Malicious
Classifications
Spyware Injector
Threat Names
FormBook Mal/Generic-S Gen:Variant.Razy.679962
Dynamic Analysis Report
Created on 2021-09-28T08:19:00
cc.exe
Windows Exe (x86-32)
Remarks (2/2)
(0x0200000E): The overall sleep time of all monitored processes was truncated from "8 hours, 16 minutes, 24 seconds" to "8 seconds" to reveal dormant functionality.
Remarks
(0x0200004A): 4 dumps were skipped because they exceeded the maximum dump size of 7 MB. The largest one was 27 MB.
This is a filtered view
This list contains only the embedded files, downloaded files, and dropped files
Filters: |
There are no files for this filter
There are no files in this analysis
File Name | Category | Type | Verdict | Actions |
---|
File Reputation Information
»
Verdict |
malicious
|
Names | Mal/Generic-S |
PE Information
»
Image Base | 0x400000 |
Entry Point | 0x4395ce |
Size Of Code | 0x37600 |
Size Of Initialized Data | 0x10e00 |
File Type | FileType.executable |
Subsystem | Subsystem.windows_gui |
Machine Type | MachineType.i386 |
Compile Timestamp | 2021-09-24 23:26:05+00:00 |
Version Information (6)
»
CompanyName | km |
FileVersion | 7, 0, 9, 0 |
FileDescription | - |
LegalCopyright | roIhml |
ProductName | oj |
ProductVersion | 7, 0, 9, 0 |
Sections (3)
»
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x402000 | 0x375d4 | 0x37600 | 0x200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.77 |
.rsrc | 0x43a000 | 0x10b38 | 0x10c00 | 0x37800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.01 |
.reloc | 0x44c000 | 0xc | 0x200 | 0x48400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1 |
Imports (1)
»
mscoree.dll (1)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | - | 0x402000 | 0x395a0 | 0x377a0 | 0x0 |
Memory Dumps (9)
»
Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | AV | YARA | Actions |
---|---|---|---|---|---|---|---|---|---|---|
cc.exe | 1 | 0x013D0000 | 0x0141DFFF | Relevant Image | 32-bit | 0x013D7C80 |
...
|
|||
buffer | 2 | 0x00060000 | 0x00088FFF | First Execution | 32-bit | 0x0007D460 |
...
|
|||
cc.exe | 2 | 0x013D0000 | 0x0141DFFF | Relevant Image | 32-bit | - |
...
|
|||
buffer | 2 | 0x001B0000 | 0x001C0FFF | First Execution | 32-bit | 0x001B0000 |
...
|
|||
buffer | 2 | 0x00D00000 | 0x00E97FFF | Marked Executable | 32-bit | - |
...
|
|||
buffer | 2 | 0x00060000 | 0x00088FFF | Content Changed | 32-bit | 0x0007813B |
...
|
|||
buffer | 2 | 0x00020000 | 0x0002DFFF | Image In Buffer | 32-bit | - |
...
|
|||
buffer | 2 | 0x00100000 | 0x00128FFF | Marked Executable | 32-bit | - |
...
|
|||
buffer | 2 | 0x00130000 | 0x00140FFF | Marked Executable | 32-bit | - |
...
|
YARA Matches (3)
»
Rule Name | Rule Description | Classification | Score | Actions |
---|---|---|---|---|
MultipleNetObfuscatorAttributes | .NET file contains multiple obfuscator attributes | - |
2/5
|
...
|
BabelObfuscatorAttributes | Babel Obfuscator Attributes | - |
1/5
|
...
|
YanoObfuscatorAttributes | Yano Obfuscator Attributes | - |
1/5
|
...
|