Basic Information:
------------------------------------------
Target OS: Windows
Target Arch: Intel 32bit
File Type: PE32 Executable
Lang: C
Size: 2.9M
MD5SUM: d7c974338f6e092e32f7501701fa8a45
Test Environment:
- Any Run
 \
  |--> Windows 7 Pro 32-bit

- Hybrid Analysis
 \
  |--> CrowdStrike Falcon
  |--> MetaDefender
  |--> VirusTotal

- Tencent HABO
------------------------------------------

Functions:
------------------------------------
- Checking Windows Registry
 \
  |--> RegQueryValueExW
  |--> RegCloseKey
  |--> RegOpenKeyExW

- Manipulating or changing files
 \
  |--> CreateFileW
  |--> ReadFile
  |--> WriteFile
  |--> DeleteFileW
  |--> FindResourceW
  |--> SetFilePointer
  |--> GetModuleFileNameW
  |--> SetEndOfFile
  |--> GetFileSize
  |--> GetFileAttributesW
  |--> FindFirstFileW
  |--> SetSearchPathMode

- Evasion/Bypassing
 \
  |--> GetTickCount
  |--> SetProcessDEPPolicy

- Handling modules/resources
 \
  |--> LoadResource
  |--> LoadLibraryW
  |--> LoadLibraryExW
  |--> LoadStringW
  |--> SetDllDirectoryW
  |--> SafeDLLPath

- Getting information about keyboard
 \
  |--> GetKeyboardType

- Process functions
 \
  |--> VirtualAlloc
  |--> VirtualProtect
  |--> AdjustTokenPrivileges
  |--> GetProcAddress
  |--> ExitProcess
  |--> GetExitCodeProcess
  |--> CreateProcessW
  |--> OpenProcessToken
------------------------------------

Abilities:
-------------------------------------------------
- Changes settings of System certificates
- Actions look like stealing of personal data
- Adds/modifies Windows certificates
- Reads internet explorer settings
- Reads Environment values
- Executable content was dropped or overwritten
- Reads Internet Cache Settings
- Downloads malicious files
 \
  |--> avastfreeantivirussetuponline.m.exe
   \
    |--> Downloads executable files from the Internet
     |
     \-> avast_free_antivirus_setup_online.exe
     \-> instup.exe
    |--> Application was dropped or rewritten from another process
    |--> Creates files in the Windows directory
    |--> Low-level read access rights to disk partition

-------------------------------------------------

Connections:
---------------------------------------------------
URL:


IP Addresses:
- 8.252.80.254
 \
  |--> Potentially malicious because malicious files communicate with this address
  |--> Alive host
  |--> Location => US, New Jersey
  |--> 80(http) open

- 34.246.131.106 [cdn.bossgetirr.com]
 \
  |--> Malicious
  |--> Alive host
  |--> Location => Ireland, Dublin
  |--> 80(http) open
  |--> ASN => AMAZON-02

- 52.19.168.111 [support.bossgetirr.com]
 \
  |--> Malicious
  |--> Alive host
  |--> Location => Ireland, Dublin
  |--> 80(http) open
  |--> ASN => AMAZON-02

- 94.31.29.128 [static.filehorse.com]
 \
  |--> Malicious
  |--> Alive host
  |--> Location => Netherlands, Amsterdam
  |--> 443(http) open
  |--> ASN => HIGHWINDS2

- 151.139.128.14 [ocsp.usertrust.com]
 \
  |--> Whitelisted
  |--> Alive host
  |--> Location => US, Ashburn
  |--> 80(http) open
  |--> ASN => HIGHWINDS3

- 52.49.214.75 [www.bossgetirr.com]
 \
  |--> Malicious
  |--> Alive host
  |--> Location => Ireland, Dublin
  |--> 80(http) open
  |--> ASN => AMAZON-02

- 192.96.201.161 [ww2.bossgetirr.com]
 \
  |--> Malicious
  |--> It downloads malicious binary files from this domain
  |--> Alive host
  |--> Location => US, Washington
  |--> 80(http) open
  |--> ASN => LEASEWEB-USA-WDC-01

- 46.166.187.59 [dev.bossgetirr.com]
 \
  |--> Suspicious
  |--> Alive host
  |--> Location => Netherlands, Roosendaal
  |--> 80(http) open
  |--> ASN => NFORCE

- 104.20.117.116 [www.filehorse.com]
 \
  |--> Whitelisted
  |--> Alive host
  |--> Location => US, Ashburn
  |--> 443(http) open
  |--> ASN => CLOUDFLARENET

- 93.184.220.29 [ocsp.digicert.com]
 \
  |--> Whitelisted
  |--> Alive host
  |--> Location => UK, London
  |--> 80(http) open
  |--> ASN => EDGECAST

- 23.53.40.26 [officecdn.microsoft.com.edgesuite.net]
 \
  |--> Whitelisted
  |--> Alive host
  |--> Location => Germany, Frankfurt am Main
  |--> 80(http) open
  |--> ASN => AKAMAI-ASN1
---------------------------------------------------

Detected by:
-----------------------------------------
- VirusTotal
 \
  |--> 27/72

- Hybrid Analysis
 \
  |--> CrowdStrike Falcon
   \-> Not Detected
   /
  |--> MetaDefender
   \-> 36%
   /
  |--> VirusTotal
   \-> 37%

- Scan reports
 \
  |--> Any Run
   \-> https://app.any.run/tasks/baab7732-b5c6-4165-9241-c89b9630ed6d
   /
  |--> Hybrid Analysis
   \-> https://www.hybrid-analysis.com/sample/6a9871e3bc8ae84ee83ee1149e73454f9fdd42dd553a8753b14a26707d2a2ccc
   /
  |--> VirusTotal
   \-> https://www.virustotal.com/gui/file/6a9871e3bc8ae84ee83ee1149e73454f9fdd42dd553a8753b14a26707d2a2ccc/detection
-----------------------------------------

Linked DLL Files:
---------------------------------
- kernel32.dll
- user32.dll
- oleaut32.dll
- advapi32.dll
- comctl32.dll
---------------------------------

Used Tools During Tests:
----------------------------------------------
- Qu1cksc0pe
 \
  |--> https://github.com/CYB3RMX/Qu1cksc0pe

- Sandbox Environments
 \
  |--> https://www.virustotal.com
  |--> https://www.hybrid-analysis.com
  |--> https://app.any.run

- Strings
- Rabin2
----------------------------------------------
