VTI SCORE: 98/100
Dynamic Analysis Report
Classification: Hacktool, Trojan, Dropper, Pua, Downloader
b365a249a15ceeaee2e054f7112bf83683e6ada258f90da71762c992797b0b07 (SHA256)
resultado-623472740.PDF.lnk
Windows Batch File (Shell Link)
Created at 2018-10-22 05:25:00
Notifications (1/1)
The overall sleep time of all monitored processes was truncated from "36 minutes, 30 seconds" to "6 minutes, 10 seconds" to reveal dormant functionality.
File Reputation Information
Severity | Blacklisted |
First Seen | 2018-10-18 13:08 (UTC+2) |
Last Seen | 2018-10-21 00:30 (UTC+2) |
Names | Win32.Trojan.Guildma |
Families | Guildma |
Classification | Trojan |
PE Information
Image Base | 0x400000 |
Entry Point | 0x516001 |
Size Of Code | 0xeaa00 |
Size Of Initialized Data | 0x1f800 |
File Type | dll |
Subsystem | windows_gui |
Machine Type | i386 |
Compile Timestamp | 2018-10-15 16:10:58+00:00 |
Packer | ASPack v2.12 -> Alexey Solodovnikov |
Sections (12)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x401000 | 0xea000 | 0x3e200 | 0x400 | cnt_code, cnt_initialized_data, mem_execute, mem_read, mem_write | 8.0 |
.itext | 0x4eb000 | 0x1000 | 0x800 | 0x3e600 | cnt_code, cnt_initialized_data, mem_execute, mem_read, mem_write | 6.7 |
.data | 0x4ec000 | 0x5000 | 0x1c00 | 0x3ee00 | cnt_initialized_data, mem_read, mem_write | 7.86 |
.bss | 0x4f1000 | 0x5e38 | 0x0 | 0x0 | cnt_initialized_data, mem_read, mem_write | 0.0 |
.idata | 0x4f7000 | 0x2000 | 0xa00 | 0x40a00 | cnt_initialized_data, mem_read, mem_write | 7.26 |
.didata | 0x4f9000 | 0x1000 | 0x200 | 0x41400 | cnt_initialized_data, mem_read, mem_write | 5.3 |
.edata | 0x4fa000 | 0x1000 | 0x200 | 0x41600 | cnt_initialized_data, mem_read, mem_write | 2.11 |
.rdata | 0x4fb000 | 0x1000 | 0x200 | 0x41800 | cnt_initialized_data, mem_read, mem_write | 1.17 |
.reloc | 0x4fc000 | 0x17000 | 0xbe00 | 0x41a00 | cnt_initialized_data, mem_discardable, mem_read, mem_write | 7.98 |
.rsrc | 0x513000 | 0x3000 | 0x1000 | 0x4d800 | cnt_initialized_data, mem_read, mem_write | 7.06 |
.aspack | 0x516000 | 0x2000 | 0x1400 | 0x4e800 | cnt_code, cnt_initialized_data, mem_execute, mem_read, mem_write | 5.77 |
.adata | 0x518000 | 0x1000 | 0x0 | 0x4fc00 | cnt_initialized_data, mem_execute, mem_read, mem_write | 0.0 |
Imports (10)
kernel32.dll (3)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetProcAddress | 0x0 | 0x516fd0 | 0x116fd0 | 0x4f7d0 | 0x0 |
GetModuleHandleA | 0x0 | 0x516fd4 | 0x116fd4 | 0x4f7d4 | 0x0 |
LoadLibraryA | 0x0 | 0x516fd8 | 0x116fd8 | 0x4f7d8 | 0x0 |
oleaut32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
SysFreeString | 0x0 | 0x517169 | 0x117169 | 0x4f969 | 0x0 |
advapi32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
RegQueryValueExW | 0x0 | 0x517171 | 0x117171 | 0x4f971 | 0x0 |
user32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CharNextW | 0x0 | 0x517179 | 0x117179 | 0x4f979 | 0x0 |
user32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
ReleaseDC | 0x0 | 0x517181 | 0x117181 | 0x4f981 | 0x0 |
gdi32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
UnrealizeObject | 0x0 | 0x517189 | 0x117189 | 0x4f989 | 0x0 |
version.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
VerQueryValueW | 0x0 | 0x517191 | 0x117191 | 0x4f991 | 0x0 |
advapi32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
RegUnLoadKeyW | 0x0 | 0x517199 | 0x117199 | 0x4f999 | 0x0 |
netapi32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
NetApiBufferFree | 0x0 | 0x5171a1 | 0x1171a1 | 0x4f9a1 | 0x0 |
oleaut32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
SafeArrayPtrOfIndex | 0x0 | 0x5171a9 | 0x1171a9 | 0x4f9a9 | 0x0 |
Exports (4)
API Name | EAT Address | Ordinal |
---|---|---|
BTMEMO | 0xe7bf0 | 0x4 |
TMethodImplementationIntercept | 0x5ecf0 | 0x3 |
__dbk_fcall_wrapper | 0x10188 | 0x2 |
dbkFCallWrapperAddr | 0xf4630 | 0x1 |
File Reputation Information
Severity | Blacklisted |
First Seen | 2018-10-18 02:18 (UTC+2) |
Last Seen | 2018-10-21 23:34 (UTC+2) |
Names | Win32.Trojan.Rdn |
Families | Rdn |
Classification | Trojan |
PE Information
Image Base | 0x400000 |
Entry Point | 0x515001 |
Size Of Code | 0xea400 |
Size Of Initialized Data | 0x1f600 |
File Type | dll |
Subsystem | windows_gui |
Machine Type | i386 |
Compile Timestamp | 2018-10-15 16:10:58+00:00 |
Packer | ASPack v2.12 -> Alexey Solodovnikov |
Sections (12)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x401000 | 0xea000 | 0x3de00 | 0x400 | cnt_code, cnt_initialized_data, mem_execute, mem_read, mem_write | 8.0 |
.itext | 0x4eb000 | 0x1000 | 0x800 | 0x3e200 | cnt_code, cnt_initialized_data, mem_execute, mem_read, mem_write | 7.28 |
.data | 0x4ec000 | 0x5000 | 0x1c00 | 0x3ea00 | cnt_initialized_data, mem_read, mem_write | 7.86 |
.bss | 0x4f1000 | 0x5e38 | 0x0 | 0x0 | cnt_initialized_data, mem_read, mem_write | 0.0 |
.idata | 0x4f7000 | 0x2000 | 0xa00 | 0x40600 | cnt_initialized_data, mem_read, mem_write | 7.27 |
.didata | 0x4f9000 | 0x1000 | 0x200 | 0x41000 | cnt_initialized_data, mem_read, mem_write | 5.33 |
.edata | 0x4fa000 | 0x1000 | 0x200 | 0x41200 | cnt_initialized_data, mem_read, mem_write | 1.88 |
.rdata | 0x4fb000 | 0x1000 | 0x200 | 0x41400 | cnt_initialized_data, mem_read, mem_write | 1.17 |
.reloc | 0x4fc000 | 0x16000 | 0xbc00 | 0x41600 | cnt_initialized_data, mem_discardable, mem_read, mem_write | 7.99 |
.rsrc | 0x512000 | 0x3000 | 0x1000 | 0x4d200 | cnt_initialized_data, mem_read, mem_write | 7.06 |
.aspack | 0x515000 | 0x2000 | 0x1400 | 0x4e200 | cnt_code, cnt_initialized_data, mem_execute, mem_read, mem_write | 5.77 |
.adata | 0x517000 | 0x1000 | 0x0 | 0x4f600 | cnt_initialized_data, mem_execute, mem_read, mem_write | 0.0 |
Imports (10)
kernel32.dll (3)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetProcAddress | 0x0 | 0x515fd0 | 0x115fd0 | 0x4f1d0 | 0x0 |
GetModuleHandleA | 0x0 | 0x515fd4 | 0x115fd4 | 0x4f1d4 | 0x0 |
LoadLibraryA | 0x0 | 0x515fd8 | 0x115fd8 | 0x4f1d8 | 0x0 |
oleaut32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
SysFreeString | 0x0 | 0x516169 | 0x116169 | 0x4f369 | 0x0 |
advapi32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
RegQueryValueExW | 0x0 | 0x516171 | 0x116171 | 0x4f371 | 0x0 |
user32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CharNextW | 0x0 | 0x516179 | 0x116179 | 0x4f379 | 0x0 |
user32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
ReleaseDC | 0x0 | 0x516181 | 0x116181 | 0x4f381 | 0x0 |
gdi32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
UnrealizeObject | 0x0 | 0x516189 | 0x116189 | 0x4f389 | 0x0 |
version.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
VerQueryValueW | 0x0 | 0x516191 | 0x116191 | 0x4f391 | 0x0 |
advapi32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
RegUnLoadKeyW | 0x0 | 0x516199 | 0x116199 | 0x4f399 | 0x0 |
netapi32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
NetApiBufferFree | 0x0 | 0x5161a1 | 0x1161a1 | 0x4f3a1 | 0x0 |
oleaut32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
SafeArrayPtrOfIndex | 0x0 | 0x5161a9 | 0x1161a9 | 0x4f3a9 | 0x0 |
Exports (3)
API Name | EAT Address | Ordinal |
---|---|---|
TMethodImplementationIntercept | 0x5ecf0 | 0x3 |
__dbk_fcall_wrapper | 0x10248 | 0x2 |
dbkFCallWrapperAddr | 0xf4630 | 0x1 |
File Reputation Information
Severity | Suspicious |
First Seen | 2018-09-09 11:43 (UTC+2) |
Last Seen | 2018-10-16 17:25 (UTC+2) |
Names | Win32.Hacktool.Passview |
Families | Passview |
Classification | Hacktool |
File Reputation Information
Severity | Suspicious |
First Seen | 2015-11-24 20:52 (UTC+1) |
Last Seen | 2018-10-18 12:56 (UTC+2) |
Names | Win32.PUA.Nirsoft |
Families | Nirsoft |
Classification | Pua |
Filename | Category | Type | Severity |
---|---|---|---|
C:\Users\EEBsYm5\Desktop\resultado-623472740.PDF.lnk | Sample File | Stream | Unknown |
PE Information
Image Base | 0x400000 |
Entry Point | 0x44da00 |
Size Of Code | 0x4cc00 |
Size Of Initialized Data | 0xda00 |
File Type | dll |
Subsystem | windows_gui |
Machine Type | i386 |
Compile Timestamp | 1992-06-19 22:22:17+00:00 |
Sections (6)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
CODE | 0x401000 | 0x4cb1c | 0x4cc00 | 0x400 | cnt_code, mem_execute, mem_read | 6.53 |
DATA | 0x44e000 | 0x1120 | 0x1200 | 0x4d000 | cnt_initialized_data, mem_read, mem_write | 0.0 |
BSS | 0x450000 | 0xc9d | 0x0 | 0x4e200 | mem_read, mem_write | 0.0 |
.idata | 0x451000 | 0x210e | 0x2200 | 0x4e200 | cnt_initialized_data, mem_read, mem_write | 0.0 |
.reloc | 0x454000 | 0x5634 | 0x5800 | 0x50400 | cnt_initialized_data, mem_shared, mem_read | 0.0 |
.rsrc | 0x45a000 | 0x4e00 | 0x4e00 | 0x55c00 | cnt_initialized_data, mem_shared, mem_read | 0.0 |