Analysis Overview
SHA256
a14e69b94a83cbdd197a8db6edde456154647535f52dc90432f5c41dec5b1500
Threat Level: Known bad
The file MobiSpy Rat.zip was found to be: Known bad.
Malicious Activity Summary
Spynote family
Spynote payload
Requests dangerous framework permissions
Obfuscated with Agile.Net obfuscator
Program crash
Unsigned PE
Enumerates physical storage devices
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-20 13:31
Signatures
Spynote family
Spynote payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write (but not read) the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral5
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230220-en
Max time kernel
62s
Max time network
93s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b02c0c43318bd901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31034161" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1132376955" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31034161" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000675316f82fdac74aa8f3bd7995064a97000000000200000000001066000000010000200000006922c3ee12e239cfbc1c2aae5b04a163ddd89ee54cbf0e8826952a7702cc6595000000000e8000000002000020000000e0bb4175847490e48330e130978c88fe1fb3900fb9cd140fdb773bb2a18e3ec5200000000fe0ca918b60246b8e1266d582a490dac9b593d75561a693041796db3deca11c400000009733aac53385ddffc4aa3eecaf302ef65c7b4dc9d88091c0da6184b7e32eef342560390b2a367626db42e888d65537185ff3dfca5a78449ffdfbcb01dcc87b15 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000675316f82fdac74aa8f3bd7995064a9700000000020000000000106600000001000020000000788b8f1820bd72f4af71780927d54ae176d976646d26eaa16750b36877e2876c000000000e80000000020000200000003076c821d5ebaf2302db0a8b35acebf6c818e98c339681ec80f4478383d67098200000007e000a420683bf990040077ecc0df509d7f53145b1de263c0eeeeb85f8262af740000000653403268bcf137ec55783514f3070e725692b4d24a67de31753738bc8ea5d1b513cbef089b6fe22bc4a8a37f5ceb07c53d4e9fc8a80134189e2be442dc66e7e | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1132376955" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 207ea943318bd901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{67F2E65B-F724-11ED-ABF7-6E9A6C474791} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4620 wrote to memory of 1856 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4620 wrote to memory of 1856 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4620 wrote to memory of 1856 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Clients\MOBISPY_904137750387323\Settings\2020-15-10--08-29-36.html"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4620 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| BE | 8.238.110.126:80 | tcp | |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.146.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| NL | 20.50.201.195:443 | tcp | |
| BE | 8.238.110.126:80 | tcp | |
| BE | 8.238.110.126:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 131.253.33.203:80 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 200.232.18.117.in-addr.arpa | udp |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 4ace9525f8c20d9b288ca64d79205b47 |
| SHA1 | 5cc5dbd63eed0ea6735092f4909b9b1bdd7e7be6 |
| SHA256 | 0b7a087246583d776c31c07bd387f63baabb261a4fae9bd83b4ec8d545b4b2e5 |
| SHA512 | 0d9985a0f11d6b0184118d7ca5f03bcb0f5f9647bcd30317ed45b24c22bec82010014a92b1b3b32ce7c79eaaaaa425c3abd333889381b25a226b0648d1ece56c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 4aaaec5984d993ff8e1272eab38fd36d |
| SHA1 | 63941932988c6caeb02b52533978e193cb71363f |
| SHA256 | 2293e037bf94af0b6ec61e0c9ae28553443ede6232f39a0acbc8262671acef51 |
| SHA512 | 84199ccc0332f02bbae003a057531f5c56b4f65f9f61ff18595bc6ff01ec86b2130f027dcfdf9a4597dcc0b6bfccdee32beec1b2702b8528b8412e4b597c7f9e |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver8414.tmp
| MD5 | 1a545d0052b581fbb2ab4c52133846bc |
| SHA1 | 62f3266a9b9925cd6d98658b92adec673cbe3dd3 |
| SHA256 | 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1 |
| SHA512 | bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d |
Analysis: behavioral21
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230220-en
Max time kernel
77s
Max time network
99s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-handle-l1-1-0.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 40.125.122.151:443 | tcp | |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 40.125.122.176:443 | tcp | |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| NL | 20.50.201.200:443 | tcp | |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 93.184.221.240:80 | tcp | |
| US | 117.18.237.29:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230220-en
Max time kernel
64s
Max time network
78s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-localization-l1-2-0.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| IE | 13.69.239.74:443 | tcp | |
| US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.248.5.254:80 | tcp | |
| US | 8.248.5.254:80 | tcp | |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 8.248.5.254:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 52.152.110.14:443 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230220-en
Max time kernel
57s
Max time network
78s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31034161" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1019513335" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1006698605" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31034161" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31034161" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{67609E36-F724-11ED-B7D7-4221DB3A75C8} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1006544882" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3028 wrote to memory of 2580 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3028 wrote to memory of 2580 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3028 wrote to memory of 2580 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Clients\MOBISPY_904137750387323\Apps\2020-15-10--08-29-10.html"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3028 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 52.152.108.96:443 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| FR | 40.79.141.154:443 | tcp | |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 8.8.8.8:53 | 200.232.18.117.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | d033ab1924deff6e331c82fed9d70aa3 |
| SHA1 | 5495601d9cf3f7cf76c2997ba597cbd51f48ed1c |
| SHA256 | bf56e55db9250d8d3704753646ad18794b8edab813748a5652e06a04db739705 |
| SHA512 | 1f82df71ca70245d8a1a95f3f2116170b52d846dfb081bf52aef36cd3625b5aa81e62912928136bbcb96e14f9406b32b7bce1e6d163aa24fce261f28256fa8e7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 4ace9525f8c20d9b288ca64d79205b47 |
| SHA1 | 5cc5dbd63eed0ea6735092f4909b9b1bdd7e7be6 |
| SHA256 | 0b7a087246583d776c31c07bd387f63baabb261a4fae9bd83b4ec8d545b4b2e5 |
| SHA512 | 0d9985a0f11d6b0184118d7ca5f03bcb0f5f9647bcd30317ed45b24c22bec82010014a92b1b3b32ce7c79eaaaaa425c3abd333889381b25a226b0648d1ece56c |
Analysis: behavioral10
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230220-en
Max time kernel
62s
Max time network
82s
Command Line
Signatures
Processes
C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\PlayerJava\PlayerJava.jar"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.145.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 40.125.122.176:443 | tcp | |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 20.189.173.2:443 | tcp | |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 13.107.4.50:80 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 40.125.122.176:443 | tcp |
Files
memory/4476-144-0x0000000001420000-0x0000000001421000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230220-en
Max time kernel
64s
Max time network
81s
Command Line
Signatures
Processes
C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe" "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\lib\deploy\messages.jnlp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| FR | 51.11.192.49:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 52.242.101.226:443 | tcp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230220-en
Max time kernel
62s
Max time network
86s
Command Line
Signatures
Processes
C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\lib\javaws.jar"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 20.189.173.3:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 52.242.101.226:443 | tcp |
Files
memory/2764-143-0x00000000026B0000-0x00000000026B1000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230221-en
Max time kernel
64s
Max time network
80s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\Payload\stub.apk"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 8.8.8.8:53 | 37.146.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 20.189.173.3:443 | tcp | |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp |
| US | 40.125.122.176:443 | tcp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230220-en
Max time kernel
62s
Max time network
82s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\JAWTAccessBridge-64.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| IE | 13.69.239.73:443 | tcp | |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.143.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.150.43.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| NL | 8.238.20.126:80 | tcp | |
| NL | 8.238.20.126:80 | tcp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230220-en
Max time kernel
75s
Max time network
89s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-interlocked-l1-1-0.dll",#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 4448 -ip 4448
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4448 -s 328
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| GB | 51.104.15.252:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 131.253.33.203:80 | tcp | |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| US | 52.242.101.226:443 | tcp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230220-en
Max time kernel
72s
Max time network
99s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\bin\MobiSpy-cleaned.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\bin\MobiSpy-cleaned.exe
"C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\bin\MobiSpy-cleaned.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1572 -ip 1572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 880
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 20.189.173.6:443 | tcp | |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| NL | 84.53.175.11:80 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
Files
memory/1572-133-0x0000000000C90000-0x0000000000F0A000-memory.dmp
memory/1572-134-0x0000000008160000-0x00000000081FC000-memory.dmp
memory/1572-135-0x00000000087B0000-0x0000000008D54000-memory.dmp
memory/1572-136-0x00000000082A0000-0x0000000008332000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230220-en
Max time kernel
55s
Max time network
73s
Command Line
Signatures
Processes
C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\lib\charsets.jar"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.145.190.20.in-addr.arpa | udp |
| US | 20.189.173.13:443 | tcp | |
| US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.17.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
Files
memory/2844-143-0x0000000000A00000-0x0000000000A01000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:40
Platform
win10v2004-20230220-en
Max time kernel
85s
Max time network
101s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006b1b24209a5b3c4ab603530fd8f378dc00000000020000000000106600000001000020000000db7a5e1783ade2a59923dd3c3c76e5b831bc03987748dc903e202ec1b2547e13000000000e8000000002000020000000dd314ed986230d1320ba43acde4d965b3bc2a3a140a19435f1ffbda774a3ebab20000000fef5b1af67b0044abd0acc1d79d927aa549ba73d15ff85821c9e35d49fb0ea7b40000000b8b25ded829cbca9c9a5dc9db15d79b7de7f674b65b7acabe126dfad8a3ef5387e99c184fedafdae35f2c19ca5b9049064af42652fc63b3a6b85fc54b19c338d | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0f24b4a318bd901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31034161" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1382593465" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1382593465" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006b1b24209a5b3c4ab603530fd8f378dc0000000002000000000010660000000100002000000067a02cdc0ca65a16818577aa7f0cab936ac506c172710f414835ce2acdac17d2000000000e800000000200002000000084ed948c7321be1678d5d2faaacb0dcbff89f845de0373c89f19b55b946cb14520000000b237abae7b71566e7d13e6da4ae5bfd9ac49333079602a037d148c2ae8e3bfd54000000099ba0a08f778fa5954652e37b88a459d4db0becc17d329ac6d8a4e38393fe01fc21b45876d7bb974a1d347688b5e1c90b8239aa22ca19a3cf1f79df93e54478a | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31034161" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6F1D43BB-F724-11ED-9156-EEF7611730E8} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3025c449318bd901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3276 wrote to memory of 1216 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3276 wrote to memory of 1216 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3276 wrote to memory of 1216 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Clients\MOBISPY_904137750387323\Apps\2020-15-10--08-29-17.html"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3276 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 52.242.101.226:443 | tcp | |
| IE | 13.69.239.73:443 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| US | 8.8.8.8:53 | 200.232.18.117.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 93.184.221.240:80 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230220-en
Max time kernel
59s
Max time network
79s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31034144" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 607cb474208bd901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1892994255" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b000000000200000000001066000000010000200000004791a47842881454383bf21afbd97768518c4849e838f27478c03b2be7d90f4c000000000e8000000002000020000000f92078b3e69531d2202f40e9340ac3032802544c62ed22d6f1c143c953c8ddac20000000c026a779cd14798b9f53f7744ec8be4cb760f77aa5db74517ad2eabd005457df40000000d4582a8e5ff39d9c2406ea3ee8b7ea6b0a025b55fdcc74c0c3030fe93b4a98869666a4511e96b5f29de894872bdaacfbfec0da409650516c4bb4bb10e694d0a0 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31034144" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b00000000020000000000106600000001000020000000ed3d274c4f4fc0e4480033658705c65de9f0a5fda611e7f2fc80702bb766d03a000000000e8000000002000020000000d5e0753cec09e10a4abc8aec3df9fd9829ac613b6d3370371690a0192f14a5432000000045aed0c677b99d1bf5f7a025cf8d94562e4047d1f0c3709601001e29c0b268f84000000000883ede6b531001cf19f0bb12132af75d079d6c7770908d60c06439b1452cb517ce85bdc7a77b63dc4ed7240e3e798ca583d1c72905592a9bf10b82d0ff94c0 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31034144" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1943619924" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9AAB0373-F713-11ED-8FFF-42C2EBB090FB} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1892994255" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3000ca74208bd901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4076 wrote to memory of 2884 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4076 wrote to memory of 2884 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4076 wrote to memory of 2884 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Clients\MOBISPY_904137750387323\LocationManager\2020-15-10--08-28-57.html"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4076 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| NL | 8.253.208.120:80 | tcp | |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| GB | 51.105.71.136:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| NL | 8.253.208.120:80 | tcp | |
| US | 8.8.8.8:53 | 200.232.18.117.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 4ace9525f8c20d9b288ca64d79205b47 |
| SHA1 | 5cc5dbd63eed0ea6735092f4909b9b1bdd7e7be6 |
| SHA256 | 0b7a087246583d776c31c07bd387f63baabb261a4fae9bd83b4ec8d545b4b2e5 |
| SHA512 | 0d9985a0f11d6b0184118d7ca5f03bcb0f5f9647bcd30317ed45b24c22bec82010014a92b1b3b32ce7c79eaaaaa425c3abd333889381b25a226b0648d1ece56c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | bf64c0b834a47ac68c1947954b031976 |
| SHA1 | 0eadfe23070e9320c216b8947404c84c71fa5ee5 |
| SHA256 | 39d2074c916d1f3dd89705a2973bbc187f39443f310bbe75f9a8a6b3c759a527 |
| SHA512 | 685f6d039d9cb6ebbd3bd929bf0c68f9700ebf63a0969b1f66453f163debebf9df55a5c0df9685ae25ec7cd8a13f97aa439d6de24a9a35ae1d832618abf624f1 |
Analysis: behavioral9
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230220-en
Max time kernel
65s
Max time network
81s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\Payload\stub1.apk"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| NL | 13.69.109.130:443 | tcp | |
| US | 40.77.2.164:443 | tcp | |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230220-en
Max time kernel
58s
Max time network
79s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\T\sS.exe
"C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\T\sS.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 20.189.173.5:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| NL | 88.221.25.155:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| NL | 178.79.208.1:80 | tcp |
Files
memory/1380-133-0x000002B79F5C0000-0x000002B79F5CC000-memory.dmp
memory/1380-134-0x000002B79F9F0000-0x000002B79FA00000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230221-en
Max time kernel
56s
Max time network
74s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-heap-l1-1-0.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 20.189.173.3:443 | tcp | |
| NL | 87.248.202.1:80 | tcp | |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:40
Platform
win10v2004-20230220-en
Max time kernel
72s
Max time network
105s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\T\Removeold.exe
"C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\T\Removeold.exe"
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 20.189.173.6:443 | tcp | |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 40.125.122.176:443 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 40.125.122.176:443 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 209.197.3.8:80 | tcp |
Files
memory/1164-133-0x0000000000F20000-0x0000000000F2A000-memory.dmp
memory/1164-134-0x00000000058D0000-0x000000000596C000-memory.dmp
memory/1164-135-0x0000000005F20000-0x00000000064C4000-memory.dmp
memory/1164-136-0x0000000005A10000-0x0000000005AA2000-memory.dmp
memory/1164-137-0x0000000005A00000-0x0000000005A10000-memory.dmp
memory/1164-138-0x0000000005980000-0x000000000598A000-memory.dmp
memory/1164-139-0x0000000005C00000-0x0000000005C56000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230220-en
Max time kernel
55s
Max time network
94s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-debug-l1-1-0.dll",#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 208 -p 2348 -ip 2348
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2348 -s 328
Network
| Country | Destination | Domain | Proto |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 52.168.112.67:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | tcp | |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230220-en
Max time kernel
59s
Max time network
75s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-errorhandling-l1-1-0.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 52.242.101.226:443 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.150.43.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| US | 13.89.178.27:443 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.146.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.238.32.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230220-en
Max time kernel
61s
Max time network
80s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-file-l1-2-0.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| IE | 13.69.239.74:443 | tcp | |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| NL | 8.238.179.126:80 | tcp | |
| NL | 8.238.179.126:80 | tcp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:40
Platform
win10v2004-20230220-en
Max time kernel
61s
Max time network
109s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-file-l1-1-0.dll",#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 1492 -ip 1492
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1492 -s 328
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| IE | 20.50.73.11:443 | tcp | |
| US | 40.125.122.151:443 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.145.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| NL | 8.238.21.126:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 131.253.33.203:80 | tcp | |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230220-en
Max time kernel
63s
Max time network
80s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-file-l2-1-0.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 40.125.122.176:443 | tcp | |
| US | 20.42.73.26:443 | tcp | |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 93.184.221.240:80 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230220-en
Max time kernel
70s
Max time network
99s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-memory-l1-1-0.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.4.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 20.189.173.7:443 | tcp | |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 131.253.33.203:80 | tcp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:40
Platform
win10v2004-20230220-en
Max time kernel
62s
Max time network
108s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\bin\MobiSpy-cleaned-Cleaned.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\bin\MobiSpy-cleaned-Cleaned.exe
"C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\bin\MobiSpy-cleaned-Cleaned.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1964 -ip 1964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 772
Network
| Country | Destination | Domain | Proto |
| IE | 20.50.80.210:443 | tcp | |
| NL | 8.238.179.126:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| NL | 8.238.179.126:80 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
Files
memory/1964-133-0x0000000000420000-0x00000000007EC000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230221-en
Max time kernel
50s
Max time network
74s
Command Line
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\MobiSpy-cracked.exe
"C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\MobiSpy-cracked.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x310 0x384
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| US | 52.182.143.210:443 | tcp | |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| NL | 173.223.113.164:443 | tcp |
Files
memory/4512-133-0x0000000000A60000-0x0000000000E54000-memory.dmp
memory/4512-134-0x00000000059D0000-0x0000000005A6C000-memory.dmp
memory/4512-135-0x0000000006020000-0x00000000065C4000-memory.dmp
memory/4512-136-0x0000000005A70000-0x0000000005B02000-memory.dmp
memory/4512-137-0x0000000003340000-0x0000000003350000-memory.dmp
memory/4512-138-0x0000000005980000-0x000000000598A000-memory.dmp
memory/4512-139-0x0000000005C60000-0x0000000005CB6000-memory.dmp
memory/4512-140-0x0000000003340000-0x0000000003350000-memory.dmp
memory/4512-141-0x0000000003340000-0x0000000003350000-memory.dmp
memory/4512-142-0x0000000003340000-0x0000000003350000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:40
Platform
win10v2004-20230220-en
Max time kernel
84s
Max time network
107s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\Gsm\GSM.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| NL | 8.238.21.126:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| NL | 8.238.21.126:80 | tcp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230221-en
Max time kernel
46s
Max time network
66s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0db5a37318bd901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31034161" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 705f7037318bd901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31034161" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051d6db365ce0f843a8e6cfaf226c4d2b000000000200000000001066000000010000200000003262b6ba2df98f81ea2aeb5d9113d87cebf534068417d4b4993fa369606e41e1000000000e8000000002000020000000920e1560b343d438087b9f6f0f26abac0dd28c363a2653a96436e23434f9877d200000002596d7c97fae380a58cf69d20c4c76dbeb8280755d1c2fcc04203625de7003674000000093f0d8826c095a504f6640bbd111d9b5b7b01db12bcc6de5b9da425e4055aa6cd66af3de97a4a55623261e205d0c6902af6cbd51f8dda856c88a9139257944ad | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "894644775" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051d6db365ce0f843a8e6cfaf226c4d2b00000000020000000000106600000001000020000000f6fdef208df437bf37e711761996e3e1a861c8cd96e0e862f86380621cb55895000000000e8000000002000020000000e88cb8fc8e319c931fe2acbac0d611dd58b162d92e244b4aa105f589275fe10b2000000031547d826c78568ff5cba5c08edc155a846f96dd37f706f5eb8d65b4a704b191400000004a67f664783033ffe9515743a9bf1e5ef570312ebeba405772418f2107481225fd3ad890ed955cb94049d6e736f4f85e0bbd425c031823757b5af315f8b29c47 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5EDCE5CE-F724-11ED-8227-7ED0DEFFEB6E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "894491006" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4616 wrote to memory of 1072 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4616 wrote to memory of 1072 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4616 wrote to memory of 1072 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\Welcome.html"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4616 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| NL | 173.223.113.131:80 | www.microsoft.com | tcp |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 173.223.113.131:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| IE | 20.234.34.18:443 | tcp | |
