6d365f79...9487

VTI SCORE: 100/100

Target:

win7_64_sp1 | windows_script_file

Classification:

Trojan, Dropper

6d365f7901cd47dd0f1169c656d2e442ffabbc3197f0a6d056aee9471e9d9487 (SHA256)

Scan92933944.js

JScript

Created at 2018-05-23 13:36:00

Severity	Category	Operation	Classification
5/5	Injection	Writes into the memory of a process running from a created or modified executable	-
"c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe" modifies memory of "c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe" ... VTI Actions Go to Function Call
5/5	YARA	YARA match	-
Detected IOCs of backdoor Adzok: Rule "RAT_Nanocore" from ruleset "RATs" has matched for "\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe" ... VTI Actions Go to YARA Match
4/5	Process	Reads from memory of another process	-
"c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe" reads from "C:\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe". ... VTI Actions Go to Function Call
4/5	Persistence	Installs system startup script or application	-
Adds "C:\Program Files (x86)\IMAP Service\imapsv.exe" to Windows startup via registry. ... VTI Actions Go to Function Call
4/5	File System	Associated with malicious files	Trojan
File "c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe" is a known malicious file. ... VTI Actions Go to File Details Go to Function Call
4/5	PE	Executes dropped PE file	-
Executes dropped file "c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe". ... VTI Actions Go to File Details Go to Function Call
2/5	Information Stealing	Reads system data	-
Reads the cryptographic machine GUID from registry. ... VTI Actions Go to Function Call
2/5	PE	Drops PE file	Dropper
Drops file "c:\users\5p5nrg~1\appdata\local\temp\hsbftstclaogdeeotf.exe". ... VTI Actions Go to File Details Go to Function Call
1/5	Process	Creates system object	-
Creates nameless mutex. ... VTI Actions Go to Function Call
Creates mutex with name "Global\{70e0240c-77de-4f81-ac5c-cb838d2319d3}". ... VTI Actions Go to Function Call
Creates mutex with name "Global\.net clr networking". ... VTI Actions Go to Function Call
1/5	PE	The PE file was created with a packer	-
File "\Users\5P5NRG~1\AppData\Local\Temp\hSbFTsTClaogdEEotf.exe" is packed with "Armadillo v1.71". ... VTI Actions

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

Before

After