- [*] MalFamily: ""
- [*] MalScore: 10.0
- [*] File Name: "Exes_005e942c.exe"
- [*] File Size: 638976
- [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- [*] SHA256: "7ccd050f5e9f7e9c368e55a61a40531efdb5bc53511bf83527b2397df35815f4"
- [*] MD5: "8c47b65450bbcfbbbf0be86ae33a5218"
- [*] SHA1: "30b79b42cf09987d1e4d40dedcd6eb5d457302ba"
- [*] SHA512: "558add095c9d7503382d567f5188c26326df286ae8adb30ba0b8a91e7e2cbfe4b31a9a70b2242ed415215b6ac526312916efdc69daa0d4b6c43003645a832014"
- [*] CRC32: "005E942C"
- [*] SSDEEP: "6144:VQ8oufWtVjM1Er81OWW07SryaqE8VkZQSzHDQ7KsV79nN+2g+AS:V7+tVjsRfSrrFmkykHDQ7KEDr"
- [*] Process Execution: [
- "Exes_005e942c.exe"
- ]
- [*] Signatures Detected: [
- {
- "Description": "Creates RWX memory (no details captured by the sandbox; the only supporting evidence in this report is the runtime resolution of VirtualAllocEx, VirtualProtectEx and NtProtectVirtualMemory listed under Resolved APIs — whether this is used for process injection is not confirmed here)",
- "Details": []
- },
- {
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details": [
- {
- "section": "name: .text, entropy: 7.85, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00099000, virtual_size: 0x00098f54"
- }
- ]
- },
- {
- "Description": "Installs itself for autorun at Windows startup (heuristic: fired by the two writes to C:\\Windows\\win.ini listed below, consistent with WriteProfileStringA under Resolved APIs; the key/value actually written is not captured, so treat this as a weak autorun indicator until the written win.ini entry is confirmed)",
- "Details": [
- {
- "file": "C:\\Windows\\win.ini"
- },
- {
- "file": "C:\\Windows\\win.ini"
- }
- ]
- },
- {
- "Description": "File has been identified by 38 Antiviruses on VirusTotal as malicious",
- "Details": [
- {
- "MicroWorld-eScan": "Trojan.GenericKD.41362517"
- },
- {
- "FireEye": "Generic.mg.8c47b65450bbcfbb"
- },
- {
- "ALYac": "Trojan.GenericKD.41362517"
- },
- {
- "Cylance": "Unsafe"
- },
- {
- "Alibaba": "TrojanSpy:Win32/Noon.cbb16507"
- },
- {
- "K7GW": "Trojan ( 0054fef91 )"
- },
- {
- "K7AntiVirus": "Trojan ( 0054fef91 )"
- },
- {
- "Arcabit": "Trojan.Generic.D2772455"
- },
- {
- "Invincea": "heuristic"
- },
- {
- "Symantec": "Trojan.Gen.MBT"
- },
- {
- "APEX": "Malicious"
- },
- {
- "Paloalto": "generic.ml"
- },
- {
- "Kaspersky": "Trojan-Spy.Win32.Noon.agnx"
- },
- {
- "BitDefender": "Trojan.GenericKD.41362517"
- },
- {
- "Avast": "Win32:Trojan-gen"
- },
- {
- "Tencent": "Win32.Trojan.Inject.Auto"
- },
- {
- "Ad-Aware": "Trojan.GenericKD.41362517"
- },
- {
- "Emsisoft": "Trojan.GenericKD.41362517 (B)"
- },
- {
- "TrendMicro": "TROJ_GEN.R03BC0WFC19"
- },
- {
- "McAfee-GW-Edition": "BehavesLike.Win32.Trojan.jc"
- },
- {
- "Trapmine": "suspicious.low.ml.score"
- },
- {
- "Sophos": "Mal/FareitVB-N"
- },
- {
- "Ikarus": "Trojan.VB.Crypt"
- },
- {
- "ESET-NOD32": "a variant of Win32/Injector.EFXT"
- },
- {
- "Microsoft": "Trojan:Win32/Dynamer!rfn"
- },
- {
- "ZoneAlarm": "Trojan-Spy.Win32.Noon.agnx"
- },
- {
- "GData": "Win32.Trojan-Stealer.FormBook.S6Q4G1"
- },
- {
- "AhnLab-V3": "Trojan/Win32.Injector.R275286"
- },
- {
- "McAfee": "Fareit-FOA!8C47B65450BB"
