Windows
Analysis Report
o6OaOfrAQs.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64native
- o6OaOfrAQs.exe (PID: 6248, cmdline: C:\Users\user\Desktop\o6OaOfrAQs.exe, MD5: 049ECAD4587538C292E3EBEEE5947EB5)
- o6OaOfrAQs.exe (PID: 5540, cmdline: C:\Users\user\Desktop\o6OaOfrAQs.exe, MD5: 049ECAD4587538C292E3EBEEE5947EB5)
- WerFault.exe (PID: 4936, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 204, MD5: 40A149513D721F096DDF50C04DA2F01F) (Windows Error Reporting for the crashed PID 5540)
- cleanup
Name | Description | Attribution
---|---|---
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XORed. | No Attribution
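The description above says only that the payload GuLoader fetches is XORed. The Python below is an added example written for this page (editor's code, not Joe Security's and not GuLoader's own decryptor): it recovers a short repeating XOR key from an encrypted PE by a known-plaintext attack on the DOS stub message that every PE carries, and then decrypts the blob. Assumptions not supported by the page: the key repeats with a period of at most `max_key_len` bytes (the key length used by this sample is not stated; real GuLoader keys vary per sample, so raise the bound if recovery returns None), and `fake_pe_header`/`SAMPLE_KEY` are constructed stand-ins for a real download.

```python
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; it is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, max_key_len: int = 32, search_window: int = 0x200):
    """Known-plaintext recovery of a short repeating XOR key from an encrypted PE.

    For each candidate key length and each candidate offset of the DOS stub
    message, derive key bytes as blob XOR stub, reject candidates whose key
    slots disagree, and accept the first key whose decryption starts with 'MZ'.
    Returns (key, stub_offset) or None when no consistent key is found.
    """
    for key_len in range(1, max_key_len + 1):
        for off in range(search_window):
            if off + len(DOS_STUB) > len(blob):
                break
            key = [None] * key_len
            consistent = True
            for i, p in enumerate(DOS_STUB):
                k = blob[off + i] ^ p
                slot = (off + i) % key_len          # key is aligned to file offset 0
                if key[slot] is None:
                    key[slot] = k
                elif key[slot] != k:
                    consistent = False
                    break
            if not consistent or None in key:
                continue
            candidate = bytes(key)
            if xor_bytes(blob[:2], candidate) == b"MZ":
                return candidate, off
    return None


def decrypt_payload(blob: bytes) -> bytes:
    """Decrypt an XORed PE or raise if no short repeating key explains it."""
    rec = recover_xor_key(blob)
    if rec is None:
        raise ValueError("no repeating XOR key found; payload may use a different scheme")
    return xor_bytes(blob, rec[0])


def fake_pe_header() -> bytes:
    """Constructed stand-in for a downloaded PE (not a real sample)."""
    hdr = bytearray(0x80)
    hdr[0:4] = b"MZ\x90\x00"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")     # e_lfanew -> PE signature
    stub_code = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    hdr[0x40:0x40 + len(stub_code)] = stub_code
    hdr[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB          # usual MSVC stub offset
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 0x40


SAMPLE_KEY = b"\x5a\xc3\x19\x77"                       # constructed, 4-byte key
SAMPLE_ENCRYPTED = xor_bytes(fake_pe_header(), SAMPLE_KEY)

if __name__ == "__main__":
    key, off = recover_xor_key(SAMPLE_ENCRYPTED)
    print("recovered key:", key.hex(), "stub offset:", hex(off))
    print("decrypted starts with:", decrypt_payload(SAMPLE_ENCRYPTED)[:2])
```

Against a real download, feed the raw blob to `decrypt_payload`; the `MZ` check rejects keys that merely make the stub string line up by chance, and a returned stub offset far from 0x4E is worth a second look because it usually means a non-standard DOS stub rather than a wrong key.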
Name: | Loki Password Stealer (PWS), LokiBot |

"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMe

Loki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, the vast majority of them are.

Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.

The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24 characters. For example: B7E1C2CC98066B250DDB2123.

Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th through 13th characters of the Mutex. For example: %APPDATA%\C98066\.

There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 through 18 of the Mutex. For example: 6B250D. Their purpose:

File extension | File description
---|---
.exe | A copy of the malware that will execute every time the user account is logged into
.lck | A lock file created when either decrypting Windows Credentials or keylogging, to prevent resource conflicts
.hdb | A database of hashes for data that has already been exfiltrated to the C2 server
.kdb | A database of keylogger data that has yet to be sent to the C2 server

If the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.

The first packet transmitted by Loki-Bot contains application data. The second packet contains decrypted Windows credentials. The third packet is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet is sent.

Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.

The first WORD of the HTTP Payload represents the Loki-Bot version. The second WORD of the HTTP Payload is the Payload Type. Identified payload types:

Byte | Payload type
---|---
0x26 | Stolen Cryptocurrency Wallet
0x27 | Stolen Application Data
0x28 | Get C2 Commands from C2 Server
0x29 | Stolen File
0x2A | POS (Point of Sale?)
0x2B | Keylogger Data
0x2C | Screenshot

The 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!

Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.

The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot's C2 infrastructure.

Loki-Bot can accept the following instructions from the C2 Server:

Byte | Instruction description
---|---
0x00 | Download EXE & Execute
0x01 | Download DLL & Load #1
0x02 | Download DLL & Load #2
0x08 | Delete HDB File
0x09 | Start Keylogger
0x0A | Mine & Steal Data
0x0E | Exit Loki-Bot
0x0F | Upgrade Loki-Bot
0x10 | Change C2 Polling Frequency
0x11 | Delete Executables & Exit

Suricata signatures:

Rule SID | Rule name
---|---
2024311 | ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected
2024312 | ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1
2024313 | ET TROJAN Loki Bot Request for C2 Commands Detected M1
2024314 | ET TROJAN Loki Bot File Exfiltration Detected
2024315 | ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1
2024316 | ET TROJAN Loki Bot Screenshot Exfiltration Detected
2024317 | ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2
2024318 | ET TROJAN Loki Bot Request for C2 Commands Detected M2
2024319 | ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2
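The mutex, folder and file-name derivation and the HTTP payload header layout described above are concrete enough to turn into hunting helpers. The Python below is an added example written for this page (not Loki-Bot code and not part of the Joe Sandbox report); `lokibot_mutex`, `lokibot_artifacts`, `decode_lokibot_header`, `SAMPLE_GUID` and `SAMPLE_BODY` are names chosen here, and the GUID and POST body are constructed. Assumptions beyond the text: the Machine GUID is hashed as its plain ASCII text without braces, the two WORDs are little-endian, and the Binary ID is read as the run of printable ASCII starting at byte 11 (the description gives no length for it).

```python
import hashlib
import struct

# Code tables as listed in the Loki-Bot description above.
PAYLOAD_TYPES = {
    0x26: "Stolen Cryptocurrency Wallet",
    0x27: "Stolen Application Data",
    0x28: "Get C2 Commands from C2 Server",
    0x29: "Stolen File",
    0x2A: "POS (Point of Sale?)",
    0x2B: "Keylogger Data",
    0x2C: "Screenshot",
}
C2_INSTRUCTIONS = {
    0x00: "Download EXE & Execute",
    0x01: "Download DLL & Load #1",
    0x02: "Download DLL & Load #2",
    0x08: "Delete HDB File",
    0x09: "Start Keylogger",
    0x0A: "Mine & Steal Data",
    0x0E: "Exit Loki-Bot",
    0x0F: "Upgrade Loki-Bot",
    0x10: "Change C2 Polling Frequency",
    0x11: "Delete Executables & Exit",
}
KNOWN_BINARY_ID = "ckav.ru"


def lokibot_mutex(machine_guid: str) -> str:
    """MD5 of the Machine GUID, upper-case hex, trimmed to 24 characters.

    Assumption (not stated on the page): the GUID is hashed as plain ASCII
    without braces, e.g. '0f5b1c8e-7a2d-4f3e-9b61-2c4d8e9f0a1b'.
    """
    return hashlib.md5(machine_guid.encode("ascii")).hexdigest().upper()[:24]


def lokibot_artifacts(mutex: str) -> dict:
    """Predict the hidden %APPDATA% folder and the four file names from the mutex.

    Characters 8-13 (1-indexed) name the folder; characters 13-18 name the
    .exe/.lck/.hdb/.kdb files inside it.
    """
    if len(mutex) != 24:
        raise ValueError("Loki-Bot mutex is always 24 characters")
    folder = mutex[7:13]
    stem = mutex[12:18]
    return {
        "mutex": mutex,
        "folder": f"%APPDATA%\\{folder}",
        "files": [f"%APPDATA%\\{folder}\\{stem}{ext}" for ext in (".exe", ".lck", ".hdb", ".kdb")],
    }


def decode_lokibot_header(payload: bytes) -> dict:
    """Decode the leading fields of a Loki-Bot HTTP POST body.

    WORD 1 = version, WORD 2 = payload type, byte 11 begins the Binary ID.
    Assumptions: little-endian WORDs; the Binary ID is the printable-ASCII
    run starting at offset 10, since the description gives no length.
    """
    if len(payload) < 11:
        raise ValueError("payload too short for a Loki-Bot header")
    version, ptype = struct.unpack_from("<HH", payload, 0)
    end = 10
    while end < len(payload) and 0x20 <= payload[end] < 0x7F:
        end += 1
    binary_id = payload[10:end].decode("ascii")
    return {
        "version": version,
        "payload_type": ptype,
        "payload_name": PAYLOAD_TYPES.get(ptype, "unknown"),
        "binary_id": binary_id,
        "binary_id_is_default": binary_id == KNOWN_BINARY_ID,
    }


# Constructed sample data (not from the report): a fake Machine GUID and a
# fake POST body carrying version 0x12, type 0x27 and the usual Binary ID.
SAMPLE_GUID = "0f5b1c8e-7a2d-4f3e-9b61-2c4d8e9f0a1b"
SAMPLE_BODY = struct.pack("<HH", 0x12, 0x27) + b"\x00" * 6 + b"ckav.ru" + b"\x00" * 4

if __name__ == "__main__":
    art = lokibot_artifacts(lokibot_mutex(SAMPLE_GUID))
    print(art["mutex"], art["folder"])
    for path in art["files"]:
        print("  hunt for:", path)
    print(decode_lokibot_header(SAMPLE_BODY))
```

On a suspect host, read MachineGuid from HKLM\SOFTWARE\Microsoft\Cryptography, feed it to `lokibot_mutex`, and look for the predicted %APPDATA% folder and file names plus the Run key; if the live mutex does not match, try the braced or UTF-16 forms of the GUID before concluding the sample is not Loki-Bot. For traffic, a Binary ID other than ckav.ru in `decode_lokibot_header` output is exactly the case the description says to take note of.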
Source | Rule | Description | Author
---|---|---|---
(not extracted) | JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security
(not extracted) | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
(not extracted) | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security
IDS events (all five at 03/17/23-20:49:57.296824, TCP 192.168.11.20:49818 -> 185.246.220.85:80, classtype "A Network Trojan was detected"):

SID | Rule name (where given in the Loki-Bot signature table above)
---|---
2025381 | not listed above
2024317 | ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2
2825766 | not listed above
2024312 | ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1
2021641 | not listed above
Signature overview (the evidence values in this section were not extracted; only the evidence types and how many rows of each survive)

AV Detection |
---|
Virustotal (1), ReversingLabs (1), Avira URL Cloud (1), Static PE information (2), Binary string (3), Code function (3)

Networking |
---|
Snort IDS (5), IP Address (2), HTTP traffic detected (4), TCP traffic detected without corresponding DNS query (6), UDP traffic detected without corresponding DNS query (1), String found in binary or memory (31), DNS traffic detected (1)

(section heading not extracted) |
---|
Code function (8), Static PE information (4), Process created (5), Binary or memory string (1), Section loaded (2), Virustotal (1), ReversingLabs (1), File read (2), Key opened (2), Key value queried (1), File created (2), Classification label (1), Mutant created (1), File written (1), Binary string (3)

Data Obfuscation |
---|
File source (2), Code function (10), File created, dropped file (2), Process information set (32)

Malware Analysis System Evasion |
---|
File opened (4), Last function (1), Dropped PE file which has not been started (1), Code function (6), API call chain (2), Binary or memory string (13), Process token adjusted (1), Process created (1), Key value queried (1)

Stealing of Sensitive Information |
---|
File source (1), Key opened (4), File opened (4)

Remote Access Functionality |
---|
File source (1)
MITRE ATT&CK matrix (only techniques with a match are listed; the leading number is the match count shown in the original matrix, whose remaining cells were the unmatched technique names of the template)

Tactic | Matched techniques
---|---
Execution | 1 Native API
Persistence | 1 DLL Side-Loading
Privilege Escalation | 1 Access Token Manipulation, 11 Process Injection, 1 DLL Side-Loading
Defense Evasion | 1 Masquerading, 1 Virtualization/Sandbox Evasion, 1 Access Token Manipulation, 11 Process Injection, 1 Obfuscated Files or Information, 1 DLL Side-Loading
Credential Access | 2 OS Credential Dumping, 1 Credentials in Registry
Discovery | 11 Security Software Discovery, 1 Virtualization/Sandbox Evasion, 3 File and Directory Discovery, 5 System Information Discovery
Collection | 1 Email Collection, 1 Archive Collected Data, 2 Data from Local System, 1 Clipboard Data
Command and Control | 1 Encrypted Channel, 1 Ingress Tool Transfer, 3 Non-Application Layer Protocol, 13 Application Layer Protocol
Impact | 1 System Shutdown/Reboot
Initial Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects | no matches
Antivirus detection tables (the Source column of each table was not extracted, so the scanned object behind each row is unknown; tables are kept in the original order)

Detection | Scanner | Label
---|---|---
29% | Virustotal |
51% | ReversingLabs | Win32.Trojan.Nemesis

Detection | Scanner | Label
---|---|---
0% | ReversingLabs |
0% | ReversingLabs |

Detection | Scanner | Label
---|---|---
100% | Avira | HEUR/AGEN.1223491
100% | Avira | HEUR/AGEN.1223491
100% | Avira | HEUR/AGEN.1223491

Detection | Scanner | Label
---|---|---
0% | Virustotal |

Detection | Scanner | Label
---|---|---
0% | Avira URL Cloud | safe
0% | Avira URL Cloud | safe
0% | Avira URL Cloud | safe
0% | Avira URL Cloud | safe
0% | Avira URL Cloud | safe
100% | Avira URL Cloud | malware
0% | Avira URL Cloud | safe
0% | Virustotal |
Domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
---|---|---|---|---|---
ruhsalgelisim.com | 85.95.248.49 | true | false | | unknown

Two further domain/URL rows in the original lost their Name column (Malicious: false and true respectively, reputation unknown for both), and eight URL rows lost their Name and Source columns (Malicious: false for all; reputation unknown for five, high for three).

IPs:

IP | Domain | Country | ASN | ASN Name | Malicious
---|---|---|---|---|---
85.95.248.49 | ruhsalgelisim.com | Turkey | 49467 | EUROTA-ASNEUROTAINTERNETSERVICESLTDTR | false
185.246.220.85 | unknown | Germany | 10753 | LVLT-10753US | true
Joe Sandbox Version: | 37.0.0 Beryl |
Analysis ID: | 829095 |
Start date and time: | 2023-03-17 20:47:29 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 8m 32s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301) |
Number of new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | o6OaOfrAQs.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@4/19@1/2 |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, UserOOBEBroker.exe, backgroundTaskHost.exe, svchost.exe
- TCP Packets have been reduced to 100
- Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, client.wns.windows.com, login.live.com, tile-service.weather.microsoft.com, wdcp.microsoft.com
- Execution Graph export aborted for target o6OaOfrAQs.exe, PID 5540 because there are no executed functions
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
(dropped file; path not extracted)
Process: | C:\Users\user\Desktop\o6OaOfrAQs.exe |
Category: | dropped |
Size (bytes): | 54 |
Entropy (8bit): | 4.838039816898156 |
Encrypted: | false |
SSDEEP: | 3:7KG/LmI/cXQQLQIfLBJXmgxv:OG/LmI/cXQQkIP2I |
MD5: | FB5EE2C0CAC332EC8390F50016EF0769 |
SHA1: | 11D9FB52FE5289140B9D52A38B56F99512B3A3A7 |
SHA-256: | C557AFE51AB22916E3423820A09D3805BF9DCDCECBEC4FE8DE2C67FB023BA631 |
SHA-512: | 87CCEA7B203B8BFC4E21544FE4FE9693AF230E246C450E673410565791DFE8257E30354772FDCC114C7068D9295FDB491E9B52D1A3B490C0756E568B70B95C0A |
Malicious: | false |
Reputation: | moderate, very likely benign file |
(dropped file; path not extracted)
Process: | C:\Users\user\Desktop\o6OaOfrAQs.exe |
Category: | dropped |
Size (bytes): | 11776 |
Entropy (8bit): | 5.832316471889005 |
Encrypted: | false |
SSDEEP: | 192:4PtkiQJr7jHYT87RfwXQ6YSYtOuVDi7IsFW14Ll8CO:H78TQIgGCDp14LGC |
MD5: | B0C77267F13B2F87C084FD86EF51CCFC |
SHA1: | F7543F9E9B4F04386DFBF33C38CBED1BF205AFB3 |
SHA-256: | A0CAC4CF4852895619BC7743EBEB89F9E4927CCDB9E66B1BCD92A4136D0F9C77 |
SHA-512: | F2B57A2EEA00F52A3C7080F4B5F2BB85A7A9B9F16D12DA8F8FF673824556C62A0F742B72BE0FD82A2612A4B6DBD7E0FDC27065212DA703C2F7E28D199696F66E |
Malicious: | false |
Antivirus: | (detection result not extracted) |
Reputation: | moderate, very likely benign file |
(dropped file; path not extracted)
Process: | C:\Users\user\Desktop\o6OaOfrAQs.exe |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Content: | the single ASCII character "1" (the MD5, SHA1 and SHA-256 above are the well-known digests of that one-byte string) |
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3425316567-2969588382-3778222414-1001\1b1d0082738e9f9011266f86ab9723d2_11389406-0377-47ed-98c7-d564e683c6eb
Process: | C:\Users\user\Desktop\o6OaOfrAQs.exe |
Category: | dropped |
Size (bytes): | 47 |
Entropy (8bit): | 1.1262763721961973 |
Encrypted: | false |
SSDEEP: | 3:/lSllIEXln:AWE1 |
MD5: | D69FB7CE74DAC48982B69816C3772E4E |
SHA1: | B1C04CDB2567DC2B50D903B0E1D0D3211191E065 |
SHA-256: | 8CC6CA5CA4D0FA03842A60D90A6141F0B8D64969E830FC899DBA60ACB4905396 |
SHA-512: | 7E4EC58DA8335E43A4542E0F6E05FA2D15393E83634BE973AA3E758A870577BA0BA136F6E831907C4B30D587B8E6EEAFA2A4B8142F49714101BA50ECC294DDB0 |
Malicious: | false |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Dykereeve\Jackbsningen\Telescopiform\Bestridende\AEGISIIIRadeonHelper.dll
Process: | C:\Users\user\Desktop\o6OaOfrAQs.exe |
Category: | dropped |
Size (bytes): | 34016 |
Entropy (8bit): | 6.1021284380541925 |
Encrypted: | false |
SSDEEP: | 384:JP7a6wQdSCVWSdoEdXjYmxzfkfIwuWR7UPMEdxsTStsBdMQJK2wKucYkcuhV3:N7a6eiHdFdr7W5UPMgy+OBG2X90uhV3 |
MD5: | 4FC7FC174E80C178225C2509027DF961 |
SHA1: | 9FF62413EC0DD462F5F016EBC804F1D736D24796 |
SHA-256: | 866B31DD39B97DEDAFD0FBD5672639EE91B47AD319C47816B4F6D01BFF93FF8C |
SHA-512: | 29261B9ABC4AF2F51C05B61A37721BC737B411530361A4B48A7BFFAB0F8263EA75BFD51B6E6E94E91E1D02DC442B534C3334B05FD8324E7CF307FA08179A1ED9 |
Malicious: | false |
Antivirus: | (detection result not extracted) |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Dykereeve\Jackbsningen\Telescopiform\Bestridende\Profetiske.Byg
Process: | C:\Users\user\Desktop\o6OaOfrAQs.exe |
Category: | dropped |
Size (bytes): | 297815 |
Entropy (8bit): | 6.803960139750454 |
Encrypted: | false |
SSDEEP: | 6144:J35PGszPFp+EB9h18KeMJwYQl/w+ByCHqLBmv:J3FGsz93N8Kp60Bg |
MD5: | 12DF13549A2F50FB06EAAC92D2F36C05 |
SHA1: | 5E1CD0421664E97B44B2C26960F4D298DAED0C99 |
SHA-256: | 4EE38AAF3380FB3D7C4F57800A1692175C1D772E3A11028874CF2D8F5DC599F2 |
SHA-512: | 6DD5811B457913D37B922904678A508A1762CDA447C195A660457B19D6302DB8E21586AFF0F22D41D73514CA926FEFE8554777EB558BD321ABF5B76C06527848 |
Malicious: | false |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Dykereeve\Jackbsningen\Telescopiform\Bestridende\Sankekort.Sch209
Process: | C:\Users\user\Desktop\o6OaOfrAQs.exe |
Category: | dropped |
Size (bytes): | 42836 |
Entropy (8bit): | 4.578518141395867 |
Encrypted: | false |
SSDEEP: | 768:AGQ+v3ebyf4b4Yv6Dub2I+MxA83BMUBaPqbIvcbYIrf:NQ+WApD42MxBMMaPqbZbYIrf |
MD5: | 3DAD0F9AF0356D18A46167665A352768 |
SHA1: | E5D083D2224DE4FC9105CB966CF3A53F9BB7D3C0 |
SHA-256: | 8A124F4091887491B8FABE0C0C694B95C2D76F68FB4E9292C59FA5971074899C |
SHA-512: | 7CD0CF5AF5B79A146F22A2D68CC3500AF6068F1BFA48B5730E2C2236201E4B6B7CCED4DBB9121A525F41FC63C07403D1CB40F9267FBF81C5FFC2CB4FA6221E98 |
Malicious: | false |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Hjtideligholdelser\Liechtensteiner\Systemopstninger\pan-start-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\o6OaOfrAQs.exe |
Category: | dropped |
Size (bytes): | 140 |
Entropy (8bit): | 5.529383944212929 |
Encrypted: | false |
SSDEEP: | 3:yionv//thPl9vt3lAnsrtxBllDM9vFW0p/sXm1MMos9DwlTYTbklt/sbp:6v/lhPysx8vFW0pkX4iZlTYTI3Ebp |
MD5: | 4308BBBAB1DB146494AE5ABB07B8E6DB |
SHA1: | 58121574EEB070E26DDD75A964F3548E176E58A4 |
SHA-256: | EFB732049C674EB25BFCB2FA0CBCC45D24190BF1479C054647F424B31E34C828 |
SHA-512: | 41C9B37516F8D6AB7155F890EE36C26FE4161383A93BFBF696AB18292774C3556642E898361D21CECCBFEFFAF5814495CFAC2C74791E02F068B055BD3AD87DE4 |
Malicious: | false |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Hjtideligholdelser\Liechtensteiner\Systemopstninger\printer-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\o6OaOfrAQs.exe |
Category: | dropped |
Size (bytes): | 147 |
Entropy (8bit): | 5.834297280344084 |
Encrypted: | false |
SSDEEP: | 3:yionv//thPl9vt3lAnsrtxBllPhF1MzoQxJrN7djpdXLImeR/mV2kg1p:6v/lhPysx1MzoQxlRZbCRaip |
MD5: | 38D787F55E22FB591135F9250CD259D4 |
SHA1: | 0E135B0E1CA49A6E43DB4CB7596FAEA022E23924 |
SHA-256: | 1ED839B015A67CAB9948469975411D982A96314CE82851EA2F9F6BB8D733A002 |
SHA-512: | 4E21AB54B7110B4CD2EBC0E2CF6DF3F8C7C988495BCCA76949BC3C5EB669A793FCCDA5CB4DDB7B627A21734BD181FE44670757144CC2A007FCB695405F08EC2B |
Malicious: | false |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Idolatrous\Kaes\pt-br.txt
Process: | C:\Users\user\Desktop\o6OaOfrAQs.exe |
Category: | dropped |
Size (bytes): | 9515 |
Entropy (8bit): | 5.04214621707661 |
Encrypted: | false |
SSDEEP: | 192:icoGT04mzNN8hYivh5gtE/PkjY09fdNQuQ:ibGg4mzNhi4tEHoDfHQuQ |
MD5: | 7B02E1AE16E2E709D7C97DE560B4DBE9 |
SHA1: | 191A54644417F7D36F5CB4182DCDB3737D74BE51 |
SHA-256: | DA0B58F52BBC131F967942D1D8E9DE1B5721AE864BC21852A0AD4062332297CB |
SHA-512: | 4F689F854DB3F766B5E53CE2F19E9F8293C075EE3F9B18098EB05B352F2EC95DF85E49A78540781EB531BCE60C7B1F7890F1FE3C65200DEC3CB908E90FB827A1 |
Malicious: | false |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Ravingly\Magnetoplasmadynamics\godsvognen\avatar-default-symbolic.svg
Process: | C:\Users\user\Desktop\o6OaOfrAQs.exe |
Category: | dropped |
Size (bytes): | 266 |
Entropy (8bit): | 4.986245244009802 |
Encrypted: | false |
SSDEEP: | 6:tI9mc4slzc8SRIKMNo/aMhFl1OkUjq5eKVrGDVfqKlNK+:t4C8LKMuyMhPobjoprGDRlj |
MD5: | 8B727826F9D8C0C7C954EDE912CB0DEB |
SHA1: | 1518AA80747326B5353C22D32E57A33D61285119 |
SHA-256: | 0783A7F518D3879C8F0F50B45FBD779A98652469E9B7C659CE41F14D1629D334 |
SHA-512: | 0ABB243F9D1E0B6EDA0CB25D35C3449AB2B5B83078208F11B876A27FF11FF70B79F8BA97D4DA3AED21A8314C75FB2174D9378AF59B57DCB99DFF681D9AAB8561 |
Malicious: | false |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Tilrettelggelsernes\Gyrite\be.txt
Process: | C:\Users\user\Desktop\o6OaOfrAQs.exe |
Category: | dropped |
Size (bytes): | 12193 |
Entropy (8bit): | 4.4720152705808935 |
Encrypted: | false |
SSDEEP: | 192:i2PDEeaNB1PmcptkcDHxbTvPnc67bMxQxGx4ch/JuLQRcg/oN96bPNljYiYr197:ikDFKBFmcPLx3HPnIsqrJuqcgAN96b87 |
MD5: | 3C21135144AC7452E7DB66F0214F9D68 |
SHA1: | B1EC0589D769EAB5E4E8F0F8C21B157EF5EBB47D |
SHA-256: | D095879B8BBC67A1C9875C5E9896942BACF730BD76155C06105544408068C59E |
SHA-512: | 0446A0E2570A1F360FD8700FD4C869C7E2DBB9476BBDEC2526A53844074C79691542B91455343C50941B8A6D5E02A58EE6AA539CC4C4AE9CF000B4034EF663E2 |
Malicious: | false |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Tilrettelggelsernes\Gyrite\changes-allow-symbolic.svg
Process: | C:\Users\user\Desktop\o6OaOfrAQs.exe |
Category: | dropped |
Size (bytes): | 998 |
Entropy (8bit): | 5.186938379246791 |
Encrypted: | false |
SSDEEP: | 24:t4CBGD0QNRWLLxo2em0yKbRAecFxV0/wXK:gDrc0NtAecFiH |
MD5: | CB1EEE7BDB582B756D0F68EF02D6D96D |
SHA1: | 9E9B0F25BC472EF1C1C13EEAC12FD11C4CC0D2D9 |
SHA-256: | 20EA767E852A8EBF2C5BA16D56CBAE10BD09D6CBA89B372A57EAA973AD3281B4 |
SHA-512: | E22FAEAE78D244A0F4E7215B31125D5AA4FD66C0720B0DE61D12084EAB879D7A9E231CCD5CD431417115B0945B450DC348DA400D67DB1898513B7BD6B9C274DB |
Malicious: | false |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Tilrettelggelsernes\Gyrite\dotnet.api
Process: | C:\Users\user\Desktop\o6OaOfrAQs.exe |
Category: | dropped |
Size (bytes): | 1245 |
Entropy (8bit): | 5.462849750105637 |
Encrypted: | false |
SSDEEP: | 24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5 |
MD5: | 5343C1A8B203C162A3BF3870D9F50FD4 |
SHA1: | 04B5B886C20D88B57EEA6D8FF882624A4AC1E51D |
SHA-256: | DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F |
SHA-512: | E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949 |
Malicious: | false |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Tilrettelggelsernes\Gyrite\ebook-reader.png
Process: | C:\Users\user\Desktop\o6OaOfrAQs.exe |
Category: | dropped |
Size (bytes): | 555 |
Entropy (8bit): | 7.499536740374189 |
Encrypted: | false |
SSDEEP: | 12:6v/7anZhFxDEKwjAq0kaO/yvSL6T1pjNngLpzPanwmB9HE4JqSjF:5bDEPxdqKLmpqLdynw29kEqSZ |
MD5: | BFF011148B773FA44B9A9BB029E8CC52 |
SHA1: | F2B838927E320D12649CEFDEA3AFE383C6650D7C |
SHA-256: | B21DE7B432A7A67544D007ECC0FDD95F8E8C6129AF558A32102EE04C08635653 |
SHA-512: | A57C83AEE0E1F4C530D2F5B90589C31FD6E2FF8F62F998963284218FAC5EE164BCA7A619A9597DC3E2ECD0095A2CF04467E89EDF86700E1A90B3DF60B5121C9B |
Malicious: | false |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Tilrettelggelsernes\Gyrite\emblem-photos-symbolic.svg
Process: | C:\Users\user\Desktop\o6OaOfrAQs.exe |
Category: | dropped |
Size (bytes): | 680 |
Entropy (8bit): | 5.109191824773878 |
Encrypted: | false |
SSDEEP: | 12:t4CP5GEA9xI7jhz4AeW02KdTwWjhz4AeW02KdTPqkoop4p:t4CBGEAgF4AeW0/N4AeW0/Zqg4p |
MD5: | 379690952AAA576521D51249D404CBCD |
SHA1: | 61A8A95B0454422AA47379CF983B99FFDD839439 |
SHA-256: | EAD402FB0B85DB153356EC695016FD4F2C4031367D8ED6D1C1EF5FF4F28A8DE8 |
SHA-512: | 35B6BC866C3D02A2486D3447C82405103DE89D46940F7FE44A7009E714BBA57FBE601EEC939C3206ADB06FB31C4FD1D3822A0ED52A346ACFDE5908643432F928 |
Malicious: | false |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Tilrettelggelsernes\Gyrite\font-select-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\o6OaOfrAQs.exe |
Category: | dropped |
Size (bytes): | 220 |
Entropy (8bit): | 6.546211943247282 |
Encrypted: | false |
SSDEEP: | 6:6v/lhPysde0C1jngP3V95D2tOA/RDvhpLUxbVp:6v/7jC1zi3Sr/hW |
MD5: | C84EE7522C124892455BB09DEBCF9340 |
SHA1: | AF87A2A5688346A3902762DD250328B7EF224620 |
SHA-256: | E0A3BD6FE1A1BAEFFE04BCA2980ADF755F888E31DCE3686B16C5DAC4202A38C8 |
SHA-512: | 3BEED79366F15CD075781F677C0C9E84081D2189D1FB541A34AA25980B48701A3D93DC550E4ABEB550EFBE3167B1CAB8338E22F4603C6A71936876FBA75FAD58 |
Malicious: | false |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Tilrettelggelsernes\Gyrite\network-wired-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\o6OaOfrAQs.exe |
Category: | dropped |
Size (bytes): | 144 |
Entropy (8bit): | 5.708279548998072 |
Encrypted: | false |
SSDEEP: | 3:yionv//thPl9vt3lAnsrtxBllAoSF1/LvgStjP9f9uvJYUo+/JHt//sup:6v/lhPysKo21/Lvlt7V9+YUouJH1/jp |
MD5: | 1ED278AD206D6EA33FF787DD326E0FC5 |
SHA1: | 8CFF7AD12FC0E5545E71D05879A0245BEDAF4D46 |
SHA-256: | CC88E76F7C7D2E5B07E49D1F2AD88F8BAFC0542EB11CEB2B2FFF235C87AB4417 |
SHA-512: | 7291085B6153C02EDBF679CDDB93B97DBB74943F216EB622CE9722E02613269F626F8A7A5BE8DA683153E9AEE22C40ED7264E8A0ED62A99F477E2B96642596BF |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Unrivalled\Nonexhaustively\Snaffle\Stealthful\LogoCanary.png
Process: | C:\Users\user\Desktop\o6OaOfrAQs.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 16669 |
Entropy (8bit): | 7.836876926418697 |
Encrypted: | false |
SSDEEP: | 384:dg1Ew+1FT+/6trrKWzge5jh2xmalhctpNy:W1E1c6tru1CUYa4tDy |
MD5: | F80867A421C85C6E2865CF85FF7C4B02 |
SHA1: | C3EAB6B7E92646FE3407B2B3C5AFFE13A7873C48 |
SHA-256: | BCAA3B1333919176137D4DE4B1E3F31126159B12F959D7277BD8537B95139BD3 |
SHA-512: | 06B51E660AEE86FC3BB068C6DEA046920E04F86B8EDD02E640EAC619F0F0D7E87E5CAE5BE1390CEBC5DFE70AA13BAB1710176E88C9D1C859182629D429745D78 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.56953186638099 |
TrID: | |
File name: | o6OaOfrAQs.exe |
File size: | 335976 |
MD5: | 049ecad4587538c292e3ebeee5947eb5 |
SHA1: | 12aabeb19083dd114b7b94c836b031de3945d2c9 |
SHA256: | cf9a08d65a0b472b1ed84638a09d39d741f34e9cd2641092141a9bf1a5f796a6 |
SHA512: | 12092128f6b2f6ea6ab86a7b1812e550e598dfecd43a240bd1ffc0bd15ff9c24e3c9bb40a4273ad706b9a7a7ad890b1c708c42cc23ec359626f5024b36db03ce |
SSDEEP: | 6144:DDk9dhfzelxllPuHBXZOEz5hN4EAnKQo4N7kqZ7t+roIbvS:U9u3lWHBXZTENnKza7kqZ5+rh6 |
TLSH: | 7D6401913AE0D467FC5A4630CAA5E5F3D2A1FE04C916C18373647F6F7D322419922EBA |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L...+.oZ.................`......... |
Icon Hash: | 08c2b0d8cc64b046 |
Entrypoint: | 0x4031d6 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x5A6FED2B [Tue Jan 30 03:57:31 2018 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 3abe302b6d9a1256e6a915429af4ffd2 |
Signature Valid: | false |
Signature Issuer: | E=Brooking183@Flydes25.Dyr, OU="Magtbalancerne Regnvejrsdagene Intensives ", O=Skizofren, L=Onalaska, S=Wisconsin, C=US |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Not Before, Not After: | |
Subject Chain: | |
Version: | 3 |
Thumbprint MD5: | DE53E25C4A808A06A0CD944E65FB058D |
Thumbprint SHA-1: | B1DD19494EAA53E29C92E68EB19E33CFABB34DE0 |
Thumbprint SHA-256: | 12FF0462FE369CB81BB77B13ADFE3B705E7F71A5CFA614B370A8D6D63719C06F |
Serial: | 6CA44E753450CEC7C37D62FEA0B835456441D271 |
Instruction |
---|
sub esp, 00000184h |
push ebx |
push esi |
push edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [esp+18h], ebx |
mov dword ptr [esp+10h], 00409198h |
mov dword ptr [esp+20h], ebx |
mov byte ptr [esp+14h], 00000020h |
call dword ptr [004070A0h] |
call dword ptr [0040709Ch] |
and eax, BFFFFFFFh |
cmp ax, 00000006h |
mov dword ptr [0042370Ch], eax |
je 00007F2D696B3433h |
push ebx |
call 00007F2D696B650Ah |
cmp eax, ebx |
je 00007F2D696B3429h |
push 00000C00h |
call eax |
mov esi, 00407298h |
push esi |
call 00007F2D696B6486h |
push esi |
call dword ptr [00407098h] |
lea esi, dword ptr [esi+eax+01h] |
cmp byte ptr [esi], bl |
jne 00007F2D696B340Dh |
push 0000000Ah |
call 00007F2D696B64DEh |
push 00000008h |
call 00007F2D696B64D7h |
push 00000006h |
mov dword ptr [00423704h], eax |
call 00007F2D696B64CBh |
cmp eax, ebx |
je 00007F2D696B3431h |
push 0000001Eh |
call eax |
test eax, eax |
je 00007F2D696B3429h |
or byte ptr [0042370Fh], 00000040h |
push ebp |
call dword ptr [00407044h] |
push ebx |
call dword ptr [00407288h] |
mov dword ptr [004237D8h], eax |
push ebx |
lea eax, dword ptr [esp+38h] |
push 00000160h |
push eax |
push ebx |
push 0041ECC8h |
call dword ptr [00407178h] |
push 00409188h |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7428 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x36000 | 0xa3c0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x51650 | 0xa18 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x5f0d | 0x6000 | False | 0.6649169921875 | data | 6.450520423955375 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x7000 | 0x1248 | 0x1400 | False | 0.4275390625 | data | 5.007650149182371 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x9000 | 0x1a818 | 0x400 | False | 0.6376953125 | data | 5.129587811765307 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x24000 | 0x12000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x36000 | 0xa3c0 | 0xa400 | False | 0.0760766006097561 | data | 1.8822021165260459 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_BITMAP | 0x36268 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States |
RT_ICON | 0x365d0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 0 | English | United States |
RT_DIALOG | 0x3fa78 | 0x144 | data | English | United States |
RT_DIALOG | 0x3fbc0 | 0x13c | data | English | United States |
RT_DIALOG | 0x3fd00 | 0x120 | data | English | United States |
RT_DIALOG | 0x3fe20 | 0x11c | data | English | United States |
RT_DIALOG | 0x3ff40 | 0xc4 | data | English | United States |
RT_DIALOG | 0x40008 | 0x60 | data | English | United States |
RT_GROUP_ICON | 0x40068 | 0x14 | data | English | United States |
RT_MANIFEST | 0x40080 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States |
DLL | Import |
---|---|
KERNEL32.dll | GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA |
USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA |
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA |
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA |
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
03/17/23-20:49:57.296824 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49818 | 80 | 192.168.11.20 | 185.246.220.85 |
03/17/23-20:49:57.296824 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49818 | 80 | 192.168.11.20 | 185.246.220.85 |
03/17/23-20:49:57.296824 | TCP | 2825766 | ETPRO TROJAN LokiBot Checkin M2 | 49818 | 80 | 192.168.11.20 | 185.246.220.85 |
03/17/23-20:49:57.296824 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49818 | 80 | 192.168.11.20 | 185.246.220.85 |
03/17/23-20:49:57.296824 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49818 | 80 | 192.168.11.20 | 185.246.220.85 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 17, 2023 20:49:56.242620945 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.284706116 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.284915924 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.285419941 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.327553988 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.327625036 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.327786922 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.328250885 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.328422070 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.328454018 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.328489065 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.328602076 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.328623056 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.328660011 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.328690052 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.328716993 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.328803062 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.328804016 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.328862906 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.329441071 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.329514027 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.329803944 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.329803944 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.369924068 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.370007992 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.370086908 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.370193005 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.370542049 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.370640993 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.370733976 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.370758057 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.370791912 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.370829105 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.370870113 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.370910883 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.370928049 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.370948076 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.371073961 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.371103048 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.371146917 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.371244907 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.371280909 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.371299028 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.371427059 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.371484041 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.371480942 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.371597052 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.371630907 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.371731043 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.371805906 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.371875048 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.371882915 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.371941090 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.371956110 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.372016907 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.372036934 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.372117996 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.372208118 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.412204027 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.412328959 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.412415981 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.412473917 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.412476063 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.412564039 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.412564039 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.412612915 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.412628889 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.412705898 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.412827969 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.412878990 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.412889004 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.413043976 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.413098097 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.413125992 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.413213015 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.413269043 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.413285971 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.413413048 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.413433075 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.413538933 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.413583994 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.413606882 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.413690090 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.413727045 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.413727999 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.413754940 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.413826942 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.413834095 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.413887024 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.413969040 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.413974047 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.414127111 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.414132118 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.414268970 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.414275885 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.414421082 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.414427996 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.414493084 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:49:56.414573908 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:49:56.414619923 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 17, 2023 20:49:56.174714088 CET | 54475 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 20:49:56.236529112 CET | 53 | 54475 | 9.9.9.9 | 192.168.11.20 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 17, 2023 20:49:56.174714088 CET | 192.168.11.20 | 9.9.9.9 | 0xc6f2 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 17, 2023 20:49:56.236529112 CET | 9.9.9.9 | 192.168.11.20 | 0xc6f2 | No error (0) | 85.95.248.49 | A (IP address) | IN (0x0001) | false |
Target ID: | 1 |
Start time: | 20:49:22 |
Start date: | 17/03/2023 |
Path: | C:\Users\user\Desktop\o6OaOfrAQs.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 335976 bytes |
MD5 hash: | 049ECAD4587538C292E3EBEEE5947EB5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Target ID: | 4 |
Start time: | 20:49:43 |
Start date: | 17/03/2023 |
Path: | C:\Users\user\Desktop\o6OaOfrAQs.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 335976 bytes |
MD5 hash: | 049ECAD4587538C292E3EBEEE5947EB5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Target ID: | 7 |
Start time: | 20:49:58 |
Start date: | 17/03/2023 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x870000 |
File size: | 482640 bytes |
MD5 hash: | 40A149513D721F096DDF50C04DA2F01F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |