Windows Analysis Report a3.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
|
Malware Configuration |
---|
Threatname: Ursnif |
---|
{"lang_id": "RU, CN", "RSA Public Key": "vM/iQI7/pNgGz6lvtI6TzQegGf2XOLfA1qF/UUWP33fhMhAMf4GRSOJmruKfOpClZgy8d4EH5nDffMSHLLCNtrR+dtN+DP25KSbfLihidE/SjbLI0hsotYZGCDBmkB8RgNy5kRipILXyv4cW0eYiLVm2e5VaCkdKBqotkaZ6t0ybzDTZn1t0o5nqHQOYtQRW", "c2_domain": ["api5.feen007.at/webstore"], "botnet": "3500", "server": "550", "serpent_key": "IpNvMMQa29KhBf3e", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
Click to see the 6 entries |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
Click to jump to signature section
AV Detection: |
---|
Antivirus / Scanner detection for submitted sample | Show sources |
Source: | Avira: |
Found malware configuration | Show sources |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Machine Learning detection for sample | Show sources |
Source: | Joe Sandbox ML: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Compliance: |
---|
Detected unpacking (overwrites its own PE header) | Show sources |
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | File opened: |
Source: | Code function: |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources |
Source: | Snort IDS: | ||
Source: | Snort IDS: |
Source: | ASN Name: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Yara detected Ursnif | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
E-Banking Fraud: |
---|
Yara detected Ursnif | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
System Summary: |
---|
Writes or reads registry keys via WMI | Show sources |
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Writes registry values via WMI | Show sources |
Source: | WMI Registry write: | ||
Source: | WMI Registry write: | ||
Source: | WMI Registry write: |
Source: | Static PE information: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Static PE information: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Code function: |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Key value queried: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | Classification label: |
Source: | File read: | Jump to behavior |
Source: | Window detected: |
Source: | File opened: |
Data Obfuscation: |
---|
Detected unpacking (changes PE section rights) | Show sources |
Source: | Unpacked PE file: |
Detected unpacking (overwrites its own PE header) | Show sources |
Source: | Unpacked PE file: |
Source: | Code function: | ||
Source: | Code function: |
Source: | Static PE information: |
Hooking and other Techniques for Hiding and Protection: |
---|
Yara detected Ursnif | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Process information set: | ||
Source: | Process information set: |
Source: | Last function: |
Source: | Code function: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Code function: |
Source: | Key value queried: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Stealing of Sensitive Information: |
---|
Yara detected Ursnif | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality: |
---|
Yara detected Ursnif | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation2 | Path Interception | Process Injection3 | Masquerading1 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection3 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information2 | Security Account Manager | Account Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing23 | NTDS | System Owner/User Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol2 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery33 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Behavior Graph |
---|
Screenshots |
---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
79% | Virustotal | Browse | ||
89% | ReversingLabs | Win32.Trojan.MintDreidel | ||
100% | Avira | TR/Crypt.Agent.dffnu | ||
100% | Joe Sandbox ML |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/Crypt.ZPACK.Gen | Download File | ||
100% | Avira | HEUR/AGEN.1108168 | Download File | ||
100% | Avira | TR/Crypt.Agent.dffnu | Download File | ||
100% | Avira | TR/Patched.Ren.Gen | Download File | ||
100% | Avira | TR/Patched.Ren.Gen | Download File |
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Virustotal | Browse | ||
0% | Virustotal | Browse |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
api5.feen007.at | 87.106.18.141 | true | true |
| unknown |
windowsupdate.s.llnwi.net | 178.79.242.0 | true | false |
| unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true |
| unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high |
Contacted IPs |
---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
87.106.18.141 | api5.feen007.at | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 498881 |
Start date: | 07.10.2021 |
Start time: | 16:18:07 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 8s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | a3.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 23 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@4/14@1/1 |
EGA Information: | Failed |
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
87.106.18.141 | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
windowsupdate.s.llnwi.net | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
ONEANDONE-ASBrauerstrasse48DE | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 29272 |
Entropy (8bit): | 1.7701344643347803 |
Encrypted: | false |
SSDEEP: | 96:r/ZJZR12RW2qWRW2131tRW213yUfRW213ygIFMRW213kGgwbRW2A3kGg4B:r/ZJZX241W4Yt46f4tFM4Kb4ZB |
MD5: | FE7E0B15BF69E7D5E77D3E4CBC8FD844 |
SHA1: | 88CF8FE6080E43CAF86E3289743F3F0F6F0264A9 |
SHA-256: | 2260FAEE56EC919ED892395000AEA687299096CB658CD36CFD8709A16EA9EA54 |
SHA-512: | B0EB02579A0154EE33E4FE04D273D1492F90C495AE6678AE32805E0B2354838B2B5D5AB4BACDC1B15E48489918D74EEC91ACF158F72E16DC57C3848192AAB800 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 28124 |
Entropy (8bit): | 1.9146205589171772 |
Encrypted: | false |
SSDEEP: | 48:IwMGcpr1Gwpa5G4pQNGrapbSGGQpBuGHHpc7TGUp8HGzYpmmGGop7k8qiPDqz3dH:rQZfQb6tBS+j92VWlMN9TC1dlTlCTA |
MD5: | 5E3115DE41A4E4B1B521C97AC18813C5 |
SHA1: | 891FA9D6745C7F0C1810B79B0915968E9F4C2930 |
SHA-256: | 5F7C6F8FD48463FF43A349F5101C4A0DA17ADFB15C2B00903B64A78101A559D7 |
SHA-512: | C88D3CBD0ABDF060A8AC7E0549C6425650D1647E8D803702AB616AED2F36126F2879EB76B57C529D916C065D97611E19B9406D125C0320294FF7C2A3FB50D0D7 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 656 |
Entropy (8bit): | 5.088938170870811 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxOE01OnWimI002EtM3MHdNMNxOE01OnWimI00ObVbkEtMb:2d6NxON1OSZHKd6NxON1OSZ76b |
MD5: | CFAA0C1E504623245FDEFC9528A298E2 |
SHA1: | 34F63675582E23949D70A2D4D1A4E1CC8C0B790A |
SHA-256: | 365DBA991887E73B5B2DB0DF9A477F6455760ED25A77A251C3BE2AEEDF692C7E |
SHA-512: | BF29CFCA96818EECC3E2AFCB328E3BB4481820AFF1DC8612314F72179290E75E325BF2D9F497147047CD6C3993183936023B4D6728D2D642495E9D31500169E6 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 653 |
Entropy (8bit): | 5.065104180080743 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxe2krnWimI002EtM3MHdNMNxe2krnWimI00Obkak6EtMb:2d6NxrGSZHKd6NxrGSZ7Aa7b |
MD5: | A176224E43E9EDDBFE494818028EE7AB |
SHA1: | 3BB8B696F63C85AF1C0E94960D84ED6E6D6A0635 |
SHA-256: | 9FA1C7C516CC55D0872EA1334262A8C10BD054A2EEF71B43E1186719383F09B5 |
SHA-512: | 5E33C03EA206206B1ADDEDBCB34B6CD3DBC7F7FE44D6541494825CC69CA5CBAE9B76319754D66E96625540B77CFE52A12776FBB92466EDA12F5584959FA4036F |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 662 |
Entropy (8bit): | 5.10663851901763 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxvL01OnWimI002EtM3MHdNMNxvL01OnWimI00ObmZEtMb:2d6Nxvg1OSZHKd6Nxvg1OSZ7mb |
MD5: | 4CF1FB8C2B6628E509091716B3DDD46B |
SHA1: | 05911E9D90643C2EAD2FF98E816149F44A679638 |
SHA-256: | 5DF8D0CD00CCB850F5E85088F93E3FE2970A554B55A05B0C505BDD97C52F1B39 |
SHA-512: | 911D2B3A5889CA10CB012813E622A754009F7160F417B22B1534B46550B1E32DFF636D21BE76AC9C81E9A096BFA7D34A889AFD89AAB4FCD91F8E67762A4AD5C2 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 647 |
Entropy (8bit): | 5.055361901508745 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxiJKInWimI002EtM3MHdNMNxiJKInWimI00Obd5EtMb:2d6NxuKISZHKd6NxuKISZ7Jjb |
MD5: | 074BD65CAD3A43806997D815CCD310BB |
SHA1: | 1D281442E0BA47A74363EC75B47D2E88B53CBF4A |
SHA-256: | 1104831873D15DBE0D741CF5E1E484E7177573C254D4AEE37C05C5A7AEE69AB5 |
SHA-512: | E53EDDE4294E9924EA58D744EB8039A130FED6C07C9A6688BFD674B46450ACD1029E01897BDAC1FE3933A52221B7B1703C2984BFA2D39BF123742A707C9E3FFD |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 656 |
Entropy (8bit): | 5.1159885561659975 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxhGw01OnWimI002EtM3MHdNMNxhGw01OnWimI00Ob8K075EtMb:2d6NxQR1OSZHKd6NxQR1OSZ7YKajb |
MD5: | 82E6B249A578988E85BC7C6ED57C0168 |
SHA1: | 6AECCC4307830A7F3A27FA2951F7FD67F187FC3E |
SHA-256: | DAF909323DD36C6BE68B420AF15E76EDD67D773F0299C89D1E6D67F8994531C0 |
SHA-512: | 8D4DA2B26EDD870619340AAF8BF4E28D9EF830D68461873A693FAD618694811955299A19E2409FD7C302BB63BDF8E90686F5E366DF47F29A91567E31970939A7 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 653 |
Entropy (8bit): | 5.037015661281331 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNx0nJKInWimI002EtM3MHdNMNx0nJKInWimI00ObxEtMb:2d6Nx0JKISZHKd6Nx0JKISZ7nb |
MD5: | 3CFC651E6983F1197503C958A59FF72E |
SHA1: | 4B3F879C0E9841AB266A2A323B2CFB4B3E5C98D7 |
SHA-256: | E5870E5F72EAEFC0405F0C9047F081A280F5B27A073E19E003B6B86ECB04724D |
SHA-512: | C3A360FEC4BEECF1DC433411E44241E42C1ABBB723EA66E331890E94FF983884D02C21B2C740FB357C716B0F3BF035394610484C186CF8A30234716B309AC6BD |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 656 |
Entropy (8bit): | 5.080777529981643 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxxJKInWimI002EtM3MHdNMNxxJKInWimI00Ob6Kq5EtMb:2d6NxzKISZHKd6NxzKISZ7ob |
MD5: | 3870B225A953FACDECF806D3F27F01DA |
SHA1: | 03D41945033C8FBABEFA7AA1F843B8A5E7C965FD |
SHA-256: | AF22888DDE910384C19551EB62DBCE6248C221DC754B5D92A6F6403A97D4640E |
SHA-512: | BB547ECB7646A86BE073328A1F0613FA4BBF71A80890E4D6F5315FE83741D3F0E636DE846EE34A643F4F81DD87AEC7E7E7607B36A1ABB05918EB90F9D1F625C9 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 659 |
Entropy (8bit): | 5.0563074196705715 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxcrnWimI002EtM3MHdNMNxcrnWimI00ObVEtMb:2d6NxOSZHKd6NxOSZ7Db |
MD5: | 5BDD08733FEABBBE890D0028FAAF5E1F |
SHA1: | 98092E7531A9AC8B40BBD01FE6D28C16965B8310 |
SHA-256: | 68C63C7F3078AB225D4916AB8C767C6D002DC05C3949E4634942BEE8F94D13E6 |
SHA-512: | 31548A010931122325CFBAE97AF82E69E0F02C4E46DA9A44162A8C0EF4500DCDA5571844EC990858000683B9335EB6DECCF8DCE44F5B5294227C6628867D35A7 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 653 |
Entropy (8bit): | 5.044181719856586 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxfnrnWimI002EtM3MHdNMNxfnrnWimI00Obe5EtMb:2d6NxzSZHKd6NxzSZ7ijb |
MD5: | CF8F543F877CB266D950DF963AD9406D |
SHA1: | 2E90F1248ABF3DB1845E63828242689BDBD51B4E |
SHA-256: | 88626A4E7C44B0CF6131273949CD910FE4630AADD0DAB67202C378E5C04F3A68 |
SHA-512: | D375CBDF23EA8D4DFA03C8BA3BAFBFF2099C7F6761D67CAA0575F4D57DABDE743E9B786E8FE9A79CC06D3C011D5A7562518D45E70420778BBA01ECF56665810B |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 89 |
Entropy (8bit): | 4.422630656681361 |
Encrypted: | false |
SSDEEP: | 3:oVXUYzYTM7W8JOGXnEYzYTMZun:o9UYzYTVqEYzYTV |
MD5: | F03B712BE3FF150E4E2EE180114CF20A |
SHA1: | 9988A53E02D5F481CF62E78FB21BF0AC679802F7 |
SHA-256: | B1E47CABBB3103F18B9086625A9F71696259DA30AFC2E93495A635F4D3144BC4 |
SHA-512: | 92F036490D547FD9A9A7B9002606F43B8E9FE24A9207C58D2DA8F37F436CDC7947E0174DF723C9E49FE79FE237C276BB4C0C5816117EC85866D3E7B37F0B6C5D |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 40121 |
Entropy (8bit): | 0.667681657124394 |
Encrypted: | false |
SSDEEP: | 48:kBqoxKAuvScS+XZbSmImRk8ILiPDqz3dYnk8ILiPDqz3dYok8ILiPDqz3dYF:kBqoxKAuvScS+XZbS54i2CMi2Cni2C4 |
MD5: | C941466D3B30985EA0EADE7426D7C846 |
SHA1: | 0039736FA9FE41B250A33377E7DBDA2FE4DDC78A |
SHA-256: | 07B1ACFB47135B97D5B07089B000260C617FECD4F0B264FF1534E238D5B54CA2 |
SHA-512: | 5DDA6E800F0DF705AE01D515076007313BBDC54FC5ADB6A7EF4E3FFB46CACDE1C500B7F5084F67801DC95FCD115D2CC273070A75F135063237C6E7884F1822F3 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12933 |
Entropy (8bit): | 0.40915964020179696 |
Encrypted: | false |
SSDEEP: | 24:c9lLh9lLh9lIn9lIn9loRYF9loRg9lWRW2V3ygV3kGx:kBqoIRrRNRW2V3ygV3kGx |
MD5: | E2C3A9A25DE0C27EE85FE33712B018AF |
SHA1: | AA9D7BFBC164748490A7D2C2BE569342C9AA5533 |
SHA-256: | F7D913F2D4C405BA40C9B13A585F17EE2C356742D445C79C6FF718EC460472DA |
SHA-512: | 11161E5C98C4C12E82DE923268277DE352FEFE35F49F6E8D9EA9069E6C83E3AEFCA13220EE59333E2171A16F1ABDD6212D198A9D6B15D278071BD4C79D692DE7 |
Malicious: | false |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.835334743621618 |
TrID: |
|
File name: | a3.exe |
File size: | 179712 |
MD5: | 0cc6d274cd84b593210168f51fcd38cd |
SHA1: | 666fc3963609f4aff528b9a32f7516feebaa6ddf |
SHA256: | a3bdb9880bf419f2023e4015545c6c72835dbc5c68cd14fd81d35220bf9449fa |
SHA512: | 7983ed74b0fc4d75f384433aa9d07354275c9565988cc0d7b3e5c5cfac3bb2fac2bf690dfb8dd2cbc1e25132c72b52bfea05cdf605b61c18c24f10e85fd62fb9 |
SSDEEP: | 3072:fgUV+UgG7cL89xoF+bhyExjSaftm34X/ifmA0XHDI5C4:YG+Y7cL89x/bUExPf437ul8I4 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........5...T...T...T....V..T....G..T....@..T.......T...T..)T....I..T....Q..T....W..T....R..T..Rich.T..........................PE..L.. |
File Icon |
---|
Icon Hash: | a8b0f8d84868687c |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x404423 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED |
DLL Characteristics: | TERMINAL_SERVER_AWARE, NX_COMPAT |
Time Stamp: | 0x5D7CADF0 [Sat Sep 14 09:08:00 2019 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | 08b3bdf9cc3930ac93565a943e8ad0e4 |
Entrypoint Preview |
---|
Instruction |
---|
call 00007FB26C9B1B79h |
jmp 00007FB26C9AC82Eh |
mov edi, edi |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
xor ecx, ecx |
cmp eax, dword ptr [00426128h+ecx*8] |
je 00007FB26C9AC9C5h |
inc ecx |
cmp ecx, 2Dh |
jc 00007FB26C9AC9A3h |
lea ecx, dword ptr [eax-13h] |
cmp ecx, 11h |
jnbe 00007FB26C9AC9C0h |
push 0000000Dh |
pop eax |
pop ebp |
ret |
mov eax, dword ptr [0042612Ch+ecx*8] |
pop ebp |
ret |
add eax, FFFFFF44h |
push 0000000Eh |
pop ecx |
cmp ecx, eax |
sbb eax, eax |
and eax, ecx |
add eax, 08h |
pop ebp |
ret |
call 00007FB26C9B09B9h |
test eax, eax |
jne 00007FB26C9AC9B8h |
mov eax, 00426290h |
ret |
add eax, 08h |
ret |
mov edi, edi |
push ebp |
mov ebp, esp |
sub esp, 4Ch |
mov eax, dword ptr [004262A8h] |
xor eax, ebp |
mov dword ptr [ebp-04h], eax |
push ebx |
xor ebx, ebx |
push esi |
mov esi, dword ptr [ebp+08h] |
push edi |
mov dword ptr [ebp-2Ch], ebx |
mov dword ptr [ebp-1Ch], ebx |
mov dword ptr [ebp-20h], ebx |
mov dword ptr [ebp-28h], ebx |
mov dword ptr [ebp-24h], ebx |
mov dword ptr [ebp-4Ch], esi |
mov dword ptr [ebp-48h], ebx |
cmp dword ptr [esi+14h], ebx |
je 00007FB26C9ACCCCh |
lea eax, dword ptr [esi+04h] |
cmp dword ptr [eax], ebx |
jne 00007FB26C9AC9D2h |
push eax |
movzx eax, word ptr [esi+30h] |
push 00001004h |
push eax |
lea eax, dword ptr [ebp-4Ch] |
push ebx |
push eax |
call 00007FB26C9B1D5Dh |
add esp, 14h |
test eax, eax |
jne 00007FB26C9ACC7Dh |
push 00000004h |
call 00007FB26C9AE99Eh |
push 00000002h |
Rich Headers |
---|
Programming Language: |
|
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x25f50 | 0x58 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25424 | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2dd8000 | 0x5c30 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x20000 | 0x1e8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1e014 | 0x1e200 | False | 0.726424727697 | data | 7.38003707514 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x20000 | 0x5fa8 | 0x6000 | False | 0.459879557292 | data | 5.59572231923 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x26000 | 0x2db17d8 | 0x1a00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x2dd8000 | 0x5c30 | 0x5e00 | False | 0.376329787234 | data | 4.1399689351 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
AFX_DIALOG_LAYOUT | 0x2dd9f20 | 0x2 | data | ||
AFX_DIALOG_LAYOUT | 0x2dd9f18 | 0x2 | data | ||
AFX_DIALOG_LAYOUT | 0x2dd9f28 | 0x2 | data | ||
RT_CURSOR | 0x2dd9f30 | 0x130 | data | ||
RT_CURSOR | 0x2dda060 | 0xf0 | data | ||
RT_CURSOR | 0x2dda150 | 0x10a8 | data | ||
RT_CURSOR | 0x2ddb228 | 0xea8 | dBase III DBT, version number 0, next free block index 40, 1st item "\251\317" | ||
RT_CURSOR | 0x2ddc0d0 | 0x8a8 | dBase III DBT, version number 0, next free block index 40, 1st item "\251\317" | ||
RT_ICON | 0x2dd8550 | 0x8a8 | data | Farsi | Iran |
RT_ICON | 0x2dd8550 | 0x8a8 | data | Farsi | Afganistan |
RT_ICON | 0x2dd8550 | 0x8a8 | data | Farsi | Tajikistan |
RT_ICON | 0x2dd8550 | 0x8a8 | data | Farsi | Uzbekistan |
RT_ICON | 0x2dd8df8 | 0x10a8 | data | Farsi | Iran |
RT_ICON | 0x2dd8df8 | 0x10a8 | data | Farsi | Afganistan |
RT_ICON | 0x2dd8df8 | 0x10a8 | data | Farsi | Tajikistan |
RT_ICON | 0x2dd8df8 | 0x10a8 | data | Farsi | Uzbekistan |
RT_STRING | 0x2ddcaa8 | 0x46e | data | ||
RT_STRING | 0x2ddcf18 | 0x4b6 | data | ||
RT_STRING | 0x2ddd3d0 | 0x5b4 | data | ||
RT_STRING | 0x2ddd988 | 0x2a4 | data | ||
RT_GROUP_CURSOR | 0x2ddb1f8 | 0x30 | data | ||
RT_GROUP_CURSOR | 0x2ddc978 | 0x22 | data | ||
RT_GROUP_ICON | 0x2dd9ea0 | 0x22 | data | Farsi | Iran |
RT_GROUP_ICON | 0x2dd9ea0 | 0x22 | data | Farsi | Afganistan |
RT_GROUP_ICON | 0x2dd9ea0 | 0x22 | data | Farsi | Tajikistan |
RT_GROUP_ICON | 0x2dd9ea0 | 0x22 | data | Farsi | Uzbekistan |
RT_VERSION | 0x2ddc9a0 | 0x104 | data | ||
None | 0x2dd9ed8 | 0xa | data | ||
None | 0x2dd9ee8 | 0xa | data | ||
None | 0x2dd9ec8 | 0xa | data | ||
None | 0x2dd9ef8 | 0xa | data | ||
None | 0x2dd9f08 | 0xa | data |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | SetVolumeLabelA, SetDefaultCommConfigA, CreateMutexW, lstrlenA, WritePrivateProfileStructA, CopyFileExW, TlsGetValue, MoveFileExA, _llseek, GetNumberOfConsoleInputEvents, FindResourceExW, CallNamedPipeA, DeleteVolumeMountPointA, WriteTapemark, InterlockedIncrement, ReadConsoleA, CompareFileTime, WaitForSingleObject, InterlockedCompareExchange, _lclose, SetTapeParameters, GetModuleHandleW, VirtualFree, WriteFile, GlobalAlloc, Sleep, LeaveCriticalSection, GetFileAttributesW, WriteConsoleW, GetOverlappedResult, GetACP, DeactivateActCtx, GetPrivateProfileSectionNamesW, IsDBCSLeadByteEx, GetProcAddress, GetTapeStatus, BeginUpdateResourceW, CreateNamedPipeA, LocalLock, IsValidCodePage, SearchPathA, SetFileApisToOEM, GetLocalTime, LoadLibraryA, SetCalendarInfoW, IsSystemResumeAutomatic, GetProfileStringA, WriteProfileSectionW, SetNamedPipeHandleState, EnumDateFormatsA, GetThreadPriority, WaitCommEvent, LoadLibraryExA, ContinueDebugEvent, VirtualProtect, PurgeComm, ScrollConsoleScreenBufferA, OpenSemaphoreW, GetVersionExA, DeleteFileW, DebugBreak, FindActCtxSectionStringW, GetSystemTime, lstrcpyW, GetLastError, GetSystemDefaultLangID, WideCharToMultiByte, InterlockedDecrement, InterlockedExchange, MultiByteToWideChar, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, HeapFree, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetStartupInfoW, GetCPInfo, RtlUnwind, RaiseException, LCMapStringW, LCMapStringA, GetStringTypeW, HeapAlloc, HeapCreate, VirtualAlloc, HeapReAlloc, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, ExitProcess, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetStringTypeA, HeapSize, GetOEMCP, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, InitializeCriticalSectionAndSpinCount, GetLocaleInfoW, GetModuleHandleA |
GDI32.dll | GetBoundsRect |
Exports |
---|
Name | Ordinal | Address |
---|---|---|
_geek@8 | 1 | 0x41a2d0 |
_gekkko@8 | 2 | 0x41a2c0 |
Version Infos |
---|
Description | Data |
---|---|
FileV | 1.0.2.26 |
Translations | 0x0218 0x07a1 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Farsi | Iran | |
Farsi | Afganistan | |
Farsi | Tajikistan | |
Farsi | Uzbekistan |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
