Analysis Overview
SHA256
bb7dead4d3da28e16ef45d0019cd42bbd3c4e3454c3042867e7f64aee2439912
Threat Level: Known bad
The file a0e87c4b9483fae95f6f57946023d3e7 was found to be: Known bad.
Malicious Activity Summary
NullMixer
Vidar
SmokeLoader
Vidar Stealer
ASPack v2.12-2.42
Loads dropped DLL
Executes dropped EXE
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Program crash
Runs ping.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-27 03:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-27 03:28
Reported
2024-01-07 13:34
Platform
win7-20231215-en
Max time kernel
0s
Max time network
149s
Command Line
Signatures
NullMixer
SmokeLoader
Vidar
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0e87c4b9483fae95f6f57946023d3e7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_3.exe |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a0e87c4b9483fae95f6f57946023d3e7.exe
"C:\Users\Admin\AppData\Local\Temp\a0e87c4b9483fae95f6f57946023d3e7.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_5.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_5.exe
sahiba_5.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Compatto.rtf
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_7.exe
sahiba_7.exe
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^jvMDwkwydQdmnxGPmMOjYlbIlopECWXOZojRKCmISYgoKPYfXOyLKoMeYraSevCxTCAdoOyWjyxqVfYxlTHNQkrRvpTHpGGccUgofIipJpnFNMuJyYIpPPDHnITYVnMGn$" Oggi.rtf
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com
Triste.exe.com n
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com n
C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_3.exe
sahiba_3.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_1.exe" -a
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 416
C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_8.exe
sahiba_8.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_6.exe
sahiba_6.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_4.exe
sahiba_4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_8.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_2.exe
sahiba_2.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_1.exe
sahiba_1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_1.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\setup_install.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 964
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | XvFGsHKHPpgkvS.XvFGsHKHPpgkvS | udp |
| US | 8.8.8.8:53 | pcfixmy-download-96.xyz | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.21.4.208:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 104.26.5.15:443 | db-ip.com | tcp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | shpak125.tumblr.com | udp |
| US | 74.114.154.18:443 | shpak125.tumblr.com | tcp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| US | 172.67.75.166:443 | api.db-ip.com | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 104.18.145.235:80 | www.maxmind.com | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| NL | 37.0.8.235:80 | | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 104.21.4.208:443 | iplogger.org | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | pplzy.pw | udp |
| US | 8.8.8.8:53 | eurekabike.com | udp |
| US | 8.8.8.8:53 | file.ekkggr3.com | udp |
| US | 8.8.8.8:53 | www.invch.com | udp |
| US | 8.8.8.8:53 | g-farlab.com | udp |
| UA | 194.145.227.159:80 | | tcp |
| RU | 193.56.146.36:80 | | tcp |
| US | 8.8.8.8:53 | crl.usertrust.com | udp |
| US | 104.18.38.233:80 | crl.usertrust.com | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| NL | 160.153.249.159:443 | eurekabike.com | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | conceitosseg.com | udp |
| US | 8.8.8.8:53 | integrasidata.com | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| SG | 172.104.187.4:80 | integrasidata.com | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | ozentekstil.com | udp |
| TR | 89.19.30.75:80 | ozentekstil.com | tcp |
| US | 8.8.8.8:53 | finbelportal.com | udp |
| US | 8.8.8.8:53 | telanganadigital.com | udp |
| US | 192.64.119.13:80 | telanganadigital.com | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| NL | 136.144.41.201:80 | | tcp |
| US | 8.8.8.8:53 | www.telanganadigital.com | udp |
| DE | 91.195.240.19:80 | www.telanganadigital.com | tcp |
| US | 3.20.137.44:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| NL | 212.193.30.115:80 | | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| NL | 212.193.30.115:80 | | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| NL | 212.193.30.115:80 | | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| NL | 212.193.30.115:80 | | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| NL | 212.193.30.115:80 | | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
Files
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | d772d6902200f5d4599a9b27d0d8f9e6 |
| SHA1 | 564eefb3fabe655b2fb51f492959b158cb20e12d |
| SHA256 | 7bf11639663306b53a7fe0e3826d12f03e1dda7b1fb3abaa758e3281d35f8e17 |
| SHA512 | 6682d79a013129aceba9cde75a82f0444a28d30bfbd1c4656d7e3774b469283027a780362657c908c991f9b5939db32792e6713a323667ab763a95b3f3e23d36 |
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 9b44481728f8fd6894874cf9171e81f1 |
| SHA1 | e36f10ea66dbf472629b73ed98595a850c9045a8 |
