b77b82fa...2607 | Files
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Keylogger, Spyware, Trojan
Filters:
Filename Category Type Severity Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\gmmqacgpk.exe Sample File Binary
Malicious
Also Known As C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\JavaUpdtr.exe (Dropped File)
Mime Type application/vnd.microsoft.portable-executable
File Size 692.00 KB
MD5 e4117e6974363cac8b37e5e3ff5d07a6
SHA1 74a02a421e029d24a1d2c692df28a90296d052d0
SHA256 b77b82fa96b676790b9a207d8208d90ace3a0922d5db5938c446cd22e9132607
SSDeep 12288:3qPSBEsVqSI0TjVMB2rdet1pEpWI8c8J:8eHVqSmUr0HipF8x
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
Parser Error Remark Static analyzer was unable to completely parse the analyzed file
File Reputation Information
Severity
Blacklisted
First Seen 2016-08-14 02:37 (UTC+2)
Last Seen 2018-01-23 06:38 (UTC+1)
Names Win32.Trojan.Razy
Families Razy
Classification Trojan
PE Information
Image Base 0x400000
Entry Point 0x451d7e
Size Of Code 0x50000
Size Of Initialized Data 0x5c000
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2016-08-11 01:19:38+00:00
Version Information (7)
Assembly Version 0.0.0.0
FileDescription
FileVersion 0.0.0.0
InternalName nono.exe
LegalCopyright
OriginalFilename nono.exe
ProductVersion 0.0.0.0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x402000 0x4fd84 0x50000 0x1000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 7.89
.rsrc 0x452000 0x5a9a8 0x5b000 0x51000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.05
.reloc 0x4ae000 0xc 0x1000 0xac000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.02
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain 0x0 0x402000 0x51d58 0x50d58 0x0
Memory Dumps (11)
Name Process ID Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
system.drawing.ni.dll 1 0x747F0000 0x74977FFF Content Changed - 32-bit 0x74843870, 0x74828140 False False
system.drawing.ni.dll 1 0x747F0000 0x74977FFF Content Changed - 32-bit 0x7483BB90, 0x74839940 False False
system.drawing.ni.dll 1 0x747F0000 0x74977FFF Content Changed - 32-bit 0x7483FEDC, 0x74827478, ... False False
microsoft.visualbasic.ni.dll 1 0x73E60000 0x73FFAFFF Content Changed - 32-bit 0x73F386A0, 0x73F37A6C, ... False False
microsoft.visualbasic.ni.dll 1 0x73E60000 0x73FFAFFF Content Changed - 32-bit 0x73F8A650, 0x73E891D0, ... False False
microsoft.visualbasic.ni.dll 1 0x73E60000 0x73FFAFFF Content Changed - 32-bit 0x73F3A025, 0x73F39DF8, ... False False
microsoft.visualbasic.ni.dll 1 0x73E60000 0x73FFAFFF Content Changed - 32-bit 0x73F4FC90 False False
microsoft.visualbasic.ni.dll 1 0x73E60000 0x73FFAFFF Content Changed - 32-bit 0x73F4C0FC False False
microsoft.visualbasic.ni.dll 1 0x73E60000 0x73FFAFFF Content Changed - 32-bit 0x73F33B94, 0x73F53EB4, ... False False
microsoft.visualbasic.ni.dll 1 0x73E60000 0x73FFAFFF Content Changed - 32-bit 0x73F7F441, 0x73F4AADE, ... False False
system.drawing.ni.dll 1 0x747F0000 0x74977FFF Content Changed - 32-bit 0x7483A7F0, 0x74831FAC False False
Local AV Matches (1)
Threat Name Severity
Gen:Variant.Razy.89635
Malicious
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\strpath.tmp Dropped File Text
Unknown
Mime Type text/plain
File Size 51 bytes
MD5 112a15fe8f0812fb5b44e44f1b5a8df2
SHA1 fa53bc2d594d4a1307176406fe4c4b63f01607ae
SHA256 fb83cd90872a11a04c5df9734833cf8e0e4adf6af25d9ded59dcbae3e77dfccf
SSDeep 3:oNBiTktGaACIIUvJLACn:oNUTk4FC1URLNn
C:\Users\5P5NRG~1\AppData\Local\Temp\IEPass.txt Dropped File Text
Unknown
Mime Type text/plain
File Size 389 bytes
MD5 b8ea3a8f80e92d59650fbf1e4bc84bfd
SHA1 cbeed9d5866317cabf68ab8a356094fb06d761c0
SHA256 fdaeb29c5dc8d7be90d16833ec1afadf778cefde08f5ff22b0d420fe274da0f0
SSDeep 3:r133PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPovL1E0AN0yOAVKXRy133a:evL1NyJvVNSvrJWgOWUVFDZNJ48WUfa
C:\Users\5P5NRG~1\AppData\Local\Temp\Mails.txt Dropped File Text
Unknown
Mime Type text/plain
File Size 475 bytes
MD5 0e8d54d411f43f166821d012d45b1199
SHA1 a102c887b7ee1e8f1e2555e30c1c58015248251b
SHA256 72ee1a9d65acc2cf4fea9c11dbec1e6ee7b67fed882b5fd37d69c3692814b4df
SSDeep 6:QAXqqq9UMe7PQDC+8ADAwzRIjMw1NAmYezRSJcnDWpSnDWAwb:QZ9UHr+8ADzRIRvGe9SJgyp6yAwb
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\strpath.tmp Dropped File Text
Unknown
Mime Type text/plain
File Size 64 bytes
MD5 8298bd7dd49a941d4f9dee3f49df4857
SHA1 8820f66e7123fdfae68c1a049286576c5c58910c
SHA256 0bba49534b921bcfc1b5f71926165f357add38b22a48763d946d55e4e8ab46db
SSDeep 3:oNBiTktG+Vh4EaKC5cEcTrkCn:oNUTk4aJaZ5cTTrkCn
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.