Sample File: MD5 hash: 6a2e9f2a8858ad64aeb84b533fea78d0 SHA1 hash: 87eee3af618e99ff2d50eed9d3296c049efd3a81 SHA256 hash: b933cb32689517aac6e459d33e9d8c7c8f31f0710008bfa09d9e91c2526826ef SSDEEP hash: 6144:2/qFbO4bGNqL43QWqqPheG/lCcC9msYwXEvEsdqthb5cC9msYwXEvEsdqthbOn:2/qPKQWJ3/2wsYwXFtlwsYwXFt4 Filename(s): ekati6482.exe Filetype: Windows Exe (x86-32) Mutex IOCs: Local\SM0:4524:120:WilError_01 Registry Key IOCs: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext HKEY_LOCAL_MACHINE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\TZI HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Display HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Dlt HKEY_CURRENT_USER\SOFTWARE\Malwarebytes\Ekati\Excel\Security HKEY_CURRENT_USER\SOFTWARE\Malwarebytes\Ekati\Excel\Security\NoControlPanel HKEY_CURRENT_USER\SOFTWARE\Malwarebytes\Ekati\Excel\Security\Level HKEY_CURRENT_USER\SOFTWARE\Malwarebytes\Ekati\Word\Security HKEY_CURRENT_USER\SOFTWARE\Malwarebytes\Ekati\Word\Security\Level HKEY_CURRENT_USER\SOFTWARE\Malwarebytes\Ekati\Excel\Security\CertificateRevocation HKEY_CURRENT_USER\SOFTWARE\Malwarebytes\Ekati\Excel\Security\DisableScriptDebuggerIE HKEY_CURRENT_USER\SOFTWARE\Malwarebytes\Ekati\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\SOFTWARE\Malwarebytes\Ekati\Software\Microsoft\Windows\CurrentVersion\Run\EPRTest HKEY_CURRENT_USER\SOFTWARE\Malwarebytes\Ekati\Excel\Security\NoSelectDownloadDir HKEY_CURRENT_USER\SOFTWARE\Malwarebytes\Ekati\Excel\Security\NoDesktop HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DNSLookupOrder HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Domain HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpDomain HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SearchList HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpSearchList HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun HKEY_CURRENT_USER\Software\Microsoft\Command Processor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun HKEY_PERFORMANCE_DATA HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\XML HKEY_CURRENT_USER\SOFTWARE\Microsoft\.NETFramework\XML HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType HKEY_CURRENT_USER HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\LegacyWPADSupport HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SchSendAuxRecord HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchSendAuxRecord HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SystemDefaultTlsVersions HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\RequireCertificateEKUs HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh Domain IOCs: onion.net www.onion.net cdnjs.cloudflare.com IP IOCs: 217.194.236.100 192.168.0.1 URL IOCs: http://onion.net/bin/~logo/5024 http://onion.net/ http://onion.net/cms-und-mehr http://onion.net/ueber-uns/impressum http://onion.net/vision http://onion.net/ueber-uns/kontakt http://onion.net/e-commerce http://onion.net/karriere http://onion.net/events http://onion.net/sharepoint http://onion.net/community-edition //cdnjs.cloudflare.com/ajax/libs/cookieconsent2/1.0.10/cookieconsent.min.js http://onion.net/aktuelles http://onion.net/en http://onion.net/ueber-uns/sitemap File IOCs: Filenames: C:\Users\FD1HVy\Desktop\onc2pn4u4214.exe C:\Users\FD1HVy\Desktop\ekati.log vssadmin.exe C:\Users\FD1HVy\Desktop\redback.jpg C:\Users\FD1HVy\Desktop\ruby.log C:\Users\FD1HVy\Desktop\qq3d1t429055.exe C:\Users\FD1HVy\Desktop\diamond.log C:\Users\FD1HVy\Desktop\onion.jpg C:\Users\FD1HVy\Desktop C:\WINDOWS\system32\drivers\etc\hosts C:\Users\FD1HVy\AppData\Local\Temp\vacation.jpg.exe C:\Users\FD1HVy\Desktop\onc2pn4u4214.exe.config C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config C:\Users\FD1HVy\Desktop\ekati6482.exe C:\Users\FD1HVy\Desktop\iptest.html C:\Users\FD1HVy\Desktop\ekati6482.exe.config message.html C:\WINDOWS\SysWOW64\cmd.exe C:\WINDOWS\System32\MFC42u.dll MD5 hashes: 5ab6380c030384adba175b5bb5a35f94 df556fd667e79bb2afa291b93248e035 f75ccb0426877a511f7a8f69c53565ee 6a2e9f2a8858ad64aeb84b533fea78d0 9af3923cbd066908c83736cb8bfd7722 4d78de74c9853d7906bc2483d14be6b6 e51cefc8d6f3e4218499d2d6e6474690 84243e441ecfd8d9dde858ccfe54a009 0197e9c179065bb401d6844cd4b1549c 218b761bbdd58247e4f7f56b1e0bfcac eb7f85b858a97ff3c0c631dd42e95c6f 3688374325b992def12793500307566d eb70f217211aa5b21efad8f2110bac2b 816b5d59ce09ada5d3c98726f364020e b0df7396824b06d8c87586b9cd9cf790 42b6ce7b079a73188f5592525553415f SHA1 hashes: 59ac42e48513804f4093dde173f4cd1e8b1791db 5b413567b8bfcc6afe30ef6bf6f2d0feea628fef 506d62bfa86dc868fc40f0195c3da6d9b039abaf 4bed0823746a2a8577ab08ac8711b79770e48274 e876dfc9f35df9a79fd534eb9697be8978f9522f 795c5499ece1d7f928e1c91187a4dd1bde492cf5 201da65574e8b5a67a27465909fc05a8881dd38a e3b4f2b87108e4e0c435a891591f328ecdb3b9a0 867750b32fbc4f881de72e63c7585513abbfb641 4d05497087a9fce4caa4d7df07278ce02a343f49 2cf27aa4c7acbc794f5e8269a53e21be60d4671b 83fbf21acc384dda9fb1f9a0d71e307d2b4750dc 866429a8499bfbb39eaddef9963dcb62acb3be94 3b1da8f5fdfd42d5aef8b234e2f24c707cf01f6f e74133e22d62409258799ee4eb91911f87bcdaa0 87eee3af618e99ff2d50eed9d3296c049efd3a81 SHA256 hashes: fff02c7620ff0b5f23db5d455a5753595d337eff9e9bcab3cdf1d65059ff1c50 95d96f8efed45c7cf70073e5799f498958fd3e04111d7f20fa154812002dba22 28bd890355dadab160bdc6d812b6d26baa99e81ee3c104f33cf3b9009a8b36a2 fbd6fe4ce1648f597547c6afdd35ff066d6e731ca33b9dcaae214cb45320afcf 7bc5addc44d4e54611bae3cc5760c65b348e5c551ba4ca57599d6d812b34228a 2d6bdfb341be3a6234b24742377f93aa7c7cfb0d9fd64efa9282c87852e57085 a16e13bea79bf514b72d016b5f25ef84fafcbd5cd4b70ecff9fc94b21c936f2f d067842c0033cedfdb98e05e64dda4ce71d2f1e29906b6474df0f1f31846a84b 5eb0e5203d131ff7b0e7757e2d56635930ff3269e65762df595d5f72f841886b 2b28b9ea472f72174dc6deba3a701b365296ffd2681a5f5d80823983e7a31e8f da243bb628a3638f496cd6bf998c1c60dbc638342960e1ff090e4ecaaa61d224 db1771acc527e5918baaaec84826b30ba4c3185889c574ffa2d78fd845507cd4 8ec3faec81b3b70d29d16cc76a6d156e5cdad660180ec1634f3b9ce6e5470e3b 57c472091c4d5cdad04061b348eb69dd070f999f9a75f1bcffea28cea0b21602 b933cb32689517aac6e459d33e9d8c7c8f31f0710008bfa09d9e91c2526826ef 385c81e2f39118c97a42476227f8e6adefb1cfafc68be377ea5b48b49bf44060 SSDEEP hashes: 3:j6uVf34RelgG58yHDMMrA9/MPn:j6uVQR88E9Q0n 24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcp 192:osmrJKwROHjGJbWUxqNdMcJBHFqRzgCdCYs8MTax3DYnQ:IKwPxIMElqRMHlKUQ 3:j6uVf34Rel0ORfUPFYM16YMUIF3AunhKH9lg:j6uVQRGUWMtiF3Auncdi 384:9DZmRTlu5VohQOa8bUJ92lsrdjpJXBvvUDRf:GTlu5ehu8budpJx0Dp 48:0d+A955tcmnSEtp5JpNtNFxNKshBCL0k/Cv2e9j5PH5PD5P+fc0NJLAFkOcRL04v:lA9Dyi7THDuQk/q2e15PH5PD5Pm/2KgY 3:j6uVfw+/7/MLexhh:j6uVI+D/KU 24:Hy0QuyXHZWpuyIg6asuyEOg6d1uyBgr1uyLg6Duydg6+ZZaJuyHgyVR48Cuy5g6/:rQ7HZ+cd1Rdjd0HdDBd+ZZ2LtT4R1dfn 6:j6uVQR88E9Q02nuVOreoy587seCnuVO3R5XOvUGJnuVOGflC5Yv:HVBJ9suVNbxuVSX56uVvflCs 384:9DZmRTlu5VohQOa8bUJ92lsrdjpJXBvvU:GTlu5ehu8budpJx0 3072:5LD831qWqqP0pSkBvnI7/l87cCb6umsvw+vPX1JEvEsVT/qR4DQ:5L43QWqqPheG/lCcC9msYwXEvEsdqF 192:PS/d+OrgRQrKZpVvB4HxUfhoXpJK8CGVXZNQaYmyK/v6rxwlB:61lrnrOQHxUfhoXp/CaTL 3:8gkpmwn:8Hpmw 6144:2/qFbO4bGNqL43QWqqPheG/lCcC9msYwXEvEsdqthb5cC9msYwXEvEsdqthbOn:2/qPKQWJ3/2wsYwXFtlwsYwXFt4 192:3biJ1hpDRqz/fxv1MzKOlxaNbr2/1Mhsv87hwsYk:EtWB15KxaNb6G487atk 192:3biJ1hpDRqz/fxv1MzKOlxaNbr2/1Mhsv87hws:EtWB15KxaNb6G487a