Verdict Malicious

Classifications Downloader

Threat Names Mal/Generic-S, Mal/HTMLGen-A, VBS.Heur.Nyx.1.6E86CAD5.Gen, Trojan.VBS.Agent.BMC

Dynamic Analysis Report

Created on 2021-09-28T11:25:00

7b5572ae246bcd3f6ee0375e1e7a8c8d4287dae4ca1803d72ae427d8ecc93a32.rtf

RTF Document
File Name C:\Users\kEecfMwgj\Desktop\7b5572ae246bcd3f6ee0375e1e7a8c8d4287dae4ca1803d72ae427d8ecc93a32.rtf
Category Sample File
Type RTF
Verdict malicious
Also Known As c:\users\keecfmwgj\desktop\~wrl0001.tmp (Dropped File)
MIME Type text/rtf
File Size 535.81 KB
MD5 84c45c2b0e94b8d1d064e739150ba84c
SHA1 f6a98ac4e50a89495626b5eaebb85d1116554faa
SHA256 7b5572ae246bcd3f6ee0375e1e7a8c8d4287dae4ca1803d72ae427d8ecc93a32
SSDeep 12288:z////////////////////////////////////CAggMdzFHRsU0:evRsU0
ImpHash -
Parser Error Remark The static engine was unable to completely parse the analyzed file.
AV Matches (1)
Threat Name VBS.Heur.Nyx.1.6E86CAD5.Gen
Verdict malicious
Office Information
Controls (2)
CLSID Control Name Associated Vulnerability
{00000300-0000-0000-C000-000000000046} OleLink CVE-2017-0199, CVE-2017-8570, CVE-2017-8759, CVE-2018-8174
{00000308-0000-0000-C000-000000000046} PackagerMoniker EmbeddedFile
File Name c:\users\keecfmwgj\desktop\~wrd0000.tmp
Category Dropped File
Type RTF
Verdict malicious
Also Known As c:\users\keecfmwgj\desktop\7b5572ae246bcd3f6ee0375e1e7a8c8d4287dae4ca1803d72ae427d8ecc93a32.rtf (Dropped File)
MIME Type text/rtf
File Size 393.60 KB
MD5 d76b7db5c1432b2d9315fd2d94c273f1
SHA1 7cfa00cb83f5216a3115b3eebbfa1c96e19486b7
SHA256 7cc901ac4336504f4c3789ccdcfbd8aef984ded60c89648bf4f372ed8a80c98a
SSDeep 1536:3lRUlyzlxjYHvI47u1IJDZIzPds9viYCofJ:30lBxBiYCoh
ImpHash -
AV Matches (2)
Threat Name VBS.Heur.Nyx.1.6E86CAD5.Gen
Verdict malicious
Threat Name VBS.Heur.Nyx.1.6E86CAD5.Gen
Verdict malicious
Office Information
Revision 2
Create Time 2021-09-28 13:26:00+00:00
Modify Time 2021-09-28 13:28:00+00:00
App Version 85
Editing Time 2.0
Page Count 2
Word Count 42
Character Count 242
Chars With Spaces 283
Operator kEecfMwgj
Controls (2)
CLSID Control Name Associated Vulnerability
{00000300-0000-0000-C000-000000000046} OleLink CVE-2017-0199, CVE-2017-8570, CVE-2017-8759, CVE-2018-8174
{0003000C-0000-0000-C000-000000000046} Package EmbeddedFile
Document Content
Microsoft Office does not work in email Preview.
Please download the document and click Enable Editing when opening.
File Name C:\Users\kEecfMwgj\AppData\Roaming\doc.exe
Category Downloaded File
Type Binary
Verdict malicious
Also Known As c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\doc[1].exe (Downloaded File)
Also Known As C:\Users\kEecfMwgj\AppData\Roaming\maBdogbw.exe (Downloaded File)
Parent File analysis.pcap
