Analysis Overview
SHA256
a5f4eb3b915bcfdd72cb81b7d89c0c0fd6b190b637db6ffad25604d24985f9e8
Threat Level: Known bad
The file 2d3e5a2a2243d788901fb182156f4031 was found to be: Known bad.
Malicious Activity Summary
Vidar
RedLine payload
RedLine
NullMixer
SmokeLoader
SectopRAT payload
SectopRAT
Nirsoft
Vidar Stealer
Loads dropped DLL
UPX packed file
ASPack v2.12-2.42
Executes dropped EXE
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 07:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 07:23
Reported
2024-01-03 17:44
Platform
win7-20231215-en
Max time kernel
1s
Max time network
150s
Command Line
Signatures
NullMixer
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Vidar
Nirsoft
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar Stealer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4D468136\setup_install.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d3e5a2a2243d788901fb182156f4031.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_3.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2d3e5a2a2243d788901fb182156f4031.exe
"C:\Users\Admin\AppData\Local\Temp\2d3e5a2a2243d788901fb182156f4031.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_7.exe
C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",getmft
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 408
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
C:\Users\Admin\AppData\Local\Temp\liqian.exe
"C:\Users\Admin\AppData\Local\Temp\liqian.exe"
C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe
"C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe"
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe
C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_3.exe
sonia_3.exe
C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_5.exe
sonia_5.exe
C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_7.exe
sonia_7.exe
C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe
sonia_6.exe
C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_1.exe
sonia_1.exe
C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_2.exe
sonia_2.exe
C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe
C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe
C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_4.exe
sonia_4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_1.exe
C:\Users\Admin\AppData\Local\Temp\7zS4D468136\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4D468136\setup_install.exe"
C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe
C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe
C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe
C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 956
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | sokiran.xyz | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| NL | 136.144.41.133:80 | | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | email.yg9.me | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | videoconvert-download38.xyz | udp |
| US | 8.8.8.8:53 | sergeevih43.tumblr.com | udp |
| US | 74.114.154.22:443 | sergeevih43.tumblr.com | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| IE | 163.70.147.35:443 | www.facebook.com | tcp |
| US | 107.178.223.183:443 | videoconvert-download38.xyz | tcp |
| IE | 163.70.147.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | uehge4g6gh.2ihsfa.com | udp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 107.178.223.183:443 | videoconvert-download38.xyz | tcp |
| US | 8.8.8.8:53 | ergerr3.top | udp |
| NL | 136.144.41.201:80 | | tcp |
| US | 8.8.8.8:53 | uyg5wye.2ihsfa.com | udp |
| US | 13.248.169.48:80 | uyg5wye.2ihsfa.com | tcp |
| US | 8.8.8.8:53 | ppcspb.com | udp |
| US | 8.8.8.8:53 | mebbing.com | udp |
| US | 8.8.8.8:53 | twcamel.com | udp |
| US | 107.178.223.183:443 | videoconvert-download38.xyz | tcp |
| US | 107.178.223.183:443 | videoconvert-download38.xyz | tcp |
| US | 8.8.8.8:53 | howdycash.com | udp |
| CA | 23.227.38.32:80 | howdycash.com | tcp |
| US | 107.178.223.183:443 | videoconvert-download38.xyz | tcp |
| US | 107.178.223.183:443 | videoconvert-download38.xyz | tcp |
| US | 107.178.223.183:443 | videoconvert-download38.xyz | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.132.113:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | lahuertasonora.com | udp |
