Malware analysis SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942 Malicious activity

Add for printing

File name:	SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942
Full analysis:	https://app.any.run/tasks/8d0b9de6-3d10-42b5-8776-66ee98b6547e
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. The main function of Smoke Loader is dropping other, more destructive malware on infected machines. However, unlike many competing loaders, this one can be extended via plugins to feature destructive, malicious info-stealing functions. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 09, 2023, 05:28:05
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	opendir loader gcleaner stealc stealer rhadamanthys amadey botnet onlylogger phishing smoke neoreklami
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	65ACBF192DDEF924085504F07E559AD7
SHA1:	991FFA6FAE12E521118BF1800FB9D534037C04FC
SHA256:	CCCC4690ACE16E44F44473C2DF179B5B17E27F863B33ABDA126199014CB224D8
SSDEEP:	6144:lWtuykMCEGs7e4IaLLWCfxMRhU+G36vzgymktD2FqJFCS7tQPD7f8u4GnfF5Kuwj:otuykbEGs7e4IWyCob6LHEB5rMT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Adds path to the Windows Defender exclusion list
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 2704)
  - explorer.exe (PID: 1944)
- Create files in the Startup directory
  - CasPol.exe (PID: 2844)
- Drops the executable file immediately after the start
  - CasPol.exe (PID: 2844)
  - o9kOQt6dAsZEYb9XTfo7zLZf.exe (PID: 2268)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - 0013737115.exe (PID: 2484)
  - OgowUitadx4J3D0Zle3jzlME.exe (PID: 2412)
  - Install.exe (PID: 2992)
  - Utsysc.exe (PID: 2472)
  - VqAZY2Gsltzix48asvMIup6y.exe (PID: 2380)
  - Install.exe (PID: 1728)
  - updater.exe (PID: 3008)
- STEALC has been detected (SURICATA)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- Connects to the CnC server
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - explorer.exe (PID: 1944)
- GCLEANER has been detected (SURICATA)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
- Runs injected code in another process
  - LHYhRKOrUi44QbBSQySt1MAJ.exe (PID: 1788)
- Application was injected by another process
  - explorer.exe (PID: 1944)
- Steals credentials
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - rundll32.exe (PID: 2788)
  - rundll32.exe (PID: 2280)
- RHADAMANTHYS has been detected (SURICATA)
  - dialer.exe (PID: 1680)
- Uses Task Scheduler to run other applications
  - Utsysc.exe (PID: 2472)
  - Install.exe (PID: 1728)
  - explorer.exe (PID: 1944)
  - jlBQQYw.exe (PID: 2892)
- Changes the autorun value in the registry
  - Utsysc.exe (PID: 2472)
- AMADEY has been detected (SURICATA)
  - Utsysc.exe (PID: 2472)
- Steals credentials from Web Browsers
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - rundll32.exe (PID: 2788)
  - rundll32.exe (PID: 2280)
- Starts CMD.EXE for self-deleting
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
- ONLYLOGGER has been detected (YARA)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
- Run PowerShell with an invisible window
  - powershell.EXE (PID: 2600)
  - powershell.EXE (PID: 1828)
  - powershell.EXE (PID: 2576)
- Actions looks like stealing of personal data
  - dllhost.exe (PID: 1672)
  - rundll32.exe (PID: 2788)
  - rundll32.exe (PID: 2280)
  - jlBQQYw.exe (PID: 2892)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- Unusual connection from system programs
  - rundll32.exe (PID: 2788)
  - rundll32.exe (PID: 2280)
  - rundll32.exe (PID: 1180)
  - rundll32.exe (PID: 2772)
- SMOKE has been detected (SURICATA)
  - explorer.exe (PID: 1944)
- Modifies hosts file to block updates
  - VqAZY2Gsltzix48asvMIup6y.exe (PID: 2380)
- Creates a writable file the system directory
  - powershell.exe (PID: 1172)
  - jlBQQYw.exe (PID: 2892)
- Neoreklami has been detected
  - jlBQQYw.exe (PID: 2892)
SUSPICIOUS
