Windows
Analysis Report
YofglD94L7.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- YofglD94L7.exe (PID: 7896 cmdline: C:\Users\user\Desktop\YofglD94L7.exe MD5: A15368816DE1F0ED8B7BB687F8EF54A7)
- YofglD94L7.exe (PID: 7916 cmdline: C:\Users\user\Desktop\YofglD94L7.exe MD5: A15368816DE1F0ED8B7BB687F8EF54A7)
- explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- jefgchi (PID: 8152 cmdline: C:\Users\user\AppData\Roaming\jefgchi MD5: A15368816DE1F0ED8B7BB687F8EF54A7)
- jefgchi (PID: 6060 cmdline: C:\Users\user\AppData\Roaming\jefgchi MD5: A15368816DE1F0ED8B7BB687F8EF54A7)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. | | | |
{"Version": 2020, "C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | | |
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | | |
Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | | |
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | | |
Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
AV Detection
Networking
Key, Mouse, Clipboard, Microphone and Screen Capturing
System Summary
Data Obfuscation
Hooking and other Techniques for Hiding and Protection
Malware Analysis System Evasion
Anti Debugging
HIPS / PFW / Operating System Protection Evasion
Stealing of Sensitive Information
Remote Access Functionality
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 512 Process Injection | 11 Masquerading | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | 2 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 12 Virtualization/Sandbox Evasion | LSASS Memory | 421 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 2 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 512 Process Injection | Security Account Manager | 12 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 112 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Deobfuscate/Decode Files or Information | NTDS | 3 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Hidden Files and Directories | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 15 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 File Deletion | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
44% | ReversingLabs | |||
44% | Virustotal | Browse | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML | |||
43% | ReversingLabs | |||
44% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
22% | Virustotal | Browse | ||
19% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
100% | URL Reputation | malware | ||
0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
host-file-host6.com | 194.50.153.68 | true | true | | unknown |
host-host-file8.com | unknown | unknown | true | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
194.50.153.68 | host-file-host6.com | United Kingdom | | 198526 | GAZ-IS-ASRU | true |
Joe Sandbox Version: | 37.1.0 Beryl |
Analysis ID: | 877009 |
Start date and time: | 2023-05-28 14:26:04 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 20s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 1 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | YofglD94L7.exe |
Original Sample Name: | a15368816de1f0ed8b7bb687f8ef54a7.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@6/2@4/1 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
14:27:05 | API Interceptor | |
14:27:33 | Task Scheduler |
Process: | C:\Windows\explorer.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 282624 |
Entropy (8bit): | 6.606962847821293 |
Encrypted: | false |
SSDEEP: | 3072:MgzVrh9zwm5ZisWcVtnQTbwOw7bsDYR6Pd5gG+ZGvAgi:jzVbwiZL9VtQTb7w7IDu1GQ |
MD5: | A15368816DE1F0ED8B7BB687F8EF54A7 |
SHA1: | 6323221495834DC42128B64E07881913A62CD71A |
SHA-256: | AD357ADBA4C2B2A46057C65DC06FCBA8E2CCB41D157A88CB31DC29DB43CECF36 |
SHA-512: | E65F67F8344C8BB11FBF4F8DCE717463C5C8CF9C358BEFFCFA6DAA8816CB9FEDA7EE7947B90112B81F20FD7EF057884334B648CF9C52AB6420C9514460CC79AC |
Malicious: | true |
Antivirus: | |
Reputation: | low |
Preview: |
Process: | C:\Windows\explorer.exe |