10/07/21-16:19:35.183837 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49751 | 80 | 192.168.2.3 | 87.106.18.141 |
10/07/21-16:19:35.183837 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49751 | 80 | 192.168.2.3 | 87.106.18.141 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 7, 2021 16:19:35.160347939 CEST | 49751 | 80 | 192.168.2.3 | 87.106.18.141 |
Oct 7, 2021 16:19:35.161183119 CEST | 49750 | 80 | 192.168.2.3 | 87.106.18.141 |
Oct 7, 2021 16:19:35.180584908 CEST | 80 | 49751 | 87.106.18.141 | 192.168.2.3 |
Oct 7, 2021 16:19:35.180737972 CEST | 49751 | 80 | 192.168.2.3 | 87.106.18.141 |
Oct 7, 2021 16:19:35.181255102 CEST | 80 | 49750 | 87.106.18.141 | 192.168.2.3 |
Oct 7, 2021 16:19:35.181380033 CEST | 49750 | 80 | 192.168.2.3 | 87.106.18.141 |
Oct 7, 2021 16:19:35.183836937 CEST | 49751 | 80 | 192.168.2.3 | 87.106.18.141 |
Oct 7, 2021 16:19:35.204199076 CEST | 80 | 49751 | 87.106.18.141 | 192.168.2.3 |
Oct 7, 2021 16:19:35.229631901 CEST | 80 | 49751 | 87.106.18.141 | 192.168.2.3 |
Oct 7, 2021 16:19:35.229722023 CEST | 49751 | 80 | 192.168.2.3 | 87.106.18.141 |
Oct 7, 2021 16:19:35.598839998 CEST | 49751 | 80 | 192.168.2.3 | 87.106.18.141 |
Oct 7, 2021 16:19:35.644711971 CEST | 80 | 49751 | 87.106.18.141 | 192.168.2.3 |
Oct 7, 2021 16:19:35.645252943 CEST | 49751 | 80 | 192.168.2.3 | 87.106.18.141 |
Oct 7, 2021 16:19:36.514163017 CEST | 49751 | 80 | 192.168.2.3 | 87.106.18.141 |
Oct 7, 2021 16:19:36.514230967 CEST | 49750 | 80 | 192.168.2.3 | 87.106.18.141 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 7, 2021 16:19:35.113707066 CEST | 64021 | 53 | 192.168.2.3 | 8.8.8.8 |
Oct 7, 2021 16:19:35.146023989 CEST | 53 | 64021 | 8.8.8.8 | 192.168.2.3 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Oct 7, 2021 16:19:35.113707066 CEST | 192.168.2.3 | 8.8.8.8 | 0xbd3b | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Oct 7, 2021 16:19:35.146023989 CEST | 8.8.8.8 | 192.168.2.3 | 0xbd3b | No error (0) | 87.106.18.141 | A (IP address) | IN (0x0001) | ||
Oct 7, 2021 16:19:51.258573055 CEST | 8.8.8.8 | 192.168.2.3 | 0xd3f6 | No error (0) | 178.79.242.0 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49751 | 87.106.18.141 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Oct 7, 2021 16:19:35.183836937 CEST | 1286 | OUT | |
Oct 7, 2021 16:19:35.229631901 CEST | 1286 | IN | |
Oct 7, 2021 16:19:35.598839998 CEST | 1286 | OUT | |
Oct 7, 2021 16:19:35.644711971 CEST | 1286 | IN |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
Click to jump to process
System Behavior |
---|
General |
---|
Start time: | 16:19:10 |
Start date: | 07/10/2021 |
Path: | C:\Users\user\Desktop\a3.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 179712 bytes |
MD5 hash: | 0CC6D274CD84B593210168F51FCD38CD |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
General |
---|
Start time: | 16:19:31 |
Start date: | 07/10/2021 |
Path: | C:\Program Files\internet explorer\iexplore.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7e4150000 |
File size: | 823560 bytes |
MD5 hash: | 6465CB92B25A7BC1DF8E01D8AC5E7596 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 16:19:32 |
Start date: | 07/10/2021 |
Path: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1140000 |
File size: | 822536 bytes |
MD5 hash: | 071277CC2E3DF41EEEA8013E2AB58D5A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|