- },
- {
- "TrendMicro-HouseCall": "TROJ_GEN.R03BC0WFC19"
- },
- {
- "Rising": "Trojan.Injector!1.B459 (CLASSIC)"
- },
- {
- "SentinelOne": "DFI - Malicious PE"
- },
- {
- "Fortinet": "W32/Malicious_Behavior.VEX"
- },
- {
- "AVG": "Win32:Trojan-gen"
- },
- {
- "Cybereason": "malicious.450bbc"
- },
- {
- "Panda": "Trj/CI.A"
- },
- {
- "CrowdStrike": "win/malicious_confidence_100% (W)"
- },
- {
- "Qihoo-360": "HEUR/QVM03.0.C44B.Malware.Gen"
- }
- ]
- },
- {
- "Description": "Anomalous binary characteristics",
- "Details": [
- {
- "anomaly": "Actual checksum does not match that reported in PE header"
- }
- ]
- }
- ]
- [*] Started Service: []
- [*] Executed Commands: [
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\Exes_005e942c.exe\""
- ]
- [*] Mutexes: [
- "CicLoadWinStaWinSta0",
- "Local\\MSCTF.CtfMonitorInstMutexDefault1"
- ]
- [*] Modified Files: [
- "C:\\Windows\\win.ini"
- ]
- [*] Deleted Files: []
- [*] Modified Registry Keys: []
- [*] Deleted Registry Keys: []
- [*] DNS Communications: []
- [*] Domains: []
- [*] Network Communication - ICMP: []
- [*] Network Communication - HTTP: []
- [*] Network Communication - SMTP: []
- [*] Network Communication - Hosts: []
- [*] Network Communication - IRC: []
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "_CIcos",
- "address": "0x401000"
- },
- {
- "name": "_adj_fptan",
- "address": "0x401004"
- },
- {
- "name": "__vbaVarMove",
- "address": "0x401008"
- },
- {
- "name": null,
- "address": "0x40100c"
- },
- {
- "name": "__vbaFreeVar",
- "address": "0x401010"
- },
- {
- "name": "__vbaStrVarMove",
- "address": "0x401014"
- },
- {
- "name": null,
- "address": "0x401018"
- },
- {
- "name": "__vbaFreeVarList",
- "address": "0x40101c"
- },
- {
- "name": "__vbaVarIdiv",
- "address": "0x401020"
- },
- {
- "name": "_adj_fdiv_m64",
- "address": "0x401024"
- },
- {
- "name": null,
- "address": "0x401028"
- },
- {
- "name": "__vbaFreeObjList",
- "address": "0x40102c"
- },
- {
- "name": null,
- "address": "0x401030"
- },
- {
- "name": "_adj_fprem1",
- "address": "0x401034"
- },
- {
- "name": "__vbaInStrVarB",
- "address": "0x401038"
- },
- {
- "name": "__vbaRecDestruct",
- "address": "0x40103c"
- },
- {
- "name": "__vbaSetSystemError",
- "address": "0x401040"
- },
- {
- "name": "__vbaHresultCheckObj",
- "address": "0x401044"
- },
- {
- "name": null,
- "address": "0x401048"
- },
- {
- "name": null,
- "address": "0x40104c"
- },
- {
- "name": null,
- "address": "0x401050"
- },
- {
- "name": null,
- "address": "0x401054"
- },
- {
- "name": "_adj_fdiv_m32",
- "address": "0x401058"
- },
- {
- "name": "__vbaAryVar",
- "address": "0x40105c"
- },
- {
- "name": null,
- "address": "0x401060"
- },
- {
- "name": "__vbaAryDestruct",
- "address": "0x401064"
- },
- {
- "name": null,
- "address": "0x401068"
- },
- {
- "name": "__vbaBoolStr",
- "address": "0x40106c"
- },
- {
- "name": null,
- "address": "0x401070"
- },
- {
- "name": "__vbaObjSet",
- "address": "0x401074"
- },
- {
- "name": null,
- "address": "0x401078"
- },
- {
- "name": "_adj_fdiv_m16i",
- "address": "0x40107c"
- },
- {
- "name": "__vbaObjSetAddref",
- "address": "0x401080"
- },
- {
- "name": "_adj_fdivr_m16i",