MIME Type application/vnd.microsoft.portable-executable
File Size 622.50 KB
MD5 d8bc91e846e3d624814d4557681f33ad
SHA1 873f451438efce56d2bce9dd9b44beefb2c6a28b
SHA256 30fab10aa23c7dbb0b66b3b0491582f2bb6930e7bce11a078c3093ae4b40dc7e
SSDeep 12288:JA9Ni+hBr7IUA4S8vxou4AqcUkhPXuFJ:i9Ni+hBr8UAcZtIQXQ
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
File Reputation Information
Verdict malicious
Names Mal/Generic-S
PE Information
Image Base 0x400000
Entry Point 0x4726f2
Size Of Code 0x70800
Size Of Initialized Data 0x2b000
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2021-09-28 06:16:14+00:00
Version Information (11)
Comments -
CompanyName Paradoxlost
FileDescription Paradoxlost WinForms Theme Engine
FileVersion 1.1.0.0
InternalName InternalAssemblyBuild.exe
LegalCopyright Copyright © 2016
LegalTrademarks -
OriginalFilename InternalAssemblyBuild.exe
ProductName Paradoxlost UX
ProductVersion 1.1.0
Assembly Version 1.0.0.0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x402000 0x706f8 0x70800 0x200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 7.02
.rsrc 0x474000 0x2ad20 0x2ae00 0x70a00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.59
.reloc 0x4a0000 0xc 0x200 0x9b800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.1
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain - 0x402000 0x726c8 0x708c8 0x0
File Name abdtfhghgeghDh.ScT
Category Embedded File
Type Text
Verdict malicious
Also Known As abdtfhgxgeghdh.sct (Embedded File)
Parent File c:\users\keecfmwgj\desktop\~wrd0000.tmp
MIME Type text/x-wsf
File Size 167.39 KB
MD5 8e17238688d177980df980776169fcf2
SHA1 c43a0581ddd877cdc5d066067a7489497db8b282
SHA256 3b3e99d32e8913d3bdc94907f3fc39d08a8396b9aa15d982b55024327f598b92
SSDeep 384:pAayMzzacasapa2hb04gQmU38Nl6UnRJbtqEEE6oEaE35n0:2azzacasapa2G4gQ538Nl6Un7ZFPW1p0
ImpHash -
AV Matches (1)
Threat Name VBS.Heur.Nyx.1.6E86CAD5.Gen
Verdict malicious
File Name C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Category Modified File
Type Stream
Verdict clean
MIME Type application/octet-stream
File Size 13.51 KB
MD5 d4c3758e783e84a32506012d68b83499
SHA1 0b68aac758ab4056590208ab2ac59155b4854abd
SHA256 cd5af7ad412ac22e95345129207ede77e3352bedcce19b870051579ef26add7b
SSDeep 384:tSa5q/4HWrxVIp3jZu3dVvjFUpEA4kjh4iUx6:wa5q/4HWrxVIp3jc3dVvjFUpEAhh4iUA
ImpHash -
File Name c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internet files\content.word\~wrs{585e37b0-76b3-4e28-85d2-c19844bc5f60}.tmp
Category Dropped File
Type Stream
Verdict clean
MIME Type application/octet-stream
File Size 45.55 KB
MD5 b87d691f7ee6023da0eef67dbe09faf5
SHA1 ed3e55f3a0e77e55a8e865119e5f8d7e401bc09b
SHA256 df4b879010d6b7c2126e8993328ea642983061fbc5f264e0aa0971eb695fe586
SSDeep 768:4F/3ViFs0Dqeb4Zep84JtueJvCI19rIwzWSgUg4P586:WFia0Dqeb0nstw29rVzWSgm586
ImpHash -
File Name c:\users\keecfmwgj\appdata\local\microsoft\office\otele\{d60d99f1-3a70-4d9d-bd27-d5d18917048f} (0) - 3392 - winword.exe - otele.dat
Category Dropped File
Type Stream
Verdict clean
MIME Type application/octet-stream
File Size 339 Bytes
MD5 c7e61982aaea53ad652f2183bb68dd53
SHA1 3be2cb690df8f711d8d2670d2fc37ebb263743e7
SHA256 c20b7fa4b6e27ce20c20654df94ca60d34023abe6d4f6390f25fcaf1f4ca653d
SSDeep 6:An9vV+nH4/lt/T6/Bha9/JUwTtZazutKsBse/Kmtlt6/:i+Y/TTMg9Fh3tKsvia36/
ImpHash -
File Name C:\Users\kEecfMwgj\AppData\Local\Temp\tmp6692.tmp
Category Dropped File
Type Text
Verdict clean
Also Known As C:\Users\kEecfMwgj\AppData\Local\Temp\tmp6BEF.tmp (Dropped File)
MIME Type text/xml
File Size 1.60 KB
MD5 1c21bb53557eab37e19d64428d2cbd4c
SHA1 f0c5afcf94d19bab02c3bcd5226e04bad3aa4dc5
SHA256 4379f7709d784376e742037386f5f9148d9dc3d5762ddc4cca5439ee010b5740
SSDeep 24:2dH4+SEqCD5v7qNlNMFy5/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBCtn:cbhD17qNlNQy5/rydbz9I3YODOLNdq3S
ImpHash -
File Name olelink_2
Category Embedded File
Type Unknown
Verdict clean
Parent File C:\Users\kEecfMwgj\Desktop\7b5572ae246bcd3f6ee0375e1e7a8c8d4287dae4ca1803d72ae427d8ecc93a32.rtf
MIME Type application/CDFV2
File Size 2.50 KB
MD5 f50e885e63680011dcf1fd498ffaf2f2
SHA1 9852cba7fb91a8d14deea1873eae8f7d4073e945
SHA256 f2d352e6c698a4196eae9664f328deda2eb5299ee91338a3560971da2fbf92af
SSDeep 6:j1bxc+CF2DqbXbEGR1/CX22qQ0CNP//UA4EH3FvmyG81Gju:pbaF2uLbEY/iL0Sn/yEHVvt1u
ImpHash -
File Name unknown_3
Category Embedded File
Type Stream
Verdict clean
Parent File C:\Users\kEecfMwgj\Desktop\7b5572ae246bcd3f6ee0375e1e7a8c8d4287dae4ca1803d72ae427d8ecc93a32.rtf
MIME Type application/octet-stream
File Size 12.01 KB
MD5 220e3812fb0d543e46083390eb4acdaa
SHA1 16e27da8e622e2f8dfe2047204dd70c0dc055bd7
SHA256 44deae4627fee3c44f54d5bd10477ec2e17f4c08135f08e2417832e36d10d037
SSDeep 96:MD3E3lKKtEQCFWsZxA0pnkK0jOGO0UJWr:kEVKKtewGhxxmLr
ImpHash -
File Name olelink_1
Category Embedded File
Type OLE Compound
Verdict clean
Parent File c:\users\keecfmwgj\desktop\~wrd0000.tmp
MIME Type application/CDFV2
File Size 5.50 KB
MD5 217246a18b89a73d3e0dce329667beae
SHA1 19c16f3b91af591096a4141f28b9ee9f747eaf49
SHA256 531752507bb3431e4c37d5942ae4f1f8d61f53bd40fc5f0256bf96a440545f4f
SSDeep 48:ranHmw8bwZC/snl2DHNmpHRc4jcnH9l0Y4zO7nl:mm3bZ/ht0xljcH9lI
ImpHash -
Office Information
Controls (1)
CLSID Control Name Associated Vulnerability
{00000300-0000-0000-C000-000000000046} OleLink CVE-2017-0199, CVE-2017-8570, CVE-2017-8759, CVE-2018-8174
CFB Streams (4)
Name ID Size
Root\OlE 1 2.08 KB
Root\CompObj 2 74 Bytes
Root\ObjInfo 3 10 Bytes
Root\LinkInfo 4 306 Bytes