- Script adds exclusion path to Windows Defender
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 2704)
  - explorer.exe (PID: 1944)
- Starts POWERSHELL.EXE for commands execution
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 2704)
  - explorer.exe (PID: 1944)
- Reads the Internet Settings
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 2704)
  - CasPol.exe (PID: 2844)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
  - 0013737115.exe (PID: 2484)
  - Utsysc.exe (PID: 2472)
  - cmd.exe (PID: 2424)
  - Install.exe (PID: 1728)
  - powershell.EXE (PID: 2600)
  - rundll32.exe (PID: 2788)
  - powershell.exe (PID: 308)
  - rundll32.exe (PID: 2280)
  - Utsysc.exe (PID: 2820)
  - rundll32.exe (PID: 2772)
  - rundll32.exe (PID: 1180)
  - Utsysc.exe (PID: 1172)
  - powershell.EXE (PID: 1828)
  - powershell.EXE (PID: 2576)
- Reads settings of System Certificates
  - CasPol.exe (PID: 2844)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
- Connects to the server without a host name
  - CasPol.exe (PID: 2844)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
- Process requests binary or script from the Internet
  - CasPol.exe (PID: 2844)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - Utsysc.exe (PID: 2472)
- Application launched itself
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 3068)
  - LHYhRKOrUi44QbBSQySt1MAJ.exe (PID: 1632)
  - explorer.exe (PID: 1944)
  - evhtujv (PID: 364)
- Reads security settings of Internet Explorer
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- Checks Windows Trust Settings
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- Connects to unusual port
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - dialer.exe (PID: 1680)
  - dllhost.exe (PID: 1672)
  - explorer.exe (PID: 1040)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- Searches for installed software
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - dllhost.exe (PID: 1672)
- The process checks if it is being run in the virtual environment
  - dialer.exe (PID: 1680)
- Starts CMD.EXE for commands execution
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
  - forfiles.exe (PID: 2548)
  - forfiles.exe (PID: 1228)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - explorer.exe (PID: 1944)
  - jlBQQYw.exe (PID: 2892)
- The process drops Mozilla's DLL files
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- Starts itself from another location
  - 0013737115.exe (PID: 2484)
  - OgowUitadx4J3D0Zle3jzlME.exe (PID: 2412)
- Process drops legitimate windows executable
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- The process drops C-runtime libraries
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- Drops 7-zip archiver for unpacking
  - CasPol.exe (PID: 2844)
  - OgowUitadx4J3D0Zle3jzlME.exe (PID: 2412)
- Reads browser cookies
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- Reads the BIOS version
  - Install.exe (PID: 1728)
- Found strings related to reading or modifying Windows Defender settings
  - forfiles.exe (PID: 2548)
  - forfiles.exe (PID: 1228)
  - jlBQQYw.exe (PID: 2892)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 2564)
  - cmd.exe (PID: 2552)
  - cmd.exe (PID: 312)
  - cmd.exe (PID: 1192)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 2668)
- Loads DLL from Mozilla Firefox
  - dllhost.exe (PID: 1672)
  - rundll32.exe (PID: 2788)
  - rundll32.exe (PID: 2280)
- Accesses Microsoft Outlook profiles
  - dllhost.exe (PID: 1672)
  - rundll32.exe (PID: 2788)
  - rundll32.exe (PID: 2280)
- The process executes via Task Scheduler
  - powershell.EXE (PID: 2600)
  - Utsysc.exe (PID: 2820)
  - evhtujv (PID: 364)
  - jlBQQYw.exe (PID: 2892)
  - powershell.EXE (PID: 1828)
  - Utsysc.exe (PID: 1172)
  - powershell.EXE (PID: 2576)
- Uses RUNDLL32.EXE to load library
  - rundll32.exe (PID: 1940)
  - rundll32.exe (PID: 2040)
- Uses NETSH.EXE to obtain data on the network
  - rundll32.exe (PID: 2788)
  - rundll32.exe (PID: 2280)
- Starts SC.EXE for service management
  - cmd.exe (PID: 1844)
  - cmd.exe (PID: 2892)
- Executes as Windows Service
  - updater.exe (PID: 3008)
  - raserver.exe (PID: 2848)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 392)
- Uses powercfg.exe to modify the power settings
  - cmd.exe (PID: 1716)
  - cmd.exe (PID: 3068)
- The Powershell connects to the Internet
  - powershell.exe (PID: 1172)
- Drops a system driver (possible attempt to evade defenses)
  - updater.exe (PID: 3008)
- Unusual connection from system programs
  - powershell.exe (PID: 1172)
- Starts application with an unusual extension
  - evhtujv (PID: 364)
INFO
- Reads the machine GUID from the registry
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 2704)
  - CasPol.exe (PID: 2844)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
  - 0013737115.exe (PID: 2484)
  - iXINopQIc8EtXdM1c7vsbmzh.exe (PID: 2516)
  - Utsysc.exe (PID: 2472)
  - Install.exe (PID: 1728)
- Checks supported languages
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 2704)
  - CasPol.exe (PID: 2844)
  - LHYhRKOrUi44QbBSQySt1MAJ.exe (PID: 1632)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 3068)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - Q9yM42KmSsUdQCLfj0rBuk2R.exe (PID: 2620)
  - AppLaunch.exe (PID: 1784)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
  - o9kOQt6dAsZEYb9XTfo7zLZf.exe (PID: 2268)
  - LHYhRKOrUi44QbBSQySt1MAJ.exe (PID: 1788)
  - FQWtLzA7ZBFGcslKu0INSzgX.exe (PID: 2972)
  - iXINopQIc8EtXdM1c7vsbmzh.exe (PID: 2516)
  - 0013737115.exe (PID: 2484)
  - VqAZY2Gsltzix48asvMIup6y.exe (PID: 2380)
  - Utsysc.exe (PID: 2472)
  - OgowUitadx4J3D0Zle3jzlME.exe (PID: 2412)
  - Install.exe (PID: 2992)
  - Install.exe (PID: 1728)
  - updater.exe (PID: 3008)
  - Utsysc.exe (PID: 2820)
  - jlBQQYw.exe (PID: 2892)
  - Utsysc.exe (PID: 1172)
  - evhtujv (PID: 364)
  - evhtujv (PID: 2788)
- Reads the computer name
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 2704)
  - CasPol.exe (PID: 2844)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
  - FQWtLzA7ZBFGcslKu0INSzgX.exe (PID: 2972)
  - 0013737115.exe (PID: 2484)
  - Utsysc.exe (PID: 2472)
  - iXINopQIc8EtXdM1c7vsbmzh.exe (PID: 2516)
  - Install.exe (PID: 1728)
- Reads Environment values
  - CasPol.exe (PID: 2844)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- Create files in a temporary directory
  - CasPol.exe (PID: 2844)
  - o9kOQt6dAsZEYb9XTfo7zLZf.exe (PID: 2268)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
  - 0013737115.exe (PID: 2484)
  - Utsysc.exe (PID: 2472)
  - OgowUitadx4J3D0Zle3jzlME.exe (PID: 2412)
  - Install.exe (PID: 2992)
  - VqAZY2Gsltzix48asvMIup6y.exe (PID: 2380)
  - Install.exe (PID: 1728)
- Creates files or folders in the user directory
  - CasPol.exe (PID: 2844)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
  - Utsysc.exe (PID: 2472)
  - explorer.exe (PID: 1944)
- Checks proxy server information
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - Utsysc.exe (PID: 2472)
  - rundll32.exe (PID: 2788)
  - rundll32.exe (PID: 2280)
  - rundll32.exe (PID: 2772)
  - rundll32.exe (PID: 1180)
- Reads product name
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- Reads CPU info
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- Creates files in the program directory
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - VqAZY2Gsltzix48asvMIup6y.exe (PID: 2380)
- The executable file from the user directory is run by the CMD process
  - 0013737115.exe (PID: 2484)
- Manual execution by a user
  - dllhost.exe (PID: 1672)
- Drops the executable file immediately after the start
  - explorer.exe (PID: 1944)
- Reads the Internet Settings
  - explorer.exe (PID: 1944)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

OnlyLogger

(PID) Process(2728) D8CyX1GPoa6iBwqhMctvb7Yb.exe

C285.209.11.204

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (49.4)
.scr	\|	Windows screen saver (23.4)
.dll	\|	Win32 Dynamic Link Library (generic) (11.7)
.exe	\|	Win32 Executable (generic) (8)
.exe	\|	Generic Win/DOS Executable (3.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:11:07 19:07:31+01:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	48
CodeSize:	433075
InitializedDataSize:	3584
UninitializedDataSize:	-
EntryPoint:	0x6bbad
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	6.34.311.48
ProductVersionNumber:	6.34.311.48
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	IWaYiCOgA
FileDescription:	AvOvEma AKiJoAaGI eUUwUNaAiwE AKeuIkiv EVAfA uzUlaLu edayu OLEPuP.
FileVersion:	6.34.311.48
InternalName:	AnAZUXoX
LegalCopyright:	© 2023 IWaYiCOgA.
OriginalFileName:	aEoJOoA
ProductName:	iEOKapuooy
ProductVersion:	6.34.311.48
Comments:	OhaOOb UhiVoVi uTInusA IPok EDeHiI isedOcOj aOExIV oqIJeNeu IrOraIExU.

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

184

Monitored processes

104

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

272

schtasks /run /I /tn "gnCnaXtVw"

C:\Windows\SysWOW64\schtasks.exe

—

jlBQQYw.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

304

sc stop UsoSvc

C:\Windows\System32\sc.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

A tool to aid in developing services for WindowsNT

Exit code:

1060

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

312

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\cmd.exe

—

jlBQQYw.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

364

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Power Settings Command-Line Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

364

C:\Users\admin\AppData\Roaming\evhtujv

—

taskeng.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\roaming\evhtujv
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

392

"C:\Windows\System32\cmd.exe" /c taskkill /im "D8CyX1GPoa6iBwqhMctvb7Yb.exe" /f & erase "C:\Users\admin\Pictures\D8CyX1GPoa6iBwqhMctvb7Yb.exe" & exit

C:\Windows\SysWOW64\cmd.exe

—

D8CyX1GPoa6iBwqhMctvb7Yb.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1040

C:\Windows\explorer.exe

explorer.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Explorer

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\temp\fmuxutjjwbws.tmp
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\psapi.dll

1172

sc stop bits

C:\Windows\System32\sc.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

1062

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

explorer.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

Add for printing

Total events

29 900

Read events

29 375

Write events

524

Delete events

Modification events


(PID) Process:	(1944) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000088AF72B0747534094337F63DE35C94A000000000200000000001066000000010000200000003A7AE26404D75DF41C31FF40C5EA8CE90BAF74FA9E9BD7A9ACA34C7048350C1E000000000E8000000002000020000000BD2D56D46506C12C41A6A70B10E79EE53CB79EF36FD2BA8CDD2460CB8F4BE86A300000009B5D1418CBF2EB49F3C4BD4C21D58CA55B82FA3D3ED08AF0EF59D6C7ECAFC1055FA323A80FF7C154B1C9B60253392B6640000000DED9FDCC168073324C3013F1BB125E066EB1A2F09FD2C8E7CC7A793AA992E21EF1C942BF7294D04E036428704009B863B1CB981B97312E2530E3E816780CF7C9
(PID) Process:	(2704) SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2704) SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2704) SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2704) SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2844) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2844) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2844) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2844) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2844) CasPol.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2672	powershell.exe	C:\Users\admin\AppData\Local\Temp\izu5bmia.3cv.ps1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—
2844	CasPol.exe	C:\Users\admin\AppData\Local\Temp\TarA551.tmp		binary
		MD5:9441737383D21192400ECA82FDA910EC	SHA256:BC3A6E84E41FAEB57E7C21AA3B60C2A64777107009727C5B7C0ED8FE658909E5
2844	CasPol.exe	C:\Users\admin\AppData\Local\DUvvCKVjlPtPSXZwoSFOyVAM.exe		executable
		MD5:4956D7A8E55535818CDF4B4CAE2F5D9D	SHA256:41B4E573F2950C49813A6596319399C0BCDC12CC881AF60918DE5BE0AB35C249
2844	CasPol.exe	C:\Users\admin\Pictures\RWlihhQI7QHeNvZRPl4C0WZD.exe		html
		MD5:FCAD815E470706329E4E327194ACC07C	SHA256:280D939A66A0107297091B3B6F86D6529EF6FAC222A85DBC82822C3D5DC372B8
2844	CasPol.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506		binary
		MD5:FBE74E047A8FAAF5BE871C72184213BC	SHA256:6592FC26FCB110DF2D7367AA1DEBE907F285B12C209757E8FADF7EF98841BB62
2844	CasPol.exe	C:\Users\admin\AppData\Local\Temp\CabA53F.tmp		compressed
		MD5:F3441B8572AAE8801C04F3060B550443	SHA256:6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF
2844	CasPol.exe	C:\Users\admin\AppData\Local\Temp\TarA540.tmp		binary
		MD5:9441737383D21192400ECA82FDA910EC	SHA256:BC3A6E84E41FAEB57E7C21AA3B60C2A64777107009727C5B7C0ED8FE658909E5
2844	CasPol.exe	C:\Users\admin\AppData\Local\Temp\CabA550.tmp		compressed
		MD5:F3441B8572AAE8801C04F3060B550443	SHA256:6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF
2672	powershell.exe	C:\Users\admin\AppData\Local\Temp\0jge00tx.azp.psm1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—
2672	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:446DD1CF97EABA21CF14D03AEBC79F27	SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

116

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2844	CasPol.exe	GET	—	5.42.67.10:80	http://5.42.67.10/setupdownload.exe	unknown	—	—	unknown
2844	CasPol.exe	GET	—	194.49.94.67:80	http://194.49.94.67/files/My2.exe	unknown	—	—	unknown
2800	LgZETwjBuyt3U7y3AtTrHm4V.exe	GET	200	116.203.165.60:2087	http://116.203.165.60:2087/	unknown	—	—	unknown
2844	CasPol.exe	GET	200	95.214.26.28:80	http://galandskiyher5.com/downloads/toolspub1.exe	unknown	executable	318 Kb	unknown
2844	CasPol.exe	GET	200	95.140.236.128:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4e8985cacbd3f720	unknown	compressed	61.6 Kb	unknown
2844	CasPol.exe	GET	200	95.140.236.128:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?56e02b563dbccaec	unknown	compressed	61.6 Kb	unknown
2844	CasPol.exe	GET	200	95.140.236.128:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7ac514a272f19814	unknown	compressed	61.6 Kb	unknown
2844	CasPol.exe	GET	301	185.26.182.111:80	http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767	unknown	html	162 b	unknown
2844	CasPol.exe	GET	200	85.209.11.204:80	http://85.209.11.204/api/files/software/s5.exe	unknown	executable	387 Kb	unknown
2844	CasPol.exe	GET	200	95.140.236.128:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a8f56d5b3bea9253	unknown	compressed	61.6 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2844	CasPol.exe	172.67.34.170:443	pastebin.com	CLOUDFLARENET	US	unknown
1956	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
2844	CasPol.exe	85.209.11.204:80	—	LLC Baxet	RU	malicious
2844	CasPol.exe	172.67.180.173:443	potatogoose.com	CLOUDFLARENET	US	unknown
2844	CasPol.exe	172.67.216.81:443	flyawayaero.net	CLOUDFLARENET	US	unknown
2844	CasPol.exe	95.140.236.128:80	ctldl.windowsupdate.com	LLNW	US	unknown
2844	CasPol.exe	194.49.94.85:443	632432.space	Enes Koken	DE	unknown
2844	CasPol.exe	104.21.32.208:443	lycheepanel.info	CLOUDFLARENET	—	unknown
2844	CasPol.exe	194.49.94.67:80	—	Enes Koken	DE	unknown

DNS requests

Domain	IP	Reputation
pastebin.com	172.67.34.170 104.20.68.143 104.20.67.143	shared
flyawayaero.net	172.67.216.81 104.21.93.225	unknown
gobo11fc.top	89.191.234.21	unknown
632432.space	194.49.94.85	malicious
galandskiyher5.com	95.214.26.28	malicious
lycheepanel.info	104.21.32.208 172.67.187.122	unknown
net.geo.opera.com	185.26.182.111 185.26.182.112	whitelisted
globalsystemperu.com	179.61.12.110	unknown
yip.su	188.114.97.3 188.114.96.3	whitelisted
potatogoose.com	172.67.180.173 104.21.35.235	malicious

Threats

PID	Process	Class	Message
324	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
324	svchost.exe	Potentially Bad Traffic	ET DNS Query for .su TLD (Soviet Union) Often Malware Related
2844	CasPol.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
2844	CasPol.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2844	CasPol.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
2844	CasPol.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2844	CasPol.exe	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
2844	CasPol.exe	Misc activity	ET INFO Packed Executable Download
2844	CasPol.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2844	CasPol.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

13 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942

65ACBF192DDEF924085504F07E559AD7

991FFA6FAE12E521118BF1800FB9D534037C04FC

CCCC4690ACE16E44F44473C2DF179B5B17E27F863B33ABDA126199014CB224D8

6144:lWtuykMCEGs7e4IaLLWCfxMRhU+G36vzgymktD2FqJFCS7tQPD7f8u4GnfF5Kuwj:otuykbEGs7e4IWyCob6LHEB5rMT

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

Create files in the Startup directory

Drops the executable file immediately after the start

STEALC has been detected (SURICATA)

Connects to the CnC server

GCLEANER has been detected (SURICATA)

Runs injected code in another process

Application was injected by another process

Steals credentials

RHADAMANTHYS has been detected (SURICATA)

Uses Task Scheduler to run other applications

Changes the autorun value in the registry

AMADEY has been detected (SURICATA)

Steals credentials from Web Browsers

Starts CMD.EXE for self-deleting

ONLYLOGGER has been detected (YARA)

Run PowerShell with an invisible window

Actions looks like stealing of personal data

Unusual connection from system programs

SMOKE has been detected (SURICATA)

Modifies hosts file to block updates

Creates a writable file the system directory

Neoreklami has been detected

SUSPICIOUS

Script adds exclusion path to Windows Defender

Starts POWERSHELL.EXE for commands execution

Reads the Internet Settings

Reads settings of System Certificates

Connects to the server without a host name

Process requests binary or script from the Internet

Application launched itself

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Connects to unusual port

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Searches for installed software

The process checks if it is being run in the virtual environment

Starts CMD.EXE for commands execution

The process drops Mozilla's DLL files

Starts itself from another location

Process drops legitimate windows executable

The process drops C-runtime libraries

Drops 7-zip archiver for unpacking

Reads browser cookies

Reads the BIOS version

Found strings related to reading or modifying Windows Defender settings

Uses REG/REGEDIT.EXE to modify registry

Uses TIMEOUT.EXE to delay execution

Loads DLL from Mozilla Firefox

Accesses Microsoft Outlook profiles

The process executes via Task Scheduler

Uses RUNDLL32.EXE to load library

Uses NETSH.EXE to obtain data on the network

Starts SC.EXE for service management

Executes as Windows Service

Uses TASKKILL.EXE to kill process

Uses powercfg.exe to modify the power settings

The Powershell connects to the Internet

Drops a system driver (possible attempt to evade defenses)

Unusual connection from system programs

Starts application with an unusual extension

INFO

Reads the machine GUID from the registry

Checks supported languages

Reads the computer name

Reads Environment values

Create files in a temporary directory

Creates files or folders in the user directory

Checks proxy server information