- "address": "0x401084"
- },
- {
- "name": null,
- "address": "0x401088"
- },
- {
- "name": null,
- "address": "0x40108c"
- },
- {
- "name": "__vbaFPFix",
- "address": "0x401090"
- },
- {
- "name": "__vbaFpR8",
- "address": "0x401094"
- },
- {
- "name": "_CIsin",
- "address": "0x401098"
- },
- {
- "name": "__vbaErase",
- "address": "0x40109c"
- },
- {
- "name": "__vbaChkstk",
- "address": "0x4010a0"
- },
- {
- "name": null,
- "address": "0x4010a4"
- },
- {
- "name": "EVENT_SINK_AddRef",
- "address": "0x4010a8"
- },
- {
- "name": "__vbaGenerateBoundsError",
- "address": "0x4010ac"
- },
- {
- "name": "__vbaStrCmp",
- "address": "0x4010b0"
- },
- {
- "name": "__vbaAryConstruct2",
- "address": "0x4010b4"
- },
- {
- "name": "__vbaVarTstEq",
- "address": "0x4010b8"
- },
- {
- "name": null,
- "address": "0x4010bc"
- },
- {
- "name": "__vbaObjVar",
- "address": "0x4010c0"
- },
- {
- "name": "DllFunctionCall",
- "address": "0x4010c4"
- },
- {
- "name": null,
- "address": "0x4010c8"
- },
- {
- "name": null,
- "address": "0x4010cc"
- },
- {
- "name": "_adj_fpatan",
- "address": "0x4010d0"
- },
- {
- "name": null,
- "address": "0x4010d4"
- },
- {
- "name": "__vbaLateIdCallLd",
- "address": "0x4010d8"
- },
- {
- "name": "__vbaRedim",
- "address": "0x4010dc"
- },
- {
- "name": "EVENT_SINK_Release",
- "address": "0x4010e0"
- },
- {
- "name": null,
- "address": "0x4010e4"
- },
- {
- "name": "_CIsqrt",
- "address": "0x4010e8"
- },
- {
- "name": "EVENT_SINK_QueryInterface",
- "address": "0x4010ec"
- },
- {
- "name": null,
- "address": "0x4010f0"
- },
- {
- "name": "__vbaExceptHandler",
- "address": "0x4010f4"
- },
- {
- "name": null,
- "address": "0x4010f8"
- },
- {
- "name": "__vbaStrToUnicode",
- "address": "0x4010fc"
- },
- {
- "name": null,
- "address": "0x401100"
- },
- {
- "name": "_adj_fprem",
- "address": "0x401104"
- },
- {
- "name": "_adj_fdivr_m64",
- "address": "0x401108"
- },
- {
- "name": null,
- "address": "0x40110c"
- },
- {
- "name": null,
- "address": "0x401110"
- },
- {
- "name": null,
- "address": "0x401114"
- },
- {
- "name": null,
- "address": "0x401118"
- },
- {
- "name": null,
- "address": "0x40111c"
- },
- {
- "name": null,
- "address": "0x401120"
- },
- {
- "name": "__vbaFPException",
- "address": "0x401124"
- },
- {
- "name": null,
- "address": "0x401128"
- },
- {
- "name": "__vbaStrVarVal",
- "address": "0x40112c"
- },
- {
- "name": null,
- "address": "0x401130"
- },
- {
- "name": null,
- "address": "0x401134"
- },
- {
- "name": "_CIlog",
- "address": "0x401138"
- },
- {
- "name": "__vbaErrorOverflow",
- "address": "0x40113c"
- },
- {
- "name": null,
- "address": "0x401140"
- },
- {
- "name": "__vbaNew2",
- "address": "0x401144"
- },
- {
- "name": "__vbaR8Str",
- "address": "0x401148"
- },
- {
- "name": null,
- "address": "0x40114c"
- },
- {
- "name": null,
- "address": "0x401150"
- },
- {
- "name": "_adj_fdiv_m32i",
- "address": "0x401154"
- },
- {
- "name": "_adj_fdivr_m32i",
- "address": "0x401158"
- },
- {
- "name": "__vbaStrCopy",
- "address": "0x40115c"
- },
- {
- "name": "__vbaI4Str",
- "address": "0x401160"
- },
- {
- "name": null,
- "address": "0x401164"
- },
- {
- "name": "__vbaFreeStrList",
- "address": "0x401168"
- },
- {
- "name": null,
- "address": "0x40116c"
- },
- {
- "name": null,
- "address": "0x401170"
- },
- {
- "name": "__vbaDerefAry1",
- "address": "0x401174"
- },
- {
- "name": null,
- "address": "0x401178"
- },
- {
- "name": "_adj_fdivr_m32",
- "address": "0x40117c"
- },
- {
- "name": "_adj_fdiv_r",
- "address": "0x401180"
- },
- {
- "name": null,
- "address": "0x401184"
- },
- {
- "name": null,
- "address": "0x401188"
- },
- {
- "name": "__vbaVarTstNe",
- "address": "0x40118c"
- },
- {
- "name": "__vbaI4Var",
- "address": "0x401190"
- },
- {
- "name": null,
- "address": "0x401194"
- },
- {
- "name": "__vbaVarAdd",
- "address": "0x401198"
- },
- {
- "name": "__vbaStrToAnsi",
- "address": "0x40119c"
- },
- {
- "name": "__vbaVarDup",
- "address": "0x4011a0"
- },
- {
- "name": null,
- "address": "0x4011a4"
- },
- {
- "name": null,
- "address": "0x4011a8"
- },
- {
- "name": "__vbaVarCopy",
- "address": "0x4011ac"
- },
- {
- "name": "_CIatan",
- "address": "0x4011b0"
- },
- {
- "name": null,
- "address": "0x4011b4"
- },
- {
- "name": "__vbaStrMove",
- "address": "0x4011b8"
- },
- {
- "name": "__vbaAryCopy",
- "address": "0x4011bc"
- },
- {
- "name": null,
- "address": "0x4011c0"
- },
- {
- "name": "_allmul",
- "address": "0x4011c4"
- },
- {
- "name": null,
- "address": "0x4011c8"
- },
- {
- "name": "_CItan",
- "address": "0x4011cc"
- },
- {
- "name": "_CIexp",
- "address": "0x4011d0"
- },
- {
- "name": "__vbaFreeObj",
- "address": "0x4011d4"
- },
- {
- "name": "__vbaFreeStr",
- "address": "0x4011d8"
- },
- {
- "name": null,
- "address": "0x4011dc"
- },
- {
- "name": null,
- "address": "0x4011e0"
- }
- ],
- "dll": "MSVBVM60.DLL"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x0009d56b",
- "overlay": null,
- "imagebase": "0x00400000",
- "reported_checksum": "0x000a0178",
- "icon_hash": null,
- "entrypoint": "0x00401558",
- "timestamp": "2008-08-01 05:08:00",
- "osversion": "4.0",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00099000",
- "entropy": "7.85",
- "raw_address": "0x00001000",
- "virtual_size": "0x00098f54",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x0009a000",
- "size_of_data": "0x00001000",
- "entropy": "0.00",
- "raw_address": "0x0009a000",
- "virtual_size": "0x00005530",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x000a0000",
- "size_of_data": "0x00001000",
- "entropy": "3.46",
- "raw_address": "0x0009b000",
- "virtual_size": "0x00000e58",
- "characteristics_raw": "0x40000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00099894",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x00000028"
- },
- {
- "virtual_address": "0x000a0000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x00000e58"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000238",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000020"
- },
- {
- "virtual_address": "0x00001000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x000001e8"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "9148078ae78bba505b83bb73096b0dc6",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": null,
- "imported_dll_count": 1,
- "versioninfo": []
- }
- }
- [*] Resolved APIs: [
- "cryptbase.dll.SystemFunction036",
- "uxtheme.dll.ThemeInitApiHook",
- "user32.dll.IsProcessDPIAware",
- "oleaut32.dll.OleLoadPictureEx",
- "oleaut32.dll.DispCallFunc",
- "oleaut32.dll.LoadTypeLibEx",
- "oleaut32.dll.UnRegisterTypeLib",
- "oleaut32.dll.CreateTypeLib2",
- "oleaut32.dll.VarDateFromUdate",
- "oleaut32.dll.VarUdateFromDate",
- "oleaut32.dll.GetAltMonthNames",
- "oleaut32.dll.VarNumFromParseNum",
- "oleaut32.dll.VarParseNumFromStr",
- "oleaut32.dll.VarDecFromR4",
- "oleaut32.dll.VarDecFromR8",
- "oleaut32.dll.VarDecFromDate",
- "oleaut32.dll.VarDecFromI4",
- "oleaut32.dll.VarDecFromCy",
- "oleaut32.dll.VarR4FromDec",
- "oleaut32.dll.GetRecordInfoFromTypeInfo",
- "oleaut32.dll.GetRecordInfoFromGuids",
- "oleaut32.dll.SafeArrayGetRecordInfo",
- "oleaut32.dll.SafeArraySetRecordInfo",
- "oleaut32.dll.SafeArrayGetIID",
- "oleaut32.dll.SafeArraySetIID",
- "oleaut32.dll.SafeArrayCopyData",
- "oleaut32.dll.SafeArrayAllocDescriptorEx",
- "oleaut32.dll.SafeArrayCreateEx",
- "oleaut32.dll.VarFormat",
- "oleaut32.dll.VarFormatDateTime",
- "oleaut32.dll.VarFormatNumber",
- "oleaut32.dll.VarFormatPercent",
- "oleaut32.dll.VarFormatCurrency",
- "oleaut32.dll.VarWeekdayName",
- "oleaut32.dll.VarMonthName",
- "oleaut32.dll.VarAdd",
- "oleaut32.dll.VarAnd",
- "oleaut32.dll.VarCat",
- "oleaut32.dll.VarDiv",
- "oleaut32.dll.VarEqv",
- "oleaut32.dll.VarIdiv",
- "oleaut32.dll.VarImp",
- "oleaut32.dll.VarMod",
- "oleaut32.dll.VarMul",
- "oleaut32.dll.VarOr",
- "oleaut32.dll.VarPow",
- "oleaut32.dll.VarSub",
- "oleaut32.dll.VarXor",
- "oleaut32.dll.VarAbs",
- "oleaut32.dll.VarFix",
- "oleaut32.dll.VarInt",
- "oleaut32.dll.VarNeg",
- "oleaut32.dll.VarNot",
- "oleaut32.dll.VarRound",
- "oleaut32.dll.VarCmp",
- "oleaut32.dll.VarDecAdd",
- "oleaut32.dll.VarDecCmp",
- "oleaut32.dll.VarBstrCat",
- "oleaut32.dll.VarCyMulI4",
- "oleaut32.dll.VarBstrCmp",
- "ole32.dll.CoCreateInstanceEx",
- "ole32.dll.CLSIDFromProgIDEx",
- "sxs.dll.SxsOleAut32MapIIDOrCLSIDToTypeLibrary",
- "user32.dll.GetSystemMetrics",
- "user32.dll.MonitorFromWindow",
- "user32.dll.MonitorFromRect",
- "user32.dll.MonitorFromPoint",
- "user32.dll.EnumDisplayMonitors",
- "user32.dll.GetMonitorInfoA",
- "kernel32.dll.NlsGetCacheUpdateCount",
- "kernel32.dll.GetCalendarInfoW",
- "dwmapi.dll.DwmIsCompositionEnabled",
- "lpk.dll.LpkEditControl",
- "comctl32.dll.HIMAGELIST_QueryInterface",
- "comctl32.dll.DrawShadowText",
- "comctl32.dll.DrawSizeBox",
- "comctl32.dll.DrawScrollBar",
- "comctl32.dll.SizeBoxHwnd",
- "comctl32.dll.ScrollBar_MouseMove",
- "comctl32.dll.ScrollBar_Menu",
- "comctl32.dll.HandleScrollCmd",
- "comctl32.dll.DetachScrollBars",
- "comctl32.dll.AttachScrollBars",
- "comctl32.dll.CCSetScrollInfo",
- "comctl32.dll.CCGetScrollInfo",
- "comctl32.dll.CCEnableScrollBar",
- "comctl32.dll.QuerySystemGestureStatus",
- "uxtheme.dll.#49",
- "uxtheme.dll.CloseThemeData",
- "uxtheme.dll.DrawThemeBackground",
- "uxtheme.dll.GetThemeBackgroundContentRect",
- "uxtheme.dll.GetThemePartSize",
- "gdi32.dll.GetLayout",
- "gdi32.dll.GdiRealizationInfo",
- "gdi32.dll.FontIsLinked",
- "advapi32.dll.RegOpenKeyExW",
- "advapi32.dll.RegQueryInfoKeyW",
- "gdi32.dll.GetTextFaceAliasW",
- "advapi32.dll.RegEnumValueW",
- "advapi32.dll.RegCloseKey",
- "advapi32.dll.RegQueryValueExW",
- "gdi32.dll.GetFontAssocStatus",
- "advapi32.dll.RegQueryValueExA",
- "advapi32.dll.RegEnumKeyExW",
- "gdi32.dll.GdiIsMetaPrintDC",
- "ole32.dll.CoInitializeEx",
- "ole32.dll.CoUninitialize",
- "ole32.dll.CoRegisterInitializeSpy",
- "ole32.dll.CoRevokeInitializeSpy",
- "user32.dll.EnumChildWindows",
- "shell32.dll.Shell_NotifyIconA",
- "ntdll.dll.ZwSetInformationProcess",
- "kernel32.dll.Sleep",
- "kernel32.dll.WriteProfileStringA",
- "ntdll.dll.NtProtectVirtualMemory",
- "kernel32.dll.CreateFileA",
- "kernel32.dll.WriteFile",
- "kernel32.dll.CloseHandle",
- "kernel32.dll.ReadFile",
- "kernel32.dll.GetFileSize",
- "kernel32.dll.UnmapViewOfFile",
- "kernel32.dll.VirtualProtectEx",
- "kernel32.dll.GetLongPathNameA",
- "kernel32.dll.TerminateProcess",
- "iphlpapi.dll.GetAdaptersInfo",
- "kernel32.dll.VirtualAllocEx",
- "kernel32.dll.CreateProcessW",
- "shell32.dll.ShellExecuteA",
- "advapi32.dll.RegCreateKeyExA",
- "advapi32.dll.RegSetValueExA",
- "kernel32.dll.WaitForDebugEvent",
- "kernel32.dll.ContinueDebugEvent",
- "kernel32.dll.DebugActiveProcessStop",
- "kernel32.dll.OutputDebugStringW"
- ]
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "_CIcos",
- "address": "0x401000"
- },
- {
- "name": "_adj_fptan",
- "address": "0x401004"
- },
- {
- "name": "__vbaVarMove",
- "address": "0x401008"
- },
- {
- "name": null,
- "address": "0x40100c"
- },
- {
- "name": "__vbaFreeVar",
- "address": "0x401010"
- },
- {
- "name": "__vbaStrVarMove",
- "address": "0x401014"
- },
- {
- "name": null,
- "address": "0x401018"
- },
- {
- "name": "__vbaFreeVarList",
- "address": "0x40101c"
- },
- {
- "name": "__vbaVarIdiv",
- "address": "0x401020"
- },
- {
- "name": "_adj_fdiv_m64",
- "address": "0x401024"
- },
- {
- "name": null,
- "address": "0x401028"
- },
- {
- "name": "__vbaFreeObjList",
- "address": "0x40102c"
- },
- {
- "name": null,
- "address": "0x401030"
- },
- {
- "name": "_adj_fprem1",
- "address": "0x401034"
- },
- {
- "name": "__vbaInStrVarB",
- "address": "0x401038"
- },
- {
- "name": "__vbaRecDestruct",
- "address": "0x40103c"
- },
- {
- "name": "__vbaSetSystemError",
- "address": "0x401040"
- },
- {
- "name": "__vbaHresultCheckObj",
- "address": "0x401044"
- },
- {
- "name": null,
- "address": "0x401048"
- },
- {
- "name": null,
- "address": "0x40104c"
- },
- {
- "name": null,
- "address": "0x401050"
- },
- {
- "name": null,
- "address": "0x401054"
- },
- {
- "name": "_adj_fdiv_m32",
- "address": "0x401058"
- },
- {
- "name": "__vbaAryVar",
- "address": "0x40105c"
- },
- {
- "name": null,
- "address": "0x401060"
- },
- {
- "name": "__vbaAryDestruct",
- "address": "0x401064"
- },
- {
- "name": null,
- "address": "0x401068"
- },
- {
- "name": "__vbaBoolStr",
- "address": "0x40106c"
- },
- {
- "name": null,
- "address": "0x401070"
- },
- {
- "name": "__vbaObjSet",
- "address": "0x401074"
- },
- {
- "name": null,
- "address": "0x401078"
- },
- {
- "name": "_adj_fdiv_m16i",
- "address": "0x40107c"
- },
- {
- "name": "__vbaObjSetAddref",
- "address": "0x401080"
- },
- {