File Type: | |
Category: | modified |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | true |
Reputation: | high, very likely benign file |
Preview: |
File type: | |
Entropy (8bit): | 6.606962847821293 |
TrID: | |
File name: | YofglD94L7.exe |
File size: | 282624 |
MD5: | a15368816de1f0ed8b7bb687f8ef54a7 |
SHA1: | 6323221495834dc42128b64e07881913a62cd71a |
SHA256: | ad357adba4c2b2a46057c65dc06fcba8e2ccb41d157a88cb31dc29db43cecf36 |
SHA512: | e65f67f8344c8bb11fbf4f8dce717463c5c8cf9c358beffcfa6daa8816cb9feda7ee7947b90112b81f20fd7ef057884334b648cf9c52ab6420c9514460cc79ac |
SSDEEP: | 3072:MgzVrh9zwm5ZisWcVtnQTbwOw7bsDYR6Pd5gG+ZGvAgi:jzVbwiZL9VtQTb7w7IDu1GQ |
TLSH: | 9A543A8396E2FC54ED678A729E2FC6E8761EF2508F59776922189A1F04703B2C173713 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&...b...b...b...|.......|.......|...H...EX..k...b.......|...c...|...c...|...c...Richb...................PE..L...Ptpb........... |
Icon Hash: | 4545554d5145691d |
Entrypoint: | 0x404dd9 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x62707450 [Tue May 3 00:16:16 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | d302e4ac3406067f8ed838633897aebb |
Instruction |
---|
call 00007EFDCC6D7A33h |
jmp 00007EFDCC6D30CDh |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
mov ecx, dword ptr [esp+04h] |
test ecx, 00000003h |
je 00007EFDCC6D3276h |
mov al, byte ptr [ecx] |
add ecx, 01h |
test al, al |
je 00007EFDCC6D32A0h |
test ecx, 00000003h |
jne 00007EFDCC6D3241h |
add eax, 00000000h |
lea esp, dword ptr [esp+00000000h] |
lea esp, dword ptr [esp+00000000h] |
mov eax, dword ptr [ecx] |
mov edx, 7EFEFEFFh |
add edx, eax |
xor eax, FFFFFFFFh |
xor eax, edx |
add ecx, 04h |
test eax, 81010100h |
je 00007EFDCC6D323Ah |
mov eax, dword ptr [ecx-04h] |
test al, al |
je 00007EFDCC6D3284h |
test ah, ah |
je 00007EFDCC6D3276h |
test eax, 00FF0000h |
je 00007EFDCC6D3265h |
test eax, FF000000h |
je 00007EFDCC6D3254h |
jmp 00007EFDCC6D321Fh |
lea eax, dword ptr [ecx-01h] |
mov ecx, dword ptr [esp+04h] |
sub eax, ecx |
ret |
lea eax, dword ptr [ecx-02h] |
mov ecx, dword ptr [esp+04h] |
sub eax, ecx |
ret |
lea eax, dword ptr [ecx-03h] |
mov ecx, dword ptr [esp+04h] |
sub eax, ecx |
ret |
lea eax, dword ptr [ecx-04h] |
mov ecx, dword ptr [esp+04h] |
sub eax, ecx |
ret |
mov edi, edi |
push ebp |
mov ebp, esp |
sub esp, 20h |
mov eax, dword ptr [ebp+08h] |
push esi |
push edi |
push 00000008h |
pop ecx |
mov esi, 004012D8h |
lea edi, dword ptr [ebp-20h] |
rep movsd |
mov dword ptr [ebp-08h], eax |
mov eax, dword ptr [ebp+0Ch] |
pop edi |
mov dword ptr [ebp-04h], eax |
pop esi |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x28708 | 0x64 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x270000 | 0x17700 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x288000 | 0xde8 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1220 | 0x1c | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x30c8 | 0x40 | .text |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1d4 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x281c2 | 0x28200 | False | 0.7881924162772586 | data | 7.588227971051698 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x2a000 | 0x245844 | 0x1e00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x270000 | 0x17700 | 0x17800 | False | 0.3845786236702128 | DIY-Thermocam raw data (Lepton 3.x), scale -32383-32383, spot sensor temperature -0.000000, unit celsius, color scheme 0, calibration: offset 170141183460469231731687303715884105728.000000, slope 338285908496422218588534207645931798528.000000 | 4.2078074882893075 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x288000 | 0x3328 | 0x3400 | False | 0.22596153846153846 | data | 2.5254561443990666 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x2706d0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | ||
RT_ICON | 0x270d98 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | ||
