VMRay Analyzer Report for Sample #21058
VMRay Analyzer 2.2.0

URI: kdotraky.com
Resolved_To
Address: 101.99.75.184
Process 1
PID: 2352
Name: excel.exe
Parent PID: 1100
Image name: excel.exe
Command line: "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE"
Current directory: C:\Users\kFT6uTQW\Desktop\
Image path: c:\program files (x86)\microsoft office\office12\excel.exe
Relationships: Child_Of, Child_Of, Created, Created

Process 2
PID: 984
Name: svchost.exe
Parent PID: 452
Image name: svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService
Current directory: C:\Windows\system32\
Image path: c:\windows\system32\svchost.exe

Process 3
PID: 2620
Name: heidi.exe
Parent PID: 2352
Image name: heidi.exe
Command line: "C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe"
Current directory: C:\Users\kFT6uTQW\Desktop\
Image path: c:\users\kft6utqw\appdata\local\temp\heidi.exe
Relationships: Child_Of, Opened, Opened, Opened

Process 4
PID: 2672
Name: heidi.exe
Parent PID: 2620
Image name: heidi.exe
Command line: "C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe"
Current directory: C:\Users\kFT6uTQW\Desktop\
Image path: c:\users\kft6utqw\appdata\local\temp\heidi.exe
Relationships: Wrote_To, Deleted, Created, Moved, Created, Opened (x10), Modified_Properties_Of, Read_From, Read_From, Connected_To (x3)
File: c:\users\kft6utqw\appdata\local\temp\heidi.exe
Drive: c:\
Extension: exe
MD5: a6a97f17880e37067c822e14a75bb3af
SHA1: 1aab183abb65685af92b201a2e47ba3d9ce0856e
SHA256: b1eeec190113584579fe9376b88933d5e1871b3e8fdc86d8a490db4d044196ac
URI: http://kdotraky.com/kat/val.exe
Contains

WinRegistryKey: HKEY_CURRENT_USER\Software\Borland\Locales
WinRegistryKey: HKEY_LOCAL_MACHINE\Software\Borland\Locales
WinRegistryKey: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

File: c:\users\kft6utqw\appdata\roaming\98e541\12eef2.hdb
Drive: c:\
Extension: hdb
MD5: aced026ed487b5cbb298f9ab09e6f1c1
SHA1: 1ceff0fbc90b0f2c6fab37bcde68f2a9170a7cf8
SHA256: c22bcce160e0645d030b554a30a0671bc2b2f30b1654dcd4111d871bb9c8e6bf

File: c:\users\kft6utqw\appdata\roaming\98e541\12eef2.lck
Drive: c:\
Extension: lck

File: c:\users\kft6utqw\appdata\local\google\chrome\user data\default\login data
Drive: c:\

File: c:\users\kft6utqw\appdata\roaming\98e541\12eef2.exe
Drive: c:\
Extension: exe
MD5: a6a97f17880e37067c822e14a75bb3af
SHA1: 1aab183abb65685af92b201a2e47ba3d9ce0856e
SHA256: b1eeec190113584579fe9376b88933d5e1871b3e8fdc86d8a490db4d044196ac
Moved_To

File: c:\users\kft6utqw\appdata\local\temp\heidi.exe
Drive: c:\
Extension: exe
Moved_From
Mutex: 73EE9CC98E5412EEF2B9A336

WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography (value: MachineGuid)
WinRegistryKey: HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox (value: CurrentVersion)
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main (value: Install Directory)
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup (value: SetupPath)
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari (value: InstallDir)
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon (value: CurrentVersion)
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey (value: CurrentVersion)
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey (value: CurrentVersion)
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock (value: CurrentVersion)
WinRegistryKey: HKEY_CURRENT_USER\������Д�������ќ��Ћ���Я����Й���Й��я��

DNSRecord: kdotraky.com (port 80)
DNSRecord: ����ÅÐÐ��������Ñ���Ð����Я����Ð����Ð���Ñ��� (port 80)
URI: ����ÅÐÐ��������Ñ���Ð����Я����Ð����Ð���Ñ���

SocketAddress: 101.99.75.184:80 TCP
NetworkSocket: 101.99.75.184:80 TCP
Contains
SocketAddress: kdotraky.com:80
NetworkConnection: HTTP kdotraky.com:80
URI: kdotraky.com/temp/Panel/five/fre.php
Contains
URI: None
Analyzed Sample #21058
Malware Artifacts
Sample-ID: #21058
Job-ID: #17184
This sample was analyzed by VMRay Analyzer 2.2.0 on a Windows 7 system
0
VTI Score based on VTI Database Version 2.6

Metadata of Sample File #21058
Submission-ID: #22043
Path: C:\Users\kFT6uTQW\Desktop\QAS_031218.xls
Extension: xls
MD5: e9095deab097f17e0989cf518b0133ce
SHA1: 4d3e7af89f9afb8c5d4b0f7c3f865bb4dbacf327
SHA256: 2dc346015c02c8c9f97e75f72cf194c8a8830c7a932ba22c502fcd3841a14e56
Opened_By

Metadata of Analysis for Job-ID #17184
Timeout: False
x86 64-bit
6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)
win7_64_sp1-mso2007
True
221.291
Windows 7
This is a property collection holding additional information about the VMRay analysis
VMRay Analyzer
Network
VTI rule match with VTI rule score 4/5
vmray_download_file_by_url
Download file from "http://kdotraky.com/kat/val.exe" to "c:\users\kft6utqw\appdata\local\temp\heidi.exe".
Download file
Process
VTI rule match with VTI rule score 4/5
vmray_document_create_process
Create process "C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe".
Create process
Anti Analysis
VTI rule match with VTI rule score 4/5
vmray_detect_debugger_by_api
Check via API "NtQueryInformationProcess".
Try to detect debugger
Information Stealing
VTI rule match with VTI rule score 2/5
vmray_read_machine_guid
Read the cryptographic machine GUID from registry.
Read system data
Process
VTI rule match with VTI rule score 1/5
vmray_install_ipc_endpoint
Create mutex with name "73EE9CC98E5412EEF2B9A336".
Create system object
Browser
VTI rule match with VTI rule score 3/5
vmray_read_browser_credentials
Read saved credentials for "Google Chrome".
Read data related to saved browser credentials
Network
VTI rule match with VTI rule score 3/5
vmray_request_dns_by_name
Resolve host name "kdotraky.com".
Perform DNS request
Network
VTI rule match with VTI rule score 3/5
vmray_request_dns_by_name
Resolve host name "ÅÐÐÑÐЯÐÐÑ".
Perform DNS request