Exes_ba2ff14b_exe.json
  1.  
  2. [*] MalFamily: "Swrort"
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "Exes_ba2ff14b.exe"
  7. [*] File Size: 50688
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. [*] SHA256: "4654852bf3d149436316cc156eb4597124f9dc8befab3c7498527ec6c245fbbe"
  10. [*] MD5: "44474595365adc5747996deb68f41500"
  11. [*] SHA1: "adb8dc2b81d871f32201d3e69df27ca1c76740c5"
  12. [*] SHA512: "3623a0f700d4d05bcab9fca85bc68ca8f44abc045f2b1502c862c818fffcf5dfb2d917feada5de8b3e4a2c657d64b54369df1355fe381d13768e1c079e165932"
  13. [*] CRC32: "BA2FF14B"
  14. [*] SSDEEP: "768:aH87Ji+W2XpikZyxLIWxH0e8FdkzLNK2tZUFbyc/XI/wtjOOZHmk:aH2o+W2Xpi7v0LFdkHNKImZHf"
  15.  
  16. [*] Process Execution: [
  17. "Exes_ba2ff14b.exe"
  18. ]
  19.  
  20. [*] Signatures Detected: [
  21. {
  22. "Description": "Creates RWX (read/write/execute) memory; consistent with the VirtualAlloc/VirtualProtect and VirtualAllocEx/WriteProcessMemory/CreateRemoteThread calls in the Resolved APIs list, and typical of in-memory payload staging or process injection — dump the region to confirm",
  23. "Details": []
  24. },
  25. {
  26. "Description": "HTTP traffic contains suspicious features which may be indicative of malware-related traffic (the ocsp.digicert.com requests listed here carry the Microsoft-CryptoAPI user-agent and are most likely Windows certificate-revocation checks rather than C2; the 31.44.184.33 requests are the ones to treat as indicators)",
  27. "Details": [
  28. {
  29. "ip_hostname": "HTTP connection was made to an IP address rather than a domain name (consistent with the empty DNS Communications list below)"
  30. },
  31. {
  32. "suspicious_request": "http://31.44.184.33/H7mp"
  33. },
  34. {
  35. "suspicious_request": "http://31.44.184.33/__utm.gif"
  36. },
  37. {
  38. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
  39. },
  40. {
  41. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
  42. },
  43. {
  44. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
  45. }
  46. ]
  47. },
  48. {
  49. "Description": "Performs HTTP requests, all over plain HTTP on port 80; see the Network Communication - HTTP section for full headers, user-agents and request counts",
  50. "Details": [
  51. {
  52. "url": "http://31.44.184.33/H7mp"
  53. },
  54. {
  55. "url": "http://31.44.184.33/__utm.gif"
  56. },
  57. {
  58. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
  59. },
  60. {
  61. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
  62. },
  63. {
  64. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
  65. }
  66. ]
  67. },
  68. {
  69. "Description": "File has been identified as malicious by 41 antivirus engines on VirusTotal; several engines name it Swrort or Meterpreter, i.e. a Metasploit-generated payload, which agrees with the IDS signature below",
  70. "Details": [
  71. {
  72. "MicroWorld-eScan": "Trojan.GenericKD.41364169"
  73. },
  74. {
  75. "FireEye": "Generic.mg.44474595365adc57"
  76. },
  77. {
  78. "McAfee": "RDN/Generic.grp"
  79. },
  80. {
  81. "Malwarebytes": "Trojan.Agent"
  82. },
  83. {
  84. "AegisLab": "Trojan.Win32.Swrort.4!c"
  85. },
  86. {
  87. "BitDefender": "Trojan.GenericKD.41364169"
  88. },
  89. {
  90. "K7GW": "Riskware ( 0040eff71 )"
  91. },
  92. {
  93. "K7AntiVirus": "Riskware ( 0040eff71 )"
  94. },
  95. {
  96. "TrendMicro": "TROJ_GEN.R049C0WFC19"
  97. },
  98. {
  99. "Symantec": "Trojan.Gen.MBT"
  100. },
  101. {
  102. "Kaspersky": "Trojan.Win32.Swrort.bdc"
  103. },
  104. {
  105. "Alibaba": "Trojan:Win32/Swrort.1c4993dc"
  106. },
  107. {
  108. "Ad-Aware": "Trojan.GenericKD.41364169"
  109. },
  110. {
  111. "Emsisoft": "Trojan.GenericKD.41364169 (B)"
  112. },
  113. {
  114. "F-Secure": "Trojan.TR/AD.Swrort.lyfhn"
  115. },
  116. {
  117. "DrWeb": "BackDoor.Meterpreter.67"
  118. },
  119. {
  120. "Invincea": "heuristic"
  121. },
  122. {
  123. "McAfee-GW-Edition": "Artemis!Trojan"
  124. },
  125. {
  126. "Sophos": "Mal/Generic-S"
  127. },
  128. {
  129. "Ikarus": "Trojan.SuspectCRC"
  130. },
  131. {
  132. "Endgame": "malicious (high confidence)"
  133. },
  134. {
  135. "Webroot": "W32.Trojan.Gen"
  136. },
  137. {
  138. "Avira": "TR/AD.Swrort.lyfhn"
  139. },
  140. {
  141. "Fortinet": "W32/Swrort.BDC!tr"
  142. },
  143. {
  144. "Arcabit": "Trojan.Generic.D2772AC9"
  145. },
  146. {
  147. "AhnLab-V3": "Malware/Win32.Generic.C3287720"
  148. },
  149. {
  150. "ZoneAlarm": "Trojan.Win32.Swrort.bdc"
  151. },
  152. {
  153. "Microsoft": "Trojan:Win32/Tiggre!plock"
