Malware Analysis Report

2025-01-23 12:35

Sample ID 230520-qr9pgace26
Target MobiSpy Rat.zip
SHA256 a14e69b94a83cbdd197a8db6edde456154647535f52dc90432f5c41dec5b1500
Tags
agilenet spynote
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a14e69b94a83cbdd197a8db6edde456154647535f52dc90432f5c41dec5b1500

Threat Level: Known bad

The file MobiSpy Rat.zip was found to be: Known bad.

Malicious Activity Summary

agilenet spynote

Spynote family

Spynote payload

Requests dangerous framework permissions

Obfuscated with Agile.Net obfuscator

Program crash

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-20 13:31

Signatures

Spynote family

spynote

Spynote payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write (but not read) the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230220-en

Max time kernel

62s

Max time network

93s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Clients\MOBISPY_904137750387323\Settings\2020-15-10--08-29-36.html"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b02c0c43318bd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31034161" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1132376955" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31034161" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000675316f82fdac74aa8f3bd7995064a97000000000200000000001066000000010000200000006922c3ee12e239cfbc1c2aae5b04a163ddd89ee54cbf0e8826952a7702cc6595000000000e8000000002000020000000e0bb4175847490e48330e130978c88fe1fb3900fb9cd140fdb773bb2a18e3ec5200000000fe0ca918b60246b8e1266d582a490dac9b593d75561a693041796db3deca11c400000009733aac53385ddffc4aa3eecaf302ef65c7b4dc9d88091c0da6184b7e32eef342560390b2a367626db42e888d65537185ff3dfca5a78449ffdfbcb01dcc87b15 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000675316f82fdac74aa8f3bd7995064a9700000000020000000000106600000001000020000000788b8f1820bd72f4af71780927d54ae176d976646d26eaa16750b36877e2876c000000000e80000000020000200000003076c821d5ebaf2302db0a8b35acebf6c818e98c339681ec80f4478383d67098200000007e000a420683bf990040077ecc0df509d7f53145b1de263c0eeeeb85f8262af740000000653403268bcf137ec55783514f3070e725692b4d24a67de31753738bc8ea5d1b513cbef089b6fe22bc4a8a37f5ceb07c53d4e9fc8a80134189e2be442dc66e7e C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1132376955" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 207ea943318bd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{67F2E65B-F724-11ED-ABF7-6E9A6C474791} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Clients\MOBISPY_904137750387323\Settings\2020-15-10--08-29-36.html"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4620 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
BE 8.238.110.126:80 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 36.146.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
NL 20.50.201.195:443 tcp
BE 8.238.110.126:80 tcp
BE 8.238.110.126:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 200.232.18.117.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 52.152.110.14:443 tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 4ace9525f8c20d9b288ca64d79205b47
SHA1 5cc5dbd63eed0ea6735092f4909b9b1bdd7e7be6
SHA256 0b7a087246583d776c31c07bd387f63baabb261a4fae9bd83b4ec8d545b4b2e5
SHA512 0d9985a0f11d6b0184118d7ca5f03bcb0f5f9647bcd30317ed45b24c22bec82010014a92b1b3b32ce7c79eaaaaa425c3abd333889381b25a226b0648d1ece56c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 4aaaec5984d993ff8e1272eab38fd36d
SHA1 63941932988c6caeb02b52533978e193cb71363f
SHA256 2293e037bf94af0b6ec61e0c9ae28553443ede6232f39a0acbc8262671acef51
SHA512 84199ccc0332f02bbae003a057531f5c56b4f65f9f61ff18595bc6ff01ec86b2130f027dcfdf9a4597dcc0b6bfccdee32beec1b2702b8528b8412e4b597c7f9e

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver8414.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Analysis: behavioral21

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230220-en

Max time kernel

77s

Max time network

99s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-handle-l1-1-0.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-handle-l1-1-0.dll",#1

Network

Country Destination Domain Proto
US 40.125.122.151:443 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
NL 20.50.201.200:443 tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 117.18.237.29:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230220-en

Max time kernel

64s

Max time network

78s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-localization-l1-2-0.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-localization-l1-2-0.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 52.152.110.14:443 tcp
IE 13.69.239.74:443 tcp
US 8.8.8.8:53 14.103.197.20.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 8.248.5.254:80 tcp
US 8.248.5.254:80 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 8.248.5.254:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 52.152.110.14:443 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230220-en

Max time kernel

57s

Max time network

78s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Clients\MOBISPY_904137750387323\Apps\2020-15-10--08-29-10.html"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31034161" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1019513335" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1006698605" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31034161" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31034161" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{67609E36-F724-11ED-B7D7-4221DB3A75C8} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1006544882" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Clients\MOBISPY_904137750387323\Apps\2020-15-10--08-29-10.html"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3028 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 52.152.108.96:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
FR 40.79.141.154:443 tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 200.232.18.117.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 d033ab1924deff6e331c82fed9d70aa3
SHA1 5495601d9cf3f7cf76c2997ba597cbd51f48ed1c
SHA256 bf56e55db9250d8d3704753646ad18794b8edab813748a5652e06a04db739705
SHA512 1f82df71ca70245d8a1a95f3f2116170b52d846dfb081bf52aef36cd3625b5aa81e62912928136bbcb96e14f9406b32b7bce1e6d163aa24fce261f28256fa8e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 4ace9525f8c20d9b288ca64d79205b47
SHA1 5cc5dbd63eed0ea6735092f4909b9b1bdd7e7be6
SHA256 0b7a087246583d776c31c07bd387f63baabb261a4fae9bd83b4ec8d545b4b2e5
SHA512 0d9985a0f11d6b0184118d7ca5f03bcb0f5f9647bcd30317ed45b24c22bec82010014a92b1b3b32ce7c79eaaaaa425c3abd333889381b25a226b0648d1ece56c

Analysis: behavioral10

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230220-en

Max time kernel

62s

Max time network

82s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\PlayerJava\PlayerJava.jar"

Signatures

N/A

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\PlayerJava\PlayerJava.jar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 160.145.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 20.189.173.2:443 tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 13.107.4.50:80 tcp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 40.125.122.176:443 tcp

Files

memory/4476-144-0x0000000001420000-0x0000000001421000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230220-en

Max time kernel

64s

Max time network

81s

Command Line

"C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe" "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\lib\deploy\messages.jnlp"

Signatures

N/A

Processes

C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe" "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\lib\deploy\messages.jnlp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.103.197.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 52.242.101.226:443 tcp
FR 51.11.192.49:443 tcp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 209.197.3.8:80 tcp
US 52.242.101.226:443 tcp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230220-en

Max time kernel

62s

Max time network

86s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\lib\javaws.jar"

Signatures

N/A

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\lib\javaws.jar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 20.189.173.3:443 tcp
US 52.242.101.226:443 tcp
US 93.184.220.29:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 14.103.197.20.in-addr.arpa udp
US 52.242.101.226:443 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 93.184.221.240:80 tcp
US 52.242.101.226:443 tcp

Files

memory/2764-143-0x00000000026B0000-0x00000000026B1000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230221-en

Max time kernel

64s

Max time network

80s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\Payload\stub.apk"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\Payload\stub.apk"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 37.146.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.189.173.3:443 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
US 40.125.122.176:443 tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230220-en

Max time kernel

62s

Max time network

82s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\JAWTAccessBridge-64.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\JAWTAccessBridge-64.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
IE 13.69.239.73:443 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 254.143.241.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 84.150.43.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
NL 8.238.20.126:80 tcp
NL 8.238.20.126:80 tcp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230220-en

Max time kernel

75s

Max time network

89s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-interlocked-l1-1-0.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-interlocked-l1-1-0.dll",#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 468 -p 4448 -ip 4448

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4448 -s 328

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 209.197.3.8:80 tcp
GB 51.104.15.252:443 tcp
US 52.242.101.226:443 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230220-en

Max time kernel

72s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\bin\MobiSpy-cleaned.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\bin\MobiSpy-cleaned.exe

"C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\bin\MobiSpy-cleaned.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1572 -ip 1572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 880

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 20.189.173.6:443 tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
NL 84.53.175.11:80 tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp

Files

memory/1572-133-0x0000000000C90000-0x0000000000F0A000-memory.dmp

memory/1572-134-0x0000000008160000-0x00000000081FC000-memory.dmp

memory/1572-135-0x00000000087B0000-0x0000000008D54000-memory.dmp

memory/1572-136-0x00000000082A0000-0x0000000008332000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230220-en

Max time kernel

55s

Max time network

73s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\lib\charsets.jar"

Signatures

N/A

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\lib\charsets.jar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 160.145.190.20.in-addr.arpa udp
US 20.189.173.13:443 tcp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 134.17.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp

Files

memory/2844-143-0x0000000000A00000-0x0000000000A01000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:40

Platform

win10v2004-20230220-en

Max time kernel

85s

Max time network

101s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Clients\MOBISPY_904137750387323\Apps\2020-15-10--08-29-17.html"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006b1b24209a5b3c4ab603530fd8f378dc00000000020000000000106600000001000020000000db7a5e1783ade2a59923dd3c3c76e5b831bc03987748dc903e202ec1b2547e13000000000e8000000002000020000000dd314ed986230d1320ba43acde4d965b3bc2a3a140a19435f1ffbda774a3ebab20000000fef5b1af67b0044abd0acc1d79d927aa549ba73d15ff85821c9e35d49fb0ea7b40000000b8b25ded829cbca9c9a5dc9db15d79b7de7f674b65b7acabe126dfad8a3ef5387e99c184fedafdae35f2c19ca5b9049064af42652fc63b3a6b85fc54b19c338d C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0f24b4a318bd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31034161" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1382593465" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1382593465" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006b1b24209a5b3c4ab603530fd8f378dc0000000002000000000010660000000100002000000067a02cdc0ca65a16818577aa7f0cab936ac506c172710f414835ce2acdac17d2000000000e800000000200002000000084ed948c7321be1678d5d2faaacb0dcbff89f845de0373c89f19b55b946cb14520000000b237abae7b71566e7d13e6da4ae5bfd9ac49333079602a037d148c2ae8e3bfd54000000099ba0a08f778fa5954652e37b88a459d4db0becc17d329ac6d8a4e38393fe01fc21b45876d7bb974a1d347688b5e1c90b8239aa22ca19a3cf1f79df93e54478a C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31034161" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6F1D43BB-F724-11ED-9156-EEF7611730E8} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3025c449318bd901 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Clients\MOBISPY_904137750387323\Apps\2020-15-10--08-29-17.html"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3276 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 52.242.101.226:443 tcp
IE 13.69.239.73:443 tcp
US 93.184.220.29:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 200.232.18.117.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230220-en

Max time kernel

59s

Max time network

79s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Clients\MOBISPY_904137750387323\LocationManager\2020-15-10--08-28-57.html"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31034144" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 607cb474208bd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1892994255" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b000000000200000000001066000000010000200000004791a47842881454383bf21afbd97768518c4849e838f27478c03b2be7d90f4c000000000e8000000002000020000000f92078b3e69531d2202f40e9340ac3032802544c62ed22d6f1c143c953c8ddac20000000c026a779cd14798b9f53f7744ec8be4cb760f77aa5db74517ad2eabd005457df40000000d4582a8e5ff39d9c2406ea3ee8b7ea6b0a025b55fdcc74c0c3030fe93b4a98869666a4511e96b5f29de894872bdaacfbfec0da409650516c4bb4bb10e694d0a0 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31034144" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b00000000020000000000106600000001000020000000ed3d274c4f4fc0e4480033658705c65de9f0a5fda611e7f2fc80702bb766d03a000000000e8000000002000020000000d5e0753cec09e10a4abc8aec3df9fd9829ac613b6d3370371690a0192f14a5432000000045aed0c677b99d1bf5f7a025cf8d94562e4047d1f0c3709601001e29c0b268f84000000000883ede6b531001cf19f0bb12132af75d079d6c7770908d60c06439b1452cb517ce85bdc7a77b63dc4ed7240e3e798ca583d1c72905592a9bf10b82d0ff94c0 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31034144" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1943619924" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9AAB0373-F713-11ED-8FFF-42C2EBB090FB} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1892994255" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3000ca74208bd901 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Clients\MOBISPY_904137750387323\LocationManager\2020-15-10--08-28-57.html"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4076 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
NL 8.253.208.120:80 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
GB 51.105.71.136:443 tcp
US 52.242.101.226:443 tcp
NL 8.253.208.120:80 tcp
US 8.8.8.8:53 200.232.18.117.in-addr.arpa udp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
NL 173.223.113.164:443 tcp
US 52.242.101.226:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 4ace9525f8c20d9b288ca64d79205b47
SHA1 5cc5dbd63eed0ea6735092f4909b9b1bdd7e7be6
SHA256 0b7a087246583d776c31c07bd387f63baabb261a4fae9bd83b4ec8d545b4b2e5
SHA512 0d9985a0f11d6b0184118d7ca5f03bcb0f5f9647bcd30317ed45b24c22bec82010014a92b1b3b32ce7c79eaaaaa425c3abd333889381b25a226b0648d1ece56c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 bf64c0b834a47ac68c1947954b031976
SHA1 0eadfe23070e9320c216b8947404c84c71fa5ee5
SHA256 39d2074c916d1f3dd89705a2973bbc187f39443f310bbe75f9a8a6b3c759a527
SHA512 685f6d039d9cb6ebbd3bd929bf0c68f9700ebf63a0969b1f66453f163debebf9df55a5c0df9685ae25ec7cd8a13f97aa439d6de24a9a35ae1d832618abf624f1

