Windows
Analysis Report
HfJLn9erXb.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64native
- HfJLn9erXb.exe (PID: 8604 cmdline: C:\Users\user\Desktop\HfJLn9erXb.exe MD5: 049ECAD4587538C292E3EBEEE5947EB5)
- HfJLn9erXb.exe (PID: 2912 cmdline: C:\Users\user\Desktop\HfJLn9erXb.exe MD5: 049ECAD4587538C292E3EBEEE5947EB5)
- WerFault.exe (PID: 6848 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 1368 MD5: 40A149513D721F096DDF50C04DA2F01F)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Loki Password Stealer (PWS), LokiBot | "Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMe | | | |

Loki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.

Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.

The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24 characters. For example: B7E1C2CC98066B250DDB2123.

Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\C98066\.

There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:

File Extension | File Description |
---|---|
.exe | A copy of the malware that will execute every time the user account is logged into |
.lck | A lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts |
.hdb | A database of hashes for data that has already been exfiltrated to the C2 server |
.kdb | A database of keylogger data that has yet to be sent to the C2 server |

If the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.

The first packet transmitted by Loki-Bot contains application data. The second packet transmitted by Loki-Bot contains decrypted Windows credentials. The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.

Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.

The first WORD of the HTTP Payload represents the Loki-Bot version. The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:

Byte | Payload Type |
---|---|
0x26 | Stolen Cryptocurrency Wallet |
0x27 | Stolen Application Data |
0x28 | Get C2 Commands from C2 Server |
0x29 | Stolen File |
0x2A | POS (Point of Sale?) |
0x2B | Keylogger Data |
0x2C | Screenshot |

The 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!

Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.

The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot's C2 infrastructure.

Loki-Bot can accept the following instructions from the C2 Server:

Byte | Instruction Description |
---|---|
0x00 | Download EXE & Execute |
0x01 | Download DLL & Load #1 |
0x02 | Download DLL & Load #2 |
0x08 | Delete HDB File |
0x09 | Start Keylogger |
0x0A | Mine & Steal Data |
0x0E | Exit Loki-Bot |
0x0F | Upgrade Loki-Bot |
0x10 | Change C2 Polling Frequency |
0x11 | Delete Executables & Exit |

Suricata Signatures

Rule SID | Rule Name |
---|---|
2024311 | ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected |
2024312 | ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1 |
2024313 | ET TROJAN Loki Bot Request for C2 Commands Detected M1 |
2024314 | ET TROJAN Loki Bot File Exfiltration Detected |
2024315 | ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1 |
2024316 | ET TROJAN Loki Bot Screenshot Exfiltration Detected |
2024317 | ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2 |
2024318 | ET TROJAN Loki Bot Request for C2 Commands Detected M2 |
2024319 | ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2 |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security | ||
JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security |
Timestamp: | 03/17/23-20:59:19.936439 |
Source IP: | 192.168.11.20 |
Destination IP: | 185.246.220.85 |
SID: | 2024317 |
Source Port: | 49802 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 03/17/23-20:59:19.936439 |
Source IP: | 192.168.11.20 |
Destination IP: | 185.246.220.85 |
SID: | 2024312 |
Source Port: | 49802 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 03/17/23-20:59:19.936439 |
Source IP: | 192.168.11.20 |
Destination IP: | 185.246.220.85 |
SID: | 2825766 |
Source Port: | 49802 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 03/17/23-20:59:19.936439 |
Source IP: | 192.168.11.20 |
Destination IP: | 185.246.220.85 |
SID: | 2021641 |
Source Port: | 49802 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 03/17/23-20:59:19.936439 |
Source IP: | 192.168.11.20 |
Destination IP: | 185.246.220.85 |
SID: | 2025381 |
Source Port: | 49802 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
AV Detection |
---|
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Avira URL Cloud: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Networking |
---|
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | Code function: |
Source: | Static PE information: |
Source: | Process created: |
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Binary or memory string: |
Source: | Section loaded: | ||
Source: | Section loaded: |
Source: | Static PE information: |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | File read: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Key value queried: |
Source: | Code function: |
Source: | File created: |
Source: | File created: |
Source: | Classification label: |
Source: | Code function: |
Source: | File read: |
Source: | Code function: |
Source: | Mutant created: |
Source: | File written: |
Source: | Key opened: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Data Obfuscation |
---|
Source: | File source: | ||
Source: | File source: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Code function: |
Source: | File created: | ||
Source: | File created: |
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: |
Source: | Last function: |
Source: | Dropped PE file which has not been started: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | API call chain: | ||
Source: | API call chain: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Code function: |
Source: | Process token adjusted: |
Source: | Code function: |
Source: | Process created: |
Source: | Key value queried: |
Source: | Code function: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: |
Source: | Key opened: | ||
Source: | Key opened: |
Source: | Key opened: | ||
Source: | Key opened: |
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: |
Source: | File opened: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | 2 OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 Process Injection | 1 Virtualization/Sandbox Evasion | 1 Credentials in Registry | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | 1 DLL Side-Loading | 1 Access Token Manipulation | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 2 Data from Local System | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 11 Process Injection | NTDS | 5 System Information Discovery | Distributed Component Object Model | 1 Clipboard Data | Scheduled Transfer | 13 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 DLL Side-Loading | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
51% | ReversingLabs | Win32.Trojan.Nemesis | ||
54% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs | |||
0% | ReversingLabs |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | HEUR/AGEN.1223491 | Download File | ||
100% | Avira | HEUR/AGEN.1223491 | Download File | ||
100% | Avira | HEUR/AGEN.1223491 | Download File |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Virustotal | Browse | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
0% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
ruhsalgelisim.com | 85.95.248.49 | true | false | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | unknown |
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
85.95.248.49 | ruhsalgelisim.com | Turkey | | 49467 | EUROTA-ASNEUROTAINTERNETSERVICESLTDTR | false |
185.246.220.85 | unknown | Germany | | 10753 | LVLT-10753US | true |
Joe Sandbox Version: | 37.0.0 Beryl |
Analysis ID: | 829104 |
Start date and time: | 2023-03-17 20:56:49 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 14m 23s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301) |
Number of new started processes analysed: | 24 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | HfJLn9erXb.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@4/19@1/2 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe, UsoClient.exe
- TCP Packets have been reduced to 100
- Excluded domains from analysis (whitelisted): spclient.wg.spotify.com, wdcpalt.microsoft.com, client.wns.windows.com, fs.microsoft.com, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, wdcp.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target HfJLn9erXb.exe, PID 2912 because there are no executed functions
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Process: | C:\Users\user\Desktop\HfJLn9erXb.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 54 |
Entropy (8bit): | 4.838039816898156 |
Encrypted: | false |
SSDEEP: | 3:7KG/LmI/cXQQLQIfLBJXmgxv:OG/LmI/cXQQkIP2I |
MD5: | FB5EE2C0CAC332EC8390F50016EF0769 |
SHA1: | 11D9FB52FE5289140B9D52A38B56F99512B3A3A7 |
SHA-256: | C557AFE51AB22916E3423820A09D3805BF9DCDCECBEC4FE8DE2C67FB023BA631 |
SHA-512: | 87CCEA7B203B8BFC4E21544FE4FE9693AF230E246C450E673410565791DFE8257E30354772FDCC114C7068D9295FDB491E9B52D1A3B490C0756E568B70B95C0A |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\HfJLn9erXb.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11776 |
Entropy (8bit): | 5.832316471889005 |
Encrypted: | false |
SSDEEP: | 192:4PtkiQJr7jHYT87RfwXQ6YSYtOuVDi7IsFW14Ll8CO:H78TQIgGCDp14LGC |
MD5: | B0C77267F13B2F87C084FD86EF51CCFC |
SHA1: | F7543F9E9B4F04386DFBF33C38CBED1BF205AFB3 |
SHA-256: | A0CAC4CF4852895619BC7743EBEB89F9E4927CCDB9E66B1BCD92A4136D0F9C77 |
SHA-512: | F2B57A2EEA00F52A3C7080F4B5F2BB85A7A9B9F16D12DA8F8FF673824556C62A0F742B72BE0FD82A2612A4B6DBD7E0FDC27065212DA703C2F7E28D199696F66E |
Malicious: | false |
Antivirus: | |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\HfJLn9erXb.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3425316567-2969588382-3778222414-1001\1b1d0082738e9f9011266f86ab9723d2_11389406-0377-47ed-98c7-d564e683c6eb
Process: | C:\Users\user\Desktop\HfJLn9erXb.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 47 |
Entropy (8bit): | 1.1262763721961973 |
Encrypted: | false |
SSDEEP: | 3:/lSllIEXln:AWE1 |
MD5: | D69FB7CE74DAC48982B69816C3772E4E |
SHA1: | B1C04CDB2567DC2B50D903B0E1D0D3211191E065 |
SHA-256: | 8CC6CA5CA4D0FA03842A60D90A6141F0B8D64969E830FC899DBA60ACB4905396 |
SHA-512: | 7E4EC58DA8335E43A4542E0F6E05FA2D15393E83634BE973AA3E758A870577BA0BA136F6E831907C4B30D587B8E6EEAFA2A4B8142F49714101BA50ECC294DDB0 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Dykereeve\Jackbsningen\Telescopiform\Bestridende\AEGISIIIRadeonHelper.dll
Process: | C:\Users\user\Desktop\HfJLn9erXb.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 34016 |
Entropy (8bit): | 6.1021284380541925 |
Encrypted: | false |
SSDEEP: | 384:JP7a6wQdSCVWSdoEdXjYmxzfkfIwuWR7UPMEdxsTStsBdMQJK2wKucYkcuhV3:N7a6eiHdFdr7W5UPMgy+OBG2X90uhV3 |
MD5: | 4FC7FC174E80C178225C2509027DF961 |
SHA1: | 9FF62413EC0DD462F5F016EBC804F1D736D24796 |
SHA-256: | 866B31DD39B97DEDAFD0FBD5672639EE91B47AD319C47816B4F6D01BFF93FF8C |
SHA-512: | 29261B9ABC4AF2F51C05B61A37721BC737B411530361A4B48A7BFFAB0F8263EA75BFD51B6E6E94E91E1D02DC442B534C3334B05FD8324E7CF307FA08179A1ED9 |
Malicious: | false |
Antivirus: | |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Dykereeve\Jackbsningen\Telescopiform\Bestridende\Profetiske.Byg
Process: | C:\Users\user\Desktop\HfJLn9erXb.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 297815 |
Entropy (8bit): | 6.803960139750454 |
Encrypted: | false |
SSDEEP: | 6144:J35PGszPFp+EB9h18KeMJwYQl/w+ByCHqLBmv:J3FGsz93N8Kp60Bg |
MD5: | 12DF13549A2F50FB06EAAC92D2F36C05 |
SHA1: | 5E1CD0421664E97B44B2C26960F4D298DAED0C99 |
SHA-256: | 4EE38AAF3380FB3D7C4F57800A1692175C1D772E3A11028874CF2D8F5DC599F2 |
SHA-512: | 6DD5811B457913D37B922904678A508A1762CDA447C195A660457B19D6302DB8E21586AFF0F22D41D73514CA926FEFE8554777EB558BD321ABF5B76C06527848 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Dykereeve\Jackbsningen\Telescopiform\Bestridende\Sankekort.Sch209
Process: | C:\Users\user\Desktop\HfJLn9erXb.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 42836 |
Entropy (8bit): | 4.578518141395867 |
Encrypted: | false |
SSDEEP: | 768:AGQ+v3ebyf4b4Yv6Dub2I+MxA83BMUBaPqbIvcbYIrf:NQ+WApD42MxBMMaPqbZbYIrf |
MD5: | 3DAD0F9AF0356D18A46167665A352768 |
SHA1: | E5D083D2224DE4FC9105CB966CF3A53F9BB7D3C0 |
SHA-256: | 8A124F4091887491B8FABE0C0C694B95C2D76F68FB4E9292C59FA5971074899C |
SHA-512: | 7CD0CF5AF5B79A146F22A2D68CC3500AF6068F1BFA48B5730E2C2236201E4B6B7CCED4DBB9121A525F41FC63C07403D1CB40F9267FBF81C5FFC2CB4FA6221E98 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Hjtideligholdelser\Liechtensteiner\Systemopstninger\pan-start-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\HfJLn9erXb.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 140 |
Entropy (8bit): | 5.529383944212929 |
Encrypted: | false |
SSDEEP: | 3:yionv//thPl9vt3lAnsrtxBllDM9vFW0p/sXm1MMos9DwlTYTbklt/sbp:6v/lhPysx8vFW0pkX4iZlTYTI3Ebp |
MD5: | 4308BBBAB1DB146494AE5ABB07B8E6DB |
SHA1: | 58121574EEB070E26DDD75A964F3548E176E58A4 |
SHA-256: | EFB732049C674EB25BFCB2FA0CBCC45D24190BF1479C054647F424B31E34C828 |
SHA-512: | 41C9B37516F8D6AB7155F890EE36C26FE4161383A93BFBF696AB18292774C3556642E898361D21CECCBFEFFAF5814495CFAC2C74791E02F068B055BD3AD87DE4 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Hjtideligholdelser\Liechtensteiner\Systemopstninger\printer-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\HfJLn9erXb.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 147 |
Entropy (8bit): | 5.834297280344084 |
Encrypted: | false |
SSDEEP: | 3:yionv//thPl9vt3lAnsrtxBllPhF1MzoQxJrN7djpdXLImeR/mV2kg1p:6v/lhPysx1MzoQxlRZbCRaip |
MD5: | 38D787F55E22FB591135F9250CD259D4 |
SHA1: | 0E135B0E1CA49A6E43DB4CB7596FAEA022E23924 |
SHA-256: | 1ED839B015A67CAB9948469975411D982A96314CE82851EA2F9F6BB8D733A002 |
SHA-512: | 4E21AB54B7110B4CD2EBC0E2CF6DF3F8C7C988495BCCA76949BC3C5EB669A793FCCDA5CB4DDB7B627A21734BD181FE44670757144CC2A007FCB695405F08EC2B |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Idolatrous\Kaes\pt-br.txt
Process: | C:\Users\user\Desktop\HfJLn9erXb.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 9515 |
Entropy (8bit): | 5.04214621707661 |
Encrypted: | false |
SSDEEP: | 192:icoGT04mzNN8hYivh5gtE/PkjY09fdNQuQ:ibGg4mzNhi4tEHoDfHQuQ |
MD5: | 7B02E1AE16E2E709D7C97DE560B4DBE9 |
SHA1: | 191A54644417F7D36F5CB4182DCDB3737D74BE51 |
SHA-256: | DA0B58F52BBC131F967942D1D8E9DE1B5721AE864BC21852A0AD4062332297CB |
SHA-512: | 4F689F854DB3F766B5E53CE2F19E9F8293C075EE3F9B18098EB05B352F2EC95DF85E49A78540781EB531BCE60C7B1F7890F1FE3C65200DEC3CB908E90FB827A1 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Ravingly\Magnetoplasmadynamics\godsvognen\avatar-default-symbolic.svg
Process: | C:\Users\user\Desktop\HfJLn9erXb.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 266 |
Entropy (8bit): | 4.986245244009802 |
Encrypted: | false |
SSDEEP: | 6:tI9mc4slzc8SRIKMNo/aMhFl1OkUjq5eKVrGDVfqKlNK+:t4C8LKMuyMhPobjoprGDRlj |
MD5: | 8B727826F9D8C0C7C954EDE912CB0DEB |
SHA1: | 1518AA80747326B5353C22D32E57A33D61285119 |
SHA-256: | 0783A7F518D3879C8F0F50B45FBD779A98652469E9B7C659CE41F14D1629D334 |
SHA-512: | 0ABB243F9D1E0B6EDA0CB25D35C3449AB2B5B83078208F11B876A27FF11FF70B79F8BA97D4DA3AED21A8314C75FB2174D9378AF59B57DCB99DFF681D9AAB8561 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Tilrettelggelsernes\Gyrite\be.txt
Process: | C:\Users\user\Desktop\HfJLn9erXb.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12193 |
Entropy (8bit): | 4.4720152705808935 |
Encrypted: | false |
SSDEEP: | 192:i2PDEeaNB1PmcptkcDHxbTvPnc67bMxQxGx4ch/JuLQRcg/oN96bPNljYiYr197:ikDFKBFmcPLx3HPnIsqrJuqcgAN96b87 |
MD5: | 3C21135144AC7452E7DB66F0214F9D68 |
SHA1: | B1EC0589D769EAB5E4E8F0F8C21B157EF5EBB47D |
SHA-256: | D095879B8BBC67A1C9875C5E9896942BACF730BD76155C06105544408068C59E |
SHA-512: | 0446A0E2570A1F360FD8700FD4C869C7E2DBB9476BBDEC2526A53844074C79691542B91455343C50941B8A6D5E02A58EE6AA539CC4C4AE9CF000B4034EF663E2 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Tilrettelggelsernes\Gyrite\changes-allow-symbolic.svg
Process: | C:\Users\user\Desktop\HfJLn9erXb.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 998 |
Entropy (8bit): | 5.186938379246791 |
Encrypted: | false |
SSDEEP: | 24:t4CBGD0QNRWLLxo2em0yKbRAecFxV0/wXK:gDrc0NtAecFiH |
MD5: | CB1EEE7BDB582B756D0F68EF02D6D96D |
SHA1: | 9E9B0F25BC472EF1C1C13EEAC12FD11C4CC0D2D9 |
SHA-256: | 20EA767E852A8EBF2C5BA16D56CBAE10BD09D6CBA89B372A57EAA973AD3281B4 |
SHA-512: | E22FAEAE78D244A0F4E7215B31125D5AA4FD66C0720B0DE61D12084EAB879D7A9E231CCD5CD431417115B0945B450DC348DA400D67DB1898513B7BD6B9C274DB |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Tilrettelggelsernes\Gyrite\dotnet.api
Process: | C:\Users\user\Desktop\HfJLn9erXb.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1245 |
Entropy (8bit): | 5.462849750105637 |
Encrypted: | false |
SSDEEP: | 24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5 |
MD5: | 5343C1A8B203C162A3BF3870D9F50FD4 |
SHA1: | 04B5B886C20D88B57EEA6D8FF882624A4AC1E51D |
SHA-256: | DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F |
SHA-512: | E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Tilrettelggelsernes\Gyrite\ebook-reader.png
Process: | C:\Users\user\Desktop\HfJLn9erXb.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 555 |
Entropy (8bit): | 7.499536740374189 |
Encrypted: | false |
SSDEEP: | 12:6v/7anZhFxDEKwjAq0kaO/yvSL6T1pjNngLpzPanwmB9HE4JqSjF:5bDEPxdqKLmpqLdynw29kEqSZ |
MD5: | BFF011148B773FA44B9A9BB029E8CC52 |
SHA1: | F2B838927E320D12649CEFDEA3AFE383C6650D7C |
SHA-256: | B21DE7B432A7A67544D007ECC0FDD95F8E8C6129AF558A32102EE04C08635653 |
SHA-512: | A57C83AEE0E1F4C530D2F5B90589C31FD6E2FF8F62F998963284218FAC5EE164BCA7A619A9597DC3E2ECD0095A2CF04467E89EDF86700E1A90B3DF60B5121C9B |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Tilrettelggelsernes\Gyrite\emblem-photos-symbolic.svg
Process: | C:\Users\user\Desktop\HfJLn9erXb.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 680 |
Entropy (8bit): | 5.109191824773878 |
Encrypted: | false |
SSDEEP: | 12:t4CP5GEA9xI7jhz4AeW02KdTwWjhz4AeW02KdTPqkoop4p:t4CBGEAgF4AeW0/N4AeW0/Zqg4p |
MD5: | 379690952AAA576521D51249D404CBCD |
SHA1: | 61A8A95B0454422AA47379CF983B99FFDD839439 |
SHA-256: | EAD402FB0B85DB153356EC695016FD4F2C4031367D8ED6D1C1EF5FF4F28A8DE8 |
SHA-512: | 35B6BC866C3D02A2486D3447C82405103DE89D46940F7FE44A7009E714BBA57FBE601EEC939C3206ADB06FB31C4FD1D3822A0ED52A346ACFDE5908643432F928 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Tilrettelggelsernes\Gyrite\font-select-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\HfJLn9erXb.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 220 |
Entropy (8bit): | 6.546211943247282 |
Encrypted: | false |
SSDEEP: | 6:6v/lhPysde0C1jngP3V95D2tOA/RDvhpLUxbVp:6v/7jC1zi3Sr/hW |
MD5: | C84EE7522C124892455BB09DEBCF9340 |
SHA1: | AF87A2A5688346A3902762DD250328B7EF224620 |
SHA-256: | E0A3BD6FE1A1BAEFFE04BCA2980ADF755F888E31DCE3686B16C5DAC4202A38C8 |
SHA-512: | 3BEED79366F15CD075781F677C0C9E84081D2189D1FB541A34AA25980B48701A3D93DC550E4ABEB550EFBE3167B1CAB8338E22F4603C6A71936876FBA75FAD58 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Tilrettelggelsernes\Gyrite\network-wired-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\HfJLn9erXb.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 144 |
Entropy (8bit): | 5.708279548998072 |
Encrypted: | false |
SSDEEP: | 3:yionv//thPl9vt3lAnsrtxBllAoSF1/LvgStjP9f9uvJYUo+/JHt//sup:6v/lhPysKo21/Lvlt7V9+YUouJH1/jp |
MD5: | 1ED278AD206D6EA33FF787DD326E0FC5 |
SHA1: | 8CFF7AD12FC0E5545E71D05879A0245BEDAF4D46 |
SHA-256: | CC88E76F7C7D2E5B07E49D1F2AD88F8BAFC0542EB11CEB2B2FFF235C87AB4417 |
SHA-512: | 7291085B6153C02EDBF679CDDB93B97DBB74943F216EB622CE9722E02613269F626F8A7A5BE8DA683153E9AEE22C40ED7264E8A0ED62A99F477E2B96642596BF |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Unrivalled\Nonexhaustively\Snaffle\Stealthful\LogoCanary.png
Process: | C:\Users\user\Desktop\HfJLn9erXb.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 16669 |
Entropy (8bit): | 7.836876926418697 |
Encrypted: | false |
SSDEEP: | 384:dg1Ew+1FT+/6trrKWzge5jh2xmalhctpNy:W1E1c6tru1CUYa4tDy |
MD5: | F80867A421C85C6E2865CF85FF7C4B02 |
SHA1: | C3EAB6B7E92646FE3407B2B3C5AFFE13A7873C48 |
SHA-256: | BCAA3B1333919176137D4DE4B1E3F31126159B12F959D7277BD8537B95139BD3 |
SHA-512: | 06B51E660AEE86FC3BB068C6DEA046920E04F86B8EDD02E640EAC619F0F0D7E87E5CAE5BE1390CEBC5DFE70AA13BAB1710176E88C9D1C859182629D429745D78 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.56953186638099 |
TrID: |
File name: | HfJLn9erXb.exe |
File size: | 335976 |
MD5: | 049ecad4587538c292e3ebeee5947eb5 |
SHA1: | 12aabeb19083dd114b7b94c836b031de3945d2c9 |
SHA256: | cf9a08d65a0b472b1ed84638a09d39d741f34e9cd2641092141a9bf1a5f796a6 |
SHA512: | 12092128f6b2f6ea6ab86a7b1812e550e598dfecd43a240bd1ffc0bd15ff9c24e3c9bb40a4273ad706b9a7a7ad890b1c708c42cc23ec359626f5024b36db03ce |
SSDEEP: | 6144:DDk9dhfzelxllPuHBXZOEz5hN4EAnKQo4N7kqZ7t+roIbvS:U9u3lWHBXZTENnKza7kqZ5+rh6 |
TLSH: | 7D6401913AE0D467FC5A4630CAA5E5F3D2A1FE04C916C18373647F6F7D322419922EBA |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L...+.oZ.................`......... |
Icon Hash: | 08c2b0d8cc64b046 |
Entrypoint: | 0x4031d6 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x5A6FED2B [Tue Jan 30 03:57:31 2018 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 3abe302b6d9a1256e6a915429af4ffd2 |
Signature Valid: | false |
Signature Issuer: | E=Brooking183@Flydes25.Dyr, OU="Magtbalancerne Regnvejrsdagene Intensives ", O=Skizofren, L=Onalaska, S=Wisconsin, C=US |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Not Before, Not After |
Subject Chain |
Version: | 3 |
Thumbprint MD5: | DE53E25C4A808A06A0CD944E65FB058D |
Thumbprint SHA-1: | B1DD19494EAA53E29C92E68EB19E33CFABB34DE0 |
Thumbprint SHA-256: | 12FF0462FE369CB81BB77B13ADFE3B705E7F71A5CFA614B370A8D6D63719C06F |
Serial: | 6CA44E753450CEC7C37D62FEA0B835456441D271 |
Instruction |
---|
sub esp, 00000184h |
push ebx |
push esi |
push edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [esp+18h], ebx |
mov dword ptr [esp+10h], 00409198h |
mov dword ptr [esp+20h], ebx |
mov byte ptr [esp+14h], 00000020h |
call dword ptr [004070A0h] |
call dword ptr [0040709Ch] |
and eax, BFFFFFFFh |
cmp ax, 00000006h |
mov dword ptr [0042370Ch], eax |
je 00007FA97059E073h |
push ebx |
call 00007FA9705A114Ah |
cmp eax, ebx |
je 00007FA97059E069h |
push 00000C00h |
call eax |
mov esi, 00407298h |
push esi |
call 00007FA9705A10C6h |
push esi |
call dword ptr [00407098h] |
lea esi, dword ptr [esi+eax+01h] |
cmp byte ptr [esi], bl |
jne 00007FA97059E04Dh |
push 0000000Ah |
call 00007FA9705A111Eh |
push 00000008h |
call 00007FA9705A1117h |
push 00000006h |
mov dword ptr [00423704h], eax |
call 00007FA9705A110Bh |
cmp eax, ebx |
je 00007FA97059E071h |
push 0000001Eh |
call eax |
test eax, eax |
je 00007FA97059E069h |
or byte ptr [0042370Fh], 00000040h |
push ebp |
call dword ptr [00407044h] |
push ebx |
call dword ptr [00407288h] |
mov dword ptr [004237D8h], eax |
push ebx |
lea eax, dword ptr [esp+38h] |
push 00000160h |
push eax |
push ebx |
push 0041ECC8h |
call dword ptr [00407178h] |
push 00409188h |
Programming Language: |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7428 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x36000 | 0xa3c0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x51650 | 0xa18 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x5f0d | 0x6000 | False | 0.6649169921875 | data | 6.450520423955375 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x7000 | 0x1248 | 0x1400 | False | 0.4275390625 | data | 5.007650149182371 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x9000 | 0x1a818 | 0x400 | False | 0.6376953125 | data | 5.129587811765307 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x24000 | 0x12000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x36000 | 0xa3c0 | 0xa400 | False | 0.0760766006097561 | data | 1.8822021165260459 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
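The header and section values above are enough for a first static triage without touching the binary. The script below is an added example (not part of this report and not sandbox code): it transcribes the page's values into Python and applies the checks a reviewer would otherwise make by eye. The security-relevant points it encodes are that DYNAMIC_BASE is only a request for ASLR, which the loader cannot honour when RELOCS_STRIPPED is set and the BASERELOC directory is empty (so the image always maps at 0x400000, as the process list later confirms); that a section whose virtual size far exceeds its raw size (.data: 0x1a818 vs 0x400) is populated at run time; and that an Authenticode blob whose chain is untrusted should be treated as no signature at all. The entropy threshold (7.0 bits) and the 4x growth ratio are assumed triage thresholds, not values from the report.

```python
import math
from collections import Counter

# Values transcribed from the static tables in this report (assumed accurate as printed).
IMAGE_BASE = 0x400000
ENTRYPOINT = 0x4031d6
FILE_CHARACTERISTICS = {"RELOCS_STRIPPED", "EXECUTABLE_IMAGE", "LINE_NUMS_STRIPPED",
                        "LOCAL_SYMS_STRIPPED", "32BIT_MACHINE"}
DLL_CHARACTERISTICS = {"DYNAMIC_BASE", "NX_COMPAT", "NO_SEH", "TERMINAL_SERVER_AWARE"}
BASERELOC_SIZE = 0x0             # IMAGE_DIRECTORY_ENTRY_BASERELOC size
SECURITY_DIR = (0x51650, 0xa18)  # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode blob)
SIGNATURE_VALID = False

# (name, virtual address, virtual size, raw size, entropy, characteristics)
SECTIONS = [
    (".text",  0x1000,  0x5f0d,  0x6000, 6.4505, {"CNT_CODE", "MEM_EXECUTE", "MEM_READ"}),
    (".rdata", 0x7000,  0x1248,  0x1400, 5.0077, {"CNT_INITIALIZED_DATA", "MEM_READ"}),
    (".data",  0x9000,  0x1a818, 0x400,  5.1296, {"CNT_INITIALIZED_DATA", "MEM_READ", "MEM_WRITE"}),
    (".ndata", 0x24000, 0x12000, 0x0,    0.0,    {"CNT_UNINITIALIZED_DATA", "MEM_READ", "MEM_WRITE"}),
    (".rsrc",  0x36000, 0xa3c0,  0xa400, 1.8822, {"CNT_INITIALIZED_DATA", "MEM_READ"}),
]


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the scale of the report's
    'Entropy (8bit)' column: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_for_va(va: int, sections=SECTIONS, image_base=IMAGE_BASE):
    """Name of the section whose virtual range covers a VA, or None."""
    rva = va - image_base
    for name, vaddr, vsize, *_ in sections:
        if vaddr <= rva < vaddr + vsize:
            return name
    return None


def aslr_effective(file_chars, dll_chars, basereloc_size) -> bool:
    """ASLR needs DYNAMIC_BASE *and* base relocations; without relocations the
    loader has no way to fix up absolute addresses and keeps the preferred base."""
    return ("DYNAMIC_BASE" in dll_chars
            and "RELOCS_STRIPPED" not in file_chars
            and basereloc_size > 0)


def triage(sections=SECTIONS, entropy_threshold=7.0, growth_ratio=4):
    """Return a list of 'tag: detail' findings; an empty list means nothing stood out."""
    findings = []
    if not aslr_effective(FILE_CHARACTERISTICS, DLL_CHARACTERISTICS, BASERELOC_SIZE):
        findings.append(f"aslr-ineffective: image always maps at {IMAGE_BASE:#x}")
    ep_section = section_for_va(ENTRYPOINT, sections)
    if ep_section != ".text":
        findings.append(f"entrypoint-outside-text: {ENTRYPOINT:#x} lies in {ep_section}")
    for name, _, vsize, raw, entropy, chars in sections:
        if entropy >= entropy_threshold:
            findings.append(f"high-entropy-section: {name} {entropy:.2f} bits/byte")
        if "MEM_EXECUTE" in chars and "MEM_WRITE" in chars:
            findings.append(f"writable-executable-section: {name}")
        # raw == 0 is ordinary BSS; only flag sections that exist on disk but grow a lot.
        if raw > 0 and vsize / raw >= growth_ratio:
            findings.append(f"runtime-populated-section: {name} {vsize:#x} virtual vs {raw:#x} on disk")
    if SECURITY_DIR[1] > 0 and not SIGNATURE_VALID:
        findings.append("untrusted-signature: Authenticode blob present but chain not trusted")
    return findings


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

For this sample the script reports an ineffective ASLR request, the .data growth, and the untrusted signature, and stays quiet on entropy (the highest section is .text at 6.45) and on RWX sections (there are none). The same checks run unchanged against values pulled from any other PE with a parser such as pefile.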
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_BITMAP | 0x36268 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States |
RT_ICON | 0x365d0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 0 | English | United States |
RT_DIALOG | 0x3fa78 | 0x144 | data | English | United States |
RT_DIALOG | 0x3fbc0 | 0x13c | data | English | United States |
RT_DIALOG | 0x3fd00 | 0x120 | data | English | United States |
RT_DIALOG | 0x3fe20 | 0x11c | data | English | United States |
RT_DIALOG | 0x3ff40 | 0xc4 | data | English | United States |
RT_DIALOG | 0x40008 | 0x60 | data | English | United States |
RT_GROUP_ICON | 0x40068 | 0x14 | data | English | United States |
RT_MANIFEST | 0x40080 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States |
DLL | Import |
---|---|
KERNEL32.dll | GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA |
USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA |
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA |
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA |
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
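The "Import Hash" printed in the static section (3abe302b6d9a1256e6a915429af4ffd2) is the usual pivot for finding other samples built from the same stub, because it depends only on which functions are imported and in what order, not on the payload the stub carries. The block below is an added example, not code from the report or from any sandbox: it implements the conventional imphash normalisation (lower-case DLL name with the .dll/.sys/.ocx suffix removed, a dot, the lower-case function name, entries joined by commas in import-table order, then MD5) and feeds it the import table as printed above. Two assumptions are stated in the code: that the report's table preserves the binary's import order, and that imports by ordinal are written as ordN (pefile additionally maps ordinals to names for a few system DLLs).

```python
import hashlib

# Import table as printed in the report's DLL / Import table, in that order.
# Assumption: the table preserves the binary's import-directory order; if it does not,
# the hash computed here will differ from the report's value and the file itself must
# be parsed (pefile's get_imphash() applies the same normalisation to the real table).
IMPORTS = [
    ("KERNEL32.dll", "GetTempPathA GetFileSize GetModuleFileNameA GetCurrentProcess CopyFileA "
        "ExitProcess SetEnvironmentVariableA Sleep GetTickCount GetCommandLineA lstrlenA GetVersion "
        "SetErrorMode lstrcpynA GetDiskFreeSpaceA GlobalUnlock GetWindowsDirectoryA "
        "SetCurrentDirectoryA GetLastError CreateDirectoryA CreateProcessA RemoveDirectoryA "
        "CreateFileA GetTempFileNameA ReadFile WriteFile lstrcpyA MoveFileExA lstrcatA "
        "GetSystemDirectoryA GetProcAddress GetExitCodeProcess WaitForSingleObject CompareFileTime "
        "SetFileAttributesA GetFileAttributesA GetShortPathNameA MoveFileA GetFullPathNameA "
        "SetFileTime SearchPathA CloseHandle lstrcmpiA CreateThread GlobalLock lstrcmpA "
        "FindFirstFileA FindNextFileA DeleteFileA SetFilePointer GetPrivateProfileStringA FindClose "
        "MultiByteToWideChar FreeLibrary MulDiv WritePrivateProfileStringA LoadLibraryExA "
        "GetModuleHandleA GlobalAlloc GlobalFree ExpandEnvironmentStringsA".split()),
    ("USER32.dll", "ScreenToClient GetSystemMenu SetClassLongA IsWindowEnabled SetWindowPos "
        "GetSysColor GetWindowLongA SetCursor LoadCursorA CheckDlgButton GetMessagePos LoadBitmapA "
        "CallWindowProcA IsWindowVisible CloseClipboard SetClipboardData EmptyClipboard "
        "PostQuitMessage GetWindowRect EnableMenuItem CreatePopupMenu GetSystemMetrics "
        "SetDlgItemTextA GetDlgItemTextA MessageBoxIndirectA CharPrevA DispatchMessageA PeekMessageA "
        "ReleaseDC EnableWindow InvalidateRect SendMessageA DefWindowProcA BeginPaint GetClientRect "
        "FillRect DrawTextA EndDialog RegisterClassA SystemParametersInfoA CreateWindowExA "
        "GetClassInfoA DialogBoxParamA CharNextA ExitWindowsEx GetDC CreateDialogParamA SetTimer "
        "GetDlgItem SetWindowLongA SetForegroundWindow LoadImageA IsWindow SendMessageTimeoutA "
        "FindWindowExA OpenClipboard TrackPopupMenu AppendMenuA EndPaint DestroyWindow wsprintfA "
        "ShowWindow SetWindowTextA".split()),
    ("GDI32.dll", "SelectObject SetBkMode CreateFontIndirectA SetTextColor DeleteObject "
        "GetDeviceCaps CreateBrushIndirect SetBkColor".split()),
    ("SHELL32.dll", "SHGetSpecialFolderLocation ShellExecuteExA SHGetPathFromIDListA "
        "SHBrowseForFolderA SHGetFileInfoA SHFileOperationA".split()),
    ("ADVAPI32.dll", "AdjustTokenPrivileges RegCreateKeyExA RegOpenKeyExA SetFileSecurityA "
        "OpenProcessToken LookupPrivilegeValueA RegEnumValueA RegDeleteKeyA RegDeleteValueA "
        "RegCloseKey RegSetValueExA RegQueryValueExA RegEnumKeyA".split()),
    ("COMCTL32.dll", "ImageList_Create ImageList_AddMasked ImageList_Destroy".split()),
    ("ole32.dll", "OleUninitialize OleInitialize CoTaskMemFree CoCreateInstance".split()),
]

REPORTED_IMPHASH = "3abe302b6d9a1256e6a915429af4ffd2"


def _normalise_dll(dll: str) -> str:
    """kernel32.dll -> kernel32; only .dll/.sys/.ocx suffixes are stripped."""
    lib = dll.lower()
    for ext in (".dll", ".sys", ".ocx"):
        if lib.endswith(ext):
            return lib[: -len(ext)]
    return lib


def imphash_preimage(imports) -> str:
    """The comma-joined 'lib.func' string that gets hashed. Each entry is
    (dll, [names or ordinals]); an int is written as ordN (assumption: no
    ordinal-to-name lookup, which pefile does for a few system DLLs)."""
    parts = []
    for dll, funcs in imports:
        lib = _normalise_dll(dll)
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports) -> str:
    return hashlib.md5(imphash_preimage(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    computed = imphash(IMPORTS)
    print(computed, "matches report" if computed == REPORTED_IMPHASH else "differs from report")
```

Because the hash is order-sensitive, swapping two DLL entries or two functions changes it; that is also why a report's table is only a hint and the authoritative value comes from the import directory of the file.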
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
03/17/23-20:59:19.936439 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49802 | 80 | 192.168.11.20 | 185.246.220.85 |
03/17/23-20:59:19.936439 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49802 | 80 | 192.168.11.20 | 185.246.220.85 |
03/17/23-20:59:19.936439 | TCP | 2825766 | ETPRO TROJAN LokiBot Checkin M2 | 49802 | 80 | 192.168.11.20 | 185.246.220.85 |
03/17/23-20:59:19.936439 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49802 | 80 | 192.168.11.20 | 185.246.220.85 |
03/17/23-20:59:19.936439 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49802 | 80 | 192.168.11.20 | 185.246.220.85 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 17, 2023 20:59:17.882953882 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:18.884468079 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:18.926943064 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:18.927155972 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:18.928247929 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:18.970037937 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:18.974704027 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:18.974900007 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:18.975447893 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:18.975519896 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:18.975660086 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:18.975795031 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:18.975795031 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:18.975904942 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:18.975996971 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:18.976087093 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:18.976142883 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:18.976171970 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:18.976231098 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:18.976269007 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:18.976329088 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:18.976335049 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:18.976403952 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:18.976511002 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.016927004 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.016976118 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.017230988 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.018229961 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.018277884 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.018404961 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.018404961 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.018515110 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.018558025 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.018759012 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.019373894 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.019419909 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.019608021 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.019623995 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.019679070 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.019730091 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.019830942 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.019870043 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.019968987 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.020008087 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.020052910 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.020090103 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.020126104 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.020353079 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.020384073 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.020433903 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.020549059 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.020648956 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.020739079 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.059221983 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.059319973 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.059377909 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.059433937 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.059453011 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.059521914 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.059623957 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.059782028 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.060463905 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.060560942 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.060620070 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.060698032 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.060733080 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.060751915 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.060791016 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.060844898 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.060903072 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.060905933 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.061070919 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.061120033 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.061170101 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.061417103 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.061604023 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.061774969 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.061860085 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.061928034 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.062057972 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.062093973 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.062107086 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.062211990 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.062289953 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.062321901 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.062473059 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.062473059 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.062524080 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.062683105 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.062753916 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.062870026 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.062887907 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.063028097 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.063091993 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.063224077 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.063230991 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.063379049 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.063426018 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Mar 17, 2023 20:59:19.063541889 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20 |
Mar 17, 2023 20:59:19.063590050 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 17, 2023 20:59:17.661098003 CET | 60369 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 20:59:17.877599955 CET | 53 | 60369 | 9.9.9.9 | 192.168.11.20 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 17, 2023 20:59:17.661098003 CET | 192.168.11.20 | 9.9.9.9 | 0xa637 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 17, 2023 20:59:17.877599955 CET | 9.9.9.9 | 192.168.11.20 | 0xa637 | No error (0) | 85.95.248.49 | A (IP address) | IN (0x0001) | false |
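Read together, the IDS, TCP and DNS tables above say more than any one of them: five LokiBot signatures fire on a single packet of one flow (192.168.11.20:49802 to 185.246.220.85:80), the packet list printed here belongs to a different connection (port 49801 to 85.95.248.49), both go over cleartext HTTP on port 80, and the only DNS answer recorded resolves to 85.95.248.49, so 185.246.220.85 was reached without a name lookup. The script below is an added example, not part of the report: it parses the three tables (the alert rows and three of the roughly one hundred packet rows are embedded as constructed sample input in the report's own column order) and derives those observations so that a reader can see which conclusions each table supports. The "hard-coded IP" inference rests on the assumption that the report lists every DNS answer, which is how the page presents it.

```python
from collections import defaultdict

SANDBOX_HOST = "192.168.11.20"

# Constructed from the IDS alert table above: timestamp | proto | SID | message | sport | dport | src | dst
ALERTS = """\
03/17/23-20:59:19.936439 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49802 | 80 | 192.168.11.20 | 185.246.220.85
03/17/23-20:59:19.936439 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49802 | 80 | 192.168.11.20 | 185.246.220.85
03/17/23-20:59:19.936439 | TCP | 2825766 | ETPRO TROJAN LokiBot Checkin M2 | 49802 | 80 | 192.168.11.20 | 185.246.220.85
03/17/23-20:59:19.936439 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49802 | 80 | 192.168.11.20 | 185.246.220.85
03/17/23-20:59:19.936439 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49802 | 80 | 192.168.11.20 | 185.246.220.85
"""

# Three rows of the TCP packet table, both directions: timestamp | sport | dport | src | dst
PACKETS = """\
Mar 17, 2023 20:59:17.882953882 CET | 49801 | 80 | 192.168.11.20 | 85.95.248.49
Mar 17, 2023 20:59:18.926943064 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20
Mar 17, 2023 20:59:19.016927004 CET | 80 | 49801 | 85.95.248.49 | 192.168.11.20
"""

# The only A-record answer the report records (the queried name is not preserved on the page).
DNS_ANSWERS = {"85.95.248.49"}


def _cells(line: str):
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_alerts(text: str):
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, sid, msg, sport, dport, src, dst = _cells(line)
        alerts.append({"ts": ts, "proto": proto, "sid": int(sid), "msg": msg,
                       "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)})
    return alerts


def flows_from_alerts(alerts):
    """Group SIDs by client->server 4-tuple so five rules on one packet read as one flow."""
    flows = defaultdict(set)
    for a in alerts:
        flows[(a["src"], a["sport"], a["dst"], a["dport"])].add(a["sid"])
    return dict(flows)


def flows_from_packets(text: str, host: str = SANDBOX_HOST):
    """Client->server 4-tuples from the packet list, normalised so the sandbox host is
    always on the client side whichever direction a given packet travelled."""
    flows = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        _, sport, dport, src, dst = _cells(line)
        if src == host:
            flows.add((src, int(sport), dst, int(dport)))
        else:
            flows.add((dst, int(dport), src, int(sport)))
    return flows


def unresolved_peers(flows, dns_answers=DNS_ANSWERS):
    """Servers contacted with no recorded DNS answer: consistent with a hard-coded C2 IP."""
    return {dst for (_, _, dst, _) in flows if dst not in dns_answers}


def summarize():
    alert_flows = flows_from_alerts(parse_alerts(ALERTS))
    packet_flows = flows_from_packets(PACKETS)
    all_flows = set(alert_flows) | packet_flows
    return {
        "alerted_flows": alert_flows,
        "alerted_flows_missing_from_packet_table": set(alert_flows) - packet_flows,
        "cleartext_http": {f for f in all_flows if f[3] == 80},
        "hardcoded_ip_peers": unresolved_peers(all_flows),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The per-flow grouping is the step worth keeping when this is turned into a detection: counting alerts rather than flows would make a single LokiBot check-in look like five incidents, while the DNS cross-check surfaces the peer that no signature named.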
Target ID: | 2 |
Start time: | 20:58:43 |
Start date: | 17/03/2023 |
Path: | C:\Users\user\Desktop\HfJLn9erXb.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 335976 bytes |
MD5 hash: | 049ECAD4587538C292E3EBEEE5947EB5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | low |
Target ID: | 7 |
Start time: | 20:59:04 |
Start date: | 17/03/2023 |
Path: | C:\Users\user\Desktop\HfJLn9erXb.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 335976 bytes |
MD5 hash: | 049ECAD4587538C292E3EBEEE5947EB5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Target ID: | 18 |
Start time: | 20:59:21 |
Start date: | 17/03/2023 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x3e0000 |
File size: | 482640 bytes |
MD5 hash: | 40A149513D721F096DDF50C04DA2F01F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |