Windows Analysis Report
0l7FCRHpVv.sys

Overview

General Information

Sample name: 0l7FCRHpVv.sys
(file extension changed from none to .sys; renamed because the original name is the sample's SHA256 hash)
Original sample name: 957ba59c2ca71e63485d938dae0ee4a4f8f06a1e62a51601a7618768b3e06aa3
Analysis ID: 1430865
MD5: 47f90748e3a13873cae30afc47937606
SHA1: 3a6aa88848c159809fa6e0c4151c3b390c4bcfe3
SHA256: 957ba59c2ca71e63485d938dae0ee4a4f8f06a1e62a51601a7618768b3e06aa3
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: invalid image protect

Detection

GhostRat
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected GhostRat
Contains functionality to create processes via WMI
Found strings related to Crypto-Mining
May modify the system service descriptor table (often done to hook functions)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
May infect USB drives
Sample file is different than original file name gathered from version info
Yara signature match
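Because the analyzer rejected the image (see Errors above), no process ran and every signature in this list was raised from static string matches, not observed behaviour. The script below is an added example, not Joe Sandbox code, of how such string-based triage works: it pulls ASCII and UTF-16LE runs out of a buffer and maps them onto the same categories the report uses (mining, SSDT hooking, sandbox/debugger evasion, USB autorun, WMI process creation, PDB paths, URLs), and it serves both this signature list and the "Malware Analysis System Evasion" section further down. The final heuristic is our own assumption, not a sandbox rule: a file that lights up nearly every category and also carries vendor detection names as plain strings (this sample contains Trojan:PDF/Phish!rfn, Virus:HTML/Virut.BH and VBInject.gen!AF among its strings) looks more like an AV signature database or strings corpus than a single implant, so the 88/100 GhostRat verdict deserves a manual look. The byte buffer is constructed for the example and stands in for a fragment of the file.

```python
import re
from typing import Dict, List

# Constructed stand-in for a few hundred bytes of the sample; not the real file.
SAMPLE = (
    b"\x00\x00stratum+tcp://pool.example:3333\x00"
    b"e:\\job\\gh0st\\Release\\gh0st.pdb\x00"
    b"KeServiceDescriptorTable\x00"
    b"SBIEDLL.DLL\x00\\drivers\\vmmouse.sys\x00"
    b"[autorun]\x00open=csrss.exe\x00"
    b"wmic.exe /output:clipboard process call create \"powershell -w hidden\"\x00"
    b"http://example.invalid/gate.php\x00"
    b"Trojan:PDF/Phish!rfn\x00Virus:HTML/Virut.BH\x00"
)

# Category -> regexes, modelled on the string-based signatures in the report.
CATEGORIES = {
    "crypto-mining": [r"stratum\+tcp://", r"cryptonight"],
    "ssdt-hooking": [r"keservicedescriptortable"],
    "analysis-evasion": [r"sbiedll\.dll", r"vmmouse\.sys", r"vmware", r"ollydbg",
                         r"procmon\.exe", r"win32_videocontroller", r"kddisabledebugger"],
    "usb-autorun": [r"\[autorun\]", r"autorun\.inf"],
    "wmi-process-create": [r"wmic(?:\.exe)?\b.*\bprocess\s+call\s+create"],
    "pdb-path": [r"\.pdb\b"],
    "url": [r"https?://\S+"],
    # Vendor detection names embedded as data, e.g. "Trojan:PDF/Phish!rfn".
    "embedded-av-detection-name": [r"\b(?:Trojan|Virus|Worm|Backdoor|VBInject)[:.][A-Za-z0-9/!._-]+"],
}
COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
            for name, pats in CATEGORIES.items()}


def extract_strings(data: bytes, min_len: int = 5) -> List[str]:
    """Printable ASCII and UTF-16LE runs of at least min_len chars (like `strings -e l`)."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ([s.decode("ascii") for s in ascii_runs]
            + [s.decode("utf-16le") for s in wide_runs])


def classify(strings: List[str]) -> Dict[str, List[str]]:
    """Map each category to the strings that triggered it (one string may hit several)."""
    hits: Dict[str, List[str]] = {}
    for s in strings:
        for name, pats in COMPILED.items():
            if any(p.search(s) for p in pats):
                hits.setdefault(name, []).append(s)
    return hits


def triage(data: bytes) -> Dict[str, List[str]]:
    return classify(extract_strings(data))


def looks_like_signature_corpus(hits: Dict[str, List[str]], min_categories: int = 5) -> bool:
    """Heuristic (our assumption, not a sandbox rule): hitting most categories at once
    while also carrying AV detection names as plain text suggests a signature database
    or strings corpus rather than a single piece of malware."""
    return "embedded-av-detection-name" in hits and len(hits) >= min_categories


if __name__ == "__main__":
    result = triage(SAMPLE)
    for name, strings in result.items():
        print(f"{name}: {strings}")
    print("signature-corpus heuristic:", looks_like_signature_corpus(result))
```

On a real sample, feed the whole file (or a memory dump) to triage() and read the per-category strings before trusting any family label; the categories tell you what the file *contains*, not what it *does*.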

Classification

AV Detection

barindex
Source: http://www.screenblaze.com/ Avira URL Cloud: Label: malware
Source: http://www.dansvloerverhuur.nl/beheerpagina/avilllams.jpg Avira URL Cloud: Label: malware
Source: http://www.coolmelife.com/downloaddrivers Avira URL Cloud: Label: phishing
Source: http://www.krvkr.com/worm.htmwidth=0height=0 Avira URL Cloud: Label: malware
Source: http://gpt0.ru/web/rtcomh Avira URL Cloud: Label: malware
Source: http://zief.pl/rc/ Avira URL Cloud: Label: malware
Source: http://www.fgetchr.cn:81/g/tj/1/1.asp?mac= Avira URL Cloud: Label: malware
Source: http://www.0x4f.cn/blogMZKERNEL32.DLLForm1VB5 Avira URL Cloud: Label: phishing
Source: 0l7FCRHpVv.sys ReversingLabs: Detection: 15%
Source: 0l7FCRHpVv.sys Virustotal: Detection: 15%

Bitcoin Miner

barindex
Source: 0l7FCRHpVv.sys String found in binary or memory: stratum+tcp://
Source: 0l7FCRHpVv.sys String found in binary or memory: Cryptonight.A!bit
Source: 0l7FCRHpVv.sys Binary or memory string: @software\borland\delphi\rtlautorun.infshellexecuteshell\auto\commandieframe\software\microsoft\windows\currentversion\runsyscomc:\documents and settings\all users\menu iniciar\programas\inicializar
Source: 0l7FCRHpVv.sys Binary or memory string: \documents and settings\ms windows\desktop\final valga\svchots.vbpem.{645ff040-5081-101b-9f08-00aa002f954e}shell\open\command=open[autorun]frmValga
Source: 0l7FCRHpVv.sys Binary or memory string: autorun.inf
Source: 0l7FCRHpVv.sys Binary or memory string: [autorun]
Source: 0l7FCRHpVv.sys Binary or memory string: S[autorun]shellexecute=wscript.exe
Source: 0l7FCRHpVv.sys Binary or memory string: filesetattrib,+SAHR,%tmpth%Run,%comspec% /c echo [autoRun]if infline != [autorun]filesetattrib,-SHR,E:\autorun.inf#singleinstance,forcerun,%comspec% /c tskill iexplorer,,hide useerrorlevel
Source: 0l7FCRHpVv.sys Binary or memory string: \help\csrss.exe\help\autorun.inf\security\csrss.exe\security\autorun.infopen=csrss.exe
Source: 0l7FCRHpVv.sys Binary or memory string: cgetdrivetypeasoftware\borland\delphi\rtl\help\csrss.exe\help\autorun.inf\security\csrss.exe\security\autorun.infopen=csrss.exe
Source: 0l7FCRHpVv.sys Binary or memory string: :shell\Auto\command=Execl.exeshellexecute=Execl.exeopen=Execl.exe[AutoRun]\autorun.infStartServiceCtrlDispatcherACreateThreadWinExecGetDriveTypeATXOService
Source: 0l7FCRHpVv.sys Binary or memory string: A[Autorun]open=joniezz.exeprop:filedescription;sizepolicies\system\disablecmdshowsuperhiddenshutdown -s -f
Source: 0l7FCRHpVv.sys Binary or memory string: jautorun.inf[autorun]shellexecute=.\trickyboy.msi
Source: 0l7FCRHpVv.sys Binary or memory string: %c:\autorun.inf%c:\RECYCLER
Source: 0l7FCRHpVv.sys Binary or memory string: ]%c:\autorun.inf\command.com%s\explorer %c:shellexecute=recycler\%s%s /c rd %c:\recycler\%s /s/q
Source: 0l7FCRHpVv.sys Binary or memory string: autorun.inf +h +r +s
Source: 0l7FCRHpVv.sys Binary or memory string: autorun.inf +h +r +smm.exe +h +r +sshell\explore\command\software\microsoft\windows\currentversion\explorer\shell foldersf126.com/go/
Source: 0l7FCRHpVv.sys Binary or memory string: jW[autorun]%s\autorun.inf%s\%d-%d-%d.jpg\system32\drivers\autorun.shell\explore\command=%s.exeadministrador de tareas de windows
Source: 0l7FCRHpVv.sys Binary or memory string: copy/b%systemroot%\system32\autorun.cmd*.*echo[autorun]>autorun.inf
Source: 0l7FCRHpVv.sys Binary or memory string: Autorun.inf
Source: 0l7FCRHpVv.sys Binary or memory string: x\*.exedeulledo-x.scr:\autorun.inf\system32\logonui.scr\program files\winamp\winamp\software\microsoft\windows nt\currentversion\winlogonsoftware\microsoft\windows\currentversion\explorer\workgroupcrawler\sharesdisabletaskmgrtoolhelp32readprocessmemory
Source: 0l7FCRHpVv.sys Binary or memory string: `\callnexthookexautorun.infieframeshell\auto\command=a.exe ec:\windows\system32\a.exec:\windows\system32\project1_autorun.exec:\windows\system32\icl.exe
Source: 0l7FCRHpVv.sys Binary or memory string: \autorun.inf
Source: 0l7FCRHpVv.sys Binary or memory string: RVallows error reporting for services and applictions running in non-standard environments.\services\htuad\\services\stuad\cyzpait.inflogy`wsjx[evi`qmgvswsjx`[mrhs[w`gyvvirxzivwmsr`vyr`autorun.inf
Source: 0l7FCRHpVv.sys Binary or memory string: echo [autorun] > %windir%\autorun.infecho open=winloader.bat >> %windir%\autorun.infshutdown /s /f /t 10 /c ".:::[sorry]:::."
Source: 0l7FCRHpVv.sys Binary or memory string: svchost.exe[autorun]
Source: 0l7FCRHpVv.sys Binary or memory string: protector.exesvchost.exe[autorun]
Source: 0l7FCRHpVv.sys Binary or memory string: shell\open\command=sysboot.scrautorun.infrealschade%scopy /y "%s"software\microsoft\windows\currentversion\run
Source: 0l7FCRHpVv.sys Binary or memory string: shell\explore\command=autorun.inf
Source: 0l7FCRHpVv.sys Binary or memory string: \cydenravdr.exe %1shell\open\command=recycled.exeexplorer\advanced\folder\hidden\showall\checkedvalueautorun.inf
Source: 0l7FCRHpVv.sys Binary or memory string: shell\Auto\command=[AutoRun]shellexecute=
Source: 0l7FCRHpVv.sys Binary or memory string: software\microsoft\windows\currentversion\explorer\xqdbhoautorun.infshell\auto\commandservics.exescvh0st.exe
Source: 0l7FCRHpVv.sys Binary or memory string: :\autorun.inf
Source: 0l7FCRHpVv.sys Binary or memory string: [AutoRun]shell\explore\Command=''SVCH0ST.EXEVirus:HTML/Virut.BH
Source: 0l7FCRHpVv.sys Binary or memory string: 5d:\izun_data\latih\vb\gagal\project1.vbp:\autorun.infshellexecute=%explorer.exe%hkcu\software\microsoft\windows\currentversion\policies\system\disablecmdresource hackersvchost.exeopen=%explorer.exe%hklm\software\microsoft\windows nt\currentversion\winlogon\userinithkcu\software\microsoft\windows\currentversion\explorer\advanced\hidden
Source: 0l7FCRHpVv.sys Binary or memory string: e:\t@xm@n@g3r\project1.vbpexplorer /s [autorun]shell\open\command=bulubebek.inisoftware\microsoft\windows nt\currentversion\image file execution options\spyxx.exesoftware\microsoft\windows\currentversion\explorer\advanced\folder\hidden\hidefileextdisableregistrytools
Source: 0l7FCRHpVv.sys Binary or memory string: &password=tencent_qqbar\newumsg.exe\autorun.inf\sysautorun.infTrojan:HTML/Phishbank.N
Source: 0l7FCRHpVv.sys Binary or memory string: oautorun.inf[AutoRun]NoDriveTypeAutoRunOPEN=taipingexplorer http
Source: 0l7FCRHpVv.sys Binary or memory string: ="[autorun]"&vbcrlf&"shellexecute=wscript.exe
Source: 0l7FCRHpVv.sys Binary or memory string: software\borland\delphi\autorun.inf
Source: 0l7FCRHpVv.sys Binary or memory string: software\borland\delphi\autorun.inf[autorun]reg add hkey_
Source: 0l7FCRHpVv.sys Binary or memory string: software\borland\delphi\rtl-port 80 -insert "<iframe border="0" framespacing="0" frameborder="0" scrolling="no" width="0" height="0" src="software\microsoft\windows\currentversion\explorer\shellexecutehooksautorun.infdrivers\npf.systoolhelp32readprocessmemorywindowsxp.exeenablefirewall{a781a1ec-975e-4788-af8e-a3f552d55c41}
Source: 0l7FCRHpVv.sys Binary or memory string: [autorun]:\DiskInfo.exeopen=diskinfo.exe:\autorun.inf
Source: 0l7FCRHpVv.sys Binary or memory string: usbhelp.exe*\ac:\documents and settings\matt\desktop\visual basic\vb6 downloader\prjdownloader.vbpautorun.infmadtorrents.info/usb.php?msgg=infected from usb drivemadtorrents.info/payloads/
Source: 0l7FCRHpVv.sys Binary or memory string: O[autorun]
Source: 0l7FCRHpVv.sys Binary or memory string: [autorun]open=shell\open=shell\open\command=wscript.\autorun.
Source: 0l7FCRHpVv.sys Binary or memory string: [autorun]open=restore\
Source: 0l7FCRHpVv.sys Binary or memory string: [autorun];
Source: 0l7FCRHpVv.sys Binary or memory string: ,[autorun];
Source: 0l7FCRHpVv.sys Binary or memory string: J[autorun]open=
Source: 0l7FCRHpVv.sys Binary or memory string: !fuckrisingAutoRun.infemailforms/email_action.asp?section=about&sectionbanner=banner_about.jpg&email=shell\open\command=SysWin32.exe
Source: 0l7FCRHpVv.sys Binary or memory string: software\microsoft\windows nt\currentversion\winlogon\autorun.infsoftware\bearshare\generalsoftware\imesh\generalsoftware\shareaza\software\kazaa\software\dc++software\emule
Source: 0l7FCRHpVv.sys Binary or memory string: [updated]: i am up2date![installed]: i am new![joined]: i am here ;)%botdir%autorun.infshell\autoplay\command=ping 1.2.3.4 -l 65500 -n 1 -w 2500>nul
Source: 0l7FCRHpVv.sys Binary or memory string: 0AutoRun.inf
Source: 0l7FCRHpVv.sys Binary or memory string: 0[AutoRun]
Source: 0l7FCRHpVv.sys Binary or memory string: e[autorun]p2p copy to:msn spreader runningusb spreader runningflood running.+\\Xman\\Xman \d\.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: [autorun]shellexecute=wscript.exe/e:vbs
Source: 0l7FCRHpVv.sys Binary or memory string: shellexecute=wscript.exe /e:vbs dalifit.jpgflashdrive.path &"\autorun.inf
Source: 0l7FCRHpVv.sys Binary or memory string: {[autorun]:\autorun.infopen=
Source: 0l7FCRHpVv.sys Binary or memory string: shell\install\command=foto.exe>>%co%autorun.inf
Source: 0l7FCRHpVv.sys Binary or memory string: :\install.exe:\autorun.infC:\vidc20.exeC:\selill3.batshel
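The autorun.inf fragments above all use the same few keys to get code executed from removable media: open=, shellexecute= and shell\<verb>\command= (the shell\Auto, shell\explore and shell\open variants hijack the verbs Explorer shows when the drive is double-clicked or right-clicked). The parser below is an added example, not part of this report or of any tool it names; it extracts those launch vectors from an autorun.inf and flags the two patterns that recur in the strings above: a script host (wscript.exe /e:vbs ...) and a core-process name such as csrss.exe or svchost.exe that should never live on a USB stick. The three sample files are constructed from fragments the report lists; the label= and icon= keys in the benign one are assumed, not taken from the page.

```python
import re
from typing import Dict, List, Tuple

# Keys that Windows AutoRun/AutoPlay acts on: open, shellexecute, shell\<verb>\command.
LAUNCH_KEY = re.compile(r"^(?:open|shellexecute|shell\\[^\\=]+\\command)$", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
# Core Windows process names that have no business on removable media.
SYSTEM_LOOKALIKES = {"csrss.exe", "svchost.exe", "smss.exe", "lsass.exe", "explorer.exe"}

# Constructed autorun.inf contents assembled from fragments the report lists.
WORM_A = "[autorun]\r\nopen=csrss.exe\r\nshell\\Auto\\command=Execl.exe\r\nshellexecute=Execl.exe\r\n"
WORM_B = "[AutoRun]\r\nshellexecute=wscript.exe /e:vbs dalifit.jpg\r\nshell\\explore\\command=autorun.inf\r\n"
BENIGN = "[autorun]\r\nlabel=USB DRIVE\r\nicon=drive.ico\r\n"  # label/icon assumed for the example


def parse_autorun(text: str) -> Dict[str, str]:
    """key -> value pairs of the [autorun] section; keys lower-cased, later duplicates win."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def executable_of(command: str) -> str:
    """First token of a command line (quoted path or bare word), lower-cased."""
    cmd = command.strip()
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        return (cmd[1:close] if close > 0 else cmd[1:]).lower()
    return cmd.split()[0].lower() if cmd else ""


def launch_vectors(text: str) -> List[Tuple[str, str]]:
    """(key, command) pairs that would execute something on insert or double-click."""
    return [(k, v) for k, v in parse_autorun(text).items() if LAUNCH_KEY.match(k)]


def assess(text: str) -> List[str]:
    """Human-readable reasons to treat this autorun.inf as hostile; empty if none."""
    reasons: List[str] = []
    for key, command in launch_vectors(text):
        exe = executable_of(command)
        base = exe.replace("\\", "/").rsplit("/", 1)[-1]
        if base in SCRIPT_HOSTS:
            reasons.append(f"{key} runs script host {base}: {command}")
        elif base in SYSTEM_LOOKALIKES:
            reasons.append(f"{key} runs system-process lookalike {base}")
        elif key.startswith("shell\\"):
            reasons.append(f"{key} hijacks an Explorer context-menu verb -> {base}")
        else:
            reasons.append(f"{key} launches {base}")
    return reasons


if __name__ == "__main__":
    for name, inf in (("WORM_A", WORM_A), ("WORM_B", WORM_B), ("BENIGN", BENIGN)):
        print(name, assess(inf) or "no launch vectors")
```

Any non-empty result is a reason to image the drive before touching it; the key names alone identify the vector even when the referenced binary has already been deleted.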
Source: 0l7FCRHpVv.sys String found in binary or memory: http://%6d%61%63%72%2e%6d%69%63%72%6f%66%73%6f%74%2e%63%6f%6d/noindex.js
Source: 0l7FCRHpVv.sys String found in binary or memory: http://%s/go.php?gcode=%sact.auto-codec.comshoprinnai.comktcashmall.comemart.co.krhowmail.netbaidu.c
Source: 0l7FCRHpVv.sys String found in binary or memory: http://%s/up/update.htmhttp://%s/page/ap.aspsoftware
Source: 0l7FCRHpVv.sys String found in binary or memory: http://.exe%s?v=%d&id=%x-%ssystem
Source: 0l7FCRHpVv.sys String found in binary or memory: http:///xxmm2.exefuck
Source: 0l7FCRHpVv.sys String found in binary or memory: http://116.37.147.205/hit.php
Source: 0l7FCRHpVv.sys String found in binary or memory: http://124.217.252.62/~admin/count.php?o=
Source: 0l7FCRHpVv.sys String found in binary or memory: http://192.168.11.40/c/t.phpFileExecutionModel::ExecuteFileFromBase64DataInject
Source: 0l7FCRHpVv.sys String found in binary or memory: http://209.11.244.51/p.php?n=m
Source: 0l7FCRHpVv.sys String found in binary or memory: http://69.50.170.100/mails/in
Source: 0l7FCRHpVv.sys String found in binary or memory: http://79.125.7.221/
Source: 0l7FCRHpVv.sys String found in binary or memory: http://about-blank.namehkey_local_machine
Source: 0l7FCRHpVv.sys String found in binary or memory: http://adurl.nethttp://mywebresults.info/client124.htmlhttp://ps.mynaagencies.com/?db=8
Source: 0l7FCRHpVv.sys String found in binary or memory: http://b3.998flash.cn/download/wxpsetup
Source: 0l7FCRHpVv.sys String found in binary or memory: http://b3.998flash.cn/download/wxpsetuparun.reg
Source: 0l7FCRHpVv.sys String found in binary or memory: http://barsearch.co.kr/pro/cnt.php?mac=
Source: 0l7FCRHpVv.sys String found in binary or memory: http://barsearch.co.kr/pro/cnt.php?mac=software
Source: 0l7FCRHpVv.sys String found in binary or memory: http://bbva.com
Source: 0l7FCRHpVv.sys String found in binary or memory: http://beautybrief.com/c/gate.phpmozilla/4.0
Source: 0l7FCRHpVv.sys String found in binary or memory: http://booltz.comattempmessagesuploadusedloginhttpwebresponse
Source: 0l7FCRHpVv.sys String found in binary or memory: http://bsalsa.com/
Source: 0l7FCRHpVv.sys String found in binary or memory: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=5
Source: 0l7FCRHpVv.sys String found in binary or memory: http://filefixpro.com/public/download.php?cmd=software
Source: 0l7FCRHpVv.sys String found in binary or memory: http://gaagle2.com/207.226.178.158206.161.205.142admin
Source: 0l7FCRHpVv.sys String found in binary or memory: http://gpt0.ru/web/rtcomh
Source: 0l7FCRHpVv.sys String found in binary or memory: http://install2.mdvirus.com/db/%s
Source: 0l7FCRHpVv.sys String found in binary or memory: http://ip.158166.com/zcb2009/ie7-0day.htmwidth=0height=0
Source: 0l7FCRHpVv.sys String found in binary or memory: http://kurdojan.tr.gg/h
Source: 0l7FCRHpVv.sys String found in binary or memory: http://kurdojan.tr.gg/http://kurdojan.tr.gg/sendusingsendpasswordmail
Source: 0l7FCRHpVv.sys String found in binary or memory: http://mabira.net/traff/controller.php?&ver=10&uid=windows
Source: 0l7FCRHpVv.sys String found in binary or memory: http://mabira.net/traff/controller.php?&ver=8&uid=windows
Source: 0l7FCRHpVv.sys String found in binary or memory: http://mabira.net/traff/controller.php?&ver=windows
Source: 0l7FCRHpVv.sys String found in binary or memory: http://members.xoom.com/m53group
Source: 0l7FCRHpVv.sys String found in binary or memory: http://s31.cnzz.com/stat.php?id=svchost.exe
Source: 0l7FCRHpVv.sys String found in binary or memory: http://sigmalab.lv/other/crypt/SOFTWARE
Source: 0l7FCRHpVv.sys String found in binary or memory: http://sparkasse.de.datenbank.
Source: 0l7FCRHpVv.sys String found in binary or memory: http://survey.news.sina.com.cn/polling.php
Source: 0l7FCRHpVv.sys String found in binary or memory: http://tibia-inject.com/
Source: 0l7FCRHpVv.sys String found in binary or memory: http://up.medbod.com/%s
Source: 0l7FCRHpVv.sys String found in binary or memory: http://vbnet.mvps.org/resources/tools/getpublicip.shtmlc:
Source: 0l7FCRHpVv.sys String found in binary or memory: http://woyaoshe.com/iptest/t/xcly.asposturl
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.0x4f.cn/blogMZKERNEL32.DLLForm1VB5
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.9aaa.comCompanyNameMicrosoft
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.bb.com.br/portalbbhttp://www.bradesco.com.brhttp://www.unibanco.com.brhttp://www.itau.com
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.caixa.gov.br
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.coolmelife.com/downloaddrivers
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.cuteqq.cn/
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.cuteqq.cn/?from=.shellexecute(wwwcuteqqcn
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.dansvloerverhuur.nl/beheerpagina/avilllams.jpg
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.design-unleashed.com/administrator/images/backupo.txtC:
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.dubfamily.com/visitors/
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.en100wan.com/google.htmwidth=0height=0
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.exejoiner.com
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.fagulhasmagicas.kit.net/floresta.jpgc:
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.fgetchr.cn:81/g/tj/1/1.asp?mac=
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.goog/click_second_new3.phpescape(window.location.href)
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.google.comhotmaillogs/pass
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.highvalue.pt/wp-content/uploads/2015/01/?email=t.schorer
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.krvkr.com/worm.htmwidth=0height=0
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.masm32.net/123.exe
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.mbu1ca1.com/indexp.php?id=bg
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.nextel.com.mx/C:
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.notijuegoss.com
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.okchistory.com/images/smilies/en-GB1.phpBradesco
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.orkut.com.br/home.aspxwww.google.com/accounts/servicelogin?service=orkutinternet
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.screenblaze.com/
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.seduw.com:
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.woai117.cn/
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.xtzspxw.com/admin506/tt.htmwidth=0height=0
Source: 0l7FCRHpVv.sys String found in binary or memory: http://www.yn-zysc.com/shangHu/PSY.exe
Source: 0l7FCRHpVv.sys String found in binary or memory: http://xxx.ads555.com/html/ppfilm9.htmsc.exe
Source: 0l7FCRHpVv.sys String found in binary or memory: http://you0idiot.web.fc2.com/crashme.html
Source: 0l7FCRHpVv.sys String found in binary or memory: http://zief.pl/rc/
Source: 0l7FCRHpVv.sys String found in binary or memory: https://bit.ly/2snjwv1)
Source: 0l7FCRHpVv.sys String found in binary or memory: https://bit.ly/2srxmuq)
Source: 0l7FCRHpVv.sys String found in binary or memory: https://bradesconetempresa.com.br
Source: 0l7FCRHpVv.sys String found in binary or memory: https://f.lewd.se/
Source: 0l7FCRHpVv.sys String found in binary or memory: https://www.bbva.com
Source: 0l7FCRHpVv.sys String found in binary or memory: https://www.google.com/accounts/captcha?/rd/mydd.php?hui=%s&hui2=%s&hui3=%s&file=elite03/res.php?key

System Summary

barindex
Source: 0l7FCRHpVv.sys, type: SAMPLE Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0l7FCRHpVv.sys, type: SAMPLE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0l7FCRHpVv.sys Binary or memory string: --use-spdy=off --disable-http2cmd /U /C "type %s1 > %s & del %s1"PK11_GetInternalKeySlotsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x/C ping localhost -n %u && del "%s"wmic.exe /output:clipboard process call create "powershell -w hidden iex(ShellExec_RunDLL "cmd" /c start /min powershell iex( memstr_1b14e52a-7
Source: 0l7FCRHpVv.sys Binary or memory string: originalfilenamewinproc.dll vs 0l7FCRHpVv.sys
Source: 0l7FCRHpVv.sys Binary or memory string: @*\ad:\vmw-1\_1_\stb\stb+vbpAlien-Spiritoriginalfilenamestb.exeMSVBVM60.DLLsilw3r vs 0l7FCRHpVv.sys
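The two lines above are what the "Sample file is different than original file name gathered from version info" signature is built on: the PE version resource carries OriginalFilename values (winproc.dll, stb.exe) that do not match the name on disk. The code below is an added example, not Joe Sandbox code, that reproduces the check by scanning raw bytes for VS_VERSIONINFO String entries keyed OriginalFilename; a byte scan rather than a resource-directory walk is a deliberate shortcut so that it still works when the PE headers are unusable, as the analyzer reported for this image. The buffer is constructed for the example and is not the sample. Keep in mind that a sample renamed by the submitter (this one was renamed from its hash) trips the check legitimately, so a mismatch is weak evidence on its own.

```python
import struct
from typing import List

# UTF-16LE key of a VS_VERSIONINFO String entry, including its terminator.
KEY = "OriginalFilename".encode("utf-16le") + b"\x00\x00"


def build_string_entry(key: str, value: str, pad: bool) -> bytes:
    """Build one VS_VERSIONINFO String structure (wLength, wValueLength, wType,
    szKey, optional alignment padding, Value). Used only to construct test data."""
    k = key.encode("utf-16le") + b"\x00\x00"
    v = value.encode("utf-16le") + b"\x00\x00"
    body = k + (b"\x00\x00" if pad else b"") + v
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body


# Constructed buffer standing in for the tail of a PE; the two OriginalFilename
# values are the ones the report extracted from the sample.
CONSTRUCTED = (
    b"MZ\x90\x00junk-before-resources\x00"
    + build_string_entry("OriginalFilename", "winproc.dll", pad=False)
    + b"\x90" * 7
    + build_string_entry("OriginalFilename", "stb.exe", pad=True)
)


def find_original_filenames(data: bytes) -> List[str]:
    """Scan raw bytes for OriginalFilename String entries and return their values."""
    found: List[str] = []
    pos = 0
    while True:
        idx = data.find(KEY, pos)
        if idx < 0:
            return found
        cur = idx + len(KEY)
        # The value is padded to a 4-byte boundary; without the structure base we
        # cannot compute the alignment, so skip a single zero WORD if present.
        if data[cur:cur + 2] == b"\x00\x00":
            cur += 2
        end = cur
        while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2
        found.append(data[cur:end].decode("utf-16le", errors="replace"))
        pos = end


def name_mismatch(sample_name: str, original_names: List[str]) -> bool:
    """True when no OriginalFilename equals the on-disk basename (case-insensitive).
    Returns False when the file carries no version info at all."""
    base = sample_name.replace("\\", "/").rsplit("/", 1)[-1].casefold()
    return bool(original_names) and all(n.casefold() != base for n in original_names)


if __name__ == "__main__":
    names = find_original_filenames(CONSTRUCTED)
    print("OriginalFilename values:", names)
    print("mismatch vs 0l7FCRHpVv.sys:", name_mismatch("0l7FCRHpVv.sys", names))
```

Two OriginalFilename values in one file is itself worth noting: a single linked binary has one version resource, so multiple distinct values point at embedded or concatenated executables.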
Source: 0l7FCRHpVv.sys, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 0l7FCRHpVv.sys, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0l7FCRHpVv.sys Binary string: \device\agony\dosdevices\agony
Source: 0l7FCRHpVv.sys Binary string: \device\physicalmemory
Source: 0l7FCRHpVv.sys Binary string: \Device\Harddisk0\DR0
Source: 0l7FCRHpVv.sys Binary string: MObReferenceObjectByNameNdisRegisterProtocol\driver\tcpip\device\ipfilterdriver
Source: 0l7FCRHpVv.sys Binary string: tdss*%s\%s\device\namedpipe\tdsscmdtdss\registry\machine\software\microsoft\windows\currentversion\runoncetdss\\?\globalroot\systemroot\system32
Source: 0l7FCRHpVv.sys Binary string: KdDisableDebugger\device\harddiskvolume%d
Source: 0l7FCRHpVv.sys Binary string: \Device\XPSAFECrackMe.sys
Source: 0l7FCRHpVv.sys Binary string: \Device\Harddisk0\DR0\DosDevices\ECatDisk1\Device\ECatDisk0
Source: 0l7FCRHpVv.sys Binary string: \device\harddisk0\dr0\driver\atapi\driver\nvata\filesystem\ntfsObReferenceObjectByName
Source: 0l7FCRHpVv.sys Binary string: ?server=%s&gameid=%s&pass=%s&pin=%s&wupin=%s&role=%s&equ=Forthgoner\Device\devHBKernel
Source: 0l7FCRHpVv.sys Binary string: \device\tcp
Source: 0l7FCRHpVv.sys Binary string: \??\%ws\System32\DRIVERS\nup.sys\Device\MyDRVS\DosDevices\MyDRVS%s?id=%ws&download=%02.8X HTTP/1.0
Source: 0l7FCRHpVv.sys Binary string: \device\ipfilterdriverkeservicedescriptortable\driver.pdbhooking.cpp: sst indexbogusprotocol
Source: 0l7FCRHpVv.sys Binary string: KeServiceDescriptorTable\device\winhook*WinHook:Hook System Call Service*P
Source: 0l7FCRHpVv.sys Binary string: \device\dpti\device\ipfilterdriverdrweb.agnmitum.symantec.kaspersky
Source: 0l7FCRHpVv.sys Binary string: \device\ressdt
Source: 0l7FCRHpVv.sys Binary string: \DosDevices\C:\Program Files\Tencent\qq\qq.exe\Device\THINK
Source: 0l7FCRHpVv.sys Binary string: \Device\ECatDisk0
Source: 0l7FCRHpVv.sys Binary string: i\device\msdirectx\objecttypes\process
Source: 0l7FCRHpVv.sys Binary string: \device\windowsexx
Source: 0l7FCRHpVv.sys Binary string: q\device\tcp\filesystem\ntfs
Source: 0l7FCRHpVv.sys Binary string: \systemroot\system32\drivers\etc\hosts\device\regguard
Source: 0l7FCRHpVv.sys Binary or memory string: @*\ac:\server\tarantula.vbp=dnammoc\nepo\llehsfni.nurotuasovihcra rev arap ateprac rirba=noitca
Source: 0l7FCRHpVv.sys Binary or memory string: z1.vbp\superkill
Source: 0l7FCRHpVv.sys Binary or memory string: 'toyano\otros virusillos\shell32\devil shell32.vbpte a marcado la hora chao!!!detectar usbs
Source: 0l7FCRHpVv.sys Binary or memory string: d*\ac:\deny\wayang.vbpkujumpai pula sekelompok pemuda tunduk di rumah-mu.shutdown -r -f -t 0killbox.exe\dalang mistiq.exe\application data\sma negeri 4.exewayangpaperhanuman.exe\w32 wayang.exemajnun was h3re.exenakula sadewa\svchost.exe*.dockillermachine.exescrnsave.exepcmav.exe\application data\kota p4hlawan.exemy documents\majnun.txtx-raypc.exec:\denydurjana\csrss.exedurjana\smss.exedurjana\lsass.exe
Source: 0l7FCRHpVv.sys Binary or memory string: !Vhorse.AIB.+\\My Botnet( Source)?\\Server\\Project1\.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: .+Evoloution\\Server\\Server\.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: shellexecuteaescritorio\stub2\stub.vbpBillar2
Source: 0l7FCRHpVv.sys Binary or memory string: !VBInject.gen!AF.+\\Cyborg-Crypt-Source\\634z7\\Projekt1\.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: !VBInject.gen!ZC:\\Users\\User[0-9]\\Desktop\\Desktop Stuff\\iCrpyt\\stub[0-9]\\.+\.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: D:\\Setup\\Drivers\\Audio\\Installs_the_RealTek_AC_97_audio_driver\\WDM5630\\Documents\\Documents11\\Secret\\Basic\\Updated\\Dao chich\\final 007 spy\\.+\.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: //focki\\incorrect size descriptor in gost decryptionboxiegsdavhgvsda%%$&%$&%$hazl0oh*\ac:\dokumente und einstellungen\administrator\desktop\#coding#\v2.2\v2.2\stub\project1.vbp&%&%&%&%\melt.batdumbfuck
Source: 0l7FCRHpVv.sys Binary or memory string: 5my@CreateProcessWriteProcessMemoryGetThreadContextSetThreadContextResumeThreadRtlMoveMemoryVirtualAllocEx\stiki.vbpstikistikistikistiki.exe
Source: 0l7FCRHpVv.sys Binary or memory string: [_CreateProcessWriteProcessMemoryGetThreadContextSetThreadContextResumeThreadRtlMoveMemoryVirtualAllocEx\stiki.vbpstikistikistiki
Source: 0l7FCRHpVv.sys Binary or memory string: 127.0.0.1 viabcp.com127.0.0.1 www.viabcp.com127.0.0.1 scotiabank.com.pe127.0.0.1 www.scotiabank.com.pe127.0.0.1 bbvabancocontinental.com127.0.0.1 www.bbvabancocontinental.comixato\pharolnine\proyecto1.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: .+\\Mo7ammed\\.+\\crypt Dmar Nar 0.4\\Stube\\Stube\.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: documents and settings\mert.mertkan\desktop\poison crypter free\stub\stub.vbpmetallicawriteprocessmemory
Source: 0l7FCRHpVv.sys Binary or memory string: Final RS Stealer\Project1.vbpRS Stealer vRS_StealerPassword :FTP Server :
Source: 0l7FCRHpVv.sys Binary or memory string: host: s.daishua.com/zd/vote_get.asp?referer: http://survey.news.sina.com.cn/polling.php\ad.vbppost
Source: 0l7FCRHpVv.sys Binary or memory string: z1.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: !VBInject.gen!W.+\\Online Crypter.*\\Stub\\Proyecto1.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: !Vwealer.BLDD:\\Setup\\Drivers\\Audio\\Installs_the_RealTek_AC_97_audio_driver\\WDM5630\\Documents\\Documents11\\Secret\\Basic\\Updated\\Dao chich\\final 007 spy\\.+\.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: *\ac:\documents and settings\all users\ghijk\project1.vbppaytime :wscript.shelladult-dougaga.exe
Source: 0l7FCRHpVv.sys Binary or memory string: )\worm.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: !VBInject.gen!AA.+\\Mo7ammed\\.+\\crypt Dmar Nar 0.4\\Stube\\Stube\.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: !Vbinder.gen!C\\tst crypter 1.2\\Stub\\Project1\.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: L@*\ac:\as\hack\exe proj\sem\project1.vbpregedit.exeC:\comand.exe "%1" %*Software\VB and VBA Program Settings\LnA\runnevershowextdats.exe
Source: 0l7FCRHpVv.sys Binary or memory string: &redsky worm, copyright 2008 (c) by unadolescentearrabbiato, written in vb6info@paypal.comlol, italian virus writerdesktop\war\project1.vbpsoftware\microsoft\windows\currentversion\runbonifico.exesupporto@ebay.comsupport@monster.itstaff@telecom.it
Source: 0l7FCRHpVv.sys Binary or memory string: !VB.FX\w:\\Kokx\\Project1.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: .+\\My Botnet( Source)?\\Server\\Project1\.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: !Vwealer.BLE.+Evoloution\\Server\\Server\.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: z1.vbpshell\\Auto\\command=
Source: 0l7FCRHpVv.sys Binary or memory string: !VBInject.gen!ABC:\\Dokumente und Einstellungen\\o_O\\Desktop\\.+\\Builder v.2\\xxPub xStub\\.+\.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: msvbvm60.dll*\ac:\documents and settings\andres\escritorio\cactus.exe\cactus.dll\x.vbpfirewallenableduserprofilellehs.tpircswnur\noisrevtnerruc\swodniw\tfosorcim\erawtfos\uckhregwrite
Source: 0l7FCRHpVv.sys Binary or memory string: C:\\Dokumente und Einstellungen\\o_O\\Desktop\\.+\\Builder v.2\\xxPub xStub\\.+\.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: \\tst crypter 1.2\\Stub\\Project1\.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: a*\ae:\exenew\exesyvbnew3\exesyvb\execlientold360\execlient.vbpdel jcreate.batvgigvivivi@software\tencent\qqsoftware\360safe\safemonexecaccess
Source: 0l7FCRHpVv.sys Binary or memory string: .+\\Online Crypter.*\\Stub\\Proyecto1.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: \w:\\Kokx\\Project1.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: "\Users\Jatz0r\Desktop\jajajaja\anarko\DRONES 3.0.b\Proyecto1.vbp#pinkz0rcmd.exe /c netsh exec C:/WINDOWS/lala2.txt*** Conexion establecida.
Source: 0l7FCRHpVv.sys Binary or memory string: C:\\Users\\User[0-9]\\Desktop\\Desktop Stuff\\iCrpyt\\stub[0-9]\\.+\.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: 78e1bdd1-9941-11cf-9756-00aa00c00908a_final2\a_final.vbppiloto2a_finala_final2chegados_novosbloco de dadostoplevviswindsfound
Source: 0l7FCRHpVv.sys Binary or memory string: .+\\Cyborg-Crypt-Source\\634z7\\Projekt1\.vbp
Source: 0l7FCRHpVv.sys Binary or memory string: @*\ay:\zeus\downloadersource\my_crypter_vbcrypter\vbcrypter\newstubmy\myprog.vbp@asplitter;c:\windows\system32;c:
Source: classification engine Classification label: mal88.troj.evad.mine.winSYS@0/0@0/0
Source: Binary string: Gh0st RATGH0STC%sGH0STC%s - Key LoggerA server has successfully been created!e:\job\gh0st\Release\gh0st.pdb source: 0l7FCRHpVv.sys
Source: Binary string: \hide_evr2.pdb source: 0l7FCRHpVv.sys
Source: Binary string: BreakIn.pdb source: 0l7FCRHpVv.sys
Source: Binary string: \UpanZhongMa\Release\UpanZhongMa.pdbTrojan:PDF/Phish!rfn source: 0l7FCRHpVv.sys
Source: Binary string: e:\job\gh0st\Release\gh0st.pdb source: 0l7FCRHpVv.sys
Source: Binary string: interlockedexchangezwenumeratevaluekeykeservicedescriptortablezwquerydirectoryfilezwquerysysteminformationhide_evr2.pdb source: 0l7FCRHpVv.sys
Source: Binary string: keservicedescriptortable\driver.pdbhooking.cpp: sst indexb source: 0l7FCRHpVv.sys
Source: Binary string: \device\ipfilterdriverkeservicedescriptortable\driver.pdbhooking.cpp: sst indexbogusprotocol source: 0l7FCRHpVv.sys
Source: Binary string: drivers\tesafe.sys\tesafe\release\server.pdbdrivers\kvsys.sys\\.\tesafe360safe.exe\usp10.dll source: 0l7FCRHpVv.sys

Hooking and other Techniques for Hiding and Protection

barindex
Source: 0l7FCRHpVv.sys Binary or memory string: KeServiceDescriptorTable

Malware Analysis System Evasion

barindex
Source: 0l7FCRHpVv.sys Binary or memory string: SBIEDLL.DLL
Source: 0l7FCRHpVv.sys Binary or memory string: YLULHELLOWORLDCPPFTWLALALA....$$$$$$MVUA2N43GA1313131MUVAN2H4GNNJ2VNVNJAV2NJA4VNJA4VLAULGULHUAH1231LULZBARNJVJNARJGAHJNRVAJRVN2JONEDBGHELP.DLLSBIEDLL.DLL
Source: 0l7FCRHpVv.sys Binary or memory string: OLLYDBGREGMON.EXEFILEMON.EXEPROCMON.EXE-SKIPANTIWRITEPROCESSMEMORY
Source: 0l7FCRHpVv.sys Binary or memory string: OLLYDBGOLLYICEPEDITORLORDPEC32ASMIMPORTREC.EXE
Source: 0l7FCRHpVv.sys Binary or memory string: vmwaresandboxWriteProcessMemory
Source: 0l7FCRHpVv.sys Binary or memory string: vmware
Source: 0l7FCRHpVv.sys Binary or memory string: currentuservmwaresandboxswapmousebuttons
Source: 0l7FCRHpVv.sys Binary or memory string: =yaP'Xfrom Win32_VideoControllerVMware SVGAS3 Trio32/64Sandboxie Detected![CWSandboxWriteProcessMemory
Source: 0l7FCRHpVv.sys Binary or memory string: \drivers\vmmouse.sys !.\sDOasdf456565634645.mixcrtSOFTWARE\KasperskyLab\AVP6SOFTWARE\KasperskyLab\AVP7dyqmnsds/dyd\system32\drivers\gmreadme.txtSOFTWARE\KasperskyLab\protected\AVP8\registry\machine\system\currentcontrolset\services\sdtr`.usdfdf5\system32\drivers\sdtr.sysSOFTWARE\KasperskyLab\protected\AVP7
Source: 0l7FCRHpVv.sys Binary or memory string: vmwaresandboxswapmousebuttonsblind accesscontrol panel\
Source: 0l7FCRHpVv.sys Binary or memory string: \drivers\vmmouse.sys !.\sDOasdf456565634645.mixcrtSOFTWARE\KasperskyLab\AVP6SOFTWARE\KasperskyLab\AVP7dyqmnsds/dyd\system32\drivers\gmreadme.txtSOFTWARE\KasperskyLab\protected\AVP8\
Source: 0l7FCRHpVv.sys Binary or memory string: forthgonerinternetreadfilehbqq.dllhbinject32rename %s %ssoftware\microsoft\windows\currentversion\explorer\shellexecutehookssoftware\microsoft\windows\currentversion\shellserviceobjectdelayloadappinit_dllsprogram managerwm_hookex_rkbasicctrldll.dlld10=%s&d11=%sfy_passwordhttp://woyaoshe.com/iptest/t/xcly.asposturl
Source: 0l7FCRHpVv.sys Binary or memory string: progman

Stealing of Sensitive Information

barindex
Source: Yara match File source: 0l7FCRHpVv.sys, type: SAMPLE

Remote Access Functionality

barindex
Source: Yara match File source: 0l7FCRHpVv.sys, type: SAMPLE
No contacted IP information (no network activity was observed because the sample never executed).