File name:	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140
Full analysis:	https://app.any.run/tasks/d0c70811-82fc-4174-9fcc-4a8bbeae6d7b
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 12, 2024, 11:25:42
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	sinkhole stealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	57580717861CF2D29831BCA47DBD28AF
SHA1:	60C8010544272D3C96DCCA370CAF0A5A5195A9A7
SHA256:	E522D81EDD9529FBAD5835AC84F552FCEC18FD566E490457D8757E774CB1F140
SSDEEP:	6144:JReRVuS87roF5tI1hp6L19zz5lNk2M8+xaM38l6X:JYuS8RU1d5Cjxb+

.dll	\|	Win32 Dynamic Link Library (generic) (43.5)
.exe	\|	Win32 Executable (generic) (29.8)
.exe	\|	Generic Win/DOS Executable (13.2)
.exe	\|	DOS Executable Generic (13.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1999:07:15 04:00:44+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	7.14
CodeSize:	12288
InitializedDataSize:	203776
UninitializedDataSize:	369465
EntryPoint:	0x1000
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	0.6.2.1
ProductVersionNumber:	3.9.0.5
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileVersion:	0.6.2.1
ProductVersion:	3.9.0.5
FileDescription:	erinaceidae
CompanyName:	Panda Security, S.L.
LegalCopyright:	opacate
ProductName:	exposed


(PID) Process:	(6836) e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:	write	Name:	26b799fa
Value: C:\Users\admin\Desktop\e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe
(PID) Process:	(6836) e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6836) e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6836) e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6836) e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft
Operation:	write	Name:	d9486693a
Value: 1334609

PID	Process	Filename		Type
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\login[1].htm		html
		MD5:D57E3A550060F85D44A175139EA23021	SHA256:43EDF068D34276E8ADE4113D4D7207DE19FC98A2AE1C07298E593EDAE2A8774C
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\login[1].htm		html
		MD5:D57E3A550060F85D44A175139EA23021	SHA256:43EDF068D34276E8ADE4113D4D7207DE19FC98A2AE1C07298E593EDAE2A8774C
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\login[1].php		text
		MD5:32682312D17C7CBF18E73594F5570319	SHA256:E55FB1A1D731153E943B68844AF12DCCE8BFAC917C98FFDEA64C80DA0607DD47
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\login[1].htm		html
		MD5:7A5DF79FBAAFF2C161C6E29461785403	SHA256:B1C52A7C21C4B21BF69866D7859284068D6ECC90306FE22076F81DAA0176A7ED
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\login[2].htm		html
		MD5:D57E3A550060F85D44A175139EA23021	SHA256:43EDF068D34276E8ADE4113D4D7207DE19FC98A2AE1C07298E593EDAE2A8774C
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\login[1].php		text
		MD5:32682312D17C7CBF18E73594F5570319	SHA256:E55FB1A1D731153E943B68844AF12DCCE8BFAC917C98FFDEA64C80DA0607DD47

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	GET	—	5.79.71.225:80	http://gatyfus.com/login.php	unknown	—	—	malicious
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	GET	200	18.208.156.248:80	http://vonypom.com/login.php	unknown	—	—	malicious
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	GET	—	172.234.222.143:80	http://vojyqem.com/login.php	unknown	—	—	malicious
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	GET	200	44.221.84.105:80	http://qetyfuv.com/login.php	unknown	—	—	malicious
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	GET	404	23.253.46.64:80	http://gahyqah.com/login.php	unknown	—	—	malicious
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	GET	301	188.114.96.3:80	http://qegyhig.com/login.php	unknown	—	—	whitelisted
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	GET	404	208.100.26.245:80	http://lyvyxor.com/login.php	unknown	—	—	malicious
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	GET	200	3.94.10.34:80	http://lymyxid.com/login.php	unknown	—	—	malicious
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	GET	410	3.64.163.50:80	http://puzylyp.com/login.php	unknown	—	—	whitelisted
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	GET	200	44.221.84.105:80	http://vocyzit.com/login.php	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
4132	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5796	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	184.86.251.13:80	www.bing.com	Akamai International B.V.	DE	whitelisted
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	172.234.222.143:80	vojyqem.com	Akamai International B.V.	US	unknown
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	44.221.84.105:80	qetyfuv.com	AMAZON-AES	US	unknown
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	5.79.71.225:80	gatyfus.com	LeaseWeb Netherlands B.V.	NL	malicious
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	18.208.156.248:80	vonypom.com	AMAZON-AES	US	unknown
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	23.253.46.64:80	gahyqah.com	RACKSPACE	US	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158	whitelisted
google.com	142.250.185.78	whitelisted
www.bing.com	184.86.251.13 184.86.251.7 184.86.251.15 184.86.251.11 184.86.251.9 184.86.251.18 184.86.251.10 184.86.251.8 184.86.251.16	whitelisted
lygygin.com	—	unknown
vojyqem.com	172.234.222.143 172.234.222.138	unknown
gacyzuz.com	—	unknown
vocyruk.com	—	unknown
qedyfyq.com	—	unknown
qetyfuv.com	44.221.84.105	unknown
vowydef.com	—	unknown

PID	Process	Class	Message
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	Potential Corporate Privacy Violation	ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2.
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	Potential Corporate Privacy Violation	ET POLICY Unsupported/Fake Windows NT Version 5.0
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	Potential Corporate Privacy Violation	ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2.
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	Potential Corporate Privacy Violation	ET POLICY Unsupported/Fake Windows NT Version 5.0
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
6836	e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

General Info

e522d81edd9529fbad5835ac84f552fcec18fd566e490457d8757e774cb1f140

57580717861CF2D29831BCA47DBD28AF

60C8010544272D3C96DCCA370CAF0A5A5195A9A7

E522D81EDD9529FBAD5835AC84F552FCEC18FD566E490457D8757E774CB1F140

6144:JReRVuS87roF5tI1hp6L19zz5lNk2M8+xaM38l6X:JYuS8RU1d5Cjxb+

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Request for a sinkholed resource

Steals credentials

SUSPICIOUS

Reads the date of Windows installation

Reads security settings of Internet Explorer

The process checks if it is being run in the virtual environment

The process verifies whether the antivirus software is installed

There is functionality for taking screenshot (YARA)

Checks Windows Trust Settings

Potential Corporate Privacy Violation

Connects to unusual port

INFO

Creates files or folders in the user directory

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings