VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Spyware
Threat Names: Gen:Variant.Ursu.895492
FeeLmebq987g92.exe
Windows Exe (x86-32)
Created at 2020-06-12T15:49:00
Remarks
(0x0200000C): The maximum memory dump size was exceeded. Some dumps may be missing in the report.
PE Information
Image Base | 0x400000 |
Entry Point | 0x84cc08 |
Size Of Code | 0x8d200 |
Size Of Initialized Data | 0x151e00 |
File Type | FileType.executable |
Subsystem | Subsystem.windows_gui |
Machine Type | MachineType.i386 |
Compile Timestamp | 2020-06-02 15:41:24+00:00 |
Version Information (11)
Assembly Version | 1.0.0.0 |
Comments | Vortex Software |
CompanyName | Vortex Software |
FileDescription | Vortex Software |
FileVersion | 1.0.0.0 |
InternalName | FeeLmebq987g92.exe |
LegalCopyright | Copyright © Vortex Software 2020 |
LegalTrademarks | Vortex Software |
OriginalFilename | FeeLmebq987g92.exe |
ProductName | Vortex Software |
ProductVersion | 1.0.0.0 |
Sections (13)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x401000 | 0x8d17f | 0x8d200 | 0x400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.23 |
.rdata | 0x48f000 | 0xd27a | 0xd400 | 0x8d600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.68 |
.data | 0x49d000 | 0x20f0 | 0x600 | 0x9aa00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.34 |
.reloc | 0x4a0000 | 0x9164 | 0x9200 | 0x9b000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.8 |
(unnamed) | 0x4aa000 | 0x1395a6 | 0x53e71 | 0xa4200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 8.0 |
.imports | 0x5e4000 | 0x1000 | 0x600 | 0xf8200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.99 |
.tls | 0x5e5000 | 0x1000 | 0x200 | 0xf8800 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.18 |
.vmp0 | 0x5e6000 | 0x40000 | 0x40000 | 0xf8a00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 8.0 |
.themida | 0x626000 | 0x226000 | 0x0 | 0x0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0 |
.boot | 0x84c000 | 0xc9e00 | 0xc9e00 | 0x138a00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.95 |
.vmp1 | 0x916000 | 0x5d0 | 0x600 | 0x202800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.53 |
.reloc | 0x917000 | 0x10 | 0x200 | 0x202e00 | IMAGE_SCN_MEM_READ | 0.17 |
.rsrc | 0x918000 | 0x3ff36 | 0x40000 | 0x203000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.09 |
Imports (19)
DLL | API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|---|
kernel32.dll | GetModuleHandleA | 0x0 | 0x5e4488 | 0x1e4488 | 0xf8688 | 0x0 |
USER32.dll | GetDC | 0x0 | 0x5e4490 | 0x1e4490 | 0xf8690 | 0x0 |
GDI32.dll | DeleteObject | 0x0 | 0x5e4498 | 0x1e4498 | 0xf8698 | 0x0 |
MSVCP140.dll | ??4?$_Yarn@D@std@@QAEAAV01@PBD@Z | 0x0 | 0x5e44a0 | 0x1e44a0 | 0xf86a0 | 0x0 |
SHLWAPI.dll | PathFindExtensionW | 0x0 | 0x5e44a8 | 0x1e44a8 | 0xf86a8 | 0x0 |
gdiplus.dll | GdiplusStartup | 0x0 | 0x5e44b0 | 0x1e44b0 | 0xf86b0 | 0x0 |
WININET.dll | HttpEndRequestA | 0x0 | 0x5e44b8 | 0x1e44b8 | 0xf86b8 | 0x0 |
VCRUNTIME140.dll | _CxxThrowException | 0x0 | 0x5e44c0 | 0x1e44c0 | 0xf86c0 | 0x0 |
api-ms-win-crt-runtime-l1-1-0.dll | _configure_narrow_argv | 0x0 | 0x5e44c8 | 0x1e44c8 | 0xf86c8 | 0x0 |
api-ms-win-crt-time-l1-1-0.dll | clock | 0x0 | 0x5e44d0 | 0x1e44d0 | 0xf86d0 | 0x0 |
api-ms-win-crt-string-l1-1-0.dll | wcscspn | 0x0 | 0x5e44d8 | 0x1e44d8 | 0xf86d8 | 0x0 |
api-ms-win-crt-heap-l1-1-0.dll | _recalloc | 0x0 | 0x5e44e0 | 0x1e44e0 | 0xf86e0 | 0x0 |
api-ms-win-crt-utility-l1-1-0.dll | srand | 0x0 | 0x5e44e8 | 0x1e44e8 | 0xf86e8 | 0x0 |
api-ms-win-crt-stdio-l1-1-0.dll | fopen | 0x0 | 0x5e44f0 | 0x1e44f0 | 0xf86f0 | 0x0 |
api-ms-win-crt-multibyte-l1-1-0.dll | _mbsicmp | 0x0 | 0x5e44f8 | 0x1e44f8 | 0xf86f8 | 0x0 |
api-ms-win-crt-environment-l1-1-0.dll | getenv | 0x0 | 0x5e4500 | 0x1e4500 | 0xf8700 | 0x0 |
api-ms-win-crt-convert-l1-1-0.dll | atoi | 0x0 | 0x5e4508 | 0x1e4508 | 0xf8708 | 0x0 |
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale | 0x0 | 0x5e4510 | 0x1e4510 | 0xf8710 | 0x0 |
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr | 0x0 | 0x5e4518 | 0x1e4518 | 0xf8718 | 0x0 |
Digital Signatures (4)
Certificate: Comodo Security Solutions, Inc.
Issued by | Comodo Security Solutions, Inc. |
Parent Certificate | COMODO RSA Extended Validation Code Signing CA |
Country Name | US |
Valid From | 2018-12-04 00:00:00+00:00 |
Valid Until | 2021-12-03 23:59:59+00:00 |
Algorithm | sha256_rsa |
Serial Number | 1B 42 7B 06 0E 28 66 BF B5 86 CC 26 7E 1C 3E AA |
Thumbprint | 31 D0 19 FC 7A B6 97 D5 7D 9C 4A FB 34 0E D7 C4 D1 04 00 DF |
Certificate: COMODO RSA Extended Validation Code Signing CA
Issued by | COMODO RSA Extended Validation Code Signing CA |
Parent Certificate | COMODO RSA Certification Authority |
Country Name | GB |
Valid From | 2014-12-03 00:00:00+00:00 |
Valid Until | 2029-12-02 23:59:59+00:00 |
Algorithm | sha384_rsa |
Serial Number | 6D D4 72 EB 02 AE 04 06 E3 DD 84 3F 5F E1 45 E1 |
Thumbprint | 35 1A 78 EB C1 B4 BB 6D C3 66 72 8D 33 42 31 AB A9 AE 3E A7 |
Certificate: COMODO RSA Certification Authority
Issued by | COMODO RSA Certification Authority |
Parent Certificate | AddTrust External CA Root |
Country Name | GB |
Valid From | 2000-05-30 10:48:38+00:00 |
Valid Until | 2020-05-30 10:48:38+00:00 |
Algorithm | sha384_rsa |
Serial Number | 27 66 EE 56 EB 49 F3 8E AB D7 70 A2 FC 84 DE 22 |
Thumbprint | F5 AD 0B CC 1A D5 6C D1 50 72 5B 1C 86 6C 30 AD 92 EF 21 B0 |
Certificate: AddTrust External CA Root
Issued by | AddTrust External CA Root |
Country Name | SE |
Valid From | 2013-08-15 20:26:30+00:00 |
Valid Until | 2023-08-15 20:36:30+00:00 |
Algorithm | sha1_rsa |
Serial Number | 33 00 00 00 35 D8 D5 59 5B 06 71 41 2B 00 00 00 00 00 35 |
Thumbprint | A7 5A C6 57 AA 7A 4C DF E5 F9 DE 39 3E 69 EF CA B6 59 D2 50 |
Memory Dumps (19)
Name | Process ID | Start VA | End VA | Dump Reason | Bitness | Entry Point |
---|---|---|---|---|---|---|
feelmebq987g92.exe | 1 | 0x00830000 | 0x00D87FFF | First Execution | 32-bit | 0x00C7CC08 |
feelmebq987g92.exe | 1 | 0x00830000 | 0x00D87FFF | Content Changed | 32-bit | 0x00AA51E4 |
feelmebq987g92.exe | 1 | 0x00830000 | 0x00D87FFF | Content Changed | 32-bit | 0x00AA51E4 |
feelmebq987g92.exe | 1 | 0x00830000 | 0x00D87FFF | Content Changed | 32-bit | 0x00AA6DDC |
feelmebq987g92.exe | 1 | 0x00830000 | 0x00D87FFF | Content Changed | 32-bit | 0x00AA51E4 |
feelmebq987g92.exe | 1 | 0x00830000 | 0x00D87FFF | Content Changed | 32-bit | 0x00AB51B4 |
feelmebq987g92.exe | 1 | 0x00830000 | 0x00D87FFF | Content Changed | 32-bit | 0x00BF3959 |
feelmebq987g92.exe | 1 | 0x00830000 | 0x00D87FFF | Content Changed | 32-bit | 0x00B5833D |
ntdll.dll | 1 | 0x77970000 | 0x77AFDFFF | First Execution | 32-bit | 0x779E2070 |
feelmebq987g92.exe | 1 | 0x00830000 | 0x00D87FFF | Content Changed | 32-bit | 0x00B5208D |
feelmebq987g92.exe | 1 | 0x00830000 | 0x00D87FFF | Content Changed | 32-bit | 0x00AB2EED |
feelmebq987g92.exe | 1 | 0x00830000 | 0x00D87FFF | Content Changed | 32-bit | 0x00AAF42E |
feelmebq987g92.exe | 1 | 0x00830000 | 0x00D87FFF | Content Changed | 32-bit | 0x00AB7304 |
feelmebq987g92.exe | 1 | 0x00830000 | 0x00D87FFF | Content Changed | 32-bit | 0x00AC83C6 |
feelmebq987g92.exe | 1 | 0x00830000 | 0x00D87FFF | Content Changed | 32-bit | 0x00AA51E4 |
feelmebq987g92.exe | 1 | 0x00830000 | 0x00D87FFF | Content Changed | 32-bit | 0x00AB7304 |
feelmebq987g92.exe | 1 | 0x00830000 | 0x00D87FFF | Content Changed | 32-bit | 0x00AC8B92 |
feelmebq987g92.exe | 1 | 0x00830000 | 0x00D87FFF | Content Changed | 32-bit | 0x00AA6BF2 |
feelmebq987g92.exe | 1 | 0x00830000 | 0x00D87FFF | Content Changed | 32-bit | 0x00AA51E4 |
Local AV Matches (1)
Threat Name | Severity |
---|---|
Gen:Variant.Ursu.895492 | Malicious |
Files
Filename | Category | Type | Severity |
---|---|---|---|
C:\Users\FD1HVy\AppData\Local\Temp\OQSIDRQUQRHQSPKEYKPY\VLECKIRDYJ.XSEDUSIPO | Dropped File | Sqlite | Whitelisted |
c:\users\fd1hvy\appdata\local\microsoft\windows\inetcache\counters2.dat | Modified File | Stream | Unknown |
C:\Users\FD1HVy\AppData\Local\Temp\OQSIDRQUQRHQSPKEYKPY\VLECKIRDYJ.XSEDUSIPO | Dropped File | Sqlite | Unknown |
C:\Users\FD1HVy\AppData\Local\Temp\OQSIDRQUQRHQSPKEYKPY\VLECKIRDYJ.XSEDUSIPO | Dropped File | Sqlite | Unknown |
C:\Users\FD1HVy\AppData\Local\Temp\OQSIDRQUQRHQSPKEYKPY\VLECKIRDYJ.XSEDUSIPO | Dropped File | Sqlite | Unknown |
C:\Users\FD1HVy\AppData\Local\Temp\OQSIDRQUQRHQSPKEYKPY\MBPYOSOUSCHFUBMYIQE.DONGRRSRLTUTWRHX | Dropped File | Image | Unknown |
C:\Users\FD1HVy\AppData\Local\Temp\OQSIDRQUQRHQSPKEYKPY\TQTWTFWFSLNNKWQERGTK.IQTQ | Dropped File | Text | Unknown |