- "name": "_adj_fdivr_m16i",
- "address": "0x401084"
- },
- {
- "name": null,
- "address": "0x401088"
- },
- {
- "name": null,
- "address": "0x40108c"
- },
- {
- "name": "__vbaFPFix",
- "address": "0x401090"
- },
- {
- "name": "__vbaFpR8",
- "address": "0x401094"
- },
- {
- "name": "_CIsin",
- "address": "0x401098"
- },
- {
- "name": "__vbaErase",
- "address": "0x40109c"
- },
- {
- "name": "__vbaChkstk",
- "address": "0x4010a0"
- },
- {
- "name": null,
- "address": "0x4010a4"
- },
- {
- "name": "EVENT_SINK_AddRef",
- "address": "0x4010a8"
- },
- {
- "name": "__vbaGenerateBoundsError",
- "address": "0x4010ac"
- },
- {
- "name": "__vbaStrCmp",
- "address": "0x4010b0"
- },
- {
- "name": "__vbaAryConstruct2",
- "address": "0x4010b4"
- },
- {
- "name": "__vbaVarTstEq",
- "address": "0x4010b8"
- },
- {
- "name": null,
- "address": "0x4010bc"
- },
- {
- "name": "__vbaObjVar",
- "address": "0x4010c0"
- },
- {
- "name": "DllFunctionCall",
- "address": "0x4010c4"
- },
- {
- "name": null,
- "address": "0x4010c8"
- },
- {
- "name": null,
- "address": "0x4010cc"
- },
- {
- "name": "_adj_fpatan",
- "address": "0x4010d0"
- },
- {
- "name": null,
- "address": "0x4010d4"
- },
- {
- "name": "__vbaLateIdCallLd",
- "address": "0x4010d8"
- },
- {
- "name": "__vbaRedim",
- "address": "0x4010dc"
- },
- {
- "name": "EVENT_SINK_Release",
- "address": "0x4010e0"
- },
- {
- "name": null,
- "address": "0x4010e4"
- },
- {
- "name": "_CIsqrt",
- "address": "0x4010e8"
- },
- {
- "name": "EVENT_SINK_QueryInterface",
- "address": "0x4010ec"
- },
- {
- "name": null,
- "address": "0x4010f0"
- },
- {
- "name": "__vbaExceptHandler",
- "address": "0x4010f4"
- },
- {
- "name": null,
- "address": "0x4010f8"
- },
- {
- "name": "__vbaStrToUnicode",
- "address": "0x4010fc"
- },
- {
- "name": null,
- "address": "0x401100"
- },
- {
- "name": "_adj_fprem",
- "address": "0x401104"
- },
- {
- "name": "_adj_fdivr_m64",
- "address": "0x401108"
- },
- {
- "name": null,
- "address": "0x40110c"
- },
- {
- "name": null,
- "address": "0x401110"
- },
- {
- "name": null,
- "address": "0x401114"
- },
- {
- "name": null,
- "address": "0x401118"
- },
- {
- "name": null,
- "address": "0x40111c"
- },
- {
- "name": null,
- "address": "0x401120"
- },
- {
- "name": "__vbaFPException",
- "address": "0x401124"
- },
- {
- "name": null,
- "address": "0x401128"
- },
- {
- "name": "__vbaStrVarVal",
- "address": "0x40112c"
- },
- {
- "name": null,
- "address": "0x401130"
- },
- {
- "name": null,
- "address": "0x401134"
- },
- {
- "name": "_CIlog",
- "address": "0x401138"
- },
- {
- "name": "__vbaErrorOverflow",
- "address": "0x40113c"
- },
- {
- "name": null,
- "address": "0x401140"
- },
- {
- "name": "__vbaNew2",
- "address": "0x401144"
- },
- {
- "name": "__vbaR8Str",
- "address": "0x401148"
- },
- {
- "name": null,
- "address": "0x40114c"
- },
- {
- "name": null,
- "address": "0x401150"
- },
- {
- "name": "_adj_fdiv_m32i",
- "address": "0x401154"
- },
- {
- "name": "_adj_fdivr_m32i",
- "address": "0x401158"
- },
- {
- "name": "__vbaStrCopy",
- "address": "0x40115c"
- },
- {
- "name": "__vbaI4Str",
- "address": "0x401160"
- },
- {
- "name": null,
- "address": "0x401164"
- },
- {
