Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for '41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04'

malicious

Threat Score: 100/100 AV Detection: 84% Labeled as: Trojan.Generic #banker #emotet

41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04

This report is generated from a file or URL submitted to this webservice on December 29th 2017 21:44:10 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v7.20 © Hybrid Analysis

Overview Sample unavailable Re-analyze Hash Seen Before Show Similar Samples Request Report Deletion

Incident Response

Risk Assessment

Spyware: POSTs files to a webserver
Persistence: Writes data to a remote process
Fingerprint: Reads the active computer name
Reads the cryptographic machine GUID

Indicators

Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

Malicious Indicators 7
Anti-Detection/Stealthyness
- Tries to hide tracks of having downloaded a file from the internet
  
  details
  
  "<Input Sample>" opened "%WINDIR%\system32\wlanscreen.exe:Zone.Identifier" with delete access
  
  source
  
  API Call
  
  relevance
  
  7/10
External Systems
- Detected Emerging Threats Alert
  
  details
  
  Detected alert "ETPRO TROJAN W32/Emotet.v4 Checkin" (SID: 2827279, Rev: 5, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
  Detected alert "ETPRO TROJAN W32/Emotet.v4 Checkin 2" (SID: 2827580, Rev: 7, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
  Detected alert "ETPRO TROJAN W32/Emotet.v4 Checkin 3" (SID: 2828008, Rev: 2, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
  
  source
  
  Suricata Alerts
  
  relevance
  
  10/10
- Sample was identified as malicious by a large number of Antivirus engines
  
  details
  
  38/66 Antivirus vendors marked sample as malicious (57% detection rate)
  
  source
  
  External System
  
  relevance
  
  10/10
- Sample was identified as malicious by at least one Antivirus engine
  
  details
  
  38/66 Antivirus vendors marked sample as malicious (57% detection rate)
  
  source
  
  External System
  
  relevance
  
  8/10
General
- The analysis spawned a process that was identified as malicious
  
  details
  
  38/66 Antivirus vendors marked spawned process "<Input Sample>" (PID: 3452) as malicious (classified as "Trojan.Emotet" with 57% detection rate)
  
  source
  
  Monitored Target
  
  relevance
  
  10/10
Installation/Persistance
- Writes data to a remote process
  
  details
  
  "<Input Sample>" wrote 32 bytes to a remote process "C:\41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe" (Handle: 156)
  "<Input Sample>" wrote 52 bytes to a remote process "C:\41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe" (Handle: 156)
  "<Input Sample>" wrote 4 bytes to a remote process "C:\41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe" (Handle: 156)
  
  source
  
  API Call
  
  relevance
  
  6/10
Hiding 1 Malicious Indicators
- All indicators are available only in the private webservice or standalone version

Suspicious Indicators 16
Anti-Detection/Stealthyness
- Queries kernel debugger information
  
  details
  
  "<Input Sample>" at 00041110-00003452-00000105-95217525
  
  source
  
  API Call
  
  relevance
  
  6/10
Anti-Reverse Engineering
- PE file has unusual entropy sections
  
  details
  
  .text with unusual entropies 7.62372131957
  
  source
  
  Static Parser
  
  relevance
  
  10/10
Environment Awareness
- Reads the active computer name
  
  details
  
  "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  
  source
  
  Registry Access
  
  relevance
  
  5/10
- Reads the cryptographic machine GUID
  
  details
  
  "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
External Systems
- Detected Emerging Threats Alert
  
  details
  
  Detected alert "ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1" (SID: 2018358, Rev: 7, Severity: 2) categorized as "Potentially Bad Traffic"
  
  source
  
  Suricata Alerts
  
  relevance
  
  10/10
General
- Opened the service control manager
  
  details
  
  "<Input Sample>" called "OpenSCManager" requesting access rights "0X6"
  
  source
  
  API Call
  
  relevance
  
  10/10
- POSTs files to a webserver
  
  details
  
  "POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 209.140.18.37:8080Content-Length: 372Connection: Keep-AliveCache-Control: no-cache" with no payload
  
  source
  
  Network Traffic
  
  relevance
  
  5/10
- Requested access to a system service
  
  details
  
  "<Input Sample>" called "OpenService" to access the "ALG" service
  
  source
  
  API Call
  
  relevance
  
  10/10
Installation/Persistance
- Creates new processes
  
  details
  
  "<Input Sample>" is creating a new process (Name: "C:\41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe", Handle: 156)
  
  source
  
  API Call
  
  relevance
  
  8/10
Network Related
- Found potential IP address in binary/memory
  
  details
  
  "209.140.18.37"
  
  source
  
  String
  
  relevance
  
  3/10
- Uses a User Agent typical for browsers, although no browser was ever launched
  
  details
  
  Found user agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  
  source
  
  Network Traffic
  
  relevance
  
  10/10
System Destruction
- Marks file for deletion
  
  details
  
  "C:\41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe" marked "%WINDIR%\System32\wlanscreen.exe:Zone.Identifier" for deletion
  
  source
  
  API Call
  
  relevance
  
  10/10
- Opens file with deletion access rights
  
  details
  
  "<Input Sample>" opened "C:\41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe" with delete access
  "<Input Sample>" opened "%WINDIR%\system32\wlanscreen.exe:Zone.Identifier" with delete access
  
  source
  
  API Call
  
  relevance
  
  7/10
Unusual Characteristics
- Imports suspicious APIs
  
  details
  
  GetCommandLineA
  
  source
  
  Static Parser
  
  relevance
  
  1/10
- Installs hooks/patches the running process
  
  details
  
  "<Input Sample>" wrote bytes "4053157758581677186a1677653c17770000000000bfb7750000000056ccb775000000007ccab7750000000037683b756a2c1777d62d17770000000020693b750000000029a6b77500000000a48d3b7500000000f70eb77500000000" to virtual address "0x75AE1000" (part of module "NSI.DLL")
  
  source
  
  Hook Detection
  
  relevance
  
  10/10
Hiding 1 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version

Informative 9
Environment Awareness
- Queries volume information
  
  details
  
  "<Input Sample>" queries volume information of "C:\" at 00041110-00003452-0000010C-93851937
  
  source
  
  API Call
  
  relevance
  
  2/10
- Queries volume information of an entire harddrive
  
  details
  
  "<Input Sample>" queries volume information of "C:\" at 00041110-00003452-0000010C-93851937
  
  source
  
  API Call
  
  relevance
  
  8/10
- Reads the registry for installed applications
  
  details
  
  "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\41211EADD2124022E54ACEC029C3E2D8D8C35D191955D5805472F201D0C2BE04.EXE")
  "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\41211EADD2124022E54ACEC029C3E2D8D8C35D191955D5805472F201D0C2BE04.EXE")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
General
- Contains PDB pathways
  
  details
  
  "eeeEEEerrR123\G.pdb"
  
  source
  
  String
  
  relevance
  
  1/10
- Creates mutants
  
  details
  
  "\Sessions\1\BaseNamedObjects\M43A41700"
  "M43A41700"
  "\Sessions\1\BaseNamedObjects\Global\IC477DEE1"
  "\Sessions\1\BaseNamedObjects\Global\MC477DEE1"
  "Global\MC477DEE1"
  "Global\IC477DEE1"
  
  source
  
  Created Mutant
  
  relevance
  
  3/10
- Spawns new processes
  
  details
  
  Spawned process "<Input Sample>" (Show Process)
  
  source
  
  Monitored Target
  
  relevance
  
  3/10
Installation/Persistance
- Connects to LPC ports
  
  details
  
  "<Input Sample>" connecting to "\ThemeApiPort"
  
  source
  
  API Call
  
  relevance
  
  1/10
- Touches files in the Windows directory
  
  details
  
  "<Input Sample>" touched file "%WINDIR%\System32\en-US\setupapi.dll.mui"
  "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
  "<Input Sample>" touched file "%WINDIR%\System32\en-US\shell32.dll.mui"
  "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
  "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
  "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
  "<Input Sample>" touched file "%WINDIR%\System32\rsaenh.dll"
  "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
  "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
  "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
  
  source
  
  API Call
  
  relevance
  
  7/10
System Security
- Opens the Kernel Security Device Driver (KsecDD) of Windows
  
  details
  
  "<Input Sample>" opened "\Device\KsecDD"
  
  source
  
  API Call
  
  relevance
  
  10/10

File Details

All Details:

41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04

Filename: 41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04
Size: 124KiB (126976 bytes)
Type: peexe executable
Description: PE32 executable (GUI) Intel 80386, for MS Windows
Architecture
: WINDOWS
SHA256
: 41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04
MD5
: 2259bead7bd71fcf56aee294fb54f4a8
SHA1
: 306506fdd8e91ca6613d0375de34cc6a04b21482
ssdeep
: 3072:5n4nMn0R4705ars1d13udp7Smm6LauFQ:5n4PzjAdlMc
imphash
: 982febcfd3b5a3e57c4255345c736c84
authentihash
: ab054716b8b68ce00e8eafcae649eb0016ff65c1dde53e5e9693dae282c68a73
PDB Pathway

Resources

Language
: ENGLISH
Icon

Visualization

Input File (PortEx)

Version Info

LegalCopyright: Microsoft Corporation. All rights reserved.
InternalName: qmgrprxy.dll
FileVersion: 7.5.7600.16385 (win7_rtm.090713-1255)
CompanyName: Microsoft Corporation
ProductName: Microsoft Windows Operating System
ProductVersion: 7.5.7600.16385
FileDescription: Background Intelligent Transfer Service Proxy
OriginalFilename: qmgrprxy.dll
Translation: 0x0409 0x04b0

Classification (TrID)

50.0% (.EXE) Generic Win/DOS Executable
49.9% (.EXE) DOS Executable Generic

File Sections

Details	Name	Entropy	Virtual Address	Virtual Size	Raw Size	MD5	Characteristics
Name .text Entropy 7.62372131957 Virtual Address 0x1000 Virtual Size 0x19804 Raw Size 0x1a000 MD5 f08ea68a60f75cf53153fbb5cc9b3bed	.text	7.62372131957	0x1000	0x19804	0x1a000	f08ea68a60f75cf53153fbb5cc9b3bed	-
Name .data Entropy 1.70603270949 Virtual Address 0x1b000 Virtual Size 0x1460 Raw Size 0x1000 MD5 4ca9f56a3bb9f23b6b6d6a63a8d4fa68	.data	1.70603270949	0x1b000	0x1460	0x1000	4ca9f56a3bb9f23b6b6d6a63a8d4fa68	-
Name 6xOsN5y Entropy 1.41873713078 Virtual Address 0x1d000 Virtual Size 0x38a Raw Size 0x1000 MD5 148fa4aab3caf143700afff8d9662017	6xOsN5y	1.41873713078	0x1d000	0x38a	0x1000	148fa4aab3caf143700afff8d9662017	-
Name .rsrc Entropy 1.15102379134 Virtual Address 0x1e000 Virtual Size 0x428 Raw Size 0x1000 MD5 548eb3a6ae1ebcb8a4a6c05c7769568e	.rsrc	1.15102379134	0x1e000	0x428	0x1000	548eb3a6ae1ebcb8a4a6c05c7769568e	-
Name .reloc Entropy 1.21609394289 Virtual Address 0x1f000 Virtual Size 0x20c Raw Size 0x1000 MD5 dc0b795931cab9f30cf39f01632548cb	.reloc	1.21609394289	0x1f000	0x20c	0x1000	dc0b795931cab9f30cf39f01632548cb	-

File Resources

Details	Name	RVA	Size	Type	Language
Name RT_VERSION RVA 0x1e060 Size 0x3c8 Type data Language English	RT_VERSION	0x1e060	0x3c8	data	English

File Imports

GetSidSubAuthority

CreatePolyPolygonRgn

FlsFree

FreeConsole

GetCommandLineA

GetConsoleCP

GetConsoleOutputCP

GetCurrentProcess

GetEnvironmentStrings

GetEnvironmentStringsW

GetProcessHeap

SearchPathA

No API names/ordinals defined for this module import

OleSaveToStream

GetActiveObject

VectorFromBstr

SetupDiGetClassInstallParamsA

No API names/ordinals defined for this module import

GetCursorInfo

GetMessagePos

inet_addr

WSACleanup

Screenshots

Loading content, please wait...

Hybrid Analysis

Tip: Click an analysed process below to view more details.

Analysed 2 processes in total.

Input Sample (PID: 3344) 38/66
- Input Sample (PID: 3452) 38/66 Hash Seen Before

Logged Script Calls	Logged Stdout	Extracted Streams	Memory Dumps
Reduced Monitoring	Network Activityy	Network Error	Multiscan Match

Network Analysis

DNS Requests

No relevant DNS requests were made.

Contacted Hosts

No relevant hosts were contacted.

HTTP Traffic

Endpoint

Request

URL

Data

209.140.18.37:8080

POST

209.140.18.37/

POST / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 209.140.18.37:8080 Content-Length: 372 Connection: Keep-Alive Cache-Control: no-cache More Details

Format

Details

Request

POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 209.140.18.37:8080
Content-Length: 372
Connection: Keep-Alive
Cache-Control: no-cache

R

Raw Hex

     0 : 0A 00 27 00 00 00 0A 00 27 05 56 D5 08 00 45 00 [..'.....'.V...E.]
    10 : 02 C8 02 2B 40 00 80 06 19 9F C0 A8 38 0C D1 8C [...+@.......8...]
    20 : 12 25 F1 88 1F 90 B3 E3 30 1D 78 03 58 9E 50 18 [.%......0.x.X.P.]
    30 : 40 29 8B D0 00 00 50 4F 53 54 20 2F 20 48 54 54 [@)....POST / HTT]
    40 : 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E [P/1.1..User-Agen]
    50 : 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 [t: Mozilla/4.0 (]
    60 : 63 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 [compatible; MSIE]
    70 : 20 37 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54 [ 7.0; Windows NT]
    80 : 20 36 2E 31 3B 20 54 72 69 64 65 6E 74 2F 34 2E [ 6.1; Trident/4.]
    90 : 30 3B 20 53 4C 43 43 32 3B 20 2E 4E 45 54 20 43 [0; SLCC2; .NET C]
    A0 : 4C 52 20 32 2E 30 2E 35 30 37 32 37 3B 20 2E 4E [LR 2.0.50727; .N]
    B0 : 45 54 20 43 4C 52 20 33 2E 35 2E 33 30 37 32 39 [ET CLR 3.5.30729]
    C0 : 3B 20 2E 4E 45 54 20 43 4C 52 20 33 2E 30 2E 33 [; .NET CLR 3.0.3]
    D0 : 30 37 32 39 3B 20 4D 65 64 69 61 20 43 65 6E 74 [0729; Media Cent]
    E0 : 65 72 20 50 43 20 36 2E 30 3B 20 2E 4E 45 54 34 [er PC 6.0; .NET4]
    F0 : 2E 30 43 3B 20 2E 4E 45 54 34 2E 30 45 29 0D 0A [.0C; .NET4.0E)..]
   100 : 48 6F 73 74 3A 20 32 30 39 2E 31 34 30 2E 31 38 [Host: 209.140.18]
   110 : 2E 33 37 3A 38 30 38 30 0D 0A 43 6F 6E 74 65 6E [.37:8080..Conten]
   120 : 74 2D 4C 65 6E 67 74 68 3A 20 33 37 32 0D 0A 43 [t-Length: 372..C]
   130 : 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D [onnection: Keep-]
   140 : 41 6C 69 76 65 0D 0A 43 61 63 68 65 2D 43 6F 6E [Alive..Cache-Con]
   150 : 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A [trol: no-cache..]
   160 : 0D 0A 52 19 9F 1E 04 BE C6 75 E3 5C 2B 84 E3 62 [..R......u.\+..b]
   170 : 5E 55 79 8F 7C DA 0D 59 2E D9 29 17 81 57 7F BD [^Uy.|..Y..)..W..]
   180 : 2F 16 CB 52 BE C6 83 1C 30 11 01 C0 37 A7 0F F8 [/..R....0...7...]
   190 : CC D1 0A 7D 16 AE 22 39 63 A2 68 8A B4 F3 D6 D8 [...}.."9c.h.....]
   1A0 : AF 44 4D A5 D1 4D 03 D3 D1 87 AC 16 A1 51 D8 9C [.DM..M.......Q..]
   1B0 : CA EE DB 7A A4 5D 7A 09 06 80 35 32 81 F5 6E 03 [...z.]z...52..n.]
   1C0 : C6 A6 1F 8E EA 8F 51 3C B2 F4 D4 ED 4C 22 41 2F [......Q<....L"A/]
   1D0 : 01 3C 44 ED CC 06 6D B1 B3 FB 7E 54 A9 A2 6E 97 [.<D...m...~T..n.]
   1E0 : A0 64 FD 7C B2 67 FE 4B 91 4F BA 49 79 AD 41 6C [.d.|.g.K.O.Iy.Al]
   1F0 : 9E 0D BC 24 02 0E 08 F2 74 5E F4 A3 CE 11 B5 6E [...$....t^.....n]
   200 : C7 51 D2 2B C3 0E A7 AE 98 CF C0 A6 33 0E F8 D5 [.Q.+........3...]
   210 : 62 3C 5A F9 8F 3E 76 83 6F 3C EB 46 DD AA AA AB [b<Z..>v.o<.F....]
   220 : 5C 78 67 A4 0B 5E D2 48 8F F3 44 C8 BE 1A 49 44 [\xg..^.H..D...ID]
   230 : 53 C6 B2 E0 19 F5 37 DA 40 7E 6E 98 03 19 F1 2E [S.....7.@~n.....]
   240 : 27 BB AC B3 5A 66 35 CA B5 E7 27 54 7D C2 0C 4E ['...Zf5...'T}..N]
   250 : 45 AF 4B 5E A9 19 B4 76 27 CB 7C E7 45 77 9F AF [E.K^...v'.|.Ew..]
   260 : BE 41 A7 02 CF E5 E5 A3 26 4F 17 5C 1C 8B 71 5D [.A......&O.\..q]]
   270 : 85 D9 D1 2F A7 A8 58 CA 4C 2A 8E 28 A5 36 4E 22 [.../..X.L*.(.6N"]
   280 : 51 AD FE 19 AD 55 7F 59 BA E2 EE 0F B1 29 C6 70 [Q....U.Y.....).p]
   290 : 62 C7 6D 5E 8F E5 5E 67 CD E0 AB 24 87 D6 51 6B [b.m^..^g...$..Qk]
   2A0 : 36 FF 2C 9D C1 0F 28 04 30 6A 47 BF F6 C3 34 98 [6.,...(.0jG...4.]
   2B0 : B6 9C E6 74 18 64 FA 8B DB FD 83 A5 76 19 7D B0 [...t.d......v.}.]
   2C0 : B7 DC BD 6A 2B 5A 10 3F 09 DD 6E 2B D3 29 33 69 [...j+Z.?..n+.)3i]
   2D0 : AA 1A A2 1C D8 7C [.....|]

Suricata Alerts

Event	Category	Description	SID
local -> 209.140.18.37:8080 (TCP)	A Network Trojan was detected	ETPRO TROJAN W32/Emotet.v4 Checkin	2827279
local -> 209.140.18.37:8080 (TCP)	A Network Trojan was detected	ETPRO TROJAN W32/Emotet.v4 Checkin 2	2827580
local -> 209.140.18.37:8080 (TCP)	A Network Trojan was detected	ETPRO TROJAN W32/Emotet.v4 Checkin 3	2828008
local -> 209.140.18.37:8080 (TCP)	Potentially Bad Traffic	ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	2018358

ET rules applied using Suricata. Find out more about proofpoint ET Intelligence here.

Extracted Strings

Download All Memory Strings (3.4KiB)

"slw"n:2^

Ansi based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe.bin)

-w_._.

Ansi based on Image Processing (screen_0.png)

.text

Ansi based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe.bin)

0 0$0,0004080P0T0X0\0`0h0l0p0t0

Ansi based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe.bin)

0____,,

Ansi based on Image Processing (screen_0.png)

0C3#$GGG

Ansi based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe.bin)

1 1$1(1@1D1H1L1P1X1\1`1d1|1

Ansi based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe.bin)

1Xu_<Xu

Ansi based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe , 00040576-00003344.00000000.41080.0013D000.00000002.mdmp)

2024282<2@2H2L2P2T2l2p2t2x2|2

Ansi based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe.bin)

209.140.18.37

Ansi based on PCAP Processing (PCAP)

3 3$3(3,30383<3@3D3\3`3d3h3l3t3x3|3

Ansi based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe.bin)

3%1vva

Ansi based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe.bin)

4 4(4,40444L4P4T4

Ansi based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe.bin)

41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe

Unicode based on Runtime Data (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe )

5E;P>?d?

Ansi based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe.bin)

5U".m]*vZAg

Ansi based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe.bin)

6C13C4D

Unicode based on Runtime Data (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe )

6xOsN5y

Ansi based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe.bin)

7.5.7600.16385

Unicode based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe.bin)

7.5.7600.16385 (win7_rtm.090713-1255)

Unicode based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe.bin)

7Cv#Z

Ansi based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe.bin)

:\:d:p:|:

Ansi based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe.bin)

;x6O'

Ansi based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe.bin)

??????????

Ansi based on Runtime Data (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe )

?????????????

Ansi based on Runtime Data (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe )

????????????????

Ansi based on Runtime Data (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe )

???????_????????

Ansi based on Runtime Data (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe )

@.reloc

Ansi based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe.bin)

@.rsrc

Ansi based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe.bin)

\Sessions\1\Windows\ApiPort

Unicode based on Runtime Data (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe )

\ThemeApiPort

Unicode based on Runtime Data (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe )

_,____L_L,,_,_

Ansi based on Image Processing (screen_0.png)

__,;,

Ansi based on Image Processing (screen_0.png)

__,___V_'___,,_;=L@__,_,,,

Ansi based on Image Processing (screen_0.png)

_____?'?M_L_

Ansi based on Image Processing (screen_0.png)

_________,,

Ansi based on Image Processing (screen_0.png)

__r?m?_?_?___,_q_?_,,m,_??mu_n?__?_v__,,,_,,

Ansi based on Image Processing (screen_0.png)

__yBR

Ansi based on Image Processing (screen_0.png)

_J_m_m,,,

Ansi based on Image Processing (screen_0.png)

`.data

Ansi based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe.bin)

`\??\Volume{8177f4e4-b53f-11e4-a9c2-806e6f6e6963}

Unicode based on Runtime Data (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe )

`\??\Volume{8177f4e5-b53f-11e4-a9c2-806e6f6e6963}

Unicode based on Runtime Data (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe )

ADVAPI32.dll

Ansi based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe.bin)

AlwaysShowExt

Unicode based on Runtime Data (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe )

ANALY5l5

Ansi based on Image Processing (screen_0.png)

Attributes

Unicode based on Runtime Data (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe )

AuthenticodeEnabled

Unicode based on Runtime Data (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe )

AutoCheckSelect

Unicode based on Runtime Data (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe )

Background Intelligent Transfer Service Proxy

Unicode based on Memory/File Scan (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe.bin)

BrowseInPlace

Unicode based on Runtime Data (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe )

CallForAttributes

Unicode based on Runtime Data (41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04.exe )

Extracted Files

No significant files were extracted.

Notifications

Runtime

Added comment to Virus Total report

Community

There are no community comments.

You must be logged in to submit a comment.

41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04

Incident Response

Risk Assessment

Indicators

Malicious Indicators 7

Suspicious Indicators 16

Informative 9

File Details

41211eadd2124022e54acec029c3e2d8d8c35d191955d5805472f201d0c2be04

Resources

Visualization

Version Info

Classification (TrID)

File Sections

File Resources

File Imports

Screenshots

System Resource Monitor

Hybrid Analysis

Network Analysis

DNS Requests

Contacted Hosts

HTTP Traffic

Details for POST to 209.140.18.37:8080

Suricata Alerts

Extracted Strings

Extracted Files

Notifications

Runtime

Community

Latest News

Vetting required

Request Report Deletion

Link