Windows Analysis Report c3.dll
Overview
General Information
Detection
Score: | 72 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
|
Malware Configuration |
---|
Threatname: Ursnif |
---|
{"lang_id": "RU, CN", "RSA Public Key": "iZ+yu73sQgHWIoKVZvTBVFftBRzgg84Wo8cRK1WKzlYIyRSwRES+5puIFDGj4t/PJdO/J+rFd8Puk9xQXkAk5gtRJ+EiBjQZEhIJII9S4j9MojvldfnQXG4MCZq2vijykYOVQ/oipgSqNw946zszs4wFVrWAoZclk2bk1tyqtgqxkkj0TTwIXY2VfInsWFxD/3rDCluhcm6BGxwpQenf9WcO9HcjXScxWCVoj1xEKoz2EWs5Yz+47bMOX0XSfQdNTrhQDAWX7nAEEA6/oHUm46QdJTg5UtCf5yxbjwIgAf3SZboeJUyNSK7Q1WQQUlETGFBqUZa4n/YRWCQVzi42QoGrPxpP3LrDhlEYnFm7fQM=", "c2_domain": ["app10.laptok.at", "apt.feel500.at", "init.in100k.at"], "botnet": "3500", "server": "580", "serpent_key": "GfG96RIHgUj8PvPF", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
Click to see the 1 entries |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
Click to see the 4 entries |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
Click to jump to signature section
AV Detection: |
---|
Antivirus / Scanner detection for submitted sample | Show sources |
Source: | Avira: |
Found malware configuration | Show sources |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Yara detected Ursnif | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
E-Banking Fraud: |
---|
Yara detected Ursnif | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Static PE information: |
Source: | Code function: | 0_2_6F252264 | |
Source: | Code function: | 3_2_6F252264 |
Source: | Code function: | 0_2_6F252485 | |
Source: | Code function: | 3_2_6F252485 |
Source: | Static PE information: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Process created: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Classification label: |
Source: | Automated click: | ||
Source: | Automated click: | ||
Source: | Automated click: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 0_2_6F252209 | |
Source: | Code function: | 0_2_6F252263 | |
Source: | Code function: | 0_2_6F263609 | |
Source: | Code function: | 0_2_6F2639D0 | |
Source: | Code function: | 0_2_6F264842 | |
Source: | Code function: | 0_2_6F260470 | |
Source: | Code function: | 0_2_6F26297E | |
Source: | Code function: | 0_2_6F261D20 | |
Source: | Code function: | 0_2_6F260D0A | |
Source: | Code function: | 0_2_6F28092D | |
Source: | Code function: | 0_2_6F28014E | |
Source: | Code function: | 3_2_6F252209 | |
Source: | Code function: | 3_2_6F252263 | |
Source: | Code function: | 3_2_6F263609 | |
Source: | Code function: | 3_2_6F2639D0 | |
Source: | Code function: | 3_2_6F264842 | |
Source: | Code function: | 3_2_6F260470 | |
Source: | Code function: | 3_2_6F26297E | |
Source: | Code function: | 3_2_6F261D20 | |
Source: | Code function: | 3_2_6F260D0A | |
Source: | Code function: | 3_2_6F28092D | |
Source: | Code function: | 3_2_6F28014E |
Source: | Code function: | 0_2_6F251F31 |
Source: | Static PE information: |
Hooking and other Techniques for Hiding and Protection: |
---|
Yara detected Ursnif | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Code function: | 0_2_6F27E20C | |
Source: | Code function: | 0_2_6F27E142 | |
Source: | Code function: | 0_2_6F27DD49 | |
Source: | Code function: | 3_2_6F27E20C | |
Source: | Code function: | 3_2_6F27E142 | |
Source: | Code function: | 3_2_6F27DD49 |
Source: | Code function: | 0_2_6F251F31 |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Process created: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Code function: | 0_2_6F251566 | |
Source: | Code function: | 3_2_6F251566 |
Source: | Code function: | 0_2_6F25146C |
Source: | Code function: | 0_2_6F2517A7 |
Stealing of Sensitive Information: |
---|
Yara detected Ursnif | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality: |
---|
Yara detected Ursnif | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Native API1 | Path Interception | Process Injection12 | Rundll321 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Software Packing2 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection12 | Security Account Manager | System Information Discovery13 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information2 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Behavior Graph |
---|
Screenshots |
---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
59% | Virustotal | Browse | ||
11% | Metadefender | Browse | ||
66% | ReversingLabs | Win32.Trojan.Wacatac | ||
100% | Avira | TR/AD.UrsnifDropper.mlwbg |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 498859 |
Start date: | 07.10.2021 |
Start time: | 15:53:27 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 9m 8s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | c3.dll |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 25 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal72.troj.winDLL@11/0@0/0 |
EGA Information: | Failed |
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
No created / dropped files found |
---|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.470808656519418 |
TrID: |
|
File name: | c3.dll |
File size: | 188928 |
MD5: | c309ec3264c7bf7c771cca5703e841fe |
SHA1: | 2af04c50d324bc6f42fe9714ea89cf300471c169 |
SHA256: | 616255c7f0697542e2a3e5e6b4834fffa5e56e7ede26612454674a9937d32a19 |
SHA512: | d8777b8436b00dbf0e6fc3c222ca63cc4b034886262a2950aed129b198280495e55c9ef107dff033f52c72109b28a90d28bd6ab362d98bb4037570f118d2f8ba |
SSDEEP: | 3072:qrvdO1LblP9WNrgFFxA9cHv3UgmvXIyLOM9LPm/wKrD3SzGamTdHJyrVoNXO47:qZgi8FTAuHPUl5SeTSnZuoN+4 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>.p.z...z...z.......y.......k...<...j...<...j...z.......<.......<...n.......{...............{.......{...Richz...........PE..L.. |
File Icon |
---|
Icon Hash: | 74f0e4ecccdce0e4 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x1001a61 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x1000000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x56F56CBB [Fri Mar 25 16:52:11 2016 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 41b0070c0a9513aca3e2dec57678f6a0 |
Entrypoint Preview |
---|
Instruction |
---|
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+0Ch], 01h |
jne 00007F634CDF2447h |
call 00007F634CDF294Ch |
push dword ptr [ebp+10h] |
push dword ptr [ebp+0Ch] |
push dword ptr [ebp+08h] |
call 00007F634CDF2303h |
add esp, 0Ch |
pop ebp |
retn 000Ch |
push ebp |
mov ebp, esp |
push dword ptr [ebp+08h] |
call 00007F634CDF2101h |
pop ecx |
pop ebp |
ret |
push ebp |
mov ebp, esp |
test byte ptr [ebp+08h], 00000001h |
push esi |
mov esi, ecx |
mov dword ptr [esi], 0101E2F8h |
je 00007F634CDF244Ch |
push 0000000Ch |
push esi |
call 00007F634CDF241Dh |
pop ecx |
pop ecx |
mov eax, esi |
pop esi |
pop ebp |
retn 0004h |
push ebp |
mov ebp, esp |
push 00000000h |
call dword ptr [0101E114h] |
push dword ptr [ebp+08h] |
call dword ptr [0101E110h] |
push C0000409h |
call dword ptr [0101E118h] |
push eax |
call dword ptr [0101E11Ch] |
pop ebp |
ret |
push ebp |
mov ebp, esp |
sub esp, 00000324h |
push 00000017h |
call 00007F634CDFD740h |
test eax, eax |
je 00007F634CDF2447h |
push 00000002h |
pop ecx |
int 29h |
mov dword ptr [0102D338h], eax |
mov dword ptr [0102D334h], ecx |
mov dword ptr [0102D330h], edx |
mov dword ptr [0102D32Ch], ebx |
mov dword ptr [0102D328h], esi |
mov dword ptr [0102D324h], edi |
mov word ptr [0102D350h], ss |
mov word ptr [0102D344h], cs |
mov word ptr [eax], es |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2a380 | 0x8c | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2a40c | 0x64 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x40000 | 0x4e8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x41000 | 0x1524 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x29660 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x296b8 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1e000 | 0x248 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1ccc6 | 0x1ce00 | False | 0.706642316017 | data | 6.80010328322 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x1e000 | 0xcc9e | 0xce00 | False | 0.591607251214 | COM executable for DOS | 5.46383270408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x2b000 | 0x13744 | 0x2400 | False | 0.444227430556 | data | 4.46433641721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.gfids | 0x3f000 | 0x114 | 0x200 | False | 0.29296875 | data | 1.47141497128 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x40000 | 0x4e8 | 0x600 | False | 0.388671875 | data | 3.65070908006 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x41000 | 0x1524 | 0x1600 | False | 0.776278409091 | data | 6.55572681018 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_VERSION | 0x400a0 | 0x2c4 | data | English | United States |
RT_MANIFEST | 0x40368 | 0x17d | XML 1.0 document text | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | VirtualProtect, SetFilePointer, CreateFileW, GetFileAttributesW, Sleep, CloseHandle, GetFileSize, DeleteCriticalSection, CreateProcessW, CreateSemaphoreW, WriteConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, WriteFile, FlushFileBuffers, SetStdHandle, HeapReAlloc, HeapSize, GetStringTypeW, GetFileType, GetStdHandle, GetProcessHeap, LCMapStringW, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, HeapAlloc, HeapFree, GetModuleFileNameW, GetModuleHandleExW, ExitProcess, LoadLibraryExW, GetProcAddress, FreeLibrary, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, EnterCriticalSection, RtlUnwind, SetLastError, GetLastError, InterlockedFlushSList, RaiseException, EncodePointer, GetModuleHandleW, GetStartupInfoW, IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, DecodePointer, GetCurrentProcessId, QueryPerformanceCounter, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess |
ole32.dll | OleInitialize, OleUninitialize |
OLEAUT32.dll | VarUI1FromDate, VarCyFromBool, VarBoolFromR8, VarBstrFromUI1, VarFormatDateTime, VarCyFromUI1, VarCyFromI4, VarDiv, VarAnd, SafeArrayPtrOfIndex, VarBoolFromR4, VarCyFromI2, VarBstrFromR8, VarCyFromStr, VarBoolFromDate, VarBoolFromI4, VarDateFromR4, VarCyFromDate, VarUI1FromI2, VarUI1FromDisp, VarUI1FromI4, VarFormat, VarBoolFromI2, SysStringByteLen, VarFormatFromTokens, SysAllocStringByteLen, VarCyFromR4, VarCyFromDisp, VarBstrFromDisp, VarDateFromDisp, VarUI1FromStr, VarBoolFromUI1, VarDateFromUI1, VarBstrFromR4, VarBoolFromCy, VarDateFromI4, VarTokenizeFormatString, VarDateFromI2, VarMonthName, VarBstrFromI4, VarAdd, DispCallFunc, VarUI1FromBool, VariantChangeTypeEx, VarR8FromBool, VarBoolFromDisp, VarBstrFromBool, VarBstrFromI2, VarBstrFromCy, VarUI1FromR8, VarDateFromStr, VarUI1FromR4, VarFormatNumber, VarFormatPercent, VarDateFromR8, VarCyFromR8, VarDateFromCy, VarBoolFromStr, VarBstrFromDate, VarFormatCurrency, VarWeekdayName, VarDateFromBool, VarUI1FromCy |
oledlg.dll | OleUIUpdateLinksW, OleUIChangeIconA, OleUIPasteSpecialW, OleUIObjectPropertiesW, OleUIAddVerbMenuW |
Exports |
---|
Name | Ordinal | Address |
---|---|---|
@Againkind@0 | 1 | 0x100daa0 |
@Consonanttime@8 | 2 | 0x100db70 |
@Nooncry@4 | 3 | 0x100dc90 |
@Westwas@4 | 4 | 0x100e6b0 |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Copyright 2004, Guess Over |
InternalName | Law.dll |
FileVersion | 4.7.8.542 |
CompanyName | Guess Over |
LegalTrademarks | Visit prove |
ProductName | Visit prove |
ProductVersion | 4.7.8.542 |
FileDescription | Visit prove |
Translation | 0x0409 0x04b0 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Click to jump to process
Memory Usage |
---|
Click to jump to process
Behavior |
---|
Click to jump to process
System Behavior |
---|
General |
---|
Start time: | 15:54:28 |
Start date: | 07/10/2021 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x390000 |
File size: | 893440 bytes |
MD5 hash: | 72FCD8FB0ADC38ED9050569AD673650E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | moderate |
General |
---|
Start time: | 15:54:29 |
Start date: | 07/10/2021 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2a0000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 15:54:29 |
Start date: | 07/10/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2d0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
General |
---|
Start time: | 15:54:29 |
Start date: | 07/10/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2d0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
General |
---|
Start time: | 15:54:34 |
Start date: | 07/10/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2d0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
General |
---|
Start time: | 15:54:40 |
Start date: | 07/10/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2d0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function 6F2517A7, Relevance: 15.1, APIs: 10, Instructions: 103threadsleepsynchronizationCOMMON
C-Code - Quality: 80% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6F251E04, Relevance: 9.1, APIs: 6, Instructions: 71memoryCOMMON
C-Code - Quality: 86% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6F2515A3, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96memoryCOMMON
C-Code - Quality: 87% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6F251D32, Relevance: 6.0, APIs: 4, Instructions: 30threadCOMMON
C-Code - Quality: 87% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
---|
Function 6F252485, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 195nativeCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6F25146C, Relevance: 6.0, APIs: 4, Instructions: 34COMMON
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6F251566, Relevance: 4.5, APIs: 3, Instructions: 23COMMON
C-Code - Quality: 58% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6F252264, Relevance: .1, Instructions: 77COMMONCrypto
C-Code - Quality: 71% |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6F27DD49, Relevance: .1, Instructions: 75COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6F27E142, Relevance: .1, Instructions: 53COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 68% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Executed Functions |
---|
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6F2517A7, Relevance: 15.1, APIs: 10, Instructions: 103threadsleepsynchronizationCOMMON
C-Code - Quality: 80% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6F251E04, Relevance: 9.1, APIs: 6, Instructions: 71memoryCOMMON
C-Code - Quality: 86% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6F2515A3, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96memoryCOMMON
C-Code - Quality: 87% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6F251D32, Relevance: 6.0, APIs: 4, Instructions: 30threadCOMMON
C-Code - Quality: 87% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
---|
Function 6F252485, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 195nativeCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 68% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6F25146C, Relevance: 6.0, APIs: 4, Instructions: 34COMMON
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |