b365a249...0b07 | Files
VTI SCORE: 98/100
Dynamic Analysis Report
Classification: Hacktool, Trojan, Dropper, Pua, Downloader

b365a249a15ceeaee2e054f7112bf83683e6ada258f90da71762c992797b0b07 (SHA256)

resultado-623472740.PDF.lnk

Windows Batch File (Shell Link)

Created at 2018-10-22 05:25:00

Notifications (1/1)

The overall sleep time of all monitored processes was truncated from "36 minutes, 30 seconds" to "6 minutes, 10 seconds" to reveal dormant functionality.

Filters:
Filename Category Type Severity
c:\programdata\tempa\marxvxinhhm98.dll Created File Binary Blacklisted
Mime Type application/x-dosexec
File Size 319.00 KB
MD5 320859640b9d422dca92088607ac7fa2
SHA1 055b1b49a3558d269fdb8a62607cb9290cbb4d1b
SHA256 506130cdf68cecfcb204c610fbb9d6e2efa32a377aea7f7e228cc97eee2abd7b
SSDeep 6144:PllYWJpb6ftWdApn8pcEWs8N7JPSyQx0bTjss9UY+:PAWJB6FWdVpmBJKyDbXVUY+
ImpHash 0485ee165c399bcf557ce42d30bd4086
Parser Error Remark Static analyzer was unable to completely parse the analyzed file
File Reputation Information
Severity Blacklisted
First Seen 2018-10-18 13:08 (UTC+2)
Last Seen 2018-10-21 00:30 (UTC+2)
Names Win32.Trojan.Guildma
Families Guildma
Classification Trojan
PE Information
Image Base 0x400000
Entry Point 0x516001
Size Of Code 0xeaa00
Size Of Initialized Data 0x1f800
File Type dll
Subsystem windows_gui
Machine Type i386
Compile Timestamp 2018-10-15 16:10:58+00:00
Packer ASPack v2.12 -> Alexey Solodovnikov
Sections (12)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0xea000 0x3e200 0x400 cnt_code, cnt_initialized_data, mem_execute, mem_read, mem_write 8.0
.itext 0x4eb000 0x1000 0x800 0x3e600 cnt_code, cnt_initialized_data, mem_execute, mem_read, mem_write 6.7
.data 0x4ec000 0x5000 0x1c00 0x3ee00 cnt_initialized_data, mem_read, mem_write 7.86
.bss 0x4f1000 0x5e38 0x0 0x0 cnt_initialized_data, mem_read, mem_write 0.0
.idata 0x4f7000 0x2000 0xa00 0x40a00 cnt_initialized_data, mem_read, mem_write 7.26
.didata 0x4f9000 0x1000 0x200 0x41400 cnt_initialized_data, mem_read, mem_write 5.3
.edata 0x4fa000 0x1000 0x200 0x41600 cnt_initialized_data, mem_read, mem_write 2.11
.rdata 0x4fb000 0x1000 0x200 0x41800 cnt_initialized_data, mem_read, mem_write 1.17
.reloc 0x4fc000 0x17000 0xbe00 0x41a00 cnt_initialized_data, mem_discardable, mem_read, mem_write 7.98
.rsrc 0x513000 0x3000 0x1000 0x4d800 cnt_initialized_data, mem_read, mem_write 7.06
.aspack 0x516000 0x2000 0x1400 0x4e800 cnt_code, cnt_initialized_data, mem_execute, mem_read, mem_write 5.77
.adata 0x518000 0x1000 0x0 0x4fc00 cnt_initialized_data, mem_execute, mem_read, mem_write 0.0
Imports (10)
kernel32.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetProcAddress 0x0 0x516fd0 0x116fd0 0x4f7d0 0x0
GetModuleHandleA 0x0 0x516fd4 0x116fd4 0x4f7d4 0x0
LoadLibraryA 0x0 0x516fd8 0x116fd8 0x4f7d8 0x0
oleaut32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SysFreeString 0x0 0x517169 0x117169 0x4f969 0x0
advapi32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegQueryValueExW 0x0 0x517171 0x117171 0x4f971 0x0
user32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CharNextW 0x0 0x517179 0x117179 0x4f979 0x0
user32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ReleaseDC 0x0 0x517181 0x117181 0x4f981 0x0
gdi32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
UnrealizeObject 0x0 0x517189 0x117189 0x4f989 0x0
version.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
VerQueryValueW 0x0 0x517191 0x117191 0x4f991 0x0
advapi32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegUnLoadKeyW 0x0 0x517199 0x117199 0x4f999 0x0
netapi32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
NetApiBufferFree 0x0 0x5171a1 0x1171a1 0x4f9a1 0x0
oleaut32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SafeArrayPtrOfIndex 0x0 0x5171a9 0x1171a9 0x4f9a9 0x0
Exports (4)
Api name EAT Address Ordinal
BTMEMO 0xe7bf0 0x4
TMethodImplementationIntercept 0x5ecf0 0x3
__dbk_fcall_wrapper 0x10188 0x2
dbkFCallWrapperAddr 0xf4630 0x1
c:\programdata\tempa\marxvxinhhm64.dll Created File Binary Blacklisted
Also Known As c:\programdata\xxx6000137xx\marxvxinhhm64528113361.dll (Created File)
Mime Type application/x-dosexec
File Size 317.50 KB
MD5 c2db303e16c758e680b30e3e32d6433e
SHA1 71efc7632ab2708438911be366db6ed089df35f3
SHA256 514ab0cd6033c3712cd2f15601c3151847584ff6d1e9f9ed3683f5fe76fada30
SSDeep 6144:WM1e38/HuSStti8ZfhFcodT05Y32mAZGdvhIlcZ029+VEItgzVnRKIBz1oSo6T:R1e38mSQJlhy4t3ngUvWlc/UaKURogZ/
ImpHash 0485ee165c399bcf557ce42d30bd4086
Parser Error Remark Static analyzer was unable to completely parse the analyzed file
File Reputation Information
Severity Blacklisted
First Seen 2018-10-18 02:18 (UTC+2)
Last Seen 2018-10-21 23:34 (UTC+2)
Names Win32.Trojan.Rdn
Families Rdn
Classification Trojan
PE Information
Image Base 0x400000
Entry Point 0x515001
Size Of Code 0xea400
Size Of Initialized Data 0x1f600
File Type dll
Subsystem windows_gui
Machine Type i386
Compile Timestamp 2018-10-15 16:10:58+00:00
Packer ASPack v2.12 -> Alexey Solodovnikov
Sections (12)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0xea000 0x3de00 0x400 cnt_code, cnt_initialized_data, mem_execute, mem_read, mem_write 8.0
.itext 0x4eb000 0x1000 0x800 0x3e200 cnt_code, cnt_initialized_data, mem_execute, mem_read, mem_write 7.28
.data 0x4ec000 0x5000 0x1c00 0x3ea00 cnt_initialized_data, mem_read, mem_write 7.86
.bss 0x4f1000 0x5e38 0x0 0x0 cnt_initialized_data, mem_read, mem_write 0.0
.idata 0x4f7000 0x2000 0xa00 0x40600 cnt_initialized_data, mem_read, mem_write 7.27
.didata 0x4f9000 0x1000 0x200 0x41000 cnt_initialized_data, mem_read, mem_write 5.33
.edata 0x4fa000 0x1000 0x200 0x41200 cnt_initialized_data, mem_read, mem_write 1.88
.rdata 0x4fb000 0x1000 0x200 0x41400 cnt_initialized_data, mem_read, mem_write 1.17
.reloc 0x4fc000 0x16000 0xbc00 0x41600 cnt_initialized_data, mem_discardable, mem_read, mem_write 7.99
.rsrc 0x512000 0x3000 0x1000 0x4d200 cnt_initialized_data, mem_read, mem_write 7.06
.aspack 0x515000 0x2000 0x1400 0x4e200 cnt_code, cnt_initialized_data, mem_execute, mem_read, mem_write 5.77
.adata 0x517000 0x1000 0x0 0x4f600 cnt_initialized_data, mem_execute, mem_read, mem_write 0.0
Imports (10)
kernel32.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetProcAddress 0x0 0x515fd0 0x115fd0 0x4f1d0 0x0
GetModuleHandleA 0x0 0x515fd4 0x115fd4 0x4f1d4 0x0
LoadLibraryA 0x0 0x515fd8 0x115fd8 0x4f1d8 0x0
oleaut32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SysFreeString 0x0 0x516169 0x116169 0x4f369 0x0
advapi32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegQueryValueExW 0x0 0x516171 0x116171 0x4f371 0x0
user32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CharNextW 0x0 0x516179 0x116179 0x4f379 0x0
user32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ReleaseDC 0x0 0x516181 0x116181 0x4f381 0x0
gdi32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
UnrealizeObject 0x0 0x516189 0x116189 0x4f389 0x0
version.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
VerQueryValueW 0x0 0x516191 0x116191 0x4f391 0x0
advapi32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegUnLoadKeyW 0x0 0x516199 0x116199 0x4f399 0x0
netapi32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
NetApiBufferFree 0x0 0x5161a1 0x1161a1 0x4f3a1 0x0
oleaut32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SafeArrayPtrOfIndex 0x0 0x5161a9 0x1161a9 0x4f3a9 0x0
Exports (3)
Api name EAT Address Ordinal
TMethodImplementationIntercept 0x5ecf0 0x3
__dbk_fcall_wrapper 0x10248 0x2
dbkFCallWrapperAddr 0xf4630 0x1
c:\programdata\tempa\marxvxinhhma.jpg Created File Stream Suspicious
Mime Type application/octet-stream
File Size 110.20 KB
MD5 74f8ffeab0574cf75dddd49fd6a4c884
SHA1 5d8a48b2fe48c247a3057be2c866d33c3c71ee98
SHA256 7d81f8c4c4a69b8c1dab40df5882d1527342aa905e30618dfdf645bc2cf23e9f
SSDeep 1536:QiSasVPHZObGKBWli1JB7uY4b361tn1TjskLi068Xtx6ko6uy+ilvOnxWGBEb:QTVvIbBf7uVb36FsOi+Xtx62udn06y
File Reputation Information
Severity Suspicious
First Seen 2018-09-09 11:43 (UTC+2)
Last Seen 2018-10-16 17:25 (UTC+2)
Names Win32.Hacktool.Passview
Families Passview
Classification Hacktool
c:\programdata\tempa\marxvxinhhmb.jpg Created File Stream Suspicious
Mime Type application/octet-stream
File Size 185.50 KB
MD5 b0747e5e0c4bec220f081bbf63f8e145
SHA1 5579e03eb1da076ef939196cb14f8b769f30a302
SHA256 762f962251800b0028a90b53a50503558fff9116c43fccdab376a05fdd03e27e
SSDeep 3072:Y5C7vA89QZlnuK3QUEEMsApOKsdH2jsrmFJ7E2rs2O1v6ZEH0Q7B5rd:swvA890TA6MsAlTGils2O1vkhWrd
File Reputation Information
Severity Suspicious
First Seen 2015-11-24 20:52 (UTC+1)
Last Seen 2018-10-18 12:56 (UTC+2)
Names Win32.PUA.Nirsoft
Families Nirsoft
Classification Pua
C:\Users\EEBsYm5\Desktop\resultado-623472740.PDF.lnk Sample File Stream Unknown
Mime Type application/octet-stream
File Size 1.34 KB
MD5 cc759f37d3d2b50d31a3fab352a32a53
SHA1 86a14b63dd6fd7eae38d841f64d9799fa4a53542
SHA256 b365a249a15ceeaee2e054f7112bf83683e6ada258f90da71762c992797b0b07
SSDeep 24:8NjFpQQCi7pnLj1Em0W5RwqGZ1M41mKjRg5cI4i4o0Czab/xtl:8tF/pLj15V5RK/5sc9oJabxt
c:\programdata\tempa\marxvxinhhmdwwn.gif Created File Stream Unknown
Mime Type application/octet-stream
File Size 916.00 KB
MD5 aa1222d4d1a1ee695eba51cd6df9207c
SHA1 fae60ad94cc07f50140c8d3e153c4c0d12a1ee87
SHA256 50eb97606f16157cf61878d414aa4d6347dbbcba55b1392363da56a5f8c49139
SSDeep 24576:Jnshq1LAFHR/mF5BclYoZkB5duMUdh+lUG1+xG:Jshq1cz/mfBNj5duMUI91+xG
c:\programdata\tempa\marxvxinhhmxa.gif Created File Binary Unknown
Mime Type application/x-dosexec
File Size 187.00 KB
MD5 c843e90ba4929afc31b56abd44cbbf0c
SHA1 95429037d3461bbda19c8ea8cf44f8afc40fd938
SHA256 f89f02d38dc1ab0a8459e7a9d7d9776fd0f80a774988681bb369937d1bb06baa
SSDeep 3072:oIPoJQ3TMogfqJGyc0S5xxQUWKb6T2TYfAALZ0jAo+m0L7yrXjPSlVZyugTSAvEu:jPQ6TdYsG0KO7PpL7sjqLZyuNvFU
PE Information
Image Base 0x400000
Entry Point 0x44da00
Size Of Code 0x4cc00
Size Of Initialized Data 0xda00
File Type dll
Subsystem windows_gui
Machine Type i386
Compile Timestamp 1992-06-19 22:22:17+00:00
