Source: OatAFVzm15.exe |
Metadefender: Detection: 56% |
Source: OatAFVzm15.exe |
ReversingLabs: Detection: 92% |
Source: 1.2.OatAFVzm15.exe.400000.0.unpack |
Avira: Label: TR/Spy.Gen |
Source: 1.0.OatAFVzm15.exe.400000.1.unpack |
Avira: Label: TR/Spy.Gen |
Source: 1.0.OatAFVzm15.exe.400000.0.unpack |
Avira: Label: TR/Spy.Gen |
Source: 1.0.OatAFVzm15.exe.400000.2.unpack |
Avira: Label: TR/Spy.Gen |
Source: OatAFVzm15.exe |
Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: OatAFVzm15.exe |
String found in binary or memory: http://www.google.com/webhp |
Source: OatAFVzm15.exe |
String found in binary or memory: http://www.google.com/webhpbcU |
Source: Yara match |
File source: OatAFVzm15.exe, type: SAMPLE |
Source: Yara match |
File source: 1.0.OatAFVzm15.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.0.OatAFVzm15.exe.400000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.0.OatAFVzm15.exe.400000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.OatAFVzm15.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000001.00000000.249623287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000000.248127496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.644531481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000000.250108543.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: OatAFVzm15.exe PID: 772, type: MEMORYSTR |
Source: Process Memory Space: OatAFVzm15.exe PID: 772, type: MEMORYSTR |
Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_ |
Source: Process Memory Space: OatAFVzm15.exe PID: 772, type: MEMORYSTR |
Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0 |
Source: C:\Users\user\Desktop\OatAFVzm15.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 212 |
Source: C:\Windows\SysWOW64\WerFault.exe |
File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8AB9.tmp |
Source: C:\Users\user\Desktop\OatAFVzm15.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: classification engine |
Classification label: mal76.bank.winEXE@2/4@0/0 |
Source: unknown |
Process created: C:\Users\user\Desktop\OatAFVzm15.exe "C:\Users\user\Desktop\OatAFVzm15.exe" |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess772 |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: OatAFVzm15.exe |
Static PE information: real checksum: 0x2ea1b should be: 0x5069c |
Source: initial sample |
Static PE information: section where entry point is pointing to: .data |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\OatAFVzm15.exe |
Process queried: DebugPort |
Source: OatAFVzm15.exe, 00000001.00000000.250108543.0000000000401000.00000020.00000001.01000000.00000003.sdmp |
Binary or memory string: S:(ML;;NRNWNX;;;LW)SeSecurityPrivilegeS:(ML;CIOI;NRNWNX;;;LW)?O?I?Tcabcabinet.dllFCICreateFCIAddFileFCIFlushCabinetFCIDestroyunknownInstallDateSOFTWARE\Microsoft\Windows NT\CurrentVersionDigitalProductId%s_%08X%08Xfatal_errorbcdfghklmnpqrstvwxzaeiouyGlobal\Local\:d |