VMRay Analyzer Report for Sample #117847
VMRay Analyzer
3.0.2
URI
www.vacanzaimmobiliare.it
Resolved_To
Address
185.81.4.56
URI
vacanzaimmobiliare.it
Resolved_To
Process
1
2404
nqmdwcixbxs.exe
1116
nqmdwcixbxs.exe
"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe"
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe
Child_Of
Process
2
2580
nqmdwcixbxs.exe
2404
nqmdwcixbxs.exe
"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe"
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe
Read_From
File: c:\windows\microsoft.net\framework\v2.0.50727\config\machine.config (config)
File: c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe.config (config)
File: c:\users\5p5nrgjn0js halpmcxz\appdata\local\google\chrome\user data\default\login data
File: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\firefox\profiles.ini (ini)
File: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\mozilla\seamonkey\profiles.ini (ini)
File: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\flock\browser\profiles.ini (ini)
File: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\flock\browser\signons3.txt (txt)
File: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\thunderbird\profiles.ini (ini)
File: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\filezilla\recentservers.xml (xml)
File: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\coreftp\sites.idx (idx)
File: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java
File: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe:zone.identifier
Mutex
Global\.net clr networking
WinRegistryKey: HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting (values: Default Impersonation Level)
WinRegistryKey: HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting (values: Default Namespace)
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion (values: ProductId)
WinRegistryKey: HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework (values: DbgJITDebugLaunchSetting, DbgManagedDebugger)
WinRegistryKey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion (values: InstallationType)
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance (values: Library, IsMultiInstance, First Counter)
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance (values: CategoryOptions, FileMappingSize, Counter Names)
WinRegistryKey: HKEY_CURRENT_USER
WinRegistryKey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
WinRegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows (values: Load = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\JavaUpdtr.exe" [REG_SZ])
WinRegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
WinRegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
WinRegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
WinRegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
WinRegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 (values: Email, IMAP Password, POP3 Password, HTTP Password, SMTP Password)
WinRegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 (values: Email, IMAP Password, POP3 Password, HTTP Password, SMTP Password)
WinRegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 (values: Email, IMAP Password, POP3 Password, HTTP Password, SMTP Password)
WinRegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 (values: Email, IMAP Password, POP3 Password, HTTP Password, SMTP Password)
WinRegistryKey: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
WinRegistryKey: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
WinRegistryKey: HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine
WinRegistryKey: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
WinRegistryKey: HKEY_CURRENT_USER\Software\Paltalk
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUC
WinRegistryKey: HKEY_CURRENT_USER\SOFTWARE\Vitalwerks\DUC
WinRegistryKey: HKEY_CURRENT_USER\Software\DownloadManager\Passwords
WinRegistryKey: HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites (values: Host)
WinRegistryKey: INVALID (recorded as HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesPort)
WinRegistryKey: INVALID (recorded as HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesUser)
WinRegistryKey: INVALID (recorded as HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesPW)
WinRegistryKey: INVALID (recorded as HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesName)
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Commander (values: UninstallString)
DNSRecord
www.vacanzaimmobiliare.it
Analyzed Sample #117847
Malware Artifacts
117847
Sample-ID: #117847
Job-ID: #288471
This sample was analyzed by VMRay Analyzer 3.0.2 on a Windows 7 system
100
VTI Score based on VTI Database Version 3.3
Metadata of Sample File #117847
Submission-ID: #211753
5d4e22be32dce5474b61e0df305861f2c07b10ddadbc2dc937481c7d2b736c81exe
MD5
ef234f23724dc00e693bdb1b1218c1e8
SHA1
27f0ca2bf23aca5bf4c737480038f23c7eea5b96
SHA256
5d4e22be32dce5474b61e0df305861f2c07b10ddadbc2dc937481c7d2b736c81
Opened_By
Metadata of Analysis for Job-ID #288471
False
Timeout
True
149.009
XDUWTFONO
win7_64_sp1
x86 64-bit
Windows 7
6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)
5p5NrGJn0jS HALPmcxz
XDUWTFONO
This is a property collection for additional information of VMRay analysis
VMRay Analyzer
Category | VTI rule score | VTI rule | Description | Summary
Anti Analysis | 2/5 | vmray_dynamic_api_usage_by_api | Resolves an unusually high number of APIs. | Resolves APIs dynamically to possibly evade static detection
Device | 3/5 | vmray_hook_keyboard_by_setwinhook_api | Installs system wide "WH_KEYBOARD_LL" hook(s) to monitor keystrokes. | Monitors keyboard input
Process | 1/5 | vmray_install_ipc_endpoint | Creates mutex with name "Global\.net clr networking". | Creates system object
Network | 1/5 | vmray_request_dns_by_name | Resolves host name "www.vacanzaimmobiliare.it". | Performs DNS request
Network | 3/5 | vmray_read_net_adapter_addresses_by_api | Reads the network adapters' addresses by API. | Reads network adapter information
OS | 5/5 | vmray_delete_zone_identifier_by_delete_file | Tries to delete zone identifier of file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\JavaUpdtr.exe". | Obscures a file's origin
Information Stealing | 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Google Chrome" by file. | Reads sensitive browser data
Information Stealing | 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Mozilla Firefox" by file. | Reads sensitive browser data
Information Stealing | 1/5 | vmray_recon_app_data_by_file | Possibly trying to gather information about application "Mozilla Firefox" by file. | Possibly does reconnaissance
Information Stealing | 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Opera" by file. | Reads sensitive browser data
Information Stealing | 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Yandex Browser" by file. | Reads sensitive browser data
Information Stealing | 2/5 | vmray_read_browser_creds_by_registry | Trying to read sensitive data of web browser "Internet Explorer / Edge" by registry. | Reads sensitive browser data
Information Stealing | 1/5 | vmray_recon_app_data_by_file | Possibly trying to gather information about application "Safari" by file. | Possibly does reconnaissance
Information Stealing | 2/5 | vmray_read_other_app_creds_by_file | Trying to read sensitive data of application "SeaMonkey" by file. | Reads sensitive application data
Information Stealing | 4/5 | vmray_meta_classify_spyware_for_excessive_infosteal | Tries to read sensitive data of: SeaMonkey, Google Chrome, Mozilla Firefox, Opera, Yandex Browser, Internet Explorer / Edge. | Exhibits Spyware behavior
Information Stealing | 1/5 | vmray_recon_app_data_by_file | Possibly trying to gather information about application "SeaMonkey" by file. | Possibly does reconnaissance
Information Stealing | 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Comodo Dragon" by file. | Reads sensitive browser data
Information Stealing | 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Flock" by file. | Reads sensitive browser data
Information Stealing | 1/5 | vmray_recon_app_data_by_file | Possibly trying to gather information about application "Flock" by file. | Possibly does reconnaissance
Information Stealing | 1/5 | vmray_recon_app_data_by_file | Possibly trying to gather information about application "Mozilla Thunderbird" by file. | Possibly does reconnaissance
Information Stealing | 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Maple Studio" by file. | Reads sensitive browser data
Information Stealing | 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Chromium" by file. | Reads sensitive browser data
Information Stealing | 2/5 | vmray_read_mail_creds_by_registry | Trying to read sensitive data of mail application "Microsoft Outlook" by registry. | Reads sensitive mail data
Information Stealing | 2/5 | vmray_read_mail_creds_by_file | Trying to read sensitive data of mail application "Mozilla Thunderbird" by file. | Reads sensitive mail data
Information Stealing | 1/5 | vmray_recon_app_data_by_registry | Possibly trying to gather information about application "Foxmail" by registry. | Possibly does reconnaissance
Information Stealing | 2/5 | vmray_read_mail_creds_by_file | Trying to read sensitive data of mail application "Opera Mail" by file. | Reads sensitive mail data
Information Stealing | 1/5 | vmray_recon_app_data_by_file | Possibly trying to gather information about application "Opera Mail" by file. | Possibly does reconnaissance
Information Stealing | 2/5 | vmray_read_mail_creds_by_file | Trying to read sensitive data of mail application "Pocomail" by file. | Reads sensitive mail data
Information Stealing | 1/5 | vmray_recon_app_data_by_file | Possibly trying to gather information about application "Pocomail" by file. | Possibly does reconnaissance
Information Stealing | 1/5 | vmray_recon_app_data_by_registry | Possibly trying to gather information about application "Qualcomm Eudora" by registry. | Possibly does reconnaissance
Information Stealing | 2/5 | vmray_read_mail_creds_by_file | Trying to read sensitive data of mail application "The Bat!" by file. | Reads sensitive mail data
Information Stealing | 1/5 | vmray_recon_app_data_by_file | Possibly trying to gather information about application "The Bat!" by file. | Possibly does reconnaissance
Information Stealing | 2/5 | vmray_read_ftp_creds_by_file | Trying to read sensitive data of ftp application "FileZilla" by file. | Reads sensitive ftp data
Information Stealing | 1/5 | vmray_recon_app_data_by_file | Possibly trying to gather information about application "FileZilla" by file. | Possibly does reconnaissance
Information Stealing | 2/5 | vmray_read_ftp_creds_by_file | Trying to read sensitive data of ftp application "Ipswitch WS_FTP" by file. | Reads sensitive ftp data
Information Stealing | 1/5 | vmray_recon_app_data_by_file | Possibly trying to gather information about application "WS_FTP" by file. | Possibly does reconnaissance
Information Stealing | 2/5 | vmray_read_other_app_creds_by_registry | Trying to read sensitive data of application "WinSCP" by registry. | Reads sensitive application data
Information Stealing | 1/5 | vmray_recon_app_data_by_registry | Possibly trying to gather information about application "WinSCP" by registry. | Possibly does reconnaissance
Information Stealing | 2/5 | vmray_read_ftp_creds_by_file | Trying to read sensitive data of ftp application "CoreFTP" by file. | Reads sensitive ftp data
Information Stealing | 1/5 | vmray_recon_app_data_by_file | Possibly trying to gather information about application "CoreFTP" by file. | Possibly does reconnaissance
Information Stealing | 2/5 | vmray_read_other_app_creds_by_file | Trying to read sensitive data of application "DynDNS" by file. | Reads sensitive application data
Information Stealing | 1/5 | vmray_recon_app_data_by_file | Possibly trying to gather information about application "DynDNS" by file. | Possibly does reconnaissance
Information Stealing | 2/5 | vmray_read_ftp_creds_by_file | Trying to read sensitive data of ftp application "FlashFXP" by file. | Reads sensitive ftp data
Information Stealing | 1/5 | vmray_recon_app_data_by_file | Possibly trying to gather information about application "FlashFXP" by file. | Possibly does reconnaissance
Information Stealing | 1/5 | vmray_recon_app_data_by_registry | Possibly trying to gather information about application "Paltalk" by registry. | Possibly does reconnaissance
Information Stealing | 2/5 | vmray_read_other_app_creds_by_file | Trying to read sensitive data of application "Pidgin" by file. | Reads sensitive application data
Information Stealing | 1/5 | vmray_recon_app_data_by_file | Possibly trying to gather information about application "Pidgin" by file. | Possibly does reconnaissance
Information Stealing | 1/5 | vmray_recon_app_data_by_file | Possibly trying to gather information about application "SmartFTP" by file. | Possibly does reconnaissance
Information Stealing | 2/5 | vmray_read_ftp_creds_by_file | Trying to read sensitive data of ftp application "Total Commander" by file. | Reads sensitive ftp data
Information Stealing | 1/5 | vmray_recon_app_data_by_registry | Possibly trying to gather information about application "No-IP DUC" by registry. | Possibly does reconnaissance
Information Stealing | 2/5 | vmray_read_other_app_creds_by_registry | Trying to read sensitive data of application "Internet Download Manager" by registry. | Reads sensitive application data
Information Stealing | 2/5 | vmray_read_other_app_creds_by_file | Trying to read sensitive data of application "jDownloader" by file. | Reads sensitive application data
Information Stealing | 1/5 | vmray_recon_app_data_by_file | Possibly trying to gather information about application "jDownloader" by file. | Possibly does reconnaissance
Local AV | 5/5 | vmray_av_malicious_match | Local AV detected the sample itself as "Gen:Variant.MSIL.Packy.1". | Malicious content was detected by heuristic scan
Network | 1/5 | vmray_tcp_out_connection | Outgoing TCP connection to host "185.81.4.56:80". | Connects to remote host
Network | 1/5 | vmray_tcp_out_connection | Outgoing TCP connection to host "185.81.4.56:443". | Connects to remote host
Network | 1/5 | vmray_establish_http_connection | URL "www.vacanzaimmobiliare.it/testla/WebPanel/post.php". | Connects to HTTP server
Reputation | 5/5 | vmray_known_malicious_file | File "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe" is a known malicious file. | Known malicious file
Reputation | 4/5 | vmray_known_malicious_url_traffic | Contacted URL "www.vacanzaimmobiliare.it/testla/WebPanel/post.php" is a known malicious URL. | Known malicious URL
Static | 1/5 | vmray_static_analysis_parser_error | Static analyzer was unable to completely parse the analyzed file: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe. | Unparsable sections in file