  154. },
  155. {
  156. "ESET-NOD32": "a variant of Generik.IRAGVDS"
  157. },
  158. {
  159. "VBA32": "Trojan.Swrort"
  160. },
  161. {
  162. "ALYac": "Trojan.GenericKD.41364169"
  163. },
  164. {
  165. "Cylance": "Unsafe"
  166. },
  167. {
  168. "Panda": "Trj/GdSda.A"
  169. },
  170. {
  171. "TrendMicro-HouseCall": "TROJ_GEN.R049C0WFC19"
  172. },
  173. {
  174. "Rising": "Ransom.Timer!8.30B6/N3#87% (RDM+:cmRtazogEh4YAkHyEFKO3OzRJxo0)"
  175. },
  176. {
  177. "SentinelOne": "DFI - Suspicious PE"
  178. },
  179. {
  180. "GData": "Trojan.GenericKD.41364169"
  181. },
  182. {
  183. "AVG": "FileRepMalware"
  184. },
  185. {
  186. "Cybereason": "malicious.5365ad"
  187. },
  188. {
  189. "Paloalto": "generic.ml"
  190. },
  191. {
  192. "Qihoo-360": "Win32/Trojan.cac"
  193. }
  194. ]
  195. },
  196. {
  197. "Description": "Created network traffic matching an Emerging Threats (ET) IDS signature associated with Metasploit payload traffic",
  198. "Details": [
  199. {
  200. "signature": "ET TROJAN Possible Metasploit Payload Common Construct Bind_API (from server)"
  201. }
  202. ]
  203. }
  204. ]
  205.  
  206. [*] Started Service: []
  207.  
  208. [*] Executed Commands: []
  209.  
  210. [*] Mutexes: [
  211. "DBWinMutex"
  212. ]
  213.  
  214. [*] Modified Files: []
  215.  
  216. [*] Deleted Files: []
  217.  
  218. [*] Modified Registry Keys: []
  219.  
  220. [*] Deleted Registry Keys: []
  221.  
  222. [*] DNS Communications: []
  223.  
  224. [*] Domains: []
  225.  
  226. [*] Network Communication - ICMP: []
  227.  
  228. [*] Network Communication - HTTP: [
  229. {
  230. "count": 1,
  231. "body": "",
  232. "uri": "http://31.44.184.33/H7mp",
  233. "user-agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3; .NET CLR 2.0.50727)",
  234. "method": "GET",
  235. "host": "31.44.184.33",
  236. "version": "1.1",
  237. "path": "/H7mp",
  238. "data": "GET /H7mp HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3; .NET CLR 2.0.50727)\r\nHost: 31.44.184.33\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
  239. "port": 80
  240. },
  241. {
  242. "count": 29,
  243. "body": "",
  244. "uri": "http://31.44.184.33/__utm.gif",
  245. "user-agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
  246. "method": "GET",
  247. "host": "31.44.184.33",
  248. "version": "1.1",
  249. "path": "/__utm.gif",
  250. "data": "GET /__utm.gif HTTP/1.1\r\nAccept: */*\r\nCookie: VwrNfXWooOzMeo+6dl8g8ocX0eZSY07ZNDazQNOdjiw+BtD43CiZHLiqTFyYC0Z+xbIGGA0fiKmLCTlNYfeu6ucEG39cXY99bzc/DOLkOFOwozk2ooGio8hOHSd11Ny5ZqXIppIoPFWIXGVpdzCqgoK8nrqR74E3oyvP7Asi2XY=\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)\r\nHost: 31.44.184.33\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
  251. "port": 80
  252. },
  253. {
  254. "count": 1,
  255. "body": "",
  256. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
  257. "user-agent": "Microsoft-CryptoAPI/6.1",
  258. "method": "GET",
  259. "host": "ocsp.digicert.com",
  260. "version": "1.1",
  261. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
  262. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D HTTP/1.1\r\nCache-Control: max-age = 150849\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 10:50:30 GMT\r\nIf-None-Match: \"5ced1276-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  263. "port": 80
  264. },
  265. {
  266. "count": 1,
  267. "body": "",
  268. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
  269. "user-agent": "Microsoft-CryptoAPI/6.1",
  270. "method": "GET",
  271. "host": "ocsp.digicert.com",
  272. "version": "1.1",
  273. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
  274. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D HTTP/1.1\r\nCache-Control: max-age = 135176\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 05:30:18 GMT\r\nIf-None-Match: \"5cecc76a-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  275. "port": 80
  276. },
  277. {
  278. "count": 1,
  279. "body": "",
  280. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
  281. "user-agent": "Microsoft-CryptoAPI/6.1",
  282. "method": "GET",
  283. "host": "ocsp.digicert.com",
  284. "version": "1.1",
  285. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
  286. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D HTTP/1.1\r\nCache-Control: max-age = 168744\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 15:00:08 GMT\r\nIf-None-Match: \"5ced4cf8-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  287. "port": 80
  288. }
  289. ]
  290.  
