- [*] MalFamily: "Swrort"
- [*] MalScore: 10.0
- [*] File Name: "Exes_ba2ff14b.exe"
- [*] File Size: 50688
- [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- [*] SHA256: "4654852bf3d149436316cc156eb4597124f9dc8befab3c7498527ec6c245fbbe"
- [*] MD5: "44474595365adc5747996deb68f41500"
- [*] SHA1: "adb8dc2b81d871f32201d3e69df27ca1c76740c5"
- [*] SHA512: "3623a0f700d4d05bcab9fca85bc68ca8f44abc045f2b1502c862c818fffcf5dfb2d917feada5de8b3e4a2c657d64b54369df1355fe381d13768e1c079e165932"
- [*] CRC32: "BA2FF14B"
- [*] SSDEEP: "768:aH87Ji+W2XpikZyxLIWxH0e8FdkzLNK2tZUFbyc/XI/wtjOOZHmk:aH2o+W2Xpi7v0LFdkHNKImZHf"
- [*] Process Execution: [
- "Exes_ba2ff14b.exe"
- ]
- [*] Signatures Detected: [
- {
- "Description": "Creates RWX memory",
- "Details": []
- },
- {
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details": [
- {
- "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
- },
- {
- "suspicious_request": "http://31.44.184.33/H7mp"
- },
- {
- "suspicious_request": "http://31.44.184.33/__utm.gif"
- },
- {
- "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
- },
- {
- "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
- },
- {
- "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
- }
- ]
- },
- {
- "Description": "Performs some HTTP requests",
- "Details": [
- {
- "url": "http://31.44.184.33/H7mp"
- },
- {
- "url": "http://31.44.184.33/__utm.gif"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
- }
- ]
- },
- {
- "Description": "File has been identified by 41 Antiviruses on VirusTotal as malicious",
- "Details": [
- {
- "MicroWorld-eScan": "Trojan.GenericKD.41364169"
- },
- {
- "FireEye": "Generic.mg.44474595365adc57"
- },
- {
- "McAfee": "RDN/Generic.grp"
- },
- {
- "Malwarebytes": "Trojan.Agent"
- },
- {
- "AegisLab": "Trojan.Win32.Swrort.4!c"
- },
- {
- "BitDefender": "Trojan.GenericKD.41364169"
- },
- {
- "K7GW": "Riskware ( 0040eff71 )"
- },
- {
- "K7AntiVirus": "Riskware ( 0040eff71 )"
- },
- {
- "TrendMicro": "TROJ_GEN.R049C0WFC19"
- },
- {
- "Symantec": "Trojan.Gen.MBT"
- },
- {
- "Kaspersky": "Trojan.Win32.Swrort.bdc"
- },
- {
- "Alibaba": "Trojan:Win32/Swrort.1c4993dc"
- },
- {
- "Ad-Aware": "Trojan.GenericKD.41364169"
- },
- {
- "Emsisoft": "Trojan.GenericKD.41364169 (B)"
- },
- {
- "F-Secure": "Trojan.TR/AD.Swrort.lyfhn"
- },
- {
- "DrWeb": "BackDoor.Meterpreter.67"
- },
- {
- "Invincea": "heuristic"
- },
- {
- "McAfee-GW-Edition": "Artemis!Trojan"
- },
- {
- "Sophos": "Mal/Generic-S"
- },
- {
- "Ikarus": "Trojan.SuspectCRC"
- },
- {
- "Endgame": "malicious (high confidence)"
- },
- {
- "Webroot": "W32.Trojan.Gen"
- },
- {
- "Avira": "TR/AD.Swrort.lyfhn"
- },
- {
- "Fortinet": "W32/Swrort.BDC!tr"
- },
- {
- "Arcabit": "Trojan.Generic.D2772AC9"
- },
- {
- "AhnLab-V3": "Malware/Win32.Generic.C3287720"
- },
- {
- "ZoneAlarm": "Trojan.Win32.Swrort.bdc"
- },
- {
- "Microsoft": "Trojan:Win32/Tiggre!plock"
- },
- {
- "ESET-NOD32": "a variant of Generik.IRAGVDS"
- },
- {
- "VBA32": "Trojan.Swrort"
- },
- {
- "ALYac": "Trojan.GenericKD.41364169"
- },
- {
- "Cylance": "Unsafe"
- },
- {
- "Panda": "Trj/GdSda.A"
- },
- {
- "TrendMicro-HouseCall": "TROJ_GEN.R049C0WFC19"
- },
- {
- "Rising": "Ransom.Timer!8.30B6/N3#87% (RDM+:cmRtazogEh4YAkHyEFKO3OzRJxo0)"
- },
- {
- "SentinelOne": "DFI - Suspicious PE"
- },
- {
- "GData": "Trojan.GenericKD.41364169"
- },
- {
- "AVG": "FileRepMalware"
- },
- {
- "Cybereason": "malicious.5365ad"
- },
- {
- "Paloalto": "generic.ml"
- },
- {
- "Qihoo-360": "Win32/Trojan.cac"
- }
- ]
- },
- {
- "Description": "Created network traffic indicative of malicious activity",
- "Details": [
- {
- "signature": "ET TROJAN Possible Metasploit Payload Common Construct Bind_API (from server)"
- }
- ]
- }
- ]
- [*] Started Service: []
- [*] Executed Commands: []
- [*] Mutexes: [
- "DBWinMutex"
- ]
- [*] Modified Files: []
- [*] Deleted Files: []
- [*] Modified Registry Keys: []
- [*] Deleted Registry Keys: []
- [*] DNS Communications: []
- [*] Domains: []
- [*] Network Communication - ICMP: []
- [*] Network Communication - HTTP: [
- {
- "count": 1,
- "body": "",
- "uri": "http://31.44.184.33/H7mp",
- "user-agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3; .NET CLR 2.0.50727)",
- "method": "GET",
- "host": "31.44.184.33",
- "version": "1.1",
- "path": "/H7mp",
- "data": "GET /H7mp HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3; .NET CLR 2.0.50727)\r\nHost: 31.44.184.33\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
- "port": 80
- },
- {
- "count": 29,
- "body": "",
- "uri": "http://31.44.184.33/__utm.gif",
- "user-agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
- "method": "GET",
- "host": "31.44.184.33",
- "version": "1.1",
- "path": "/__utm.gif",
- "data": "GET /__utm.gif HTTP/1.1\r\nAccept: */*\r\nCookie: VwrNfXWooOzMeo+6dl8g8ocX0eZSY07ZNDazQNOdjiw+BtD43CiZHLiqTFyYC0Z+xbIGGA0fiKmLCTlNYfeu6ucEG39cXY99bzc/DOLkOFOwozk2ooGio8hOHSd11Ny5ZqXIppIoPFWIXGVpdzCqgoK8nrqR74E3oyvP7Asi2XY=\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)\r\nHost: 31.44.184.33\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D HTTP/1.1\r\nCache-Control: max-age = 150849\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 10:50:30 GMT\r\nIf-None-Match: \"5ced1276-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D HTTP/1.1\r\nCache-Control: max-age = 135176\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 05:30:18 GMT\r\nIf-None-Match: \"5cecc76a-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D HTTP/1.1\r\nCache-Control: max-age = 168744\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 15:00:08 GMT\r\nIf-None-Match: \"5ced4cf8-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- }
- ]
- [*] Network Communication - SMTP: []
- [*] Network Communication - Hosts: []
- [*] Network Communication - IRC: []
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "FindResourceW",
- "address": "0x408000"
- },
- {
- "name": "OpenProcess",
- "address": "0x408004"
- },
- {
- "name": "GetLongPathNameA",
- "address": "0x408008"
- },
- {
- "name": "FindResourceA",
- "address": "0x40800c"
- },
- {
- "name": "InterlockedCompareExchange",
- "address": "0x408010"
- },
- {
- "name": "GetSystemDefaultUILanguage",
- "address": "0x408014"
- },
- {
- "name": "GetModuleHandleExW",
- "address": "0x408018"
- },
- {
- "name": "GetModuleFileNameW",
- "address": "0x40801c"
- },
- {
- "name": "GetTimeFormatW",
- "address": "0x408020"
- },
- {
- "name": "TerminateProcess",
- "address": "0x408024"
- },
- {
- "name": "GetDriveTypeW",
- "address": "0x408028"
- },
- {
- "name": "SetThreadPriority",
- "address": "0x40802c"
- },
- {
- "name": "lstrlenW",
- "address": "0x408030"
- },
- {
- "name": "GetSystemDirectoryW",
- "address": "0x408034"
- },
- {
- "name": "VirtualProtect",
- "address": "0x408038"
- },
- {
- "name": "GetShortPathNameA",
- "address": "0x40803c"
- },
- {
- "name": "GlobalAddAtomW",
- "address": "0x408040"
- },
- {
- "name": "SetFileAttributesA",
- "address": "0x408044"
- },
- {
- "name": "LCMapStringA",
- "address": "0x408048"
- },
- {
- "name": "SetCurrentDirectoryW",
- "address": "0x40804c"
- },
- {
- "name": "SetFilePointerEx",
- "address": "0x408050"
- },
- {
- "name": "lstrcpyA",
- "address": "0x408054"
- },
- {
- "name": "SystemTimeToTzSpecificLocalTime",
- "address": "0x408058"
- },
- {
- "name": "ConvertDefaultLocale",
- "address": "0x40805c"
- },
- {
- "name": "VerSetConditionMask",
- "address": "0x408060"
- },
- {
- "name": "GetLocalTime",
- "address": "0x408064"
- },
- {
- "name": "ExitThread",
- "address": "0x408068"
- },
- {
- "name": "SignalObjectAndWait",
- "address": "0x40806c"
- },
- {
- "name": "GetPrivateProfileSectionW",
- "address": "0x408070"
- },
- {
- "name": "SetLastError",
- "address": "0x408074"
- },
- {
- "name": "CloseHandle",
- "address": "0x408078"
- },
- {
- "name": "SetThreadExecutionState",
- "address": "0x40807c"
- },
- {
- "name": "GetModuleFileNameA",
- "address": "0x408080"
- },
- {
- "name": "GlobalAlloc",
- "address": "0x408084"
- },
- {
- "name": "FindClose",
- "address": "0x408088"
- },
- {
- "name": "AreFileApisANSI",
- "address": "0x40808c"
- },
- {
- "name": "lstrcatA",
- "address": "0x408090"
- },
- {
- "name": "RemoveDirectoryA",
- "address": "0x408094"
- },
- {
- "name": "OpenFileMappingA",
- "address": "0x408098"
- },
- {
- "name": "SetNamedPipeHandleState",
- "address": "0x40809c"
- },
- {
- "name": "GetDiskFreeSpaceW",
- "address": "0x4080a0"
- },
- {
- "name": "PeekNamedPipe",
- "address": "0x4080a4"
- },
- {
- "name": "MoveFileW",
- "address": "0x4080a8"
- },
- {
- "name": "DeleteFileW",
- "address": "0x4080ac"
- },
- {
- "name": "HeapValidate",
- "address": "0x4080b0"
- },
- {
- "name": "CreateProcessA",
- "address": "0x4080b4"
- },
- {
- "name": "SetErrorMode",
- "address": "0x4080b8"
- },
- {
- "name": "IsDBCSLeadByteEx",
- "address": "0x4080bc"
- },
- {
- "name": "TlsSetValue",
- "address": "0x4080c0"
- },
- {
- "name": "GetSystemTime",
- "address": "0x4080c4"
- },
- {
- "name": "GetTempPathW",
- "address": "0x4080c8"
- },
- {
- "name": "EnumSystemLocalesA",
- "address": "0x4080cc"
- },
- {
- "name": "CreateEventA",
- "address": "0x4080d0"
- }
- ],
- "dll": "KERNEL32.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x0001bb00",
- "overlay": null,
- "imagebase": "0x00400000",
- "reported_checksum": "0x0001bb00",
- "icon_hash": null,
- "entrypoint": "0x004016eb",
- "timestamp": "2019-01-22 04:33:56",
- "osversion": "4.0",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00007000",
- "entropy": "5.59",
- "raw_address": "0x00000400",
- "virtual_size": "0x00006ff8",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00008000",
- "size_of_data": "0x00000800",
- "entropy": "4.11",
- "raw_address": "0x00007400",
- "virtual_size": "0x00000796",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00009000",
- "size_of_data": "0x00001a00",
- "entropy": "0.97",
- "raw_address": "0x00007c00",
- "virtual_size": "0x00002d60",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x0000c000",
- "size_of_data": "0x00003000",
- "entropy": "3.99",
- "raw_address": "0x00009600",
- "virtual_size": "0x00003000",
- "characteristics_raw": "0x40000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00002f10",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x0000049c"
- },
- {
- "virtual_address": "0x0000829c",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x00000028"
- },
- {
- "virtual_address": "0x0000c000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x00002bbc"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00008000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x000000d8"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "e34faf9923d8ad1d448278b4e46f05f4",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": null,
- "imported_dll_count": 1,
- "versioninfo": []
- }
- }
- [*] Resolved APIs: [
- "kernel32.dll.GetModuleHandleA",
- "kernel32.dll.LoadLibraryA",
- "kernel32.dll.VirtualAlloc",
- "kernel32.dll.VirtualFree",
- "kernel32.dll.OutputDebugStringA",
- "ntdll.dll._stricmp",
- "ntdll.dll.memset",
- "ntdll.dll.memcpy",
- "kernel32.dll.CreateThread",
- "kernel32.dll.DeleteCriticalSection",
- "kernel32.dll.EnterCriticalSection",
- "kernel32.dll.FreeLibrary",
- "kernel32.dll.GetCurrentProcess",
- "kernel32.dll.GetCurrentProcessId",
- "kernel32.dll.GetCurrentThreadId",
- "kernel32.dll.GetLastError",
- "kernel32.dll.GetProcAddress",
- "kernel32.dll.GetStartupInfoA",
- "kernel32.dll.GetSystemTimeAsFileTime",
- "kernel32.dll.GetTickCount",
- "kernel32.dll.InitializeCriticalSection",
- "kernel32.dll.LeaveCriticalSection",
- "kernel32.dll.LoadLibraryW",
- "kernel32.dll.QueryPerformanceCounter",
- "kernel32.dll.SetUnhandledExceptionFilter",
- "kernel32.dll.Sleep",
- "kernel32.dll.TerminateProcess",
- "kernel32.dll.TlsGetValue",
- "kernel32.dll.UnhandledExceptionFilter",
- "kernel32.dll.VirtualProtect",
- "kernel32.dll.VirtualQuery",
- "msvcrt.dll.__dllonexit",
- "msvcrt.dll.__getmainargs",
- "msvcrt.dll.__initenv",
- "msvcrt.dll.__lconv_init",
- "msvcrt.dll.__set_app_type",
- "msvcrt.dll.__setusermatherr",
- "msvcrt.dll._acmdln",
- "msvcrt.dll._amsg_exit",
- "msvcrt.dll._cexit",
- "msvcrt.dll._fmode",
- "msvcrt.dll._initterm",
- "msvcrt.dll._iob",
- "msvcrt.dll._lock",
- "msvcrt.dll._onexit",
- "msvcrt.dll._unlock",
- "msvcrt.dll._winmajor",
- "msvcrt.dll.abort",
- "msvcrt.dll.calloc",
- "msvcrt.dll.exit",
- "msvcrt.dll.fprintf",
- "msvcrt.dll.free",
- "msvcrt.dll.fwrite",
- "msvcrt.dll.malloc",
- "msvcrt.dll.memcpy",
- "msvcrt.dll.signal",
- "msvcrt.dll.strlen",
- "msvcrt.dll.strncmp",
- "msvcrt.dll.vfprintf",
- "rasapi32.dll.RasConnectionNotificationW",
- "sechost.dll.NotifyServiceStatusChangeA",
- "cryptbase.dll.SystemFunction036",
- "kernel32.dll.UpdateProcThreadAttribute",
- "kernel32.dll.HeapFree",
- "kernel32.dll.GetProcessHeap",
- "kernel32.dll.CreateRemoteThread",
- "kernel32.dll.VirtualProtectEx",
- "kernel32.dll.VirtualAllocEx",
- "kernel32.dll.ProcessIdToSessionId",
- "kernel32.dll.DuplicateHandle",
- "kernel32.dll.InitializeProcThreadAttributeList",
- "kernel32.dll.WriteProcessMemory",
- "kernel32.dll.GetThreadContext",
- "kernel32.dll.SetThreadContext",
- "kernel32.dll.Thread32First",
- "kernel32.dll.Thread32Next",
- "kernel32.dll.SetLastError",
- "kernel32.dll.OpenThread",
- "kernel32.dll.CreateToolhelp32Snapshot",
- "kernel32.dll.GetVersionExA",
- "kernel32.dll.SuspendThread",
- "kernel32.dll.ResumeThread",
- "kernel32.dll.PeekNamedPipe",
- "kernel32.dll.WaitNamedPipeA",
- "kernel32.dll.SetNamedPipeHandleState",
- "kernel32.dll.LocalAlloc",
- "kernel32.dll.LocalFree",
- "kernel32.dll.GetComputerNameA",
- "kernel32.dll.Process32First",
- "kernel32.dll.HeapAlloc",
- "kernel32.dll.ExitProcess",
- "kernel32.dll.DeleteProcThreadAttributeList",
- "kernel32.dll.FindNextFileA",
- "kernel32.dll.MoveFileA",
- "kernel32.dll.FindClose",
- "kernel32.dll.CopyFileA",
- "kernel32.dll.FindFirstFileA",
- "kernel32.dll.FileTimeToSystemTime",
- "kernel32.dll.GetFileAttributesA",
- "kernel32.dll.ExpandEnvironmentStringsA",
- "kernel32.dll.GetLogicalDrives",
- "kernel32.dll.SystemTimeToTzSpecificLocalTime",
- "kernel32.dll.GetFullPathNameA",
- "kernel32.dll.CreateNamedPipeA",
- "kernel32.dll.ReadFile",
- "kernel32.dll.GetCurrentThread",
- "kernel32.dll.ConnectNamedPipe",
- "kernel32.dll.CloseHandle",
- "kernel32.dll.GetFileTime",
- "kernel32.dll.GetCurrentDirectoryA",
- "kernel32.dll.CreatePipe",
- "kernel32.dll.GetCurrentDirectoryW",
- "kernel32.dll.SetCurrentDirectoryA",
- "kernel32.dll.FlushFileBuffers",
- "kernel32.dll.DisconnectNamedPipe",
- "kernel32.dll.MultiByteToWideChar",
- "kernel32.dll.CreateProcessA",
- "kernel32.dll.OpenProcess",
- "kernel32.dll.WriteFile",
- "kernel32.dll.SetFileTime",
- "kernel32.dll.WaitForSingleObject",
- "kernel32.dll.SetEnvironmentVariableW",
- "kernel32.dll.CreateFileA",
- "kernel32.dll.SetEnvironmentVariableA",
- "kernel32.dll.CompareStringW",
- "kernel32.dll.CompareStringA",
- "kernel32.dll.SetEndOfFile",
- "kernel32.dll.GetStringTypeW",
- "kernel32.dll.GetStringTypeA",
- "kernel32.dll.LCMapStringW",
- "kernel32.dll.LCMapStringA",
- "kernel32.dll.GetModuleFileNameW",
- "kernel32.dll.SetStdHandle",
- "kernel32.dll.WriteConsoleW",
- "kernel32.dll.GetConsoleOutputCP",
- "kernel32.dll.WriteConsoleA",
- "kernel32.dll.GetLocaleInfoA",
- "kernel32.dll.HeapSize",
- "kernel32.dll.IsValidCodePage",
- "kernel32.dll.GetCPInfo",
- "kernel32.dll.DebugBreak",
- "kernel32.dll.RaiseException",
- "kernel32.dll.GetEnvironmentStringsW",
- "kernel32.dll.FreeEnvironmentStringsW",
- "kernel32.dll.GetOEMCP",
- "kernel32.dll.GetLocalTime",
- "kernel32.dll.GetACP",
- "kernel32.dll.Process32Next",
- "kernel32.dll.GetEnvironmentStrings",
- "kernel32.dll.FreeEnvironmentStringsA",
- "kernel32.dll.SetFilePointer",
- "kernel32.dll.GetFileType",
- "kernel32.dll.GetModuleHandleW",
- "kernel32.dll.DeleteFileA",
- "kernel32.dll.CreateDirectoryA",
- "kernel32.dll.RemoveDirectoryA",
- "kernel32.dll.GetCommandLineA",
- "kernel32.dll.IsDebuggerPresent",
- "kernel32.dll.HeapCreate",
- "kernel32.dll.HeapDestroy",
- "kernel32.dll.HeapReAlloc",
- "kernel32.dll.GetStdHandle",
- "kernel32.dll.GetModuleFileNameA",
- "kernel32.dll.TlsAlloc",
- "kernel32.dll.TlsSetValue",
- "kernel32.dll.TlsFree",
- "kernel32.dll.InterlockedIncrement",
- "kernel32.dll.InterlockedDecrement",
- "kernel32.dll.InitializeCriticalSectionAndSpinCount",
- "kernel32.dll.RtlUnwind",
- "kernel32.dll.WideCharToMultiByte",
- "kernel32.dll.GetConsoleCP",
- "kernel32.dll.GetConsoleMode",
- "kernel32.dll.SetHandleCount",
- "advapi32.dll.RegEnumValueA"
- ]
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "FindResourceW",
- "address": "0x408000"
- },
- {
- "name": "OpenProcess",
- "address": "0x408004"
- },
- {
- "name": "GetLongPathNameA",
- "address": "0x408008"
- },
- {
- "name": "FindResourceA",
- "address": "0x40800c"
- },
- {
- "name": "InterlockedCompareExchange",
- "address": "0x408010"
- },
- {
- "name": "GetSystemDefaultUILanguage",
- "address": "0x408014"
- },
- {
- "name": "GetModuleHandleExW",
- "address": "0x408018"
- },
- {
- "name": "GetModuleFileNameW",
- "address": "0x40801c"
- },
- {
- "name": "GetTimeFormatW",
- "address": "0x408020"
- },
- {
- "name": "TerminateProcess",
- "address": "0x408024"
- },
- {
- "name": "GetDriveTypeW",
- "address": "0x408028"
- },
- {
- "name": "SetThreadPriority",
- "address": "0x40802c"
- },
- {
- "name": "lstrlenW",
- "address": "0x408030"
- },
- {
- "name": "GetSystemDirectoryW",
- "address": "0x408034"
- },
- {
- "name": "VirtualProtect",
- "address": "0x408038"
- },
- {
- "name": "GetShortPathNameA",
- "address": "0x40803c"
- },
- {
- "name": "GlobalAddAtomW",
- "address": "0x408040"
- },
- {
- "name": "SetFileAttributesA",
- "address": "0x408044"
- },
- {
- "name": "LCMapStringA",
- "address": "0x408048"
- },
- {
- "name": "SetCurrentDirectoryW",
- "address": "0x40804c"
- },
- {
- "name": "SetFilePointerEx",
- "address": "0x408050"
- },
- {
- "name": "lstrcpyA",
- "address": "0x408054"
- },
- {
- "name": "SystemTimeToTzSpecificLocalTime",
- "address": "0x408058"
- },
- {
- "name": "ConvertDefaultLocale",
- "address": "0x40805c"
- },
- {
- "name": "VerSetConditionMask",
- "address": "0x408060"
- },
- {
- "name": "GetLocalTime",
- "address": "0x408064"
- },
- {
- "name": "ExitThread",
- "address": "0x408068"
- },
- {
- "name": "SignalObjectAndWait",
- "address": "0x40806c"
- },
- {
- "name": "GetPrivateProfileSectionW",
- "address": "0x408070"
- },
- {
- "name": "SetLastError",
- "address": "0x408074"
- },
- {
- "name": "CloseHandle",
- "address": "0x408078"
- },
- {
- "name": "SetThreadExecutionState",
- "address": "0x40807c"
- },
- {
- "name": "GetModuleFileNameA",
- "address": "0x408080"
- },
- {
- "name": "GlobalAlloc",
- "address": "0x408084"
- },
- {
- "name": "FindClose",
- "address": "0x408088"
- },
- {
- "name": "AreFileApisANSI",
- "address": "0x40808c"
- },
- {
- "name": "lstrcatA",
- "address": "0x408090"
- },
- {
- "name": "RemoveDirectoryA",
- "address": "0x408094"
- },
- {
- "name": "OpenFileMappingA",
- "address": "0x408098"
- },
- {
- "name": "SetNamedPipeHandleState",
- "address": "0x40809c"
- },
- {
- "name": "GetDiskFreeSpaceW",
- "address": "0x4080a0"
- },
- {
- "name": "PeekNamedPipe",
- "address": "0x4080a4"
- },
- {
- "name": "MoveFileW",
- "address": "0x4080a8"
- },
- {
- "name": "DeleteFileW",
- "address": "0x4080ac"
- },
- {
- "name": "HeapValidate",
- "address": "0x4080b0"
- },
- {
- "name": "CreateProcessA",
- "address": "0x4080b4"
- },
- {
- "name": "SetErrorMode",
- "address": "0x4080b8"
- },
- {
- "name": "IsDBCSLeadByteEx",
- "address": "0x4080bc"
- },
- {
- "name": "TlsSetValue",
- "address": "0x4080c0"
- },
- {
- "name": "GetSystemTime",
- "address": "0x4080c4"
- },
- {
- "name": "GetTempPathW",
- "address": "0x4080c8"
- },
- {
- "name": "EnumSystemLocalesA",
- "address": "0x4080cc"
- },
- {
- "name": "CreateEventA",
- "address": "0x4080d0"
- }
- ],
- "dll": "KERNEL32.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x0001bb00",
- "overlay": null,
- "imagebase": "0x00400000",
- "reported_checksum": "0x0001bb00",
- "icon_hash": null,
- "entrypoint": "0x004016eb",
- "timestamp": "2019-01-22 04:33:56",
- "osversion": "4.0",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00007000",
- "entropy": "5.59",
- "raw_address": "0x00000400",
- "virtual_size": "0x00006ff8",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00008000",
- "size_of_data": "0x00000800",
- "entropy": "4.11",
- "raw_address": "0x00007400",
- "virtual_size": "0x00000796",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00009000",
- "size_of_data": "0x00001a00",
- "entropy": "0.97",
- "raw_address": "0x00007c00",
- "virtual_size": "0x00002d60",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x0000c000",
- "size_of_data": "0x00003000",
- "entropy": "3.99",
- "raw_address": "0x00009600",
- "virtual_size": "0x00003000",
- "characteristics_raw": "0x40000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00002f10",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x0000049c"
- },
- {
- "virtual_address": "0x0000829c",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x00000028"
- },
- {
- "virtual_address": "0x0000c000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x00002bbc"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00008000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x000000d8"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "e34faf9923d8ad1d448278b4e46f05f4",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": null,
- "imported_dll_count": 1,
- "versioninfo": []
- }
- }