Sections (6)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
CODE 0x401000 0x4cb1c 0x4cc00 0x400 cnt_code, mem_execute, mem_read 6.53
DATA 0x44e000 0x1120 0x1200 0x4d000 cnt_initialized_data, mem_read, mem_write 0.0
BSS 0x450000 0xc9d 0x0 0x4e200 mem_read, mem_write 0.0
.idata 0x451000 0x210e 0x2200 0x4e200 cnt_initialized_data, mem_read, mem_write 0.0
.reloc 0x454000 0x5634 0x5800 0x50400 cnt_initialized_data, mem_shared, mem_read 0.0
.rsrc 0x45a000 0x4e00 0x4e00 0x55c00 cnt_initialized_data, mem_shared, mem_read 0.0
c:\programdata\tempa\r1.log Created File Text Unknown
Mime Type text/plain
File Size 0.01 KB
MD5 f1cfc80a135c345285713ada8710ae1b
SHA1 22594577a264b83b87cbc7a60ae7cea8b26a3844
SHA256 3de19a8bb9fe48b63bc01b46d02d9711c00ac63df219b330d22910a178e548bf
SSDeep 3:PrM/:Y/
c:\programdata\tempa\marxvxinhhmc.jpg Created File Stream Unknown
Mime Type application/octet-stream
File Size 232.50 KB
MD5 7c71fcf52b6e9474e9c0d65a8601829f
SHA1 a9d4c7b169e4c850d6bd93c9067717faa74dde1b
SHA256 569df9c9b0004baffe56628f0aa280252e62fd434a9fdbc4993f3357d424e3a3
SSDeep 6144:CXUDsUWLpiBvGGqP2dXFh8wGAytcIbfaEaQu7sl/13+mM:ND2ikGO2lFHyOIbH5u7sl/1umM
C:\ProgramData\tempa\marxvxinhhmgx.gif Created File Stream Unknown
Mime Type application/octet-stream
File Size 376.00 KB
MD5 6775eed60fd6b5dfa5d9dba8f976e49b
SHA1 b7d360811f09185a13fe6f23650a6bb20fd96fb3
SHA256 5ac790ca79eaf5c42171b496d9157b4fe8b60b6ea509c5b5a44a58f9579d1979
SSDeep 6144:M+oYY1UA5qNrHPRsW8QgQ52+zeej+zWYIav6x70LkeQtlrsTgOitJHVKJ:GYYvqBH18Gdbj+1cxILSZPLtJ1KJ
c:\programdata\tempa\marxvxinhhmf.jpg Created File Stream Unknown
Mime Type application/octet-stream
File Size 238.00 KB
MD5 b88434b7ab2d7d29a9fceaa167698b12
SHA1 bbef4e910b3230d3b7ff7196a344ae73550c659d
SHA256 7dc1d25e7145cf3b219fa4bfb54630e303ad95f2b085598772369b1ef6d1d095
SSDeep 6144:eTzMSlU8/VLFK+Dut1wcC+XzRkeaNBFCvC:qlT/VJDutGEX1Vmsv
C:\ProgramData\tempa\marxvxinhhmg.gif Created File Stream Unknown
Mime Type application/octet-stream
File Size 1.05 MB
MD5 9f23bc32d7a7301be6180bd71cb94bb8
SHA1 4b9a92061c0db704ecdc3a08f8ef368329afabaa
SHA256 b25e74cd4e7ad8a72c893e6a65d012a1a623405fe6d5f2f49b6b3bb28792d9da
SSDeep 24576:G+U+3yhhnsfavKGgvMyKyrexEBhz54Bj2Tiht:GXCyhxsoKZvMySxEBhzA1ht
c:\programdata\tempa\marxvxinhhmxb.gif Created File Stream Unknown
Mime Type application/octet-stream
File Size 175.50 KB
MD5 9096e58936be2c6f06254cc8556bf566
SHA1 7e02caf99d9a7b163371f56d933fbea533dcdad1
SHA256 dbae1639ffbb0568174809db2929847accd8588b8db2f1c5404b6b5d51d3c59d
SSDeep 3072:bPVTmNoQchJmJC2OWpEtetKH4z+YKgutcOoVWCMQbuxkABH9IpnlbFI:DJ3QchJm1OWpEjYzbKguahV1DAWl
c:\programdata\tempa\marxvxinhhmdx.gif Created File Stream Unknown
Mime Type application/octet-stream
File Size 916.00 KB
MD5 196ab3d8d2a9f1f80aa50c3552fdf57f
SHA1 d8375b71bbdbc10da1926d34ce44e6d20b359c76
SHA256 0f80f84bbf36d5e32c210c3d89b8996f9c8cc178740685c770a1ca1efd8b03b8
SSDeep 24576:XPH++JilXQ0KwKeENWDcK8Vl5igp5/EcNPz99Y9GmlznG:XPHL0TpwKMZp5/bNPzDY9PdnG
c:\programdata\tempa\marxvxinhhme.jpg Created File Stream Unknown
Mime Type application/octet-stream
File Size 153.00 KB
MD5 f7cbf18a7f540d67e79261a2098fc460
SHA1 8fa490225d106ff166f8a82db1f2eb3aa528650c
SHA256 55b7eba0fcabb4772c3b4b1ddcf9508c2aa35ee3393f32fa47c147e5a152929e
SSDeep 3072:F+Dx+gve7Lc8H5FfRaSyQq9fTGYy10h7Kv6WxM2C7i:u+UeHc8jf9Q795KCWxFCW