| US | 8.8.8.8:53 | kpotiques.com | udp |
| US | 104.253.227.240:80 | kpotiques.com | tcp |
| US | 172.67.132.113:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 104.26.5.15:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.18.145.235:80 | www.maxmind.com | tcp |
| NL | 212.193.30.115:80 | | tcp |
| NL | 212.193.30.115:80 | | tcp |
| NL | 212.193.30.115:80 | | tcp |
| US | 13.248.169.48:80 | uyg5wye.2ihsfa.com | tcp |
| NL | 212.193.30.115:80 | | tcp |
| NL | 212.193.30.115:80 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 938386f79c5f46c6c06b1bf2a2d6aa92 |
| SHA1 | 73b3f9001cd9e6f6c6915e4e4793abfc2db8aa56 |
| SHA256 | 76f49a6e2f929bd46a3a3cb0752edcbfba5edbc435e93601efea79adabd75cdb |
| SHA512 | 895973de84e98814a1e9b28c1ba919ea6049512c0c43ed9fc66495f77034eedb71384e3ac8f697ae2483eaa331344763390313d4d5fda530704d1e7d25760382 |
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 8c7d52a9e8f9537f865ecb1a67d642fa |
| SHA1 | cc554e957431f678c6895864b689ac1bd4bee94b |
| SHA256 | 4b5254d98a6461f9568ba6ff292c92b1fae643fa7b31e52e55a177be30e31527 |
| SHA512 | a4f6e79d8c788f6342654b84829cabbddb6a2085602e525440b9c495c971a81fb3cd371d20d50aea5bbf3311d495d6e8817a9d30066847915d718fb430708eea |
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | c6ceb6d8ca7f5cf8da77e01af29c49c3 |
| SHA1 | f84e5a18016307fd895d520add4b27d183602a8b |
| SHA256 | 3d28c255eb311fced451d08caea9c586a9c97e20873f0ff34797d6ccf6c7fc67 |
| SHA512 | f2c06916fa46e039115a4e4f3fa66bbe24d0ed43b02ac5aa1dad8cfd0313279279106494816ea88dc92c78ab95689312bf524a913481c523443148c627aa4b2b |
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 1572a2cb9432cc73740411e2dda1207c |
| SHA1 | 30f89134322ef297b27c24cc4d9689bdcbe4a636 |
| SHA256 | 64a8aeae9d19ffcb6d4a7c0f7c7682735dd8e0096d87853c0e530ecf645d8297 |
| SHA512 | 024c9ad686d5d5ad522acc8860715fcdd479028694445290bb814f623ce8e6429a81eac5afb02e13a7efafe714e83d1c3c4c7dd64b2a4c0e87af5725a897e06e |
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | e80fb71c9043b2750a85fd7614f7c8ab |
| SHA1 | a8c2933ebf39f6cb0199ee7d885c6f7fc76f50fb |
| SHA256 | 37e471f955a3ba92ba8691d85778fb80d0c2104eb83808cb2aed8717b359010e |
| SHA512 | 3b1dc5ed4667536369db4f919a271d395500e4ca88179a12b303a77920cbe20fb2c24c809eae2accb6ec82dc2b697e1479814fd9231dfe13452e7f9d27a02bdd |
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 22af8065cddd43858d2d52069fb77cca |
| SHA1 | d33d74f357721f3dc5a9e174c53bff2bc5edf180 |
| SHA256 | b445658cbb124e55048cbc88137bfe255dc3bf319036fec74fdf5cb0ac46f80d |
| SHA512 | e0eedcc68e57c26759e9eef51f6883af4f2e8bf41056fe195cad456ea61de35c0c9228dc12f54d84c08a39eaa5c484a402a260054a4ebc96a7d08b337bf0f5af |
memory/2792-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2792-66-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2792-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2792-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1292-133-0x0000000002740000-0x0000000002841000-memory.dmp
memory/1292-134-0x0000000000770000-0x00000000007CD000-memory.dmp
memory/864-135-0x0000000000FB0000-0x0000000000FFC000-memory.dmp
memory/864-137-0x0000000000FB0000-0x0000000000FFC000-memory.dmp
memory/864-136-0x0000000001F40000-0x0000000001FB1000-memory.dmp
memory/1664-141-0x0000000001220000-0x00000000013E0000-memory.dmp
memory/1292-142-0x0000000000770000-0x00000000007CD000-memory.dmp
memory/1992-143-0x0000000000060000-0x00000000000AC000-memory.dmp
memory/2880-140-0x0000000000280000-0x00000000002E4000-memory.dmp
memory/1992-147-0x0000000000500000-0x0000000000571000-memory.dmp
memory/864-151-0x0000000001F40000-0x0000000001FB1000-memory.dmp
memory/2100-157-0x0000000000440000-0x000000000049B000-memory.dmp
memory/772-161-0x0000000000240000-0x000000000029B000-memory.dmp
memory/772-160-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2100-158-0x0000000000440000-0x000000000049B000-memory.dmp
memory/1260-167-0x0000000000570000-0x0000000000670000-memory.dmp
memory/1260-168-0x00000000004C0000-0x000000000055D000-memory.dmp
memory/2296-197-0x00000000003D0000-0x00000000003D9000-memory.dmp
memory/864-208-0x0000000001000000-0x000000000104C000-memory.dmp
memory/2252-212-0x00000000001B0000-0x00000000001D2000-memory.dmp
memory/3024-211-0x00000000007F0000-0x000000000084D000-memory.dmp
memory/3024-210-0x0000000002790000-0x0000000002891000-memory.dmp
memory/2252-213-0x000007FEF5790000-0x000007FEF617C000-memory.dmp
memory/864-218-0x0000000001000000-0x000000000104C000-memory.dmp
memory/2792-219-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2252-220-0x000000001AD70000-0x000000001ADF0000-memory.dmp
memory/2792-217-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/864-216-0x0000000001C30000-0x0000000001CA1000-memory.dmp
memory/1860-215-0x0000000000350000-0x00000000003AB000-memory.dmp
memory/2252-214-0x00000000003F0000-0x000000000040E000-memory.dmp
memory/864-206-0x0000000001C30000-0x0000000001CA1000-memory.dmp
memory/2896-205-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2296-202-0x0000000000400000-0x0000000000466000-memory.dmp
memory/864-203-0x0000000001000000-0x000000000104C000-memory.dmp
memory/2296-196-0x0000000000240000-0x0000000000340000-memory.dmp
memory/2792-195-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2792-194-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1260-171-0x0000000000400000-0x00000000004BA000-memory.dmp
memory/2792-77-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2792-76-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2792-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2792-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2792-69-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2792-67-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2792-64-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2792-58-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2792-56-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS4D468136\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
\Users\Admin\AppData\Local\Temp\7zS4D468136\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS4D468136\setup_install.exe
| MD5 | 7ceaa24847dc2b66a5e2f2da7b395006 |
| SHA1 | c0b5fa50074094de3386df7ca79d79913946f222 |
| SHA256 | 11136c8f014ae8480c66e4368367ec9b6e8b5fe15f183fc091328eba5113ba26 |
| SHA512 | 71569c0a6e8a91dc31f9b7cba3c4dc6a79292b4d52eab8b80ac656ec9fb26d8168ab12bd15a290f21cbe755a1bfeb561e384681442e2e7fade378ce46ecbac51 |
\Users\Admin\AppData\Local\Temp\7zS4D468136\setup_install.exe
| MD5 | 0b2577405545f91ec75e1bdaf181350e |
| SHA1 | ce1a36076306c08573e29b9e7bdf92164d566f84 |
| SHA256 | a89b9999f86cecf8ebe5c547168395e681878964788695e61bb7e4172ec3cf99 |
| SHA512 | 9dfe6405e12f7c08dbc0edbb17e97d926064e2f5dcd4e03e3c2cecb5d5eeee88337c91f489a9e51d9a870200806b4bd25691b71bd7ff74a3df8c365f026c79d6 |
memory/1204-259-0x0000000002EF0000-0x0000000002F06000-memory.dmp
memory/2296-260-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2792-318-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2100-323-0x0000000000440000-0x000000000049B000-memory.dmp
memory/1992-322-0x0000000000500000-0x0000000000571000-memory.dmp
memory/1260-321-0x0000000000400000-0x00000000004BA000-memory.dmp
memory/2792-315-0x0000000000400000-0x000000000051A000-memory.dmp
memory/2100-339-0x0000000000440000-0x000000000049B000-memory.dmp
memory/564-350-0x0000000000400000-0x000000000041E000-memory.dmp
memory/564-348-0x0000000000400000-0x000000000041E000-memory.dmp
memory/564-346-0x0000000000400000-0x000000000041E000-memory.dmp
memory/564-344-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/564-343-0x0000000000400000-0x000000000041E000-memory.dmp
memory/564-342-0x0000000000400000-0x000000000041E000-memory.dmp
memory/564-341-0x0000000000400000-0x000000000041E000-memory.dmp
memory/564-340-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1260-352-0x00000000004C0000-0x000000000055D000-memory.dmp
memory/1260-351-0x0000000000570000-0x0000000000670000-memory.dmp
memory/2252-360-0x000007FEF5790000-0x000007FEF617C000-memory.dmp
memory/1860-361-0x0000000000350000-0x00000000003AB000-memory.dmp
memory/864-369-0x0000000001000000-0x000000000104C000-memory.dmp
memory/2252-370-0x000000001AD70000-0x000000001ADF0000-memory.dmp
memory/2252-457-0x000007FEF5790000-0x000007FEF617C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 07:23
Reported
2024-01-03 17:45
Platform
win10v2004-20231222-en
Max time kernel
0s
Max time network
140s
Command Line
Signatures
NullMixer
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
SmokeLoader
Vidar
Nirsoft
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar Stealer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rUNdlL32.eXe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_2.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_3.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2d3e5a2a2243d788901fb182156f4031.exe
"C:\Users\Admin\AppData\Local\Temp\2d3e5a2a2243d788901fb182156f4031.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_3.exe
sonia_3.exe
C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_5.exe
sonia_5.exe
C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_6.exe
C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_6.exe
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
C:\Users\Admin\AppData\Local\Temp\liqian.exe
"C:\Users\Admin\AppData\Local\Temp\liqian.exe"
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",getmft
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5020 -ip 5020
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 544
C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 620 -ip 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 608
C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe
"C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe"
C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_4.exe
sonia_4.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_6.exe
sonia_6.exe
C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_7.exe
sonia_7.exe
C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_2.exe
sonia_2.exe
C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_1.exe
sonia_1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_1.exe
C:\Users\Admin\AppData\Local\Temp\7zS84280507\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS84280507\setup_install.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5292 -ip 5292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3448 -ip 3448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 1044
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | sokiran.xyz | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 136.144.41.133:80 | | tcp |
| US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 104.155.138.21:443 | | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | 21.138.155.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| IE | 163.70.147.35:443 | www.facebook.com | tcp |
| IE | 163.70.147.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | sergeevih43.tumblr.com | udp |
| US | 74.114.154.22:443 | sergeevih43.tumblr.com | tcp |
| US | 8.8.8.8:53 | 22.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.147.70.163.in-addr.arpa | udp |
| US | 104.155.138.21:443 | | tcp |
| US | 8.8.8.8:53 | uyg5wye.2ihsfa.com | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 13.248.169.48:80 | uyg5wye.2ihsfa.com | tcp |
| US | 8.8.8.8:53 | uehge4g6gh.2ihsfa.com | udp |
| US | 8.8.8.8:53 | ergerr3.top | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.169.248.13.in-addr.arpa | udp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 8.8.8.8:53 | ergerr3.top | udp |
| IE | 20.82.154.241:443 | | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| NL | 136.144.41.201:80 | | tcp |
| US | 8.8.8.8:53 | ppcspb.com | udp |
| US | 8.8.8.8:53 | mebbing.com | udp |
| US | 8.8.8.8:53 | twcamel.com | udp |
| US | 104.155.138.21:443 | | tcp |
| US | 104.155.138.21:443 | | tcp |
| US | 8.8.8.8:53 | howdycash.com | udp |
| CA | 23.227.38.32:80 | howdycash.com | tcp |
| US | 104.155.138.21:443 | | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| NL | 212.193.30.115:80 | | tcp |
| US | 8.8.8.8:53 | 208.5.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ergerr3.top | udp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ergerr3.top | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.132.113:443 | iplogger.org | tcp |
| US | 172.67.132.113:443 | iplogger.org | tcp |
| GB | 87.248.205.0:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | ergerr3.top | udp |
| NL | 212.193.30.115:80 | | tcp |
| US | 8.8.8.8:53 | ergerr3.top | udp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | ergerr3.top | udp |
| FR | 20.199.58.43:443 | | tcp |
| FR | 20.199.58.43:443 | | tcp |
| FR | 20.199.58.43:443 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| GB | 96.17.178.201:80 | | tcp |
| GB | 96.17.178.201:80 | | tcp |
| NL | 212.193.30.115:80 | | tcp |
| GB | 96.17.178.201:80 | | tcp |
| IE | 20.166.126.56:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | ergerr3.top | udp |
| GB | 23.44.234.16:80 | | tcp |
Files
memory/5020-62-0x0000000064940000-0x0000000064959000-memory.dmp
memory/5020-69-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/6040-87-0x0000000000840000-0x00000000008A4000-memory.dmp
memory/6132-88-0x00000000734E0000-0x0000000073C90000-memory.dmp
memory/6040-91-0x00000000734E0000-0x0000000073C90000-memory.dmp
memory/6132-85-0x00000000004D0000-0x0000000000690000-memory.dmp
memory/6132-133-0x00000000734E0000-0x0000000073C90000-memory.dmp
memory/1936-145-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1936-153-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2576-174-0x0000000000400000-0x000000000045B000-memory.dmp
memory/6012-154-0x0000000002A80000-0x0000000002A90000-memory.dmp
memory/5020-179-0x0000000000400000-0x000000000051A000-memory.dmp
memory/5020-180-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1324-188-0x0000000005A60000-0x0000000006078000-memory.dmp
memory/1324-197-0x00000000056B0000-0x00000000056EC000-memory.dmp
memory/1324-198-0x0000000005860000-0x0000000005870000-memory.dmp
memory/1324-199-0x00000000056F0000-0x000000000573C000-memory.dmp
memory/1324-194-0x0000000005610000-0x0000000005622000-memory.dmp
memory/5292-206-0x00000000006D0000-0x00000000006D9000-memory.dmp
memory/3448-210-0x0000000000400000-0x00000000004BA000-memory.dmp
memory/5292-209-0x0000000000400000-0x0000000000466000-memory.dmp
memory/5292-208-0x0000000000790000-0x0000000000890000-memory.dmp
memory/1324-207-0x0000000006080000-0x000000000618A000-memory.dmp
memory/3448-205-0x00000000020C0000-0x000000000215D000-memory.dmp
memory/3448-201-0x00000000004E0000-0x00000000005E0000-memory.dmp
memory/6040-189-0x00000000734E0000-0x0000000073C90000-memory.dmp
memory/1324-191-0x00000000734E0000-0x0000000073C90000-memory.dmp
memory/5020-190-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/5020-187-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/5020-183-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1324-182-0x0000000000400000-0x000000000041E000-memory.dmp
memory/5020-181-0x0000000064940000-0x0000000064959000-memory.dmp
memory/6012-146-0x0000000002A60000-0x0000000002A7E000-memory.dmp
memory/6012-135-0x0000000000AE0000-0x0000000000B02000-memory.dmp
memory/6012-137-0x00007FFE7D750000-0x00007FFE7E211000-memory.dmp
memory/2244-228-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2936-227-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2936-229-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2244-217-0x0000000000400000-0x0000000000422000-memory.dmp
memory/5020-68-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/5020-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/5020-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/5020-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/5020-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/5020-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/5020-61-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/5020-60-0x00000000007B0000-0x000000000083F000-memory.dmp
memory/5020-59-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/5020-58-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/5020-55-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/6012-237-0x00007FFE7D750000-0x00007FFE7E211000-memory.dmp
memory/3420-241-0x0000000002C80000-0x0000000002C96000-memory.dmp
memory/5292-244-0x0000000000400000-0x0000000000466000-memory.dmp
memory/3448-246-0x00000000020C0000-0x000000000215D000-memory.dmp
memory/3448-245-0x0000000000400000-0x00000000004BA000-memory.dmp
memory/1324-248-0x00000000734E0000-0x0000000073C90000-memory.dmp
memory/6012-247-0x0000000002A80000-0x0000000002A90000-memory.dmp
memory/1324-249-0x0000000005860000-0x0000000005870000-memory.dmp
C:\Users\Admin\AppData\Roaming\raeajir
| MD5 | 3c5befb2d5ea426202a35707016d4996 |
| SHA1 | bc0bfa794f196db39697ffc5d91cc4f331b0ebc4 |
| SHA256 | 1d8900c446e33374b82a8849eb66a0af2df370eec99864826e69c671745536dd |
| SHA512 | 40c3f5aaefb3154efd0a44931fb4c50b54db77da177d6926015359e6e5f2dd51cc11dbf0b90759bcc91300079372d5f9d9751972b1153ad8dbb990220166ebf3 |
memory/6012-254-0x00007FFE7D750000-0x00007FFE7E211000-memory.dmp