Sample File:
MD5 hash: dc1f1308759847a3e7161f284431cc5b
SHA1 hash: 7eec4c3e46e3c39e21d0bec2897ce3da261310f9
SHA256 hash: 51e917806f84d3035b2d94cb3701b07ec47b3dc07a5b3e4dd38a5c552482a8bb
SSDEEP hash: 49152:iBH1WCsqatXAeD8w+CV6INnAsg9rtpyIDEN:iBH1WvttAC4IFAsSC
Filename(s): FeeLmebq987g92.exe
Filetype: Windows Exe (x86-32)

Mutex IOCs:
1135468555

Registry Key IOCs:
Note: these are standard Windows and application keys rather than keys unique to the sample, and the report does not say whether each was read or written. The BIOS-version, display-adapter DriverDesc and VBOX__ entries are values commonly checked to detect a virtual machine.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
HKEY_LOCAL_MACHINE\Hardware\description\System
HKEY_LOCAL_MACHINE\Hardware\description\System\SystemBiosVersion
HKEY_LOCAL_MACHINE\Hardware\description\System\VideoBiosVersion
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
HKEY_CURRENT_USER\Software\Valve\Steam
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName

Domain IOCs:
Note: raw.githubusercontent.com is a shared, legitimate hosting domain; match on the full URL listed under URL IOCs rather than on the domain or a resolved IP address alone.
raw.githubusercontent.com
u7320947p3.ha004.t.justns.ru

IP IOCs:
151.101.112.133
185.22.155.51

URL IOCs:
raw.githubusercontent.com/fkarelli/fjrusbftnf/master/nyun.txt
u7320947p3.ha004.t.justns.ru/collect.php

File IOCs:
Filenames:
Note: paths are as recorded by the analysis environment. FD1HVy appears to be that environment's user profile, so match on the part of the path below the profile directory rather than on the full path. Many entries are existing application data locations (browser profiles, FileZilla, Discord, Authy, NordVPN, Pidgin, Psi); the report does not say whether they were read, written or only probed.
C:\\Users\Public\AppData\Roaming\.purple\accounts.xml
C:\Users\FD1HVy\AppData\Local\Temp\OQSIDRQUQRHQSPKEYKPY
C:\\Users\Default\AppData\Local\NordVPN
C:\\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files
C:\\Users\FD1HVy\AppData\Local\Application Data
C:\Users\FD1HVy\AppData\Local\Temp\OQSIDRQUQRHQSPKEYKPY\MBPYOSOUSCHFUBMYIQE.DONGRRSRLTUTWRHX
C:\\Users\FD1HVy\Documents\GTA San Andreas User Files\SAMP\chatlog.txt
C:\\Users\Default\Documents\GTA San Andreas User Files\SAMP\USERDATA.DAT
C:\\Users\Public\Documents\GTA San Andreas User Files\SAMP\USERDATA.DAT
C:\\Users\Default.migrated\AppData\Roaming\Mozilla\Firefox\Profiles
C:\\Users\FD1HVy\AppData\Roaming\discord\Local Storage\leveldb\
C:\\Users\Default\AppData\Roaming\FileZilla\sitemanager.xml
C:\\Users\Default.migrated\AppData\Local\NordVPN
C:\\Users\FD1HVy\AppData\Local\Adobe
C:\\Users\FD1HVy\AppData\Local\Google
C:\\Users\FD1HVy\AppData\Roaming
C:\Users\FD1HVy\Desktop\FeeLmebq987g92.exe
C:\Users\FD1HVy\AppData\Local\Temp\OQSIDRQUQRHQSPKEYKPY\TQTWTFWFSLNNKWQERGTK.IQTQ
C:\\Users\Default.migrated\AppData\Roaming\FileZilla\sitemanager.xml
C:\\Users\Public\Documents\GTA San Andreas User Files\SAMP\chatlog.txt
C:\\Users\Default User\AppData\Local
C:\\Users\Default User\AppData\Roaming\discord\Local Storage\leveldb\
C:\\Users\All Users\Documents\GTA San Andreas User Files\SAMP\chatlog.txt
C:\\Users\Public\Desktop
C:\\Users\All Users\Documents\GTA San Andreas User Files\SAMP\USERDATA.DAT
C:\\Users\Default.migrated\AppData\Roaming\Psi+\profiles
C:\\Users\All Users\AppData\Roaming\Authy Desktop\Local Storage\leveldb
C:\\Users\Default.migrated\AppData\Roaming\discord\Local Storage\leveldb\
C:\\Users\Default User\AppData\Roaming\Psi+\profiles
C:\\Users\Public\AppData\Roaming
C:\\Users\Default User\AppData\Local\NordVPN
C:\\Users\Public\AppData\Roaming\Psi+\profiles
C:\\Users\All Users\Desktop
C:\\Users\Default.migrated\AppData\Roaming
C:\\Users\Default\Desktop
C:\\Users\Public\AppData\Roaming\discord\Local Storage\leveldb\
C:\\Users\Public\AppData\Roaming\FileZilla\recentservers.xml
C:\\Users\FD1HVy\AppData\Roaming\Authy Desktop\Local Storage\leveldb
C:\\Users\Default\AppData\Roaming\Psi\profiles
C:\\Users\Default.migrated\AppData\Roaming\.purple\accounts.xml
C:\\Users\All Users\AppData\Roaming
C:\\Users\Default User\AppData\Roaming\FileZilla\sitemanager.xml
C:\\Users\Public\AppData\Roaming\Authy Desktop\Local Storage\leveldb
C:\Windows\System32\VBoxService.exe
C:\\Users\Default\AppData\Roaming\Psi+\profiles
C:\\Users\FD1HVy\AppData\Local\Google\Chrome\User Data\Local State
C:\\Users\Default\AppData\Roaming
C:\\Users\Default User\AppData\Roaming\Psi\profiles
C:\\Users\Default\AppData\Roaming\FileZilla\recentservers.xml
C:\\Users
C:\\Users\Default.migrated\Documents\GTA San Andreas User Files\SAMP\chatlog.txt
C:\\Users\Default User\AppData\Roaming\.purple\accounts.xml
C:\\Users\Default.migrated\AppData\Roaming\FileZilla\recentservers.xml
C:\\Users\FD1HVy\AppData\Roaming\FileZilla\sitemanager.xml
C:\\Users\All Users\AppData\Roaming\Psi\profiles
C:\\Users\All Users
C:\\Users\Default\Documents\GTA San Andreas User Files\SAMP\chatlog.txt
C:\\Users\Default\AppData\Local\History
C:\\Users\All Users\AppData\Roaming\Psi+\profiles
C:\\Users\Default.migrated\AppData\Roaming\Authy Desktop\Local Storage\leveldb
C:\\Users\Default\AppData\Roaming\Authy Desktop\Local Storage\leveldb
C:\\Users\Default\AppData\Roaming\.purple\accounts.xml
C:\\Users\Default User\Documents\GTA San Andreas User Files\SAMP\USERDATA.DAT
System Paging File
C:\\Users\Default\AppData\Roaming\Mozilla\Firefox\Profiles
C:\\Users\Default\AppData\Local\Application Data
C:\\Users\Public\AppData\Roaming\FileZilla\sitemanager.xml
C:\\Users\Default User\AppData\Roaming\FileZilla\recentservers.xml
C:\\Users\Default User\AppData\Roaming
C:\\Users\Default\AppData\Roaming\discord\Local Storage\leveldb\
C:\\Users\Default.migrated\AppData\Roaming\Psi\profiles
C:\\Users\All Users\AppData\Roaming\discord\Local Storage\leveldb\
C:\\Users\All Users\AppData\Roaming\FileZilla\sitemanager.xml
C:\\Users\FD1HVy\AppData\Roaming\.purple\accounts.xml
C:\\Users\Default.migrated\Documents\GTA San Andreas User Files\SAMP\USERDATA.DAT
C:\\Users\Default\AppData\Local
C:\\Users\Public\AppData\Local
C:\\Users\Default User\Desktop
C:\\Users\All Users\AppData\Roaming\Mozilla\Firefox\Profiles
C:\\Users\Public\AppData\Local\NordVPN
C:\\Users\All Users\AppData\Local\NordVPN
C:\\Users\All Users\AppData\Roaming\.purple\accounts.xml
C:\\Users\FD1HVy\AppData\Roaming\Psi+\profiles
C:\\Users\Default User\Documents\GTA San Andreas User Files\SAMP\chatlog.txt
C:\\Users\Default User
C:\\Users\FD1HVy\AppData\Roaming\FileZilla\recentservers.xml
C:\\Users\Public\AppData\Roaming\Mozilla\Firefox\Profiles
C:\\Users\Default.migrated\Desktop
C:\\Users\FD1HVy\AppData\Roaming\Psi\profiles
C:\\Users\Default User\AppData\Roaming\Mozilla\Firefox\Profiles
C:\\Users\All Users\AppData\Local
C:\\Users\FD1HVy\AppData\Local\NordVPN
C:\\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles
C:\\Users\Default.migrated\AppData\Local
C:\\Users\FD1HVy\Documents\GTA San Andreas User Files\SAMP\USERDATA.DAT
C:\\Users\FD1HVy\Desktop
C:\\Users\FD1HVy\AppData\Local
C:\\Users\All Users\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\FD1HVy\AppData\Local\Temp\OQSIDRQUQRHQSPKEYKPY\VLECKIRDYJ.XSEDUSIPO
C:\\Users\Default User\AppData\Roaming\Authy Desktop\Local Storage\leveldb
C:\\Users\Public\AppData\Roaming\Psi\profiles

Note: the four hash lists below are not in matching order (dc1f1308759847a3e7161f284431cc5b is second in the MD5 list, 7eec4c3e46e3c39e21d0bec2897ce3da261310f9 is seventh in the SHA1 list and 51e917806f84d3035b2d94cb3701b07ec47b3dc07a5b3e4dd38a5c552482a8bb is sixth in the SHA256 list), so do not pair hashes across lists by position. The report does not say which file each hash belongs to.

MD5 hashes:
ad1aaa9debdf1b9d15327c0b42c58dd7
dc1f1308759847a3e7161f284431cc5b
e3a002935a782f75c8ac7f3f0505d7f2
5c2161fc7b16d12b45b3e53d56fad16a
164f4ab18544aae9d15a13d4515bd3dc
c7acceb947c6f31e440601da7c1d0a49
5437864c133f53e6a43fc8678fee8ca9

SHA1 hashes:
06a317f3d6519cf226db3ab029a212293d318a1b
78c8d3bdd34ba554fd077b0a126f01c6e877b1ae
5ec603207a726efa249b6ef575b2d03c64e928fd
e11b70bffbd937e26ea8daf60dc44fe062f9548b
383ed41171772885ecedac3639de19c6d4024b57
cf9d18451ad754195c6e6ccc4b4f012c0fb2c38f
7eec4c3e46e3c39e21d0bec2897ce3da261310f9

SHA256 hashes:
1342777f1973b91bb8fcc3c9d2f9305df4d470d1f865a14a109cc32ae294a4b8
037369299fe8f3e3755fd3d7b421ae7676b1d713d948a4bf02ac138aaea55748
cdad85eefaeee766286a12d8c4039c819a3515170da3070967a7f5198119b35a
912c041f1f45b8b817f94c84c15433a40463a8a56d6978cf08b7ed28996050a7
17078e9a7aeb495b6d7bbde03f42feefa2da78b13b8a10b4489a4c97ce1f46b8
51e917806f84d3035b2d94cb3701b07ec47b3dc07a5b3e4dd38a5c552482a8bb
fcbf28e532103aee92e2e1d0ca8e96e7c1387fb6654566078362623a0c893129

SSDEEP hashes:
49152:iBH1WCsqatXAeD8w+CV6INnAsg9rtpyIDEN:iBH1WvttAC4IFAsSC
96:Ze3Zht6YnMvqI738Hsa/NTIdEFaEdUDSuKn8Y/qBOnxjyWTJereWb3Ds4Blr:ZkZLHMEhTJMb3D
6:q39NqxtFKGT+QcpSrQMnIIQTUrmSz3gDVUk5GUnKtZKdE7xRPzL72RHNx3Gsfoqj:U+xTKGvTlngBUiBns0dcz2Hz3RdXT
24576:aKb8EPDDkJBjWayuZaVlUebPUvnx7rtIgFHhPShe:aQRDjanZaVl7mnV5HhPr
48:T1L/ecVTgPOpEveoJZFrU1cQBAxPsuNfRlc9:FHSNDJAAvfbc
24:rid5UcYQ2yZTPaFpEvg3obNmQMOypv6UoF:+decYFgPOpEveoJNCoUc
24:LLUH0KL7G0TMJHUyyJtmCm0XKY6lOKQAE9V8MffD4fOzeCmly6Uwc6FZW:Uz+JH3yJUheCVE9V8MX0PFlNU12ZW