Windows Analysis Report
aMail_Ver1.exe

Overview

General Information

Sample name: aMail_Ver1.exe
Analysis ID: 1430794
MD5: 06b0347315d3ab5385a0479134ec22cc
SHA1: 784d20632b7aa1c4d4c6a8f1c9597037ac94ab12
SHA256: c9de15f068399626b8296c218150f31f1f9c0065442f0580cf1e3a9acad70464

Detection

Score: 29
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Compliance

Score: 49
Range: 0 - 100

Signatures

Installs new ROOT certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Compliance

Source: aMail_Ver1.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\aMail_Ver1.exe Window detected: &Don't AcceptFor the following components:Microsoft Visual Studio 2010 Tools for Office Runtime (x86 and x64)Please read the following license agreement. Press the page down key to see the rest of the agreement.MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT VISUAL STUDIO TOOLS FOR OFFICE RUNTIME AND LANGUAGE PACK These license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any MicrosoftupdatessupplementsInternet-based services andsupport servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.IF YOU COMPLY WITH THESE LICENSE TERMS YOU HAVE THE PERPETUAL RIGHTS BELOW.1.INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2.SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. 
You may notdisclose the results of any benchmark tests of the software to any third party without Microsofts prior written approval;work around any technical limitations in the software;reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;publish the software for others to copy;rent lease or lend the software;transfer the software or this agreement to any third party; oruse the software for commercial software hosting services.3.BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software.4.DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5.TRANSFER TO ANOTHER DEVICE. You may uninstall the software and install it on another device for your use. You may not do so to share this license between devices.6.EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.7.SUPPORT SERVICES. Because this software is as is we may not provide support services for it.8.ENTIRE AGREEMENT. This agreement a
Source: C:\Users\user\Desktop\aMail_Ver1.exe File created: C:\Users\user\AppData\Local\Temp\VSD1758.tmp\install.log
Source: aMail_Ver1.exe Static PE information: certificate valid
Source: aMail_Ver1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\dbs\sh\ddvsm\0706_100817_0\cmd\e\out\binaries\x86ret\bin\i386\Bootstrapper\Engine\setup.pdb source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr
Source: Binary string: sfxcab.pdb source: vstor_redist[1].exe.0.dr, vstor_redist.exe.0.dr
Source: Binary string: D:\dbs\sh\ddvsm\0706_100817_0\cmd\e\out\binaries\x86ret\bin\i386\Bootstrapper\Engine\setup.pdb? source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_00318593 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_00318593
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_0034BCB5 FindFirstFileExW, 0_2_0034BCB5
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_003254E2 URLDownloadToFileW,EnterCriticalSection,LeaveCriticalSection,CoInitialize,CoUninitialize, 0_2_003254E2
Source: C:\Users\user\Desktop\aMail_Ver1.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vstor_redist[1].exe
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: aMail_Ver1.exe, 00000000.00000002.366350837.000000000227A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comod
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: aMail_Ver1.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr String found in binary or memory: https://system.asite.com/aMail_Installer/TruePABegin
Source: aMail_Ver1.exe, 00000000.00000002.366084781.0000000000754000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://system.asite.com/aMail_Installer/aMail.vstoullX64Bootstrapper
Source: C:\Users\user\Desktop\aMail_Ver1.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_0034223E 0_2_0034223E
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_0034B312 0_2_0034B312
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_00350340 0_2_00350340
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_0034246D 0_2_0034246D
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_003585F9 0_2_003585F9
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_003507EE 0_2_003507EE
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_0030BA59 0_2_0030BA59
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: String function: 0033A29B appears 62 times
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: String function: 0033A268 appears 37 times
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: String function: 00314375 appears 33 times
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: String function: 0033A960 appears 43 times
Source: aMail_Ver1.exe, 00000000.00000000.338200638.0000000000368000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesetup.exe vs aMail_Ver1.exe
Source: aMail_Ver1.exe Binary or memory string: OriginalFilenamesetup.exe vs aMail_Ver1.exe
Source: aMail_Ver1.exe.0.dr Binary or memory string: OriginalFilenamesetup.exe vs aMail_Ver1.exe
Source: aMail_Ver1.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine Classification label: sus29.winEXE@1/5@0/0
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_0033404B __EH_prolog3_GS,SystemParametersInfoW,FindResourceW,LoadResource,LockResource,SizeofResource,CreateDialogIndirectParamW,CreateDialogParamW,MoveWindow,SetForegroundWindow, 0_2_0033404B
Source: C:\Users\user\Desktop\aMail_Ver1.exe File created: C:\Users\user\AppData\Local\Temp\VSD1758.tmp
Source: aMail_Ver1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\aMail_Ver1.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\aMail_Ver1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\aMail_Ver1.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\aMail_Ver1.exe File read: C:\Users\user\Desktop\aMail_Ver1.exe
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: rpcrtremote.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: credssp.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: bcrypt.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
Source: C:\Users\user\Desktop\aMail_Ver1.exe Window detected: &Don't AcceptFor the following components:Microsoft Visual Studio 2010 Tools for Office Runtime (x86 and x64)Please read the following license agreement. Press the page down key to see the rest of the agreement.MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT VISUAL STUDIO TOOLS FOR OFFICE RUNTIME AND LANGUAGE PACK These license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any MicrosoftupdatessupplementsInternet-based services andsupport servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.IF YOU COMPLY WITH THESE LICENSE TERMS YOU HAVE THE PERPETUAL RIGHTS BELOW.1.INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2.SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. 
You may notdisclose the results of any benchmark tests of the software to any third party without Microsofts prior written approval;work around any technical limitations in the software;reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;publish the software for others to copy;rent lease or lend the software;transfer the software or this agreement to any third party; oruse the software for commercial software hosting services.3.BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software.4.DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5.TRANSFER TO ANOTHER DEVICE. You may uninstall the software and install it on another device for your use. You may not do so to share this license between devices.6.EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.7.SUPPORT SERVICES. Because this software is as is we may not provide support services for it.8.ENTIRE AGREEMENT. This agreement a
Source: aMail_Ver1.exe Static PE information: certificate valid
Source: aMail_Ver1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: aMail_Ver1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: aMail_Ver1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: aMail_Ver1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: aMail_Ver1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: aMail_Ver1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: aMail_Ver1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: aMail_Ver1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\dbs\sh\ddvsm\0706_100817_0\cmd\e\out\binaries\x86ret\bin\i386\Bootstrapper\Engine\setup.pdb source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr
Source: Binary string: sfxcab.pdb source: vstor_redist[1].exe.0.dr, vstor_redist.exe.0.dr
Source: Binary string: D:\dbs\sh\ddvsm\0706_100817_0\cmd\e\out\binaries\x86ret\bin\i386\Bootstrapper\Engine\setup.pdb? source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_003247BB LoadLibraryW,GetProcAddress,GetProcAddress, 0_2_003247BB
Source: aMail_Ver1.exe Static PE information: section name: .didat
Source: aMail_Ver1.exe.0.dr Static PE information: section name: .didat
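The static PE findings above are bit flags read straight from the headers: the COFF file header Characteristics field gives EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE and 32BIT_MACHINE, the optional header DllCharacteristics field gives DYNAMIC_BASE, NX_COMPAT, GUARD_CF and TERMINAL_SERVER_AWARE, and the section-name signature comes from the section table, where .didat is the name the MSVC linker gives its delay-load import data, which is why an installer that delay-loads DLLs trips a "non-standard section name" check. The script below is an added example, not part of the sandbox report or of the analysed installer: a minimal header parser that decodes those three things from raw bytes. The header it runs on at the bottom is constructed test data carrying the same flags and section names this report lists, not the sample itself; pass a real file's bytes to parse_pe_flags to get the same decode for it.

```python
"""Decode the PE header fields behind the sandbox's static PE findings.
Added example; not part of the sandbox report or the analysed installer."""
import struct

# IMAGE_FILE_HEADER.Characteristics bits (subset)
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (subset)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# Section names treated as ordinary; anything else is reported as non-standard.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".tls", ".bss", ".CRT"}


def _flags(value: int, table: dict[int, str]) -> list[str]:
    return [name for bit, name in table.items() if value & bit]


def parse_pe_flags(data: bytes) -> dict:
    """Return file flags, DLL flags and section names read from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 (0x10b) and PE32+ (0x20b).
    (dll_characteristics,) = struct.unpack_from("<H", data, opt + 70)
    table = opt + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):      # 40-byte IMAGE_SECTION_HEADER, name in the first 8
        raw = data[table + i * 40: table + i * 40 + 8]
        sections.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "file_flags": _flags(characteristics, FILE_CHARACTERISTICS),
        "dll_flags": _flags(dll_characteristics, DLL_CHARACTERISTICS),
        "sections": sections,
        "nonstandard_sections": [s for s in sections if s not in STANDARD_SECTIONS],
    }


def build_header(characteristics: int, dll_characteristics: int, sections: list[str]) -> bytes:
    """Construct a minimal PE32 header (test data only, not a loadable image)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, characteristics)
    opt = bytearray(0xE0)                      # PE32 optional header is 224 bytes
    struct.pack_into("<H", opt, 0, 0x10B)      # Magic = PE32
    struct.pack_into("<H", opt, 70, dll_characteristics)
    table = b"".join(s.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for s in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed sample: the flag set and section names this report lists (not the real file).
SAMPLE_PE = build_header(
    0x0002 | 0x0020 | 0x0100,                      # EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE|32BIT_MACHINE
    0x0040 | 0x0100 | 0x4000 | 0x8000,             # DYNAMIC_BASE|NX_COMPAT|GUARD_CF|TERMINAL_SERVER_AWARE
    [".text", ".rdata", ".data", ".didat", ".rsrc", ".reloc"],
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    for key, value in parse_pe_flags(data).items():
        print(f"{key}: {value}")
```

When run against a real binary the interesting output is a mitigation flag that is missing (no DYNAMIC_BASE or NX_COMPAT on a current installer is worth a question) or a section name that is neither a linker default nor a known packer signature; a .didat section on a Microsoft-built bootstrapper, as here, is the linker's own delay-load data.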
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_0033A236 push ecx; ret 0_2_0033A249
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_0033A9B0 push ecx; ret 0_2_0033A9C3
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_0030BA28 push esp; retn 0030h 0_2_0030BA51
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_0030BA59 push esp; retn 0030h 0_2_0030BA51

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\aMail_Ver1.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\aMail_Ver1.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\aMail_Ver1.exe File created: C:\Users\user\AppData\Local\Temp\VSD1758.tmp\VSTOR40\vstor_redist.exe
Source: C:\Users\user\Desktop\aMail_Ver1.exe File created: C:\Users\user\AppData\Local\Temp\VSD1758.tmp\aMail_Ver1.exe
Source: C:\Users\user\Desktop\aMail_Ver1.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vstor_redist[1].exe
Source: C:\Users\user\Desktop\aMail_Ver1.exe File created: C:\Users\user\AppData\Local\Temp\VSD1758.tmp\install.log
Source: C:\Users\user\Desktop\aMail_Ver1.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Desktop\aMail_Ver1.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
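The registry findings above (a Blob value written under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8, and the ROOT key being watched for changes) are what a new machine-wide trusted root looks like from the registry, and they are the reason this report carries the "Installs new ROOT certificates" signature. The script below is an added example, not part of the sandbox report or of the aMail installer. It parses the serialized property list Windows stores in such a Blob value (a sequence of records of DWORD property id, DWORD reserved, DWORD length, data; property 0x20 holds the DER-encoded certificate and property 0x03 its SHA-1 hash), recovers the certificate, recomputes the SHA-1 thumbprint that Windows uses as the key name, and compares that thumbprint against a baseline allow-list. The blob and certificate bytes at the bottom are constructed test data, not the certificate this sample installed; read_blob_from_registry is the only part that touches a live system and assumes it runs on Windows.

```python
"""Recover and verify a certificate from a SystemCertificates registry Blob.
Added example; not part of the sandbox report or the analysed installer."""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 0x03   # stored SHA-1 of the certificate, when present
CERT_CERT_PROP_ID = 0x20        # the DER-encoded certificate itself


def parse_cert_blob(blob: bytes) -> dict[int, bytes]:
    """Split a Blob value into {property id: data}; raises ValueError if truncated.

    Each record is DWORD propid | DWORD reserved (observed as 1) | DWORD cb | cb bytes,
    all little-endian."""
    props: dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        propid, _reserved, cb = struct.unpack_from("<III", blob, off)
        off += 12
        if off + cb > len(blob):
            raise ValueError(f"property {propid:#x} claims {cb} bytes past end of blob")
        props[propid] = blob[off:off + cb]
        off += cb
    return props


def thumbprint_from_blob(blob: bytes) -> str:
    """SHA-1 thumbprint, upper-case hex, as Windows names the Certificates\\<key>."""
    der = parse_cert_blob(blob).get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob carries no CERT_CERT_PROP_ID (0x20) record")
    return hashlib.sha1(der).hexdigest().upper()


def check_root_entry(key_name: str, blob: bytes, allowlist: frozenset[str]) -> list[str]:
    """Findings for one Certificates\\<key_name>\\Blob entry (empty list = nothing odd)."""
    findings = []
    props = parse_cert_blob(blob)
    computed = thumbprint_from_blob(blob)
    if computed != key_name.upper():
        findings.append(f"key name {key_name} does not match certificate thumbprint {computed}")
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    if stored is not None and stored.hex().upper() != computed:
        findings.append("stored SHA-1 property disagrees with computed thumbprint")
    if computed not in allowlist:
        findings.append(f"root {computed} is not in the baseline allow-list")
    return findings


def read_blob_from_registry(thumbprint: str, store: str = "ROOT") -> bytes:
    """Read a Blob value from the local-machine store. Windows only (needs winreg)."""
    import winreg
    path = rf"SOFTWARE\Microsoft\SystemCertificates\{store}\Certificates\{thumbprint}"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        value, kind = winreg.QueryValueEx(key, "Blob")
    if kind != winreg.REG_BINARY:
        raise ValueError("Blob is not REG_BINARY")
    return value


def build_blob(props: dict[int, bytes]) -> bytes:
    """Serialize properties in the Blob layout (used here only to build test data)."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in props.items())


# Constructed sample: a stand-in byte string, not a real certificate.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
FAKE_THUMBPRINT = hashlib.sha1(FAKE_DER).hexdigest().upper()
SAMPLE_BLOB = build_blob({
    CERT_SHA1_HASH_PROP_ID: hashlib.sha1(FAKE_DER).digest(),
    CERT_CERT_PROP_ID: FAKE_DER,
})

if __name__ == "__main__":
    # Baseline normally comes from a golden image; empty here so the sample is flagged.
    baseline: frozenset[str] = frozenset()
    for finding in check_root_entry(FAKE_THUMBPRINT, SAMPLE_BLOB, baseline):
        print("FINDING:", finding)
```

On a suspect host, call read_blob_from_registry with the thumbprint from the report, feed the result to check_root_entry with a baseline exported from a clean image, and write the recovered 0x20 property to disk for inspection with certutil or openssl. A key name that does not match the recomputed thumbprint means the entry was written by hand rather than through the certificate store API; a root that is simply absent from the baseline is the finding to escalate, whoever signed the installer that added it.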
Source: C:\Users\user\Desktop\aMail_Ver1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\VSD1758.tmp\VSTOR40\vstor_redist.exe
Source: C:\Users\user\Desktop\aMail_Ver1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vstor_redist[1].exe
Source: C:\Users\user\Desktop\aMail_Ver1.exe TID: 2976 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_00318593 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_00318593
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_0034BCB5 FindFirstFileExW, 0_2_0034BCB5
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_00336EA3 GetProcAddress,GetNativeSystemInfo,GetProcAddress,GetCurrentProcess,FreeLibrary,GetSystemInfo, 0_2_00336EA3
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_0033A701 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0033A701
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_003247BB LoadLibraryW,GetProcAddress,GetProcAddress, 0_2_003247BB
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_0034477A mov eax, dword ptr fs:[00000030h] 0_2_0034477A
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_0033A701 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0033A701
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_0033E854 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0033E854
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_0033A9F9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0033A9F9
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_0031513C ShellExecuteExW,GetLastError,WaitForSingleObject,CloseHandle, 0_2_0031513C
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_0033ABF6 cpuid 0_2_0033ABF6
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: GetLocaleInfoW, 0_2_0034F0C0
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0034F18D
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: EnumSystemLocalesW, 0_2_003477C6
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: IsValidCodePage,GetLocaleInfoW, 0_2_0034E842
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: EnumSystemLocalesW, 0_2_0034EAC9
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: EnumSystemLocalesW, 0_2_0034EB14
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: GetLocaleInfoW, 0_2_00347B6B
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: EnumSystemLocalesW, 0_2_0034EBAF
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0034EC40
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: GetLocaleInfoW, 0_2_0034EE90
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0034EFB9
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_0033A5FB GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0033A5FB
Source: C:\Users\user\Desktop\aMail_Ver1.exe Code function: 0_2_00355503 GetVersion,GetEnvironmentVariableA, 0_2_00355503
No contacted IP infos