Analysis: behavioral9

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230220-en

Max time kernel

65s

Max time network

81s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\Payload\stub1.apk"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\Payload\stub1.apk"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.103.197.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
NL 13.69.109.130:443 tcp
US 40.77.2.164:443 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
NL 173.223.113.164:443 tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230220-en

Max time kernel

58s

Max time network

79s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\T\sS.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\T\sS.exe

"C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\T\sS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 20.189.173.5:443 tcp
US 52.242.101.226:443 tcp
NL 88.221.25.155:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 52.242.101.226:443 tcp
NL 178.79.208.1:80 tcp

Files

memory/1380-133-0x000002B79F5C0000-0x000002B79F5CC000-memory.dmp

memory/1380-134-0x000002B79F9F0000-0x000002B79FA00000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230221-en

Max time kernel

56s

Max time network

74s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-heap-l1-1-0.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-heap-l1-1-0.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 20.189.173.3:443 tcp
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
NL 173.223.113.164:443 tcp
US 52.152.110.14:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:40

Platform

win10v2004-20230220-en

Max time kernel

72s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\T\Removeold.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\T\Removeold.exe

"C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\T\Removeold.exe"

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 20.189.173.6:443 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 40.125.122.176:443 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 40.125.122.176:443 tcp
US 209.197.3.8:80 tcp
US 40.125.122.176:443 tcp
US 209.197.3.8:80 tcp

Files

memory/1164-133-0x0000000000F20000-0x0000000000F2A000-memory.dmp

memory/1164-134-0x00000000058D0000-0x000000000596C000-memory.dmp

memory/1164-135-0x0000000005F20000-0x00000000064C4000-memory.dmp

memory/1164-136-0x0000000005A10000-0x0000000005AA2000-memory.dmp

memory/1164-137-0x0000000005A00000-0x0000000005A10000-memory.dmp

memory/1164-138-0x0000000005980000-0x000000000598A000-memory.dmp

memory/1164-139-0x0000000005C00000-0x0000000005C56000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230220-en

Max time kernel

55s

Max time network

94s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-debug-l1-1-0.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-debug-l1-1-0.dll",#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 208 -p 2348 -ip 2348

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2348 -s 328

Network

Country Destination Domain Proto
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 52.168.112.67:443 tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 173.223.113.164:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230220-en

Max time kernel

59s

Max time network

75s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-errorhandling-l1-1-0.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-errorhandling-l1-1-0.dll",#1

Network

Country Destination Domain Proto
US 52.242.101.226:443 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 84.150.43.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 13.89.178.27:443 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 39.146.190.20.in-addr.arpa udp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 139.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230220-en

Max time kernel

61s

Max time network

80s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-file-l1-2-0.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-file-l1-2-0.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
IE 13.69.239.74:443 tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
NL 8.238.179.126:80 tcp
NL 8.238.179.126:80 tcp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:40

Platform

win10v2004-20230220-en

Max time kernel

61s

Max time network

109s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-file-l1-1-0.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-file-l1-1-0.dll",#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 456 -p 1492 -ip 1492

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1492 -s 328

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
IE 20.50.73.11:443 tcp
US 40.125.122.151:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 160.145.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
NL 8.238.21.126:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230220-en

Max time kernel

63s

Max time network

80s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-file-l2-1-0.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-file-l2-1-0.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 40.125.122.176:443 tcp
US 20.42.73.26:443 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 40.125.122.176:443 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230220-en

Max time kernel

70s

Max time network

99s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-memory-l1-1-0.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-memory-l1-1-0.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 50.4.107.13.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 20.189.173.7:443 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:40

Platform

win10v2004-20230220-en

Max time kernel

62s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\bin\MobiSpy-cleaned-Cleaned.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\bin\MobiSpy-cleaned-Cleaned.exe

"C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\bin\MobiSpy-cleaned-Cleaned.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1964 -ip 1964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 772

Network

Country Destination Domain Proto
IE 20.50.80.210:443 tcp
NL 8.238.179.126:80 tcp
NL 173.223.113.164:443 tcp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 8.238.179.126:80 tcp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp

Files

memory/1964-133-0x0000000000420000-0x00000000007EC000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230221-en

Max time kernel

50s

Max time network

74s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\MobiSpy-cracked.exe"

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\MobiSpy-cracked.exe

"C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\MobiSpy-cracked.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x310 0x384

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 52.182.143.210:443 tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
US 52.242.101.226:443 tcp
NL 173.223.113.164:443 tcp

Files

memory/4512-133-0x0000000000A60000-0x0000000000E54000-memory.dmp

memory/4512-134-0x00000000059D0000-0x0000000005A6C000-memory.dmp

memory/4512-135-0x0000000006020000-0x00000000065C4000-memory.dmp

memory/4512-136-0x0000000005A70000-0x0000000005B02000-memory.dmp

memory/4512-137-0x0000000003340000-0x0000000003350000-memory.dmp

memory/4512-138-0x0000000005980000-0x000000000598A000-memory.dmp

memory/4512-139-0x0000000005C60000-0x0000000005CB6000-memory.dmp

memory/4512-140-0x0000000003340000-0x0000000003350000-memory.dmp

memory/4512-141-0x0000000003340000-0x0000000003350000-memory.dmp

memory/4512-142-0x0000000003340000-0x0000000003350000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:40

Platform

win10v2004-20230220-en

Max time kernel

84s

Max time network

107s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\Gsm\GSM.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\Gsm\GSM.dll",#1

Network

Country Destination Domain Proto
US 52.152.110.14:443 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
NL 8.238.21.126:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
NL 8.238.21.126:80 tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230221-en

Max time kernel

46s

Max time network

66s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\Welcome.html"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0db5a37318bd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31034161" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 705f7037318bd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31034161" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051d6db365ce0f843a8e6cfaf226c4d2b000000000200000000001066000000010000200000003262b6ba2df98f81ea2aeb5d9113d87cebf534068417d4b4993fa369606e41e1000000000e8000000002000020000000920e1560b343d438087b9f6f0f26abac0dd28c363a2653a96436e23434f9877d200000002596d7c97fae380a58cf69d20c4c76dbeb8280755d1c2fcc04203625de7003674000000093f0d8826c095a504f6640bbd111d9b5b7b01db12bcc6de5b9da425e4055aa6cd66af3de97a4a55623261e205d0c6902af6cbd51f8dda856c88a9139257944ad C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "894644775" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051d6db365ce0f843a8e6cfaf226c4d2b00000000020000000000106600000001000020000000f6fdef208df437bf37e711761996e3e1a861c8cd96e0e862f86380621cb55895000000000e8000000002000020000000e88cb8fc8e319c931fe2acbac0d611dd58b162d92e244b4aa105f589275fe10b2000000031547d826c78568ff5cba5c08edc155a846f96dd37f706f5eb8d65b4a704b191400000004a67f664783033ffe9515743a9bf1e5ef570312ebeba405772418f2107481225fd3ad890ed955cb94049d6e736f4f85e0bbd425c031823757b5af315f8b29c47 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5EDCE5CE-F724-11ED-8227-7ED0DEFFEB6E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "894491006" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\Welcome.html"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4616 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
NL 173.223.113.131:80 www.microsoft.com tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 173.223.113.131:80 www.microsoft.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
IE 20.234.34.18:443 tcp
IE 20.234.34.18:443 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 191.94.239.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
FR 20.40.136.238:443 tcp
US 8.8.8.8:53 50.4.107.13.in-addr.arpa udp
US 52.182.143.210:443 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 200.232.18.117.in-addr.arpa udp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
FR 20.40.136.238:443 tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 4ace9525f8c20d9b288ca64d79205b47
SHA1 5cc5dbd63eed0ea6735092f4909b9b1bdd7e7be6
SHA256 0b7a087246583d776c31c07bd387f63baabb261a4fae9bd83b4ec8d545b4b2e5
SHA512 0d9985a0f11d6b0184118d7ca5f03bcb0f5f9647bcd30317ed45b24c22bec82010014a92b1b3b32ce7c79eaaaaa425c3abd333889381b25a226b0648d1ece56c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 565006695e39644210aec1df4089a31e
SHA1 dbc1bfe38633fdb900f5e11e985e7384973a6380
SHA256 26e41c8657434c52fb33ae5187b17ef0d05efebb6307957d0611d31d39a5e568
SHA512 d0de3213789e9e77b4f1a4e260bb5d3eb8aeeee21e8d49a3bb6cf387ee9d992df7faaeec7be0f85d3eb51cc85ec8ea92e35cfff107177fd5852cffdc7bf1d4ad

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver2A8A.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Analysis: behavioral15

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230220-en

Max time kernel

62s

Max time network

79s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-datetime-l1-1-0.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-datetime-l1-1-0.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 20.189.173.4:443 tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 14.103.197.20.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230220-en

Max time kernel

67s

Max time network

80s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-libraryloader-l1-1-0.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\java\bin\api-ms-win-core-libraryloader-l1-1-0.dll",#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 456 -p 552 -ip 552

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 552 -s 328

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:40

Platform

win10v2004-20230220-en

Max time kernel

81s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\Payload\SL.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\Payload\SL.exe

"C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\Resources\Imports\Payload\SL.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 50.4.107.13.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 52.168.117.169:443 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 134.121.24.20.in-addr.arpa udp
US 8.8.8.8:53 97.238.32.23.in-addr.arpa udp
US 8.247.210.254:80 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
US 8.247.210.254:80 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 222.79.74.40.in-addr.arpa udp
US 8.8.8.8:53 191.94.239.20.in-addr.arpa udp
US 8.8.8.8:53 113.238.32.23.in-addr.arpa udp

Files

memory/1004-133-0x0000000000850000-0x00000000008B8000-memory.dmp

memory/1004-134-0x0000000005290000-0x000000000532C000-memory.dmp

memory/1004-135-0x00000000058E0000-0x0000000005E84000-memory.dmp

memory/1004-136-0x0000000005330000-0x00000000053C2000-memory.dmp

memory/1004-137-0x0000000005270000-0x000000000527A000-memory.dmp

memory/1004-138-0x0000000005490000-0x00000000054E6000-memory.dmp

memory/1004-139-0x0000000005540000-0x0000000005550000-memory.dmp

memory/1004-140-0x0000000005540000-0x0000000005550000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2023-05-20 13:30

Reported

2023-05-20 13:39

Platform

win10v2004-20230220-en

Max time kernel

58s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\bin\ConfuserEx-Unpacker.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\bin\ConfuserEx-Unpacker.exe

"C:\Users\Admin\AppData\Local\Temp\MobiSpy Rat\bin\ConfuserEx-Unpacker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 164.113.223.173.in-addr.arpa udp
IE 20.190.159.4:443 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 13.89.178.27:443 tcp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 52.152.110.14:443 tcp

Files

memory/3792-133-0x0000000000CC0000-0x0000000000CD2000-memory.dmp

memory/3792-134-0x0000000003160000-0x000000000318C000-memory.dmp

memory/3792-135-0x00000000057C0000-0x00000000058DC000-memory.dmp

memory/3792-136-0x0000000003190000-0x00000000031AC000-memory.dmp

memory/3792-137-0x00000000056A0000-0x0000000005732000-memory.dmp

memory/3792-138-0x0000000005A60000-0x0000000005A70000-memory.dmp

memory/3792-139-0x0000000005A60000-0x0000000005A70000-memory.dmp