RT_ICON | 0x273340 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | ||
RT_ICON | 0x2737d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | ||
RT_ICON | 0x274680 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | ||
RT_ICON | 0x274f28 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | ||
RT_ICON | 0x275490 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | ||
RT_ICON | 0x277a38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | ||
RT_ICON | 0x278ae0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | ||
RT_ICON | 0x279468 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | ||
RT_ICON | 0x279938 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | ||
RT_ICON | 0x27a7e0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | ||
RT_ICON | 0x27b088 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | ||
RT_ICON | 0x27b750 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | ||
RT_ICON | 0x27bcb8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | ||
RT_ICON | 0x27e260 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | ||
RT_ICON | 0x27f308 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | ||
RT_ICON | 0x27f7d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | ||
RT_ICON | 0x280680 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | ||
RT_ICON | 0x280f28 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | ||
RT_ICON | 0x281490 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | ||
RT_ICON | 0x283a38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | ||
RT_ICON | 0x284ae0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | ||
RT_ICON | 0x285468 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | ||
RT_STRING | 0x285b70 | 0x6fa | data | ||
RT_STRING | 0x286270 | 0x6a8 | data | ||
RT_STRING | 0x286918 | 0x4b8 | data | ||
RT_STRING | 0x286dd0 | 0x1da | data | ||
RT_STRING | 0x286fb0 | 0x74c | data | ||
RT_GROUP_ICON | 0x2858d0 | 0x68 | data | ||
RT_GROUP_ICON | 0x27f770 | 0x68 | data | ||
RT_GROUP_ICON | 0x2737a8 | 0x30 | data | ||
RT_GROUP_ICON | 0x2798d0 | 0x68 | data | ||
RT_VERSION | 0x285938 | 0x234 | data |
DLL | Import |
---|---|
KERNEL32.dll | GetModuleHandleW, GetTickCount, IsBadReadPtr, GetConsoleAliasesLengthA, GetPrivateProfileIntA, FreeConsole, GetVersionExW, WritePrivateProfileStructW, MulDiv, GetModuleFileNameW, CreateActCtxA, WritePrivateProfileStringW, ReplaceFileA, GetStringTypeExA, CreateJobObjectA, GetStdHandle, GetLogicalDriveStringsA, OpenMutexW, GetLastError, ReadConsoleOutputCharacterA, GetProcAddress, SleepEx, GetLongPathNameA, VirtualAlloc, EnterCriticalSection, _hwrite, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, GetFileType, CreateFileMappingW, FindFirstVolumeMountPointW, GetNumberFormatW, CreateEventW, GetModuleFileNameA, lstrcmpiW, GetModuleHandleA, CreateMutexA, GetFileAttributesExW, GetConsoleCursorInfo, ScrollConsoleScreenBufferA, FindAtomW, EnumResourceLanguagesW, DebugBreak, FindNextVolumeA, AddConsoleAliasW, CancelWaitableTimer, GetCommState, WaitForSingleObject, AttachConsole, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, WideCharToMultiByte, SetHandleCount, DeleteCriticalSection, LeaveCriticalSection, Sleep, ExitProcess, WriteFile, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapReAlloc, SetFilePointer, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, HeapSize, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, CreateFileA, CloseHandle |
USER32.dll | CharLowerBuffA |
GDI32.dll | GetCharWidthW, EnumFontsW, GetCharABCWidthsFloatW |
ADVAPI32.dll | MapGenericMask |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 28, 2023 14:27:33.230834007 CEST | 49699 | 80 | 192.168.2.3 | 194.50.153.68 |
May 28, 2023 14:27:33.255489111 CEST | 80 | 49699 | 194.50.153.68 | 192.168.2.3 |
May 28, 2023 14:27:33.255640030 CEST | 49699 | 80 | 192.168.2.3 | 194.50.153.68 |
May 28, 2023 14:27:33.288640976 CEST | 49699 | 80 | 192.168.2.3 | 194.50.153.68 |
May 28, 2023 14:27:33.288698912 CEST | 49699 | 80 | 192.168.2.3 | 194.50.153.68 |
May 28, 2023 14:27:33.313499928 CEST | 80 | 49699 | 194.50.153.68 | 192.168.2.3 |
May 28, 2023 14:27:33.410356998 CEST | 80 | 49699 | 194.50.153.68 | 192.168.2.3 |
May 28, 2023 14:27:33.410481930 CEST | 49699 | 80 | 192.168.2.3 | 194.50.153.68 |
May 28, 2023 14:27:33.412591934 CEST | 49699 | 80 | 192.168.2.3 | 194.50.153.68 |
May 28, 2023 14:27:33.437330008 CEST | 80 | 49699 | 194.50.153.68 | 192.168.2.3 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 28, 2023 14:27:33.203741074 CEST | 52387 | 53 | 192.168.2.3 | 8.8.8.8 |
May 28, 2023 14:27:33.223833084 CEST | 53 | 52387 | 8.8.8.8 | 192.168.2.3 |
May 28, 2023 14:27:34.652285099 CEST | 56924 | 53 | 192.168.2.3 | 8.8.8.8 |
May 28, 2023 14:27:35.692795038 CEST | 56924 | 53 | 192.168.2.3 | 8.8.8.8 |
May 28, 2023 14:27:36.739690065 CEST | 56924 | 53 | 192.168.2.3 | 8.8.8.8 |
May 28, 2023 14:27:38.697307110 CEST | 53 | 56924 | 8.8.8.8 | 192.168.2.3 |
May 28, 2023 14:27:38.697369099 CEST | 53 | 56924 | 8.8.8.8 | 192.168.2.3 |
May 28, 2023 14:27:40.777638912 CEST | 53 | 56924 | 8.8.8.8 | 192.168.2.3 |
Timestamp | Source IP | Dest IP | Checksum | Code | Type |
---|---|---|---|---|---|
May 28, 2023 14:27:40.777764082 CEST | 192.168.2.3 | 8.8.8.8 | cff6 | (Port unreachable) | Destination Unreachable |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
May 28, 2023 14:27:33.203741074 CEST | 192.168.2.3 | 8.8.8.8 | 0xa05a | Standard query (0) | | A (IP address) | IN (0x0001) | false |
May 28, 2023 14:27:34.652285099 CEST | 192.168.2.3 | 8.8.8.8 | 0x7ae7 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
May 28, 2023 14:27:35.692795038 CEST | 192.168.2.3 | 8.8.8.8 | 0x7ae7 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
May 28, 2023 14:27:36.739690065 CEST | 192.168.2.3 | 8.8.8.8 | 0x7ae7 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
May 28, 2023 14:27:33.223833084 CEST | 8.8.8.8 | 192.168.2.3 | 0xa05a | No error (0) | | | 194.50.153.68 | A (IP address) | IN (0x0001) | false |
May 28, 2023 14:27:38.697307110 CEST | 8.8.8.8 | 192.168.2.3 | 0x7ae7 | Server failure (2) | | none | none | A (IP address) | IN (0x0001) | false |
May 28, 2023 14:27:38.697369099 CEST | 8.8.8.8 | 192.168.2.3 | 0x7ae7 | Server failure (2) | | none | none | A (IP address) | IN (0x0001) | false |
May 28, 2023 14:27:40.777638912 CEST | 8.8.8.8 | 192.168.2.3 | 0x7ae7 | Server failure (2) | | none | none | A (IP address) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 14:26:59 |
Start date: | 28/05/2023 |
Path: | C:\Users\user\Desktop\YofglD94L7.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 282624 bytes |
MD5 hash: | A15368816DE1F0ED8B7BB687F8EF54A7 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Target ID: | 1 |
Start time: | 14:26:59 |
Start date: | 28/05/2023 |
Path: | C:\Users\user\Desktop\YofglD94L7.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 282624 bytes |
MD5 hash: | A15368816DE1F0ED8B7BB687F8EF54A7 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Target ID: | 2 |
Start time: | 14:27:04 |
Start date: | 28/05/2023 |
Path: | C:\Windows\explorer.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff69fe90000 |
File size: | 3933184 bytes |
MD5 hash: | AD5296B280E8F522A8A897C96BAB0E1D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 5 |
Start time: | 14:27:33 |
Start date: | 28/05/2023 |
Path: | C:\Users\user\AppData\Roaming\jefgchi |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 282624 bytes |
MD5 hash: | A15368816DE1F0ED8B7BB687F8EF54A7 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Yara matches: | |
Antivirus matches: | |
Reputation: | low |
Target ID: | 6 |
Start time: | 14:27:35 |
Start date: | 28/05/2023 |
Path: | C:\Users\user\AppData\Roaming\jefgchi |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 282624 bytes |
MD5 hash: | A15368816DE1F0ED8B7BB687F8EF54A7 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |