b365a249...0b07 | VTI
Logo
Try VMRay Analyzer
VTI SCORE: 98/100
Dynamic Analysis Report
Classification: Hacktool, Trojan, Dropper, Pua, Downloader

b365a249a15ceeaee2e054f7112bf83683e6ada258f90da71762c992797b0b07 (SHA256)

resultado-623472740.PDF.lnk

Windows Batch File (Shell Link)

Created at 2018-10-22 05:25:00

...

Notifications (1/1)

The overall sleep time of all monitored processes was truncated from "36 minutes, 30 seconds" to "6 minutes, 10 seconds" to reveal dormant functionality.

Severity Category Operation Classification
4/5
File System Known malicious file Trojan
  • File "c:\programdata\tempa\marxvxinhhm98.dll" is a known malicious file.
    ...
  • File "c:\programdata\tempa\marxvxinhhm64.dll" is a known malicious file.
    ...
4/5
Injection Writes into the memory of another running process -
  • "c:\windows\system32\regsvr32.exe" modifies memory of "c:\windows\system32\userinit.exe"
    ...
4/5
Injection Modifies control flow of another process -
  • "c:\windows\system32\regsvr32.exe" alters context of "c:\windows\system32\userinit.exe"
    ...
3/5
Process Creates an unusally large number of processes -
2/5
Anti Analysis Delays execution -
2/5
File System Known suspicious file Hacktool, Pua
  • File "c:\programdata\tempa\marxvxinhhma.jpg" is a known suspicious file.
    ...
  • File "c:\programdata\tempa\marxvxinhhmb.jpg" is a known suspicious file.
    ...
2/5
Network Associated with known malicious/suspicious URLs -
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhma.jpg.zip?18841737" is known as malicious URL.
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmb.jpg.zip?607484307" is known as malicious URL.
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmc.jpg.zip?105185218" is known as malicious URL.
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmdwwn.gif.zip?918109560" is known as malicious URL.
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmdx.gif.zip?258277672" is known as malicious URL.
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhme.jpg.zip?231938807" is known as malicious URL.
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmf.jpg.zip?161905089" is known as malicious URL.
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmg.gif.zip?491458574" is known as malicious URL.
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmgx.gif.zip?482400544" is known as malicious URL.
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmxa.gif.zip?747193115" is known as malicious URL.
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmxb.gif.zip?93543106" is known as malicious URL.
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/r1.log" is known as malicious URL.
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhm98.dll.zip?714489159" is known as malicious URL.
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmhh.dll.zip?31092521" is known as malicious URL.
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmhh.dll.zip?86737238" is known as malicious URL.
    ...
1/5
Anti Analysis Resolves APIs dynamically -
1/5
Process Creates process with hidden window -
  • The process "C:\Windows\System32\userinit.exe" starts with hidden window.
    ...
1/5
Process Reads from memory of another process -
  • "c:\windows\system32\regsvr32.exe" reads from "C:\Windows\System32\userinit.exe".
    ...
1/5
Process Creates a page with write and execute permissions -
  • Allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
    ...
1/5
Static Unparsable sections in file -
  • Static analyzer was unable to completely parse the analyzed file: c:\programdata\tempa\marxvxinhhm98.dll.
    ...
1/5
Network Downloads data Downloader
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhma.jpg.zip?18841737".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmb.jpg.zip?607484307".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmc.jpg.zip?105185218".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmdwwn.gif.zip?918109560".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmdx.gif.zip?258277672".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhme.jpg.zip?231938807".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmf.jpg.zip?161905089".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmg.gif.zip?491458574".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmgx.gif.zip?482400544".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmxa.gif.zip?747193115".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmxb.gif.zip?93543106".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhm98.dll.zip?714489159".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmhh.dll.zip?31092521".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmhh.dll.zip?86737238".
    ...
1/5
Network Connects to HTTP server -
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmdwwn.gif.zip?918109560".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmdx.gif.zip?258277672".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhme.jpg.zip?231938807".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmf.jpg.zip?161905089".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmg.gif.zip?491458574".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmgx.gif.zip?482400544".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmxa.gif.zip?747193115".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmxb.gif.zip?93543106".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhm98.dll.zip?714489159".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmhh.dll.zip?31092521".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmhh.dll.zip?86737238".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhma.jpg.zip?18841737".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmb.jpg.zip?607484307".
    ...
  • URL "http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmc.jpg.zip?105185218".
    ...
1/5
PE The PE file was created with a packer -
  • File "c:\programdata\tempa\marxvxinhhm98.dll" is packed with "ASPack v2.12 -> Alexey Solodovnikov".
    ...
  • File "c:\programdata\tempa\marxvxinhhm64.dll" is packed with "ASPack v2.12 -> Alexey Solodovnikov".
    ...
  • File "\ProgramData\xxx6000137xx\marxvxinhhm64528113361.dll" is packed with "ASPack v2.12 -> Alexey Solodovnikov".
    ...
  • File "\ProgramData\tempa\marxvxinhhm98.dll" is packed with "ASPack v2.12 -> Alexey Solodovnikov".
    ...
  • File "\ProgramData\tempa\marxvxinhhm64.dll" is packed with "ASPack v2.12 -> Alexey Solodovnikov".
    ...
1/5
PE Drops PE file Dropper
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image