Windows Analysis Report SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll
Overview
General Information
Detection
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Classification
Process Tree
Malware Configuration
No configs have been found
Yara Overview
No yara matches
Sigma Overview
No Sigma rule has matched
Jbx Signature Overview
AV Detection
Antivirus / Scanner detection for submitted sample
Source: Avira
Multi AV Scanner detection for submitted file
Source: Virustotal
Source: Metadefender
Source: ReversingLabs
Source: Static PE information
Source: Binary or memory string
Source: Static PE information
Source: Process created
Source: Virustotal
Source: Metadefender
Source: ReversingLabs
Source: File created
Source: Static PE information
Source: Key opened
Source: Classification label
Source: Process created (13 entries)
Source: Mutant created (3 entries)
Source: File read (6 entries)
Source: Static PE information
Source: Code function: 4_2_007EC2B1
Source: Code function: 9_2_02ADC231
Source: Process information set (67 entries)
Source: Thread delayed
Source: Code function: 3_2_100010A0
Source: Process queried (6 entries)
Source: Process created
Source: Binary or memory string (4 entries)
Mitre Att&ck Matrix
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection12 | Rundll321 | Input Capture1 | Security Software Discovery1 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion11 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection12 | Security Account Manager | Virtualization/Sandbox Evasion11 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information1 | NTDS | System Information Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Behavior Graph
Screenshots
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Detection | Scanner | Label |
---|---|---|
63% | Virustotal | |
29% | Metadefender | |
75% | ReversingLabs | Win32.Trojan.Spynoon |
100% | Avira | HEUR/AGEN.1142362 |
Dropped Files
No Antivirus matches
Unpacked PE Files
Detection | Scanner | Label |
---|---|---|
100% | Avira | HEUR/AGEN.1142362 |
100% | Avira | HEUR/AGEN.1142362 |
100% | Avira | HEUR/AGEN.1142362 |
100% | Avira | HEUR/AGEN.1142362 |
100% | Avira | HEUR/AGEN.1142362 |
100% | Avira | HEUR/AGEN.1142362 |
100% | Avira | HEUR/AGEN.1142362 |
100% | Avira | HEUR/AGEN.1142362 |
100% | Avira | HEUR/AGEN.1142362 |
Domains
No Antivirus matches
URLs
No Antivirus matches
Domains and IPs
General Information
Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 483798
Start date: 15.09.2021
Start time: 14:01:58
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 51s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Run with higher sleep bypass
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.winDLL@12/12@0/0
EGA Information: Failed
HDC Information:
HCA Information:
Cookbook Comments:
Warnings:
Simulations
Behavior and APIs
No simulations
Joe Sandbox View / Context
Created / dropped Files
Process: C:\Windows\SysWOW64\WerFault.exe
File Type:
Category: dropped
Size (bytes): 13858
Entropy (8bit): 3.765844462426622
Encrypted: false
SSDEEP: 192:fmi/0oXXHBUZMX4jed+IqZnB/u7sfS274ItWcQ:uiBX3BUZMX4jeCJB/u7sfX4ItWcQ
MD5: 3ED7A7984B1D72B471DA0E7043463509
SHA1: F8E074A9E2622E57ECE0CF307301B4A1637FCDFF
SHA-256: 4C6EE35311A4BF6998CDE482DC65BF2028D130DBAADD43D7621C07CD5ED3CF44
SHA-512: 65E8EBE25FA190C22D52B7300DB3708775E3AD1F7048ABF0BEEAD6418E424E73C015AE6A82CA59EF7CF3AACA0C218377D1374302544123B87B887B31EDFE9D39
Malicious: false
Preview:
Process: C:\Windows\SysWOW64\WerFault.exe
File Type:
Category: dropped
