Source: RFlc8JHObG.exe | Virustotal: Detection: 84% |
Source: RFlc8JHObG.exe | ReversingLabs: Detection: 88% |
Source: 1.2.RFlc8JHObG.exe.2bd0000.2.unpack | Avira: Label: TR/Kazy.MK |
Source: 1.2.RFlc8JHObG.exe.400000.0.unpack | Avira: Label: TR/Kazy.MK |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_00409D29 CryptUnprotectData,LocalFree, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_004123AB CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Unpacked PE file: 1.2.RFlc8JHObG.exe.400000.0.unpack |
Source: RFlc8JHObG.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: | Binary string: T:\fbgFd\faQgZ\bvjZalie\jRgyey\zBPowcgb.pdb source: RFlc8JHObG.exe |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_004054D0 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_0041652E PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_004165E9 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_0041404D select,recv, |
Source: RFlc8JHObG.exe | String found in binary or memory: http://www.internic.net/images/internic.gif |
Source: RFlc8JHObG.exe, 00000001.00000002.200757968.0000000002BD0000.00000004.00000001.sdmp | String found in binary or memory: http://www.internic.net/images/internic.gifbclih6h5h4h3h2h1divtdtrhrbr |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_0040ED74 NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,PFXImportCertStore, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_0040E904 NtQueryInformationProcess,CloseHandle,NtCreateThread, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_0040E9BB NtCreateUserProcess,GetProcessId,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_00412A28 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_0040716E CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_0040D61F InitiateSystemShutdownExW,ExitWindowsEx, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_00413E5D |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_0040168B |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_004122B7 |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_02442209 |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_02457E13 |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_02459A29 |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_02442699 |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_024590B3 |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_024595E0 |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_0244266E |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_02442F44 |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_0245AB1C |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_024413C7 |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_02459F88 |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_0245AC60 |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_02441000 |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_024598C3 |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_0245B0E3 |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_0245890F |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_0245A912 |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_0245A9BA |
Source: RFlc8JHObG.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: classification engine | Classification label: mal76.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_0040D4F4 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_0040760C CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_004127D2 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_0040CC7E CloseHandle,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,CloseHandle,GetLengthSid,CloseHandle,Process32NextW,CloseHandle, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_0040A448 CoCreateInstance, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Unpacked PE file: 1.2.RFlc8JHObG.exe.400000.0.unpack .text:ER;.data:EW;.itext:R;.rsrc:R;.idata:R; vs .text:ER;.data:W;.reloc:R; |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_00414CC6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,FreeLibrary, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_00401915 push es; iretd |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_00401FE1 push cs; iretd |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_00401FAB push cs; ret |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_02447857 push esi; iretd |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_024445E5 pushfd ; iretd |
Source: initial sample | Static PE information: section name: .text entropy: 6.99040926415 |
Source: initial sample | Static PE information: section name: .data entropy: 7.18553169486 |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_004061F9 mov edx, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_00406532 GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_004145CF InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_00411208 GetSystemTime,SystemTimeToFileTime, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_004104D7 GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_00411230 GetTimeZoneInformation, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_004078CA GetProcAddress,GetVersionExW, |
Source: RFlc8JHObG.exe | Binary or memory string: S:(ML;;NRNWNX;;;LW) |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_00414400 socket,bind,closesocket, |
Source: C:\Users\user\Desktop\RFlc8JHObG.exe | Code function: 1_2_00414164 socket,bind,listen,closesocket, |