compan.exe| Category | Machine | Started | Completed |
|---|---|---|---|
| FILE | s1_win7_x6403_us | July 10, 2023, 8 a.m. | July 10, 2023, 8:04 a.m. |
-
-
11914415.exe C:\Users\test22\AppData\Local\Temp\11914415.exe
2376 -
meroplex.exe C:\Users\test22\AppData\Local\Temp\meroplex.exe
2920 -
-
researchprevailing.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\researchprevailing.exe
2032
-
-
lukumrahmat.exe C:\Users\test22\AppData\Local\Temp\lukumrahmat.exe
2040 -
cmd.exe "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\test22\AppData\Local\Temp\compan.exe & exit
2448-
PING.EXE ping 0
2724
-
-
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| iplogger.com | 148.251.234.93 | |
| carambasti.info | 193.42.110.193 | |
| api.ip.sb | 172.67.75.172 | |
| n57b30a.info | 94.140.112.52 | |
| files.catbox.moe | 108.181.20.35 | |
| b47n300.info | 94.140.112.52 |
Suricata Alerts
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.103:49175 172.67.75.172:443 |
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 53:56:0b:3a:91:49:7f:18:59:87:21:98:d3:7f:98:0b:b4:ae:cb:cc |
|
TLSv1 192.168.56.103:49171 172.67.75.172:443 |
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 53:56:0b:3a:91:49:7f:18:59:87:21:98:d3:7f:98:0b:b4:ae:cb:cc |
| file | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
| file | C:\Program Files\Mozilla Firefox\firefox.exe |
| registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome |
| suspicious_features | GET method with no useragent header | suspicious_request | GET https://api.ip.sb/ip | ||||||
| request | GET http://carambasti.info/stat_os.php |
| request | GET http://carambasti.info/stats.php?company_id=1&lua=user |
| request | GET http://carambasti.info/wp-content/uploads/2021/10 |
| request | GET http://carambasti.info/function/v2tmp/useruploadetfilesun.php |
| request | GET http://carambasti.info/wp-content/uploads/2019/10 |
| request | GET http://carambasti.info/function/v2tmp/reporozofnc.php |
| request | GET http://carambasti.info/wp-content/uploads/2020/02 |
| request | GET http://carambasti.info/function/v2tmp/usmalber.php |
| request | GET http://carambasti.info/v2/doward.exe |
| request | GET https://api.ip.sb/ip |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State |
| file | C:\Users\test22\AppData\Local\Temp\IXP000.TMP\researchprevailiing.exe |
| file | C:\Users\test22\AppData\Local\Temp\11914415.exe |
| file | C:\Users\test22\AppData\Local\Temp\IXP000.TMP\researchprevailing.exe |
| file | C:\Users\test22\AppData\Local\Temp\rahmatlukum.exe |
| file | C:\Users\test22\AppData\Local\Temp\lukumrahmat.exe |
| file | C:\Users\test22\AppData\Local\Temp\meroplex.exe |
| cmdline | C:\Windows\System32\cmd.exe /k ping 0 & del C:\Users\test22\AppData\Local\Temp\compan.exe & exit |
| cmdline | "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\test22\AppData\Local\Temp\compan.exe & exit |
| file | C:\Users\test22\AppData\Local\Temp\IXP000.TMP\researchprevailing.exe |
| file | C:\Users\test22\AppData\Local\Temp\meroplex.exe |
| file | C:\Users\test22\AppData\Local\Temp\11914415.exe |
| section | {u'size_of_data': u'0x00014800', u'virtual_address': u'0x000fb000', u'entropy': 7.1313016412480055, u'name': u'.rsrc', u'virtual_size': u'0x0001473c'} | entropy | 7.13130164125 | description | A section with a high entropy has been found | |||||||||
| process | system |
| description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
| description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
| description | (no description) | rule | DebuggerHiding__Thread | ||||||
| description | (no description) | rule | DebuggerHiding__Active | ||||||
| description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
| description | (no description) | rule | ThreadControl__Context | ||||||
| description | (no description) | rule | SEH__vectored | ||||||
| description | Checks if being debugged | rule | anti_dbg | ||||||
| description | Bypass DEP | rule | disable_dep | ||||||
| cmdline | C:\Windows\System32\cmd.exe /k ping 0 & del C:\Users\test22\AppData\Local\Temp\compan.exe & exit |
| cmdline | ping 0 |
| cmdline | C:\Users\test22\AppData\Local\Temp\lukumrahmat.exe |
| cmdline | "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\test22\AppData\Local\Temp\compan.exe & exit |
| wmi | SELECT * FROM Win32_Processor |
| file | \??\SICE |
| file | \??\SIWVID |
| file | \??\NTICE |
| description | researchprevailing.exe tried to sleep 2728163 seconds, actually delayed analysis time by 2728163 seconds | |||
| registry | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion |
| registry | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion |
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 | reg_value | rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\" | ||||||
| file | C:\Users\test22\AppData\Local\Temp\compan.exe |
| file | C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml |
| file | C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml |
| wmi | SELECT * FROM Win32_VideoController |
| wmi | SELECT * FROM AntivirusProduct |
| wmi | SELECT * FROM Win32_OperatingSystem |
| wmi | SELECT * FROM Win32_Process Where SessionId='1' |
| wmi | SELECT * FROM AntiSpyWareProduct |
| wmi | SELECT * FROM FirewallProduct |
| wmi | SELECT * FROM Win32_DiskDrive |
| wmi | SELECT * FROM Win32_Processor |
| registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob |
| process | compan.exe | useragent | Installed OK 1.0/3 | ||||||
| process | compan.exe | useragent | Install Soft Solutions 1.0/3 | ||||||
| process | compan.exe | useragent | Os_twflus | ||||||
| registry | HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ |
| registry | HKEY_CURRENT_USER\Software\Wine |
| Elastic | malicious (high confidence) |
| MicroWorld-eScan | Trojan.GenericKD.68032555 |
| FireEye | Generic.mg.3fae3aac2be5c012 |
| ALYac | Trojan.GenericKD.68032555 |
| Cylance | unsafe |
| Sangfor | Infostealer.Win32.Agent.Vsxy |
| K7AntiVirus | Trojan ( 005850dc1 ) |
| Alibaba | Trojan:Script/Injector.e5ed94f2 |
| K7GW | Trojan ( 005850dc1 ) |
| Cybereason | malicious.4571ff |
| Arcabit | Trojan.Generic.D40E182B |
| Cyren | W64/ABRisk.MDUE-2354 |
| Symantec | ML.Attribute.HighConfidence |
| ESET-NOD32 | multiple detections |
| Cynet | Malicious (score: 100) |
| APEX | Malicious |
| Kaspersky | UDS:DangerousObject.Multi.Generic |
| BitDefender | Trojan.GenericKD.68032555 |
| Avast | FileRepMalware [Pws] |
| Tencent | Script.Trojan.Generic.Vimw |
| Emsisoft | Trojan.GenericKD.68032555 (B) |
| F-Secure | Heuristic.HEUR/AGEN.1319403 |
| DrWeb | Trojan.PWS.Steam.36278 |
| VIPRE | Trojan.GenericKD.68032555 |
| TrendMicro | TrojanSpy.Win64.VIDAR.YXDGGZ |
| McAfee-GW-Edition | BehavesLike.Win64.Dropper.th |
| Sophos | Mal/Generic-S |
| SentinelOne | Static AI - Suspicious PE |
| Webroot | W32.Trojan.Gen |
| Avira | HEUR/AGEN.1319403 |
| Microsoft | Trojan:Win32/Casdet!rfn |
| ZoneAlarm | UDS:DangerousObject.Multi.Generic |
| GData | Win64.Trojan.Agent.N2VAFF |
| Detected | |
| McAfee | Artemis!3FAE3AAC2BE5 |
| MAX | malware (ai score=81) |
| Malwarebytes | Backdoor.NetWiredRC.AutoIt.Generic |
| Panda | Trj/Chgt.AD |
| TrendMicro-HouseCall | TrojanSpy.Win64.VIDAR.YXDGGZ |
| Ikarus | Trojan.Win32.Obfuscated |
| AVG | FileRepMalware [Pws] |
| DeepInstinct | MALICIOUS |
| CrowdStrike | win/malicious_confidence_100% (W) |