  291. [*] Network Communication - SMTP: []
  292.  
  293. [*] Network Communication - Hosts: []
  294.  
  295. [*] Network Communication - IRC: []
  296.  
  297. [*] Static Analysis: {
  298. "pe": {
  299. "peid_signatures": null,
  300. "imports": [
  301. {
  302. "imports": [
  303. {
  304. "name": "FindResourceW",
  305. "address": "0x408000"
  306. },
  307. {
  308. "name": "OpenProcess",
  309. "address": "0x408004"
  310. },
  311. {
  312. "name": "GetLongPathNameA",
  313. "address": "0x408008"
  314. },
  315. {
  316. "name": "FindResourceA",
  317. "address": "0x40800c"
  318. },
  319. {
  320. "name": "InterlockedCompareExchange",
  321. "address": "0x408010"
  322. },
  323. {
  324. "name": "GetSystemDefaultUILanguage",
  325. "address": "0x408014"
  326. },
  327. {
  328. "name": "GetModuleHandleExW",
  329. "address": "0x408018"
  330. },
  331. {
  332. "name": "GetModuleFileNameW",
  333. "address": "0x40801c"
  334. },
  335. {
  336. "name": "GetTimeFormatW",
  337. "address": "0x408020"
  338. },
  339. {
  340. "name": "TerminateProcess",
  341. "address": "0x408024"
  342. },
  343. {
  344. "name": "GetDriveTypeW",
  345. "address": "0x408028"
  346. },
  347. {
  348. "name": "SetThreadPriority",
  349. "address": "0x40802c"
  350. },
  351. {
  352. "name": "lstrlenW",
  353. "address": "0x408030"
  354. },
  355. {
  356. "name": "GetSystemDirectoryW",
  357. "address": "0x408034"
  358. },
  359. {
  360. "name": "VirtualProtect",
  361. "address": "0x408038"
  362. },
  363. {
  364. "name": "GetShortPathNameA",
  365. "address": "0x40803c"
  366. },
  367. {
  368. "name": "GlobalAddAtomW",
  369. "address": "0x408040"
  370. },
  371. {
  372. "name": "SetFileAttributesA",
  373. "address": "0x408044"
  374. },
  375. {
  376. "name": "LCMapStringA",
  377. "address": "0x408048"
  378. },
  379. {
  380. "name": "SetCurrentDirectoryW",
  381. "address": "0x40804c"
  382. },
  383. {
  384. "name": "SetFilePointerEx",
  385. "address": "0x408050"
  386. },
  387. {
  388. "name": "lstrcpyA",
  389. "address": "0x408054"
  390. },
  391. {
  392. "name": "SystemTimeToTzSpecificLocalTime",
  393. "address": "0x408058"
  394. },
  395. {
  396. "name": "ConvertDefaultLocale",
  397. "address": "0x40805c"
  398. },
  399. {
  400. "name": "VerSetConditionMask",
  401. "address": "0x408060"
  402. },
  403. {
  404. "name": "GetLocalTime",
  405. "address": "0x408064"
  406. },
  407. {
  408. "name": "ExitThread",
  409. "address": "0x408068"
  410. },
  411. {
  412. "name": "SignalObjectAndWait",
  413. "address": "0x40806c"
  414. },
  415. {
  416. "name": "GetPrivateProfileSectionW",
  417. "address": "0x408070"
  418. },
  419. {
  420. "name": "SetLastError",
  421. "address": "0x408074"
  422. },
  423. {
  424. "name": "CloseHandle",
  425. "address": "0x408078"
  426. },
  427. {
  428. "name": "SetThreadExecutionState",
  429. "address": "0x40807c"
  430. },
  431. {
  432. "name": "GetModuleFileNameA",
  433. "address": "0x408080"
  434. },
  435. {
  436. "name": "GlobalAlloc",
  437. "address": "0x408084"
  438. },
  439. {
  440. "name": "FindClose",
  441. "address": "0x408088"
  442. },
  443. {
  444. "name": "AreFileApisANSI",
  445. "address": "0x40808c"
  446. },
  447. {
  448. "name": "lstrcatA",
  449. "address": "0x408090"
  450. },
  451. {
  452. "name": "RemoveDirectoryA",
  453. "address": "0x408094"
  454. },
  455. {
  456. "name": "OpenFileMappingA",
  457. "address": "0x408098"
  458. },
  459. {
  460. "name": "SetNamedPipeHandleState",
  461. "address": "0x40809c"
  462. },
  463. {
  464. "name": "GetDiskFreeSpaceW",
  465. "address": "0x4080a0"
  466. },
  467. {
  468. "name": "PeekNamedPipe",
  469. "address": "0x4080a4"
  470. },
  471. {
  472. "name": "MoveFileW",
  473. "address": "0x4080a8"
  474. },
  475. {
  476. "name": "DeleteFileW",
  477. "address": "0x4080ac"
  478. },
  479. {
  480. "name": "HeapValidate",
  481. "address": "0x4080b0"
  482. },
  483. {
  484. "name": "CreateProcessA",
  485. "address": "0x4080b4"
  486. },
  487. {
  488. "name": "SetErrorMode",
  489. "address": "0x4080b8"
  490. },
  491. {
  492. "name": "IsDBCSLeadByteEx",
  493. "address": "0x4080bc"
  494. },
  495. {
  496. "name": "TlsSetValue",
  497. "address": "0x4080c0"
  498. },
  499. {
  500. "name": "GetSystemTime",
  501. "address": "0x4080c4"
  502. },
  503. {
  504. "name": "GetTempPathW",
  505. "address": "0x4080c8"
  506. },
  507. {