| IE | 20.234.34.18:443 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.94.239.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| FR | 20.40.136.238:443 | tcp | |
| US | 8.8.8.8:53 | 50.4.107.13.in-addr.arpa | udp |
| US | 52.182.143.210:443 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 200.232.18.117.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp |
| FR | 20.40.136.238:443 | tcp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 4ace9525f8c20d9b288ca64d79205b47 |
| SHA1 | 5cc5dbd63eed0ea6735092f4909b9b1bdd7e7be6 |
| SHA256 | 0b7a087246583d776c31c07bd387f63baabb261a4fae9bd83b4ec8d545b4b2e5 |
| SHA512 | 0d9985a0f11d6b0184118d7ca5f03bcb0f5f9647bcd30317ed45b24c22bec82010014a92b1b3b32ce7c79eaaaaa425c3abd333889381b25a226b0648d1ece56c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 565006695e39644210aec1df4089a31e |
| SHA1 | dbc1bfe38633fdb900f5e11e985e7384973a6380 |
| SHA256 | 26e41c8657434c52fb33ae5187b17ef0d05efebb6307957d0611d31d39a5e568 |
| SHA512 | d0de3213789e9e77b4f1a4e260bb5d3eb8aeeee21e8d49a3bb6cf387ee9d992df7faaeec7be0f85d3eb51cc85ec8ea92e35cfff107177fd5852cffdc7bf1d4ad |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver2A8A.tmp
| MD5 | 1a545d0052b581fbb2ab4c52133846bc |
| SHA1 | 62f3266a9b9925cd6d98658b92adec673cbe3dd3 |
| SHA256 | 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1 |
| SHA512 | bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d |
Analysis: behavioral15
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230220-en
Max time kernel
62s
Max time network
79s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-datetime-l1-1-0.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| US | 20.189.173.4:443 | tcp | |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230220-en
Max time kernel
67s
Max time network
80s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-libraryloader-l1-1-0.dll",#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 552 -ip 552
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 552 -s 328
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| NL | 173.223.113.164:443 | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:40
Platform
win10v2004-20230220-en
Max time kernel
81s
Max time network
103s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\Payload\SL.exe
"C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\Payload\SL.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.4.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 52.168.117.169:443 | tcp | |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.121.24.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.238.32.23.in-addr.arpa | udp |
| US | 8.247.210.254:80 | tcp | |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| US | 8.247.210.254:80 | tcp | |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 8.8.8.8:53 | 222.79.74.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.94.239.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.238.32.23.in-addr.arpa | udp |
Files
memory/1004-133-0x0000000000850000-0x00000000008B8000-memory.dmp
memory/1004-134-0x0000000005290000-0x000000000532C000-memory.dmp
memory/1004-135-0x00000000058E0000-0x0000000005E84000-memory.dmp
memory/1004-136-0x0000000005330000-0x00000000053C2000-memory.dmp
memory/1004-137-0x0000000005270000-0x000000000527A000-memory.dmp
memory/1004-138-0x0000000005490000-0x00000000054E6000-memory.dmp
memory/1004-139-0x0000000005540000-0x0000000005550000-memory.dmp
memory/1004-140-0x0000000005540000-0x0000000005550000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2023-05-20 13:30
Reported
2023-05-20 13:39
Platform
win10v2004-20230220-en
Max time kernel
58s
Max time network
94s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\bin\ConfuserEx-Unpacker.exe
"C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\bin\ConfuserEx-Unpacker.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 164.113.223.173.in-addr.arpa | udp |
| IE | 20.190.159.4:443 | tcp | |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 13.89.178.27:443 | tcp | |
| US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp |
Files
memory/3792-133-0x0000000000CC0000-0x0000000000CD2000-memory.dmp
memory/3792-134-0x0000000003160000-0x000000000318C000-memory.dmp
memory/3792-135-0x00000000057C0000-0x00000000058DC000-memory.dmp
memory/3792-136-0x0000000003190000-0x00000000031AC000-memory.dmp
memory/3792-137-0x00000000056A0000-0x0000000005732000-memory.dmp
memory/3792-138-0x0000000005A60000-0x0000000005A70000-memory.dmp
memory/3792-139-0x0000000005A60000-0x0000000005A70000-memory.dmp