b933cb32...26ef | Files
VTI SCORE: 100/100
Dynamic Analysis Report
Classification:
Dropper
Threat Names:
Gen:Variant.MSILPerseus.194329
Gen:Variant.MSILPerseus.195992
Gen:Variant.Razy.548085
Filters:
Filename Category Type Severity Actions
C:\Users\FD1HVy\Desktop\ekati6482.exe Sample File Binary
Malicious
Mime Type application/vnd.microsoft.portable-executable
File Size 435.75 KB
MD5 6a2e9f2a8858ad64aeb84b533fea78d0
SHA1 87eee3af618e99ff2d50eed9d3296c049efd3a81
SHA256 b933cb32689517aac6e459d33e9d8c7c8f31f0710008bfa09d9e91c2526826ef
SSDeep 6144:2/qFbO4bGNqL43QWqqPheG/lCcC9msYwXEvEsdqthb5cC9msYwXEvEsdqthbOn:2/qPKQWJ3/2wsYwXFtlwsYwXFt4
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
PE Information
Image Base 0x400000
Entry Point 0x46727a
Size Of Code 0x65400
Size Of Initialized Data 0x7800
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2020-02-27 03:48:55+00:00
Version Information (11)
Assembly Version 2.0.0.0
Comments Ekati
CompanyName Lee Wei
FileDescription ekati
FileVersion 2.0.0.0
InternalName ekati.exe
LegalCopyright Lee Wei
LegalTrademarks -
OriginalFilename ekati.exe
ProductName Ekati
ProductVersion 2.0.0.0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x402000 0x65280 0x65400 0x200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 7.52
.rsrc 0x468000 0x7430 0x7600 0x65600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 1.89
.reloc 0x470000 0xc 0x200 0x6cc00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.1
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain 0x0 0x402000 0x67250 0x65450 0x0
Icons (1)
Memory Dumps (2)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA Actions
ekati6482.exe 1 0x00EC0000 0x00F31FFF Relevant Image True 32-bit - True False
ekati6482.exe 1 0x00EC0000 0x00F31FFF Final Dump True 32-bit - True False
Local AV Matches (1)
Threat Name Severity
Gen:Variant.MSILPerseus.194329
Malicious
C:\Users\FD1HVy\Desktop\qq3d1t429055.exe Dropped File Binary
Malicious
Mime Type application/vnd.microsoft.portable-executable
File Size 17.75 KB
MD5 eb70f217211aa5b21efad8f2110bac2b
SHA1 e3b4f2b87108e4e0c435a891591f328ecdb3b9a0
SHA256 da243bb628a3638f496cd6bf998c1c60dbc638342960e1ff090e4ecaaa61d224
SSDeep 384:9DZmRTlu5VohQOa8bUJ92lsrdjpJXBvvUDRf:GTlu5ehu8budpJx0Dp
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
PE Information
Image Base 0x400000
Entry Point 0x405afe
Size Of Code 0x3c00
Size Of Initialized Data 0x800
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2085-06-15 19:44:26+00:00
Version Information (11)
Assembly Version 1.0.0.0
Comments -
CompanyName -
FileDescription diamond
FileVersion 1.0.0.0
InternalName diamond.exe
LegalCopyright -
LegalTrademarks -
OriginalFilename diamond.exe
ProductName diamond
ProductVersion 1.0.0.0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x402000 0x3b04 0x3c00 0x200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.5
.rsrc 0x406000 0x57c 0x600 0x3e00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.96
.reloc 0x408000 0xc 0x200 0x4400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.06
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain 0x0 0x402000 0x5ad2 0x3cd2 0x0
Memory Dumps (2)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA Actions
qq3d1t429055.exe 17 0x00280000 0x00289FFF Relevant Image True 32-bit - True False
qq3d1t429055.exe 17 0x00280000 0x00289FFF Process Termination True 32-bit - True False
Local AV Matches (1)
Threat Name Severity
Gen:Variant.MSILPerseus.195992
Malicious
C:\Users\FD1HVy\Desktop\onc2pn4u4214.exe Dropped File Binary
Malicious
Mime Type application/vnd.microsoft.portable-executable
File Size 10.75 KB
MD5 5ab6380c030384adba175b5bb5a35f94
SHA1 867750b32fbc4f881de72e63c7585513abbfb641
SHA256 8ec3faec81b3b70d29d16cc76a6d156e5cdad660180ec1634f3b9ce6e5470e3b
SSDeep 192:3biJ1hpDRqz/fxv1MzKOlxaNbr2/1Mhsv87hwsYk:EtWB15KxaNb6G487atk
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
PE Information
Image Base 0x400000
Entry Point 0x403f2e
Size Of Code 0x2000
Size Of Initialized Data 0x800
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2045-02-20 14:27:17+00:00
Version Information (11)
Assembly Version 1.0.0.0
Comments -
CompanyName -
FileDescription diamond