  508. "name": "EnumSystemLocalesA",
  509. "address": "0x4080cc"
  510. },
  511. {
  512. "name": "CreateEventA",
  513. "address": "0x4080d0"
  514. }
  515. ],
  516. "dll": "KERNEL32.dll"
  517. }
  518. ],
  519. "digital_signers": null,
  520. "exported_dll_name": null,
  521. "actual_checksum": "0x0001bb00",
  522. "overlay": null,
  523. "imagebase": "0x00400000",
  524. "reported_checksum": "0x0001bb00",
  525. "icon_hash": null,
  526. "entrypoint": "0x004016eb",
  527. "timestamp": "2019-01-22 04:33:56",
  528. "osversion": "4.0",
  529. "sections": [
  530. {
  531. "name": ".text",
  532. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  533. "virtual_address": "0x00001000",
  534. "size_of_data": "0x00007000",
  535. "entropy": "5.59",
  536. "raw_address": "0x00000400",
  537. "virtual_size": "0x00006ff8",
  538. "characteristics_raw": "0x60000020"
  539. },
  540. {
  541. "name": ".rdata",
  542. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  543. "virtual_address": "0x00008000",
  544. "size_of_data": "0x00000800",
  545. "entropy": "4.11",
  546. "raw_address": "0x00007400",
  547. "virtual_size": "0x00000796",
  548. "characteristics_raw": "0x40000040"
  549. },
  550. {
  551. "name": ".data",
  552. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  553. "virtual_address": "0x00009000",
  554. "size_of_data": "0x00001a00",
  555. "entropy": "0.97",
  556. "raw_address": "0x00007c00",
  557. "virtual_size": "0x00002d60",
  558. "characteristics_raw": "0xc0000040"
  559. },
  560. {
  561. "name": ".rsrc",
  562. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  563. "virtual_address": "0x0000c000",
  564. "size_of_data": "0x00003000",
  565. "entropy": "3.99",
  566. "raw_address": "0x00009600",
  567. "virtual_size": "0x00003000",
  568. "characteristics_raw": "0x40000040"
  569. }
  570. ],
  571. "resources": [],
  572. "dirents": [
  573. {
  574. "virtual_address": "0x00002f10",
  575. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  576. "size": "0x0000049c"
  577. },
  578. {
  579. "virtual_address": "0x0000829c",
  580. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  581. "size": "0x00000028"
  582. },
  583. {
  584. "virtual_address": "0x0000c000",
  585. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  586. "size": "0x00002bbc"
  587. },
  588. {
  589. "virtual_address": "0x00000000",
  590. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  591. "size": "0x00000000"
  592. },
  593. {
  594. "virtual_address": "0x00000000",
  595. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  596. "size": "0x00000000"
  597. },
  598. {
  599. "virtual_address": "0x00000000",
  600. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  601. "size": "0x00000000"
  602. },
  603. {
  604. "virtual_address": "0x00000000",
  605. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  606. "size": "0x00000000"
  607. },
  608. {
  609. "virtual_address": "0x00000000",
  610. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  611. "size": "0x00000000"
  612. },
  613. {
  614. "virtual_address": "0x00000000",
  615. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  616. "size": "0x00000000"
  617. },
  618. {
  619. "virtual_address": "0x00000000",
  620. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  621. "size": "0x00000000"
  622. },
  623. {
  624. "virtual_address": "0x00000000",
  625. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  626. "size": "0x00000000"
  627. },
  628. {
  629. "virtual_address": "0x00000000",
  630. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  631. "size": "0x00000000"
  632. },
  633. {
  634. "virtual_address": "0x00008000",
  635. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  636. "size": "0x000000d8"
  637. },
  638. {
  639. "virtual_address": "0x00000000",
  640. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  641. "size": "0x00000000"
  642. },
  643. {
  644. "virtual_address": "0x00000000",
  645. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  646. "size": "0x00000000"
  647. },
  648. {
  649. "virtual_address": "0x00000000",
  650. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  651. "size": "0x00000000"
  652. }
  653. ],
  654. "exports": [],
  655. "guest_signers": {},
  656. "imphash": "e34faf9923d8ad1d448278b4e46f05f4",
  657. "icon_fuzzy": null,
  658. "icon": null,
  659. "pdbpath": null,
  660. "imported_dll_count": 1,
  661. "versioninfo": []
  662. }
  663. }
  664.  
  665. [*] Resolved APIs: [
  666. "kernel32.dll.GetModuleHandleA",
  667. "kernel32.dll.LoadLibraryA",
  668. "kernel32.dll.VirtualAlloc",
  669. "kernel32.dll.VirtualFree",
  670. "kernel32.dll.OutputDebugStringA",
  671. "ntdll.dll._stricmp",
  672. "ntdll.dll.memset",
  673. "ntdll.dll.memcpy",
  674. "kernel32.dll.CreateThread",
  675. "kernel32.dll.DeleteCriticalSection",
  676. "kernel32.dll.EnterCriticalSection",
  677. "kernel32.dll.FreeLibrary",
  678. "kernel32.dll.GetCurrentProcess",
  679. "kernel32.dll.GetCurrentProcessId",
  680. "kernel32.dll.GetCurrentThreadId",
  681. "kernel32.dll.GetLastError",
  682. "kernel32.dll.GetProcAddress",
  683. "kernel32.dll.GetStartupInfoA",
  684. "kernel32.dll.GetSystemTimeAsFileTime",
  685. "kernel32.dll.GetTickCount",
  686. "kernel32.dll.InitializeCriticalSection",
  687. "kernel32.dll.LeaveCriticalSection",
  688. "kernel32.dll.LoadLibraryW",
  689. "kernel32.dll.QueryPerformanceCounter",
  690. "kernel32.dll.SetUnhandledExceptionFilter",
  691. "kernel32.dll.Sleep",
  692. "kernel32.dll.TerminateProcess",
  693. "kernel32.dll.TlsGetValue",
  694. "kernel32.dll.UnhandledExceptionFilter",
  695. "kernel32.dll.VirtualProtect",
  696. "kernel32.dll.VirtualQuery",
  697. "msvcrt.dll.__dllonexit",
  698. "msvcrt.dll.__getmainargs",
  699. "msvcrt.dll.__initenv",
  700. "msvcrt.dll.__lconv_init",
  701. "msvcrt.dll.__set_app_type",
  702. "msvcrt.dll.__setusermatherr",
  703. "msvcrt.dll._acmdln",
  704. "msvcrt.dll._amsg_exit",
  705. "msvcrt.dll._cexit",
  706. "msvcrt.dll._fmode",
  707. "msvcrt.dll._initterm",
  708. "msvcrt.dll._iob",
  709. "msvcrt.dll._lock",
  710. "msvcrt.dll._onexit",
  711. "msvcrt.dll._unlock",
  712. "msvcrt.dll._winmajor",
  713. "msvcrt.dll.abort",
  714. "msvcrt.dll.calloc",
  715. "msvcrt.dll.exit",
  716. "msvcrt.dll.fprintf",
  717. "msvcrt.dll.free",
  718. "msvcrt.dll.fwrite",
  719. "msvcrt.dll.malloc",
  720. "msvcrt.dll.memcpy",
  721. "msvcrt.dll.signal",
  722. "msvcrt.dll.strlen",
  723. "msvcrt.dll.strncmp",
  724. "msvcrt.dll.vfprintf",
  725. "rasapi32.dll.RasConnectionNotificationW",
  726. "sechost.dll.NotifyServiceStatusChangeA",
  727. "cryptbase.dll.SystemFunction036",
  728. "kernel32.dll.UpdateProcThreadAttribute",
  729. "kernel32.dll.HeapFree",
  730. "kernel32.dll.GetProcessHeap",
  731. "kernel32.dll.CreateRemoteThread",
  732. "kernel32.dll.VirtualProtectEx",
  733. "kernel32.dll.VirtualAllocEx",
  734. "kernel32.dll.ProcessIdToSessionId",
  735. "kernel32.dll.DuplicateHandle",
  736. "kernel32.dll.InitializeProcThreadAttributeList",
  737. "kernel32.dll.WriteProcessMemory",
  738. "kernel32.dll.GetThreadContext",
  739. "kernel32.dll.SetThreadContext",
  740. "kernel32.dll.Thread32First",
  741. "kernel32.dll.Thread32Next",
  742. "kernel32.dll.SetLastError",
  743. "kernel32.dll.OpenThread",
  744. "kernel32.dll.CreateToolhelp32Snapshot",
  745. "kernel32.dll.GetVersionExA",
  746. "kernel32.dll.SuspendThread",
  747. "kernel32.dll.ResumeThread",
  748. "kernel32.dll.PeekNamedPipe",
  749. "kernel32.dll.WaitNamedPipeA",
  750. "kernel32.dll.SetNamedPipeHandleState",
  751. "kernel32.dll.LocalAlloc",
  752. "kernel32.dll.LocalFree",
  753. "kernel32.dll.GetComputerNameA",
  754. "kernel32.dll.Process32First",
  755. "kernel32.dll.HeapAlloc",
  756. "kernel32.dll.ExitProcess",
  757. "kernel32.dll.DeleteProcThreadAttributeList",
  758. "kernel32.dll.FindNextFileA",
  759. "kernel32.dll.MoveFileA",
  760. "kernel32.dll.FindClose",
  761. "kernel32.dll.CopyFileA",
  762. "kernel32.dll.FindFirstFileA",
  763. "kernel32.dll.FileTimeToSystemTime",
  764. "kernel32.dll.GetFileAttributesA",
  765. "kernel32.dll.ExpandEnvironmentStringsA",
  766. "kernel32.dll.GetLogicalDrives",
  767. "kernel32.dll.SystemTimeToTzSpecificLocalTime",
  768. "kernel32.dll.GetFullPathNameA",
  769. "kernel32.dll.CreateNamedPipeA",
  770. "kernel32.dll.ReadFile",
  771. "kernel32.dll.GetCurrentThread",
  772. "kernel32.dll.ConnectNamedPipe",
  773. "kernel32.dll.CloseHandle",
  774. "kernel32.dll.GetFileTime",
  775. "kernel32.dll.GetCurrentDirectoryA",
  776. "kernel32.dll.CreatePipe",
  777. "kernel32.dll.GetCurrentDirectoryW",
  778. "kernel32.dll.SetCurrentDirectoryA",
  779. "kernel32.dll.FlushFileBuffers",
  780. "kernel32.dll.DisconnectNamedPipe",
  781. "kernel32.dll.MultiByteToWideChar",
  782. "kernel32.dll.CreateProcessA",
  783. "kernel32.dll.OpenProcess",
  784. "kernel32.dll.WriteFile",
  785. "kernel32.dll.SetFileTime",
  786. "kernel32.dll.WaitForSingleObject",
  787. "kernel32.dll.SetEnvironmentVariableW",
  788. "kernel32.dll.CreateFileA",
  789. "kernel32.dll.SetEnvironmentVariableA",
  790. "kernel32.dll.CompareStringW",
  791. "kernel32.dll.CompareStringA",
  792. "kernel32.dll.SetEndOfFile",
  793. "kernel32.dll.GetStringTypeW",
  794. "kernel32.dll.GetStringTypeA",
  795. "kernel32.dll.LCMapStringW",
  796. "kernel32.dll.LCMapStringA",
  797. "kernel32.dll.GetModuleFileNameW",
  798. "kernel32.dll.SetStdHandle",
  799. "kernel32.dll.WriteConsoleW",
  800. "kernel32.dll.GetConsoleOutputCP",
  801. "kernel32.dll.WriteConsoleA",
  802. "kernel32.dll.GetLocaleInfoA",
  803. "kernel32.dll.HeapSize",
  804. "kernel32.dll.IsValidCodePage",
  805. "kernel32.dll.GetCPInfo",
  806. "kernel32.dll.DebugBreak",
  807. "kernel32.dll.RaiseException",
  808. "kernel32.dll.GetEnvironmentStringsW",
  809. "kernel32.dll.FreeEnvironmentStringsW",
  810. "kernel32.dll.GetOEMCP",
  811. "kernel32.dll.GetLocalTime",
  812. "kernel32.dll.GetACP",
  813. "kernel32.dll.Process32Next",
  814. "kernel32.dll.GetEnvironmentStrings",
  815. "kernel32.dll.FreeEnvironmentStringsA",
  816. "kernel32.dll.SetFilePointer",
  817. "kernel32.dll.GetFileType",
  818. "kernel32.dll.GetModuleHandleW",
  819. "kernel32.dll.DeleteFileA",
  820. "kernel32.dll.CreateDirectoryA",
  821. "kernel32.dll.RemoveDirectoryA",
  822. "kernel32.dll.GetCommandLineA",
  823. "kernel32.dll.IsDebuggerPresent",
  824. "kernel32.dll.HeapCreate",
  825. "kernel32.dll.HeapDestroy",
  826. "kernel32.dll.HeapReAlloc",
  827. "kernel32.dll.GetStdHandle",
  828. "kernel32.dll.GetModuleFileNameA",
  829. "kernel32.dll.TlsAlloc",
  830. "kernel32.dll.TlsSetValue",
  831. "kernel32.dll.TlsFree",
  832. "kernel32.dll.InterlockedIncrement",
  833. "kernel32.dll.InterlockedDecrement",
  834. "kernel32.dll.InitializeCriticalSectionAndSpinCount",
  835. "kernel32.dll.RtlUnwind",
  836. "kernel32.dll.WideCharToMultiByte",
  837. "kernel32.dll.GetConsoleCP",
  838. "kernel32.dll.GetConsoleMode",
  839. "kernel32.dll.SetHandleCount",
  840. "advapi32.dll.RegEnumValueA"
  841. ]
  842.  
  843. [*] Static Analysis (verbatim repeat of the Static Analysis block above): {
  844. "pe": {
  845. "peid_signatures": null,
  846. "imports": [
  847. {
  848. "imports": [
  849. {
  850. "name": "FindResourceW",
  851. "address": "0x408000"
  852. },
  853. {
  854. "name": "OpenProcess",
  855. "address": "0x408004"
  856. },
  857. {
  858. "name": "GetLongPathNameA",
  859. "address": "0x408008"
  860. },
  861. {
  862. "name": "FindResourceA",
  863. "address": "0x40800c"
  864. },
  865. {
  866. "name": "InterlockedCompareExchange",
  867. "address": "0x408010"
  868. },
  869. {
  870. "name": "GetSystemDefaultUILanguage",
  871. "address": "0x408014"
  872. },
  873. {
  874. "name": "GetModuleHandleExW",
  875. "address": "0x408018"
  876. },
  877. {
  878. "name": "GetModuleFileNameW",
  879. "address": "0x40801c"
  880. },
  881. {
  882. "name": "GetTimeFormatW",
  883. "address": "0x408020"
  884. },
  885. {
  886. "name": "TerminateProcess",
  887. "address": "0x408024"
  888. },
  889. {
  890. "name": "GetDriveTypeW",
  891. "address": "0x408028"
  892. },
  893. {
  894. "name": "SetThreadPriority",
  895. "address": "0x40802c"
  896. },
  897. {
  898. "name": "lstrlenW",
  899. "address": "0x408030"
  900. },
  901. {
  902. "name": "GetSystemDirectoryW",
  903. "address": "0x408034"
  904. },
  905. {
  906. "name": "VirtualProtect",
  907. "address": "0x408038"
  908. },
  909. {
  910. "name": "GetShortPathNameA",
  911. "address": "0x40803c"
  912. },
  913. {
  914. "name": "GlobalAddAtomW",
  915. "address": "0x408040"
  916. },
  917. {
  918. "name": "SetFileAttributesA",
  919. "address": "0x408044"
  920. },
  921. {
  922. "name": "LCMapStringA",
  923. "address": "0x408048"
  924. },
  925. {
  926. "name": "SetCurrentDirectoryW",
  927. "address": "0x40804c"
  928. },
  929. {
  930. "name": "SetFilePointerEx",
  931. "address": "0x408050"
  932. },
  933. {
  934. "name": "lstrcpyA",
  935. "address": "0x408054"
  936. },
  937. {
  938. "name": "SystemTimeToTzSpecificLocalTime",
  939. "address": "0x408058"
  940. },
  941. {
  942. "name": "ConvertDefaultLocale",
  943. "address": "0x40805c"
  944. },
  945. {
  946. "name": "VerSetConditionMask",
  947. "address": "0x408060"
  948. },
  949. {
  950. "name": "GetLocalTime",
  951. "address": "0x408064"
  952. },
  953. {
  954. "name": "ExitThread",
  955. "address": "0x408068"
  956. },
  957. {
  958. "name": "SignalObjectAndWait",
  959. "address": "0x40806c"
  960. },
  961. {
  962. "name": "GetPrivateProfileSectionW",
  963. "address": "0x408070"
  964. },
  965. {
  966. "name": "SetLastError",
  967. "address": "0x408074"
  968. },
  969. {
  970. "name": "CloseHandle",
  971. "address": "0x408078"
  972. },
  973. {
  974. "name": "SetThreadExecutionState",
  975. "address": "0x40807c"
  976. },
  977. {
  978. "name": "GetModuleFileNameA",
  979. "address": "0x408080"
  980. },
  981. {
  982. "name": "GlobalAlloc",
  983. "address": "0x408084"
  984. },
  985. {
  986. "name": "FindClose",
  987. "address": "0x408088"
  988. },
  989. {
  990. "name": "AreFileApisANSI",
  991. "address": "0x40808c"
  992. },
  993. {
  994. "name": "lstrcatA",
  995. "address": "0x408090"
  996. },
  997. {
  998. "name": "RemoveDirectoryA",
  999. "address": "0x408094"
  1000. },
  1001. {
  1002. "name": "OpenFileMappingA",
  1003. "address": "0x408098"
  1004. },
  1005. {
  1006. "name": "SetNamedPipeHandleState",
  1007. "address": "0x40809c"
  1008. },
  1009. {
  1010. "name": "GetDiskFreeSpaceW",
  1011. "address": "0x4080a0"
  1012. },
  1013. {
  1014. "name": "PeekNamedPipe",
  1015. "address": "0x4080a4"
  1016. },
  1017. {
  1018. "name": "MoveFileW",
  1019. "address": "0x4080a8"
  1020. },
  1021. {
  1022. "name": "DeleteFileW",
  1023. "address": "0x4080ac"
  1024. },
  1025. {
  1026. "name": "HeapValidate",
  1027. "address": "0x4080b0"
  1028. },
  1029. {
  1030. "name": "CreateProcessA",
  1031. "address": "0x4080b4"
  1032. },
  1033. {
  1034. "name": "SetErrorMode",
  1035. "address": "0x4080b8"
  1036. },
  1037. {
  1038. "name": "IsDBCSLeadByteEx",
  1039. "address": "0x4080bc"
  1040. },
  1041. {
  1042. "name": "TlsSetValue",
  1043. "address": "0x4080c0"
  1044. },
  1045. {
  1046. "name": "GetSystemTime",
  1047. "address": "0x4080c4"
  1048. },
  1049. {
  1050. "name": "GetTempPathW",
  1051. "address": "0x4080c8"
  1052. },
  1053. {
  1054. "name": "EnumSystemLocalesA",
  1055. "address": "0x4080cc"
  1056. },
  1057. {
  1058. "name": "CreateEventA",
  1059. "address": "0x4080d0"
  1060. }
  1061. ],
  1062. "dll": "KERNEL32.dll"
  1063. }
  1064. ],
  1065. "digital_signers": null,
  1066. "exported_dll_name": null,
  1067. "actual_checksum": "0x0001bb00",
  1068. "overlay": null,
  1069. "imagebase": "0x00400000",
  1070. "reported_checksum": "0x0001bb00",
  1071. "icon_hash": null,
  1072. "entrypoint": "0x004016eb",
  1073. "timestamp": "2019-01-22 04:33:56",
  1074. "osversion": "4.0",
  1075. "sections": [
  1076. {
  1077. "name": ".text",
  1078. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1079. "virtual_address": "0x00001000",
  1080. "size_of_data": "0x00007000",
  1081. "entropy": "5.59",
  1082. "raw_address": "0x00000400",
  1083. "virtual_size": "0x00006ff8",
  1084. "characteristics_raw": "0x60000020"
  1085. },
  1086. {
  1087. "name": ".rdata",
  1088. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1089. "virtual_address": "0x00008000",
  1090. "size_of_data": "0x00000800",
  1091. "entropy": "4.11",
  1092. "raw_address": "0x00007400",
  1093. "virtual_size": "0x00000796",
  1094. "characteristics_raw": "0x40000040"
  1095. },
  1096. {
  1097. "name": ".data",
  1098. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1099. "virtual_address": "0x00009000",
  1100. "size_of_data": "0x00001a00",
  1101. "entropy": "0.97",
  1102. "raw_address": "0x00007c00",
  1103. "virtual_size": "0x00002d60",
  1104. "characteristics_raw": "0xc0000040"
  1105. },
  1106. {
  1107. "name": ".rsrc",
  1108. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1109. "virtual_address": "0x0000c000",
  1110. "size_of_data": "0x00003000",
  1111. "entropy": "3.99",
  1112. "raw_address": "0x00009600",
  1113. "virtual_size": "0x00003000",
  1114. "characteristics_raw": "0x40000040"
  1115. }
  1116. ],
  1117. "resources": [],
  1118. "dirents": [
  1119. {
  1120. "virtual_address": "0x00002f10",
  1121. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1122. "size": "0x0000049c"
  1123. },
  1124. {
  1125. "virtual_address": "0x0000829c",
  1126. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1127. "size": "0x00000028"
  1128. },
  1129. {
  1130. "virtual_address": "0x0000c000",
  1131. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1132. "size": "0x00002bbc"
  1133. },
  1134. {
  1135. "virtual_address": "0x00000000",
  1136. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1137. "size": "0x00000000"
  1138. },
  1139. {
  1140. "virtual_address": "0x00000000",
  1141. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1142. "size": "0x00000000"
  1143. },
  1144. {
  1145. "virtual_address": "0x00000000",
  1146. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1147. "size": "0x00000000"
  1148. },
  1149. {
  1150. "virtual_address": "0x00000000",
  1151. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1152. "size": "0x00000000"
  1153. },
  1154. {
  1155. "virtual_address": "0x00000000",
  1156. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1157. "size": "0x00000000"
  1158. },
  1159. {
  1160. "virtual_address": "0x00000000",
  1161. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1162. "size": "0x00000000"
  1163. },
  1164. {
  1165. "virtual_address": "0x00000000",
  1166. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1167. "size": "0x00000000"
  1168. },
  1169. {
  1170. "virtual_address": "0x00000000",
  1171. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1172. "size": "0x00000000"
  1173. },
  1174. {
  1175. "virtual_address": "0x00000000",
  1176. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1177. "size": "0x00000000"
  1178. },
  1179. {
  1180. "virtual_address": "0x00008000",
  1181. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1182. "size": "0x000000d8"
  1183. },
  1184. {
  1185. "virtual_address": "0x00000000",
  1186. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1187. "size": "0x00000000"
  1188. },
  1189. {
  1190. "virtual_address": "0x00000000",
  1191. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1192. "size": "0x00000000"
  1193. },
  1194. {
  1195. "virtual_address": "0x00000000",
  1196. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1197. "size": "0x00000000"
  1198. }
  1199. ],
  1200. "exports": [],
  1201. "guest_signers": {},
  1202. "imphash": "e34faf9923d8ad1d448278b4e46f05f4",
  1203. "icon_fuzzy": null,
  1204. "icon": null,
  1205. "pdbpath": null,
  1206. "imported_dll_count": 1,
  1207. "versioninfo": []
  1208. }
  1209. }