Malicious
Classifications

Spyware Injector

Threat Names

FormBook Mal/Generic-S Gen:Variant.Razy.679962

Remarks (2/2)

(0x0200000E): The overall sleep time of all monitored processes was truncated from "8 hours, 16 minutes, 24 seconds" to "8 seconds" to reveal dormant functionality.

(0x02000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

Remarks

(0x0200004A): 4 dumps were skipped because they exceeded the maximum dump size of 7 MB. The largest one was 27 MB.

File Name Category Type Verdict
C:\Users\kEecfMwgj\Desktop\cc.exe Sample File Binary malicious
Also Known As c:\users\keecfmwgj\appdata\local\temp\cmrkpgp\winzvg4hxq8.exe (Dropped File)
c:\program files (x86)\cmrkpgp\winzvg4hxq8.exe (Dropped File)
MIME Type application/vnd.microsoft.portable-executable
File Size 1.00 MB
MD5 4c70d5b1c63a468f7e0aedf64f93ca42
SHA1 c248ab00560786b7be23151597d9503a2e84602f
SHA256 83242a0f42be34e66e502e4a3a45d2470f3b24aef8a1d8484711f4439d7fe74a
SSDeep 3072:EWrIy8kmoEBZBB2lrEtC1JZdDFs3sb5fkaLZ2sf2h8yezeci6x46xXX07/Bg9s9L:N/ZzLfkuS8yADi6vxU7/w8+PsFT8lw
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
File Reputation Information
Verdict
malicious
Names Mal/Generic-S
PE Information
Image Base 0x400000
Entry Point 0x4395ce
Size Of Code 0x37600
Size Of Initialized Data 0x10e00
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2021-09-24 23:26:05+00:00
Version Information (6)
CompanyName km
FileVersion 7, 0, 9, 0
FileDescription -
LegalCopyright roIhml
ProductName oj
ProductVersion 7, 0, 9, 0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x402000 0x375d4 0x37600 0x200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 7.77
.rsrc 0x43a000 0x10b38 0x10c00 0x37800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.01
.reloc 0x44c000 0xc 0x200 0x48400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.1
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain - 0x402000 0x395a0 0x377a0 0x0
Memory Dumps (9)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA Actions
cc.exe 1 0x013D0000 0x0141DFFF Relevant Image False 32-bit 0x013D7C80 False True
buffer 2 0x00060000 0x00088FFF First Execution False 32-bit 0x0007D460 True False
cc.exe 2 0x013D0000 0x0141DFFF Relevant Image False 32-bit - False True
buffer 2 0x001B0000 0x001C0FFF First Execution False 32-bit 0x001B0000 False False
buffer 2 0x00D00000 0x00E97FFF Marked Executable False 32-bit - False False
buffer 2 0x00060000 0x00088FFF Content Changed False 32-bit 0x0007813B True False
buffer 2 0x00020000 0x0002DFFF Image In Buffer False 32-bit - False False
buffer 2 0x00100000 0x00128FFF Marked Executable False 32-bit - False False
buffer 2 0x00130000 0x00140FFF Marked Executable False 32-bit - False False
YARA Matches (3)
Rule Name Rule Description Classification Score
MultipleNetObfuscatorAttributes .NET file contains multiple obfuscator attributes - 2/5
BabelObfuscatorAttributes Babel Obfuscator Attributes - 1/5
YanoObfuscatorAttributes Yano Obfuscator Attributes - 1/5
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.