- "name": "__vbaFreeStrList",
- "address": "0x401168"
- },
- {
- "name": null,
- "address": "0x40116c"
- },
- {
- "name": null,
- "address": "0x401170"
- },
- {
- "name": "__vbaDerefAry1",
- "address": "0x401174"
- },
- {
- "name": null,
- "address": "0x401178"
- },
- {
- "name": "_adj_fdivr_m32",
- "address": "0x40117c"
- },
- {
- "name": "_adj_fdiv_r",
- "address": "0x401180"
- },
- {
- "name": null,
- "address": "0x401184"
- },
- {
- "name": null,
- "address": "0x401188"
- },
- {
- "name": "__vbaVarTstNe",
- "address": "0x40118c"
- },
- {
- "name": "__vbaI4Var",
- "address": "0x401190"
- },
- {
- "name": null,
- "address": "0x401194"
- },
- {
- "name": "__vbaVarAdd",
- "address": "0x401198"
- },
- {
- "name": "__vbaStrToAnsi",
- "address": "0x40119c"
- },
- {
- "name": "__vbaVarDup",
- "address": "0x4011a0"
- },
- {
- "name": null,
- "address": "0x4011a4"
- },
- {
- "name": null,
- "address": "0x4011a8"
- },
- {
- "name": "__vbaVarCopy",
- "address": "0x4011ac"
- },
- {
- "name": "_CIatan",
- "address": "0x4011b0"
- },
- {
- "name": null,
- "address": "0x4011b4"
- },
- {
- "name": "__vbaStrMove",
- "address": "0x4011b8"
- },
- {
- "name": "__vbaAryCopy",
- "address": "0x4011bc"
- },
- {
- "name": null,
- "address": "0x4011c0"
- },
- {
- "name": "_allmul",
- "address": "0x4011c4"
- },
- {
- "name": null,
- "address": "0x4011c8"
- },
- {
- "name": "_CItan",
- "address": "0x4011cc"
- },
- {
- "name": "_CIexp",
- "address": "0x4011d0"
- },
- {
- "name": "__vbaFreeObj",
- "address": "0x4011d4"
- },
- {
- "name": "__vbaFreeStr",
- "address": "0x4011d8"
- },
- {
- "name": null,
- "address": "0x4011dc"
- },
- {
- "name": null,
- "address": "0x4011e0"
- }
- ],
- "dll": "MSVBVM60.DLL"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x0009d56b",
- "overlay": null,
- "imagebase": "0x00400000",
- "reported_checksum": "0x000a0178",
- "icon_hash": null,
- "entrypoint": "0x00401558",
- "timestamp": "2008-08-01 05:08:00",
- "osversion": "4.0",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00099000",
- "entropy": "7.85",
- "raw_address": "0x00001000",
- "virtual_size": "0x00098f54",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x0009a000",
- "size_of_data": "0x00001000",
- "entropy": "0.00",
- "raw_address": "0x0009a000",
- "virtual_size": "0x00005530",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x000a0000",
- "size_of_data": "0x00001000",
- "entropy": "3.46",
- "raw_address": "0x0009b000",
- "virtual_size": "0x00000e58",
- "characteristics_raw": "0x40000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00099894",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x00000028"
- },
- {
- "virtual_address": "0x000a0000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x00000e58"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000238",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000020"
- },
- {
- "virtual_address": "0x00001000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x000001e8"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "9148078ae78bba505b83bb73096b0dc6",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": null,
- "imported_dll_count": 1,
- "versioninfo": []
- }
- }