Size (bytes): 13862
Entropy (8bit): 3.7646929532943063
Encrypted: false
SSDEEP: 192:fs50MiZ0oXTHBUZMX4jed+RGWGg/u7sfS274ItWc/:k59iXXTBUZMX4jeiQg/u7sfX4ItWc/
MD5: F70484AB94473D4572E660A7CDEC2795
SHA1: 7549F5212B9530CB66073143B7FCB0AD43624D2B
SHA-256: FB628AC0351E983C91DBC6E5EEE080F8F51C049B515F37DC89E15A1884CD1F75
SHA-512: 9FFEA32902A227EB3169CCD11D224862AEB2619991355DD0FA559DE989B472BD01AFFFF405461A1B902BED772070F5B60CEF7AAA941A8A0D7C43463654C616E3
Malicious: false
Preview:
Process: C:\Windows\SysWOW64\WerFault.exe
File Type:
Category: dropped
Size (bytes): 13862
Entropy (8bit): 3.765531692970136
Encrypted: false
SSDEEP: 192:nril0oXxHBUZMX4jed+Vbu5w/u7sfS274ItWcb:rirXBBUZMX4jem8w/u7sfX4ItWcb
MD5: 957DD93B52A93018BA848FEE95FEA520
SHA1: 88CE3424BAA4C3D818FB3D33DF9DD157840F1196
SHA-256: 8F901762659EE347A4D1683D92173C0067CE1E55813CC87D7BA75F03A8DDDCB7
SHA-512: 98DB885B24869E2468AFCE0E21B78A7B68F7EC270938ED3FDC3E143214845C372A7CCA45A078B4C528B62420ADEF8CE9562A69193F292985A27B670332AD59D0
Malicious: false
Preview:
Process: C:\Windows\SysWOW64\WerFault.exe
File Type:
Category: dropped
Size (bytes): 49126
Entropy (8bit): 2.111260583968291
Encrypted: false
SSDEEP: 384:gL3EHVMwYt78K7k64Ran3V0qzJjz/nSqp:a3+YB8K7+O3VzJjz7
MD5: F94493048247858777007EA2C9EE9FA6
SHA1: 8A7E40F6AD4B29BE6B3762FFEAFB3B7347F379CF
SHA-256: 97670F13F9C4EADEB8F3D31F3720C4C6161F30E9418A9840335C7F26D3C43AE8
SHA-512: 772C91D8C4F08299A6FDA1A3BF41B36C128BB6A2EF98EB1823541F7716AFCD0266F6CEEA03D3C895F5F222214CFED54C758CBBF7CC27C3118F77A1202F06F6E3
Malicious: false
Preview:
Process: C:\Windows\SysWOW64\WerFault.exe
File Type:
Category: dropped
Size (bytes): 57762
Entropy (8bit): 1.9592582376729129
Encrypted: false
SSDEEP: 384:Rpt2zLdB1A+Zt4MBIWsUF7KP40gDrb3Wh:Rpt2+wyMBIWczgDrDi
MD5: EA863139A89FE4F931D481EB01F3244C
SHA1: D1808A00D230A2293FE72EB6033A61E26BB7229C
SHA-256: CFD4B6413BF2C181C48AF487D9395B33BA2565467EFFB45906DA5A1E28F230B9
SHA-512: 162A2C67F4FBC7B14405F78040B7324B922DAC869B312717684AE5746E849A491BC5D932796EC27E43A8DAD2CE0F2737E46B77B20CE79D32EDE386737CEADF87
Malicious: false
Preview:
Process: C:\Windows\SysWOW64\WerFault.exe
File Type:
Category: dropped
Size (bytes): 8290
Entropy (8bit): 3.695839717179838
Encrypted: false
SSDEEP: 192:Rrl7r3GLNisQ6q6Y++6sRgmfT+S/iCpr189bkCsfyMm:RrlsNiL6q6Yn66gmfT+SgkBfo
MD5: FB5B8ACCD619A3FF97F03654874A37B3
SHA1: 0C756F2BB9F3AD96310CC04D8CE57729B09973AF
SHA-256: A90A7490683D9E2E5AB00109446C74789766BB5BBA6503DAAE44F67B305848C2
SHA-512: 05612436B5209DCCBC2A5E805EEF718EBBBC8B4D8E081064895299D63B28FA2146BC2E66FDE0A0C0DFDD7CD76FE5C01962DF1441409C0CCC1FD85CC0DB91CED4
Malicious: false
Preview:
Process: C:\Windows\SysWOW64\WerFault.exe
File Type:
Category: dropped
Size (bytes): 8310
Entropy (8bit): 3.6978120602526583
Encrypted: false
SSDEEP: 192:Rrl7r3GLNihX6F6YCB63xogmfT+S/iCprD89bkQsf0oMm:RrlsNix6F6YE63+gmfT+S2kjfv
MD5: C6D06049A05B964C8D7B6E9CAA8784FC
SHA1: D725016E2A8E21A728C84CC01EDB2367A7488247
SHA-256: 800A8497ECCA8A4F4E9434439BA40A9FF0E4A43E3B7656AC6920529E6935D918
SHA-512: 89D058B8DCBAE02CF0D882EB7D6A762490C25CA915DA6940CCC1441E72D9FAA9092B6B0957D9AD3F9EB9D574753448A14A80E91DEFF5499BE3D83DDE7B60D04F
Malicious: false
Preview:
Process: C:\Windows\SysWOW64\WerFault.exe
File Type:
Category: dropped
Size (bytes): 4670
Entropy (8bit): 4.495306608627608
Encrypted: false
SSDEEP: 48:cvIwSD8zsAJgtWI9dZWSC8B88fm8M4JCdsEZFoSV+q8/OU34SrS1d:uITfG2oSNHJ65O3DW1d
MD5: 95FFC24C14BD85C56BAEE2690A42D640
SHA1: 013CA3D91F6AF76CC443C22E4EF2286278CE5446
SHA-256: 2D12673FD19B5E2E5F4BD5E46A2E8C7049B5923FDE211096539C086CC02DCF8B
SHA-512: 260165E57DB7E87906AC18510F6FC6C3048794AD29F52F8472174B669E1471A41A2CFC5BA508833297B015DB26BA35A64E7518CB9C813C5FBF82D9037F4C2349
Malicious: false
Preview:
Process: C:\Windows\SysWOW64\WerFault.exe
File Type:
Category: dropped
Size (bytes): 4670
Entropy (8bit): 4.493595461455166
Encrypted: false
SSDEEP: 48:cvIwSD8zsAJgtWI9dZWSC8Bkw8fm8M4JCdsEZFHJ+q8/OUN4SrSchd:uITfG2oSN+NJ6NONDW4d
MD5: F05BBAA43305E52C22B638C626429CEE
SHA1: ADC413FB15971738D63DA3242A76A928736BA744
SHA-256: BFFA763BD4699F69457D08DEDCF25380D22DB564F7B611F848DCEE4E1554C254
SHA-512: 37D59A8D1C016A13ABB0AC6A84EFFA0313FC1A87A64283B7C7290B6EA8AB8F30B5AE2C943F364DD39B5B9FEBF21790A5FE6DA648AA9E4484340C4D17A70868B5
Malicious: false
Preview:
Process: C:\Windows\SysWOW64\WerFault.exe
File Type:
Category: dropped
Size (bytes): 48630
Entropy (8bit): 2.168934706666154
Encrypted: false
SSDEEP: 192:ITtFi69fjyWtTrIjapH4PxS8Klx3AgyWuXH7PnF3Mw:48UfjyWtTrIGt78KlxwgfaTBMw
MD5: D293DE3E6419791ACB3147D0BDBD74EA
SHA1: F89CBE2F1FAE2AA59F75B1D52F7ECCC63F24123A
SHA-256: 663682751B538AB7631488CB3CB65F1BFC95EAA5C9A8B79563B60E4C8146E708
SHA-512: 42A8ACB1C2AB0C2D7476FC72599304487483850A4DE51A9D849CD5D5F7E516AC20041181B796D80A595D0A00AB6DA83F051607D6397D0B99C57951C3B1234260
Malicious: false
Preview:
Process: C:\Windows\SysWOW64\WerFault.exe
File Type:
Category: dropped
Size (bytes): 8310
Entropy (8bit): 3.699034045450217
Encrypted: false
SSDEEP: 192:Rrl7r3GLNi5C6j6YC363xogmfT+S/iCprL89b7nbsf/50Opm:RrlsNic6j6Yi63+gmfT+Su7ngf/5Q
MD5: DC602782E7176C4B002E00452DD2C391
SHA1: 3DE11A877794EE73A58FEDA02B54D3499AC2A54F
SHA-256: 90F82B5A981B11C582F567F432CBF5BE871D4ACBA3070F787CC820E7FA628953
SHA-512: 582FD700461F563582D52EC19C608BC5DD874BBF92E1016AA0BFA40971B6C42362686DBF039B371629A3CDC963605903D56A80139C8D3CC461EF4E8272127635
Malicious: false
Preview:
Process: C:\Windows\SysWOW64\WerFault.exe
File Type:
Category: dropped
Size (bytes): 4670
Entropy (8bit): 4.491960778876212
Encrypted: false
SSDEEP: 48:cvIwSD8zsAJgtWI9dZWSC8Bz8fm8M4JCdsEZFy6+q8/OU7n4SrSWd:uITfG2oSNGJ6u6OjDWWd
MD5: 78390C2962AC5FEFE7967D1C6A1A3F96
SHA1: F91E534E18D6D057D14D35DD2F44D0894FCFF98D
SHA-256: 73C05159ECCD1C8CD938CE71B9E7D731A323EA2A6E2E301A726397FC3608D9CC
SHA-512: 9BEB07049740E0C566EE7C386896708378F1E54D3409B7D679E59AC8F36FD360A934F97B53AEA73AB2B30BF9211958D0C550FB5D32B2956DC3875A9902967D42
Malicious: false
Preview:
Static File Info
General
File type:
Entropy (8bit): 4.102957541893627
TrID:
File name: SecuriteInfo.com.Trojan.Agent.FHBA.20741.dll
File size: 4608
MD5: 4b59be3cef04547514828f8c6443ae20
SHA1: bed0d3a622ca55a914ceaf885ebc2fb419e8a9eb
SHA256: b7ca395f51df95bd3d5b5b4a30a5c2381a9893f0d66aff011d605319d5c0ea7d
SHA512: 5aabf0b4b62e7ec664cc0787eac599fb507b2d79a9967e94244fedecbfd42205de00f29c567679e50247293e0067549e2a6c4b37fa943bf7609df2aa598383eb
SSDEEP: 48:iswv7jh9qy/njLFg2jSzhqh+hQaFLi/vMTapIZcCIIISwFIJfzm7W475d2:/wLqyHFgURgb+NUwFIJfzmW47r2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O0K..^...^...^..E_...^..._...^..GZ...^..G^...^..G\...^.Rich..^.........PE..L...a..`...........!......................... .....
File Icon
Icon Hash: 74f0e4ecccdce0e4
Static PE Info
General
Entrypoint: 0x10000000
Entrypoint Section:
Digitally signed: false
Imagebase: 0x10000000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, RELOCS_STRIPPED
DLL Characteristics: NO_SEH, NX_COMPAT
Time Stamp: 0x60931161 [Wed May 5 21:42:57 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 8b1a65dc59feff9ba4c412ec478b377b
Entrypoint Preview
Instruction |
---|
dec ebp |
pop edx |
nop |
