282.bin.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711Eder
MD5:C51850A96D359A09A3A3A2249C52A92D
SHA256:D66175EC867BEE8F450F2F3AD05D9D161384241244E6D5CF791A608DD31EF175
9282.bin.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\geo[1].jsonbinary
MD5:B4D45C480058D08F9A042E5441513E28
SHA256:6AA178C9C7B0E58CCAC7442D7D151D280395F22A879482CB7C70471E97F666A3
9282.bin.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:7EE127CA3EC760DE382CD8C22D7798D7
SHA256:C8217D61D80B8A3FAD13B68088960EAFDFAE9681FFDBC73D647647F41E5E1F7A
18122.bin.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\build2[1].exeexecutable
MD5:B9212DED69FAE1FA1FB5D6DB46A9FB76
SHA256:7A087C1BCD038C61DDB0F634F9B21E6DB9BED59842F19ADEDA48B49ACB20E16F
18122.bin.exeC:\Users\admin\AppData\Local\bf122f0a-2a50-4bd1-8cd0-9c7d20bab55e\build2.exeexecutable
MD5:B9212DED69FAE1FA1FB5D6DB46A9FB76
SHA256:7A087C1BCD038C61DDB0F634F9B21E6DB9BED59842F19ADEDA48B49ACB20E16F
2084build2.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771der
MD5:E564CAB61E382406F4D7E9EBDCA3F2CA
SHA256:9B67206021B63E35A55FE2B95B9263FD514099F4E4BD0E3FEF0F4A33D1C69028
9282.bin.exeC:\Users\admin\AppData\Local\9855fbd7-a07d-4cee-9a4a-f22e2e0924f3\2.bin.exeexecutable
MD5:C446EE98C9E32B2E74297AD71AB05182
SHA256:A36EBD8A548DB06BACD9BDC7F5C71619CA17C30C0A349AD62997A49CEA714001
2084build2.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30der
MD5:E4FD10C588A13A7F8482D95E13DE3B15
SHA256:C0D03C7EC2A9782ACFAC7D0C31249475FAEB8AEC71970DDC2CBE1734EC01B80F
18122.bin.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\geo[1].jsonbinary
MD5:B4D45C480058D08F9A042E5441513E28
SHA256:6AA178C9C7B0E58CCAC7442D7D151D280395F22A879482CB7C70471E97F666A3
9282.bin.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3538626A1FCCCA43C7E18F220BDD9B02binary
MD5:D48B813E981157A2861B5A0D9913CBDB
SHA256:CD458A5E57EAC4D9BD172B213733877D1698F9D04F6C1A5DBE47F608DA98E56B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
14
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2084
build2.exe
GET
200
192.124.249.24:80
http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQCxJlJbiuuimg%3D%3D
US
der
1.74 Kb
whitelisted
1812
2.bin.exe
GET
200
211.59.14.90:80
http://uaery.top/dl/build2.exe
KR
executable
258 Kb
malicious
2084
build2.exe
GET
200
168.119.167.188:80
http://168.119.167.188/567493352647.zip
DE
compressed
3.47 Mb
malicious
928
2.bin.exe
GET
200
172.64.155.188:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
US
der
1.42 Kb
whitelisted
2084
build2.exe
GET
200
192.124.249.24:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
US
der
1.66 Kb
whitelisted
2084
build2.exe
GET
200
192.124.249.24:80
http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D
US
der
1.69 Kb
whitelisted
928
2.bin.exe
GET
200
104.18.32.68:80
http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
US
der
978 b
whitelisted
1812
2.bin.exe
GET
200
31.167.245.32:80
http://fresherlights.com/test1/get.php?pid=6E3AAB7CB29BC9495DFDE01272C66F39&first=true
SA
binary
558 b
malicious
2084
build2.exe
GET
200
168.119.167.188:80
http://168.119.167.188/517
DE
text
233 b
malicious
1812
2.bin.exe
GET
200
200.46.66.71:80
http://fresherlights.com/files/1/build3.exe
PA
executable
9.50 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
928
2.bin.exe
172.64.155.188:80
ocsp.comodoca.com
CLOUDFLARENET
US
suspicious
928
2.bin.exe
209.197.3.8:80
ctldl.windowsupdate.com
STACKPATH-CDN
US
whitelisted
1812
2.bin.exe
162.0.217.254:443
api.2ip.ua
NAMECHEAP-NET
NL
suspicious
928
2.bin.exe
104.18.32.68:80
ocsp.comodoca.com
CLOUDFLARENET
suspicious
928
2.bin.exe
162.0.217.254:443
api.2ip.ua
NAMECHEAP-NET
NL
suspicious
1812
2.bin.exe
211.59.14.90:80
uaery.top
SK Broadband Co Ltd
KR
malicious
3276
2.bin.exe
162.0.217.254:443
api.2ip.ua
NAMECHEAP-NET
NL
suspicious
2084
build2.exe
192.124.249.24:80
ocsp.godaddy.com
SUCURI-SEC
US
suspicious
1812
2.bin.exe
200.46.66.71:80
fresherlights.com
Cable Onda
PA
malicious
200.46.66.71:80
fresherlights.com
Cable Onda
PA
malicious

DNS requests

Domain
IP
Reputation
api.2ip.ua
  • 162.0.217.254
shared
ctldl.windowsupdate.com
  • 209.197.3.8
whitelisted
ocsp.comodoca.com
  • 172.64.155.188
  • 104.18.32.68
whitelisted
ocsp.usertrust.com
  • 104.18.32.68
  • 172.64.155.188
whitelisted
crl.usertrust.com
  • 104.18.32.68
  • 172.64.155.188
whitelisted
uaery.top
  • 211.59.14.90
  • 211.171.233.126
  • 210.182.29.70
  • 175.119.10.231
  • 222.236.49.123
  • 175.126.109.15
  • 211.119.84.112
  • 187.212.179.75
  • 181.94.48.228
  • 123.213.233.194
malicious
fresherlights.com
  • 200.46.66.71
  • 31.167.245.32
  • 109.102.255.230
  • 190.117.75.91
  • 211.119.84.111
  • 175.120.254.9
  • 190.140.74.43
  • 201.124.230.1
  • 109.98.58.98
  • 195.158.3.162
malicious
t.me
  • 149.154.167.99
whitelisted
ocsp.godaddy.com
  • 192.124.249.24
  • 192.124.249.36
  • 192.124.249.23
  • 192.124.249.22
  • 192.124.249.41
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
928
2.bin.exe
Potentially Bad Traffic
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
1812
2.bin.exe
Potentially Bad Traffic
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
1812
2.bin.exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
1812
2.bin.exe
A Network Trojan was detected
ET TROJAN Potential Dridex.Maldoc Minimal Executable Request
1812
2.bin.exe
A Network Trojan was detected
ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
1812
2.bin.exe
A Network Trojan was detected
ET TROJAN Win32/Vodkagats Loader Requesting Payload
1812
2.bin.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
1812
2.bin.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
4 ETPRO signatures available at the full report
Process
Message
mmc.exe
Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn