1.exe

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 12, 2021, 6:22 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://collector-gate03.xyz/collect.php

Performs some HTTP requests (2 events)

request	GET http://collector-node.us/u
request	POST http://collector-gate03.xyz/collect.php

Sends data using the HTTP POST Method (1 event)

request

POST http://collector-gate03.xyz/collect.php

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 1080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72af2000 process_handle: 0xffffffff	1	0	0

Steals private information from local Internet browsers (2 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (4 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 12, 2021, 6:22 p.m.	snapshot_handle: 0x0000011c process_name: pw.exe process_identifier: 2540	1	1	0
Process32NextW June 12, 2021, 6:22 p.m.	snapshot_handle: 0x0000011c process_name: mobsync.exe process_identifier: 1068	1	1	0
Process32NextW June 12, 2021, 6:22 p.m.	snapshot_handle: 0x0000011c process_name: taskhost.exe process_identifier: 2036	1	1	0
Process32NextW June 12, 2021, 6:22 p.m.	snapshot_handle: 0x0000011c process_name: 1.exe process_identifier: 1080	1	1	0

Attempts to access Bitcoin/ALTCoin wallets (2 events)

file	C:\wallet.dat
file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Harvests credentials from local FTP client softwares (10 events)

file	C:\Users\Default\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\Default User\AppData\Roaming\FileZilla\recentservers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
file	C:\Users\Default\AppData\Roaming\FileZilla\recentservers.xml
file	C:\Users\Public\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\Public\AppData\Roaming\FileZilla\recentservers.xml
file	C:\Users\Default User\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\All Users\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\All Users\AppData\Roaming\FileZilla\recentservers.xml

Harvests information related to installed instant messenger clients (5 events)

file	C:\Users\All Users\AppData\Roaming\.purple\accounts.xml
file	C:\Users\Default User\AppData\Roaming\.purple\accounts.xml
file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml
file	C:\Users\Default\AppData\Roaming\.purple\accounts.xml
file	C:\Users\Public\AppData\Roaming\.purple\accounts.xml

Network activity contains more than one unique useragent (2 events)

process	1.exe				useragent	JBJWN
process	1.exe				useragent	uploader

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
DrWeb	Trojan.PWS.Siggen2.64821
MicroWorld-eScan	Gen:Variant.Stealer.7
FireEye	Generic.mg.5a3eb1ba34e04f53
McAfee	GenericRXOM-OP!5A3EB1BA34E0
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.a34e04
BitDefenderTheta	Gen:NN.ZexaF.34738.VqW@auO7!xj
Cyren	W32/Agent.CTW.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Spy.Agent.PYU
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
ClamAV	Win.Malware.Zusy-9812688-0
Kaspersky	HEUR:Trojan-Spy.Win32.Bobik.gen
BitDefender	Gen:Variant.Stealer.7
NANO-Antivirus	Trojan.Win32.Bobik.iunqoq
Rising	Stealer.Agent!1.D401 (CLASSIC)
Ad-Aware	Gen:Variant.Stealer.7
TACHYON	Trojan-Spy/W32.Bobik.779776
Emsisoft	Gen:Variant.Stealer.7 (B)
Zillya	Trojan.Agent.Win32.2075725
McAfee-GW-Edition	BehavesLike.Win32.Generic.bh
Sophos	ML/PE-A
Ikarus	Trojan-Spy.Racoon
Jiangmin	TrojanSpy.Bobik.qz
MaxSecure	Trojan.Malware.74196578.susgen
Avira	HEUR/AGEN.1141176
Antiy-AVL	Trojan/Generic.ASMalwS.32A7E89
Microsoft	Trojan:Win32/Glupteba!ml
GData	Win32.Trojan.PSE.MG6FVH
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.RL_Stealer.R355109
VBA32	TrojanSpy.Bobik
MAX	malware (ai score=83)
Malwarebytes	Spyware.PasswordStealer
Tencent	Malware.Win32.Gencirc.10ce52dd
Yandex	TrojanSpy.Agent!KdSyOWNBWz8
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Agent.PYU!tr
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/GdSda.A