add byte ptr [ebx], al |
add byte ptr [eax], al |
add byte ptr [eax+eax], al |
add byte ptr [eax], al |
Data Directories
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2150 | 0x50 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2254 | 0xf0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2130 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x100 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x2d6 | 0x400 | False | 0.498046875 | data | 4.58066088703 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x2000 | 0x840 | 0xa00 | False | 0.41171875 | data | 4.11239200133 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Imports
DLL | Import |
---|---|
ODBC32.dll | |
MSWSOCK.dll | inet_network, SetServiceA, EnumProtocolsW, GetServiceA |
AVIFIL32.dll | AVIStreamSetFormat, AVIMakeCompressedStream, AVIStreamReadFormat, AVISaveOptions, AVISave, EditStreamClone, AVIStreamInfoW |
MSVFW32.dll | ICCompressorFree, ICClose |
AVICAP32.dll | capGetDriverDescriptionW |
rtm.dll | MgmReleaseInterfaceOwnership, RtmGetNetworkCount, RtmBlockDeleteRoutes, MgmRegisterMProtocol, RtmCreateEnumerationHandle, RtmDequeueRouteChangeMessage |
mscms.dll | SetColorProfileElement, GetColorProfileElement, CreateColorTransformW, GetPS2ColorSpaceArray, SelectCMM, GetColorProfileElementTag, SetStandardColorSpaceProfileA, SpoolerCopyFileEvent, OpenColorProfileA |
USER32.dll | CreateMDIWindowW, LoadImageW, GetActiveWindow |
WINMM.dll | mmioSetInfo, midiInGetID, timeGetSystemTime, joyConfigChanged, mmioAscend |
urlmon.dll | GetSoftwareUpdateInfo, URLDownloadToCacheFileA, URLDownloadW, URLOpenStreamW, CreateURLMoniker, CoInternetParseUrl |
ole32.dll | CoInstall |
Exports
Name | Ordinal | Address |
---|---|---|
uvlcopdlxoed | 1 | 0x100010a0 |
Network Behavior
Network Port Distribution
UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 15, 2021 14:03:03.824426889 CEST | 60342 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 15, 2021 14:03:03.850091934 CEST | 53 | 60342 | 8.8.8.8 | 192.168.2.6 |
Sep 15, 2021 14:03:03.858378887 CEST | 61346 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 15, 2021 14:03:03.887568951 CEST | 53 | 61346 | 8.8.8.8 | 192.168.2.6 |
Sep 15, 2021 14:03:06.672724009 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 15, 2021 14:03:06.698178053 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6 |
Sep 15, 2021 14:03:22.927107096 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 15, 2021 14:03:22.970191002 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6 |
Sep 15, 2021 14:03:42.226816893 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 15, 2021 14:03:42.269901991 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6 |
Sep 15, 2021 14:03:42.302804947 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 15, 2021 14:03:42.329152107 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6 |
Sep 15, 2021 14:03:42.932859898 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 15, 2021 14:03:42.974795103 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6 |
Sep 15, 2021 14:03:43.478427887 CEST | 58336 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 15, 2021 14:03:43.509809017 CEST | 53 | 58336 | 8.8.8.8 | 192.168.2.6 |
Sep 15, 2021 14:03:43.531910896 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 15, 2021 14:03:43.569380045 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6 |
Sep 15, 2021 14:03:43.858808994 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 15, 2021 14:03:43.922287941 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6 |
Sep 15, 2021 14:03:44.414485931 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 15, 2021 14:03:44.453841925 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6 |
Sep 15, 2021 14:03:44.905169964 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 15, 2021 14:03:44.931910992 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6 |
Sep 15, 2021 14:03:45.465070009 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 15, 2021 14:03:45.491971970 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6 |
Sep 15, 2021 14:03:46.455770016 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 15, 2021 14:03:46.522923946 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6 |
Sep 15, 2021 14:03:47.626398087 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 15, 2021 14:03:47.651427984 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6 |
Sep 15, 2021 14:03:49.126178026 CEST | 50339 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 15, 2021 14:03:49.155678988 CEST | 53 | 50339 | 8.8.8.8 | 192.168.2.6 |
Sep 15, 2021 14:04:00.758007050 CEST | 63307 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 15, 2021 14:04:00.792280912 CEST | 53 | 63307 | 8.8.8.8 | 192.168.2.6 |
Sep 15, 2021 14:04:20.368292093 CEST | 49694 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 15, 2021 14:04:20.404202938 CEST | 53 | 49694 | 8.8.8.8 | 192.168.2.6 |
Sep 15, 2021 14:04:32.741355896 CEST | 54982 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 15, 2021 14:04:32.785228968 CEST | 53 | 54982 | 8.8.8.8 | 192.168.2.6 |
Sep 15, 2021 14:04:34.609631062 CEST | 50010 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 15, 2021 14:04:34.652693033 CEST | 53 | 50010 | 8.8.8.8 | 192.168.2.6 |
Code Manipulations
Statistics
CPU Usage
Memory Usage
High Level Behavior Distribution
Behavior
System Behavior
General
Start time: 14:02:56
Start date: 15/09/2021
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline:
Imagebase: 0x970000
File size: 116736 bytes
MD5 hash: 542795ADF7CC08EFCF675D65310596E8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
General
Start time: 14:02:56
Start date: 15/09/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline:
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
General
Start time: 14:02:56
Start date: 15/09/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline:
Imagebase: 0x9e0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
General
Start time: 14:02:57
Start date: 15/09/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline:
Imagebase: 0x9e0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
General
Start time: 14:03:00
Start date: 15/09/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline:
Imagebase: 0xf90000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
General
Start time: 14:03:00
Start date: 15/09/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline:
Imagebase: 0xf90000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
General
Start time: 14:03:00
Start date: 15/09/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline:
Imagebase: 0x9e0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
General
Start time: 14:03:04
Start date: 15/09/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline:
Imagebase: 0xf90000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Disassembly
Code Analysis
Executed Functions
Function 100010A0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97 (tags: file, memory, COMMON)
C-Code - Quality: 37%
APIs
Strings
Memory Dump Source
Similarity
Uniqueness
Uniqueness Score: -1.00%
Non-executed Functions