| SHA256 | d56b2405d390856b7641ad6777e8cfb7722757547e41407ecbd54ca32c047ada |
| SHA512 | cd6c7f72637c29c2da1292d45baf8438bb10429f6730e483e78da5f7572639f6018076081b709e0547c16571374385e7c13261bce5d2b92c6e864a38f816c7c5 |
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 1aa73f76e15a9a8c7255cb9611b4b2ca |
| SHA1 | 7718f384523ddb84ac52eead8c3b14f5f80aa6d6 |
| SHA256 | 4c97ce65c393e5c917cf8704d9b35e0e034a75e5a7baa8326c534a7bedba04fe |
| SHA512 | f582003e4af18edca96ce2e4b6fae9187c245586dc1782e2af1ec1ebffc4e222a5b11627270dc8c57102d6e489f3bacd299caaa2cfe3c05ec26583bbddef398d |
memory/2716-68-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2716-72-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2716-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2716-81-0x0000000000400000-0x000000000051E000-memory.dmp
memory/2716-85-0x0000000000400000-0x000000000051E000-memory.dmp
memory/1820-130-0x0000000000E60000-0x0000000000E68000-memory.dmp
memory/1984-132-0x0000000000C20000-0x0000000000C46000-memory.dmp
memory/1984-149-0x00000000002D0000-0x00000000002EE000-memory.dmp
memory/1820-150-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
memory/1984-151-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
memory/2896-159-0x00000000004E0000-0x00000000005E0000-memory.dmp
memory/1984-158-0x000000001AE10000-0x000000001AE90000-memory.dmp
memory/1436-157-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/1436-156-0x00000000021F0000-0x000000000228D000-memory.dmp
memory/1436-155-0x0000000000920000-0x0000000000A20000-memory.dmp
memory/1820-154-0x000000001B200000-0x000000001B280000-memory.dmp
memory/2896-153-0x0000000000400000-0x000000000046B000-memory.dmp
memory/2896-152-0x00000000002D0000-0x00000000002D9000-memory.dmp
memory/2716-88-0x0000000000400000-0x000000000051E000-memory.dmp
memory/2716-87-0x0000000000400000-0x000000000051E000-memory.dmp
memory/2716-86-0x0000000000400000-0x000000000051E000-memory.dmp
memory/2716-83-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2716-82-0x0000000000400000-0x000000000051E000-memory.dmp
memory/2716-80-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2716-79-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2716-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2716-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2716-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2716-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2716-70-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2716-69-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2716-63-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2716-61-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2716-58-0x0000000000400000-0x000000000051E000-memory.dmp
memory/2396-50-0x0000000002F40000-0x000000000305E000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC5997A26\setup_install.exe
| MD5 | 974260c778328260996faa74824f1cef |
| SHA1 | ed5aab39b5e9f3c3f70054d2bbbce74570a92c91 |
| SHA256 | a0e68d77cbc879c51b341c087507fdf4762a9a1071632f9cf6fd4f77ceae6262 |
| SHA512 | 065540d192593af6eb21eb43ce1d13309c8a11623be0843525294836b0227a74e443585eb0214a918cb1587309e1f8eaaa311227493e3d29f5920bc56e80cee8 |
\Users\Admin\AppData\Local\Temp\7zSC5997A26\setup_install.exe
| MD5 | 2374477610c8c4f47a83a5ba028abb59 |
| SHA1 | ac155fea47dfaa9f6e8a8e8f20c9b5442e0683b9 |
| SHA256 | 5fa7c251a656ab30e3814be14132bfa4a7320c405d6b632f24240b91e6ecb8ea |
| SHA512 | ee38567e57f7ada3117831ee416a2bc6395cf75032f0592ffe29db246a73d144b4c1419bb666d8e1950d0e0a79236dbc2c2e2109bca8d3f15496498934dea990 |
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 3fccbfccf160a096f24e2aec7ca8e815 |
| SHA1 | 3db913dfc6184f8f62b3053f6d2f55eb903bc7a0 |
| SHA256 | 9d8c7d28012ce58e8cc85c0763f45e05471fc69ca4a98955b7a70a3e0589a352 |
| SHA512 | 3e3557b5f65a24cda49031b66cf0cec4ed419d4301963f3f7f78755228e0efa3d75635e07ed23e33e071e16318ad95457823f65ff07df42726134233207f2823 |
memory/1184-238-0x0000000002610000-0x0000000002625000-memory.dmp
memory/2896-239-0x0000000000400000-0x000000000046B000-memory.dmp
memory/1436-301-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2716-300-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2716-299-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2716-298-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2716-297-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2716-296-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2716-295-0x0000000000400000-0x000000000051E000-memory.dmp
memory/2484-305-0x0000000000090000-0x0000000000098000-memory.dmp
memory/1984-334-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
memory/2484-341-0x0000000000090000-0x0000000000098000-memory.dmp
memory/2484-339-0x0000000000090000-0x0000000000098000-memory.dmp
memory/2484-336-0x0000000000090000-0x0000000000098000-memory.dmp
memory/2484-335-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1820-366-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
memory/1436-371-0x0000000000920000-0x0000000000A20000-memory.dmp
memory/1820-370-0x000000001B200000-0x000000001B280000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-27 03:28
Reported
2024-01-07 13:34
Platform
win10v2004-20231222-en
Max time kernel
0s
Max time network
152s
Command Line
Signatures
NullMixer
SmokeLoader
Vidar
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a0e87c4b9483fae95f6f57946023d3e7.exe
"C:\Users\Admin\AppData\Local\Temp\a0e87c4b9483fae95f6f57946023d3e7.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS472AE877\sahiba_7.exe
sahiba_7.exe
C:\Users\Admin\AppData\Local\Temp\7zS472AE877\sahiba_1.exe
sahiba_1.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1128 -ip 1128
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Compatto.rtf
C:\Users\Admin\AppData\Local\Temp\7zS472AE877\sahiba_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS472AE877\sahiba_1.exe" -a
C:\Users\Admin\AppData\Local\Temp\7zS472AE877\sahiba_8.exe
sahiba_8.exe
C:\Users\Admin\AppData\Local\Temp\7zS472AE877\sahiba_3.exe
sahiba_3.exe
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com n
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com
Triste.exe.com n
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^jvMDwkwydQdmnxGPmMOjYlbIlopECWXOZojRKCmISYgoKPYfXOyLKoMeYraSevCxTCAdoOyWjyxqVfYxlTHNQkrRvpTHpGGccUgofIipJpnFNMuJyYIpPPDHnITYVnMGn$" Oggi.rtf
C:\Users\Admin\AppData\Local\Temp\7zS472AE877\sahiba_5.exe
sahiba_5.exe
C:\Users\Admin\AppData\Local\Temp\7zS472AE877\sahiba_6.exe
sahiba_6.exe
C:\Users\Admin\AppData\Local\Temp\7zS472AE877\sahiba_4.exe
sahiba_4.exe
C:\Users\Admin\AppData\Local\Temp\7zS472AE877\sahiba_2.exe
sahiba_2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_1.exe
C:\Users\Admin\AppData\Local\Temp\7zS472AE877\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS472AE877\setup_install.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | pcfixmy-download-96.xyz | udp |
| NL | 37.0.8.235:80 | | tcp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | XvFGsHKHPpgkvS.XvFGsHKHPpgkvS | udp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.96.141.3.in-addr.arpa | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | shpak125.tumblr.com | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 74.114.154.18:443 | shpak125.tumblr.com | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 104.21.4.208:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.4.21.104.in-addr.arpa | udp |
| US | 104.21.4.208:443 | iplogger.org | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 3.20.137.44:443 | live.goatgame.live | tcp |
| US | 3.20.137.44:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | 44.137.20.3.in-addr.arpa | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| GB | 96.17.178.209:80 | | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 305c00c540e5c010533765562d65c13e |
| SHA1 | aacc016e7852e78e73a26cc19e6aca30b4a1161a |
| SHA256 | bf1a789cc4befb3927cf39258e6111b2bbb8720b8e8d811daefdcd6a45500b4a |
| SHA512 | b1b86d6d8d62f8f7a9c12902da86ba54a651094360101810f6fb68937531caed8ac09973462cc9f20f0381da1b634049fb6ca0f6c5b74b57fae2c74bece7867a |
memory/1128-46-0x0000000000400000-0x000000000051E000-memory.dmp
memory/1128-61-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1128-65-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1128-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1128-73-0x0000000000400000-0x000000000051E000-memory.dmp
memory/1128-77-0x0000000000400000-0x000000000051E000-memory.dmp
memory/3188-95-0x00007FFB0CD10000-0x00007FFB0D7D1000-memory.dmp
memory/1252-109-0x0000000002C00000-0x0000000002C1E000-memory.dmp
memory/1252-110-0x000000001BA00000-0x000000001BA10000-memory.dmp
memory/3188-107-0x0000000002CD0000-0x0000000002CE0000-memory.dmp
memory/1252-105-0x00007FFB0CD10000-0x00007FFB0D7D1000-memory.dmp
memory/1252-96-0x0000000000C70000-0x0000000000C96000-memory.dmp
memory/3188-90-0x0000000000C50000-0x0000000000C58000-memory.dmp
memory/1128-117-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1128-119-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1128-127-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3980-128-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/1968-126-0x0000000000400000-0x000000000046B000-memory.dmp
memory/1128-125-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/1968-121-0x0000000000590000-0x0000000000599000-memory.dmp
memory/1968-118-0x00000000005C0000-0x00000000006C0000-memory.dmp
memory/1128-116-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3980-115-0x0000000002180000-0x000000000221D000-memory.dmp
memory/3980-114-0x0000000000520000-0x0000000000620000-memory.dmp
memory/1128-113-0x0000000000400000-0x000000000051E000-memory.dmp
memory/1128-76-0x0000000000400000-0x000000000051E000-memory.dmp
memory/1128-75-0x0000000000400000-0x000000000051E000-memory.dmp
memory/1128-74-0x0000000000400000-0x000000000051E000-memory.dmp
memory/1128-72-0x0000000000400000-0x000000000051E000-memory.dmp
memory/1128-71-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1128-70-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1128-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1128-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1128-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1128-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1128-63-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1128-62-0x00000000007E0000-0x000000000086F000-memory.dmp
memory/1128-60-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1128-59-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3980-146-0x0000000002180000-0x000000000221D000-memory.dmp
memory/3980-145-0x0000000000400000-0x00000000004C0000-memory.dmp