9942fa46...7e48 | Files
VTI SCORE: 100/100
Dynamic Analysis Report
Classification:
Trojan
Threat Names:
Trojan.GenericKD.32910233
Gen:Variant.Razy.577567
Win32.Trojan.Neb
Sample
Filename C:\Users\FD1HVy\Desktop\PASHKA.exe
Category Sample File
Type Binary
Severity Malicious
Mime Type application/vnd.microsoft.portable-executable
File Size 72.50 KB
MD5 1d051a0f5165c47c90baa60c66cd8dc9
SHA1 1e776e848abfcc4e7dd2221a6c6128c1649cc3e8
SHA256 9942fa46a96baad6479248bf0a7874a0b03afe35577527524dc10fcbd01e7e48
SSDeep 1536:2YlhZ0zbT9LvCaU4eWkdSwXof3k0oV+18YwK+RjQar8xZLBn2:2YlhZq9LvCaEbM3k0oVY/+Oac9B
ImpHash 86d17ca0ebe9a8a04650618f7cf850e1
File Reputation Information
Severity
Blacklisted
First Seen 2020-01-05 17:02 (UTC+1)
Last Seen 2020-01-06 18:21 (UTC+1)
Names Win32.Trojan.Neb
Families Neb
Classification Trojan
PE Information
Image Base 0x400000
Entry Point 0x403e23
Size Of Code 0x3a00
Size Of Initialized Data 0xe400
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2020-01-04 21:04:59+00:00
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x39d4 0x3a00 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.38
.rdata 0x405000 0x1632 0x1800 0x3e00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.69
.data 0x407000 0x410 0x200 0x5600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 1.88
.rsrc 0x408000 0xc450 0xc600 0x5800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 7.99
.reloc 0x415000 0x34c 0x400 0x11e00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 5.85
Imports (13)
KERNEL32.dll (37)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SizeofResource 0x0 0x405008 0x5cc8 0x4ac8 0x57c
VirtualProtect 0x0 0x40500c 0x5ccc 0x4acc 0x5cc
VirtualFree 0x0 0x405010 0x5cd0 0x4ad0 0x5c9
GetCurrentProcess 0x0 0x405014 0x5cd4 0x4ad4 0x217
VirtualAlloc 0x0 0x405018 0x5cd8 0x4ad8 0x5c6
FindResourceA 0x0 0x40501c 0x5cdc 0x4adc 0x193
CreateMutexA 0x0 0x405020 0x5ce0 0x4ae0 0xd7
GetModuleHandleA 0x0 0x405024 0x5ce4 0x4ae4 0x275
CopyFileA 0x0 0x405028 0x5ce8 0x4ae8 0xa8
OpenMutexA 0x0 0x40502c 0x5cec 0x4aec 0x408
CreateFileA 0x0 0x405030 0x5cf0 0x4af0 0xc3
LoadLibraryA 0x0 0x405034 0x5cf4 0x4af4 0x3c1
GetModuleFileNameA 0x0 0x405038 0x5cf8 0x4af8 0x273
CloseHandle 0x0 0x40503c 0x5cfc 0x4afc 0x86
K32GetModuleInformation 0x0 0x405040 0x5d00 0x4b00 0x3a4
LoadResource 0x0 0x405044 0x5d04 0x4b04 0x3c7
GetProcAddress 0x0 0x405048 0x5d08 0x4b08 0x2ae
VirtualAllocEx 0x0 0x40504c 0x5d0c 0x4b0c 0x5c7
CreateFileMappingA 0x0 0x405050 0x5d10 0x4b10 0xc4
ExitProcess 0x0 0x405054 0x5d14 0x4b14 0x15e
CreateProcessW 0x0 0x405058 0x5d18 0x4b18 0xe5
FreeLibrary 0x0 0x40505c 0x5d1c 0x4b1c 0x1ab
CreateProcessA 0x0 0x405060 0x5d20 0x4b20 0xe0
MapViewOfFile 0x0 0x405064 0x5d24 0x4b24 0x3de
SetUnhandledExceptionFilter 0x0 0x405068 0x5d28 0x4b28 0x56d
LockResource 0x0 0x40506c 0x5d2c 0x4b2c 0x3db
TerminateProcess 0x0 0x405070 0x5d30 0x4b30 0x58c
IsProcessorFeaturePresent 0x0 0x405074 0x5d34 0x4b34 0x386
QueryPerformanceCounter 0x0 0x405078 0x5d38 0x4b38 0x44d
GetCurrentProcessId 0x0 0x40507c 0x5d3c 0x4b3c 0x218
GetCurrentThreadId 0x0 0x405080 0x5d40 0x4b40 0x21c
GetModuleHandleW 0x0 0x405084 0x5d44 0x4b44 0x278
GetStartupInfoW 0x0 0x405088 0x5d48 0x4b48 0x2d0
IsDebuggerPresent 0x0 0x40508c 0x5d4c 0x4b4c 0x37f
InitializeSListHead 0x0 0x405090 0x5d50 0x4b50 0x363
GetSystemTimeAsFileTime 0x0 0x405094 0x5d54 0x4b54 0x2e9
UnhandledExceptionFilter 0x0 0x405098 0x5d58 0x4b58 0x5ad
ADVAPI32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetUserNameA 0x0 0x405000 0x5cc0 0x4ac0 0x17a
MSVCP140.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
?_Xout_of_range@std@@YAXPBD@Z 0x0 0x4050a0 0x5d60 0x4b60 0x28f
?_Xlength_error@std@@YAXPBD@Z 0x0 0x4050a4 0x5d64 0x4b64 0x28e
ntdll.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
NtTerminateProcess 0x0 0x405174 0x5e34 0x4c34 0x272
NtWriteVirtualMemory 0x0 0x405178 0x5e38 0x4c38 0x293
NtSetContextThread 0x0 0x40517c 0x5e3c 0x4c3c 0x235
NtClose 0x0 0x405180 0x5e40 0x4c40 0x100
NtReadVirtualMemory 0x0 0x405184 0x5e44 0x4c44 0x20a
NtGetContextThread 0x0 0x405188 0x5e48 0x4c48 0x16d
NtResumeThread 0x0 0x40518c 0x5e4c 0x4c4c 0x225
VCRUNTIME140.dll (10)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_except_handler4_common 0x0 0x4050ac 0x5d6c 0x4b6c 0x35
__current_exception 0x0 0x4050b0 0x5d70 0x4b70 0x1c
__current_exception_context 0x0 0x4050b4 0x5d74 0x4b74 0x1d
__std_exception_copy 0x0 0x4050b8 0x5d78 0x4b78 0x21
memset 0x0 0x4050bc 0x5d7c 0x4b7c 0x48
memcpy 0x0 0x4050c0 0x5d80 0x4b80 0x46
__CxxFrameHandler3 0x0 0x4050c4 0x5d84 0x4b84 0x10
__std_exception_destroy 0x0 0x4050c8 0x5d88 0x4b88 0x22
_CxxThrowException 0x0 0x4050cc 0x5d8c 0x4b8c 0x1
memmove 0x0 0x4050d0 0x5d90 0x4b90 0x47
api-ms-win-crt-utility-l1-1-0.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
srand 0x0 0x405168 0x5e28 0x4c28 0x1d
rand 0x0 0x40516c 0x5e2c 0x4c2c 0x1b
api-ms-win-crt-heap-l1-1-0.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_set_new_mode 0x0 0x4050d8 0x5d98 0x4b98 0x16
_callnewh 0x0 0x4050dc 0x5d9c 0x4b9c 0x8
malloc 0x0 0x4050e0 0x5da0 0x4ba0 0x19
free 0x0 0x4050e4 0x5da4 0x4ba4 0x18
api-ms-win-crt-string-l1-1-0.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
wcscpy_s 0x0 0x405158 0x5e18 0x4c18 0xa1
api-ms-win-crt-stdio-l1-1-0.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
__stdio_common_vsprintf 0x0 0x405148 0x5e08 0x4c08 0xd
_set_fmode 0x0 0x40514c 0x5e0c 0x4c0c 0x54
__p__commode 0x0 0x405150 0x5e10 0x4c10 0x1
api-ms-win-crt-time-l1-1-0.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_time64 0x0 0x405160 0x5e20 0x4c20 0x30
api-ms-win-crt-runtime-l1-1-0.dll (18)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_initterm 0x0 0x4050fc 0x5dbc 0x4bbc 0x38
_initterm_e 0x0 0x405100 0x5dc0 0x4bc0 0x39
exit 0x0 0x405104 0x5dc4 0x4bc4 0x58
_exit 0x0 0x405108 0x5dc8 0x4bc8 0x25
_get_wide_winmain_command_line 0x0 0x40510c 0x5dcc 0x4bcc 0x31
_cexit 0x0 0x405110 0x5dd0 0x4bd0 0x17
_initialize_wide_environment 0x0 0x405114 0x5dd4 0x4bd4 0x37
_register_thread_local_exe_atexit_callback 0x0 0x405118 0x5dd8 0x4bd8 0x3f
_configure_wide_argv 0x0 0x40511c 0x5ddc 0x4bdc 0x1a
_set_app_type 0x0 0x405120 0x5de0 0x4be0 0x44
_seh_filter_exe 0x0 0x405124 0x5de4 0x4be4 0x42
_initialize_onexit_table 0x0 0x405128 0x5de8 0x4be8 0x36
_register_onexit_function 0x0 0x40512c 0x5dec 0x4bec 0x3e
_crt_atexit 0x0 0x405130 0x5df0 0x4bf0 0x1f
_controlfp_s 0x0 0x405134 0x5df4 0x4bf4 0x1d
terminate 0x0 0x405138 0x5df8 0x4bf8 0x6a
_invalid_parameter_noinfo_noreturn 0x0 0x40513c 0x5dfc 0x4bfc 0x3b
_c_exit 0x0 0x405140 0x5e00 0x4c00 0x16
api-ms-win-crt-math-l1-1-0.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
__setusermatherr 0x0 0x4050f4 0x5db4 0x4bb4 0x2e
api-ms-win-crt-locale-l1-1-0.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_configthreadlocale 0x0 0x4050ec 0x5dac 0x4bac 0x8
Memory Dumps (9)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA Actions
pashka.exe 1 0x00E30000 0x00E45FFF Relevant Image True 32-bit 0x00E31000 False False
ntdll.dll 1 0x77390000 0x7751DFFF First Execution True 32-bit 0x77402BA0 False False
kernel32.dll 1 0x74030000 0x740FFFFF First Execution True 32-bit 0x74046A30 False False
kernelbase.dll 1 0x77180000 0x77341FFF Content Changed True 32-bit - False False
sechost.dll 1 0x73F20000 0x73F60FFF Content Changed True 32-bit - False False
advapi32.dll 1 0x745C0000 0x74636FFF First Execution True 32-bit 0x745E2180 False False
amsi.dll 1 0x73C60000 0x73C6CFFF Content Changed True 32-bit - False False
pashka.exe 1 0x00E30000 0x00E45FFF Final Dump True 32-bit - True False
pashka.exe 1 0x00E30000 0x00E45FFF Process Termination True 32-bit - True False
Local AV Matches (1)
Threat Name Severity
Trojan.GenericKD.32910233 Malicious
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided. The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.