FileVersion 1.0.0.0
InternalName ruby.exe
LegalCopyright -
LegalTrademarks -
OriginalFilename ruby.exe
ProductName diamond
ProductVersion 1.0.0.0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x402000 0x1f34 0x2000 0x200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.19
.rsrc 0x404000 0x574 0x600 0x2200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.94
.reloc 0x406000 0xc 0x200 0x2800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.08
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain 0x0 0x402000 0x3f04 0x2104 0x0
Memory Dumps (1)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA Actions
onc2pn4u4214.exe 19 0x00DD0000 0x00DD7FFF Relevant Image True 32-bit - True False
Local AV Matches (1)
Threat Name Severity
Gen:Variant.Razy.548085
Malicious
C:\WINDOWS\system32\drivers\etc\hosts Modified File Text
Whitelisted
Mime Type text/plain
File Size 824 Bytes
MD5 3688374325b992def12793500307566d
SHA1 4bed0823746a2a8577ab08ac8711b79770e48274
SHA256 2d6bdfb341be3a6234b24742377f93aa7c7cfb0d9fd64efa9282c87852e57085
SSDeep 24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcp
ImpHash -
File Reputation Information
Severity
Whitelisted
c:\users\fd1hvy\appdata\local\microsoft\windows\explorer\iconcache_idx.db Modified File Stream
Unknown
Mime Type application/octet-stream
File Size 113.77 KB
MD5 1339a4fb62778299fa5eabb69215a3f5
SHA1 be8636531fa64aaa7cb0bef64dad422cbbdd92bf
SHA256 d4f445b05d341b2ce0192c9bf046fbb002f685b96474f486a672f55b7df18e38
SSDeep 384:LH+cnIE3AWgX4lgoHuLg/C3LoXoY5Eo9/eK7o7wTGQer9LGlCekThZt8bwRDeYsj:D+d7MOLKC3xmYqHs9LmCHObSeM4
ImpHash -
c:\users\fd1hvy\appdata\local\microsoft\windows\explorer\iconcache_32.db Modified File Stream
Unknown
Mime Type application/octet-stream
File Size 3.00 MB
MD5 426fe7cfdaf8b6ca0e3541ac38be4eba
SHA1 7632d4b346a8b367c1644877a1ab48efc9a30b65
SHA256 f19d220c4f96f8d4214a477b22f119eb1c47a173b5b4cf12220fe22197de68cf
SSDeep 24576:7VZt4VPVJ02LPknyS5iz7ZTYqjYKqsdN7OQWMAVAu:7VZt0PVu2LgiPZTYoXqsdWMASu
ImpHash -
c:\users\fd1hvy\appdata\local\microsoft\windows\explorer\iconcache_32.db Modified File Stream
Unknown
Mime Type application/octet-stream
File Size 3.00 MB
MD5 377dac4e8d64e82b88dda5aa4b17a347
SHA1 406d5cc858f993ac898b31fb9e6dee67f04abd38
SHA256 dcc32449157af19deb8d45052cea22b97967ea7ae66126a209a1be10e26d6202
SSDeep 24576:MVZt4VPVJ02LPknyS5iz7ZTYqjYKqsdN7OQWMAVAuw:MVZt0PVu2LgiPZTYoXqsdWMASu
ImpHash -
C:\Users\FD1HVy\AppData\Local\Temp\vacation.jpg.exe Dropped File Text
Unknown
Mime Type text/plain
File Size 23 Bytes
MD5 42b6ce7b079a73188f5592525553415f
SHA1 506d62bfa86dc868fc40f0195c3da6d9b039abaf
SHA256 a16e13bea79bf514b72d016b5f25ef84fafcbd5cd4b70ecff9fc94b21c936f2f
SSDeep 3:8gkpmwn:8Hpmw
ImpHash -
message.html Dropped File Text
Unknown
Mime Type text/html
File Size 3.08 KB
MD5 f75ccb0426877a511f7a8f69c53565ee
SHA1 866429a8499bfbb39eaddef9963dcb62acb3be94
SHA256 385c81e2f39118c97a42476227f8e6adefb1cfafc68be377ea5b48b49bf44060
SSDeep 48:0d+A955tcmnSEtp5JpNtNFxNKshBCL0k/Cv2e9j5PH5PD5P+fc0NJLAFkOcRL04v:lA9Dyi7THDuQk/q2e15PH5PD5Pm/2KgY
ImpHash -
C:\Users\FD1HVy\Desktop\redback.jpg Dropped File Image
Unknown
Mime Type image/jpeg
File Size 200.44 KB
MD5 df556fd667e79bb2afa291b93248e035
SHA1 201da65574e8b5a67a27465909fc05a8881dd38a
SHA256 fbd6fe4ce1648f597547c6afdd35ff066d6e731ca33b9dcaae214cb45320afcf
SSDeep 3072:5LD831qWqqP0pSkBvnI7/l87cCb6umsvw+vPX1JEvEsVT/qR4DQ:5L43QWqqPheG/lCcC9msYwXEvEsdqF
ImpHash -
C:\Users\FD1HVy\Desktop\diamond.log Dropped File Text
Unknown
Mime Type text/plain
File Size 111 Bytes
MD5 218b761bbdd58247e4f7f56b1e0bfcac
SHA1 2cf27aa4c7acbc794f5e8269a53e21be60d4671b
SHA256 d067842c0033cedfdb98e05e64dda4ce71d2f1e29906b6474df0f1f31846a84b
SSDeep 3:j6uVf34Rel0ORfUPFYM16YMUIF3AunhKH9lg:j6uVQRGUWMtiF3Auncdi
ImpHash -
C:\Users\FD1HVy\Desktop\ekati.log Dropped File Text
Unknown
Mime Type text/plain
File Size 1.38 KB
MD5 9af3923cbd066908c83736cb8bfd7722
SHA1 4d05497087a9fce4caa4d7df07278ce02a343f49
SHA256 57c472091c4d5cdad04061b348eb69dd070f999f9a75f1bcffea28cea0b21602
SSDeep 24:Hy0QuyXHZWpuyIg6asuyEOg6d1uyBgr1uyLg6Duydg6+ZZaJuyHgyVR48Cuy5g6/:rQ7HZ+cd1Rdjd0HdDBd+ZZ2LtT4R1dfn
ImpHash -
C:\Users\FD1HVy\Desktop\ruby.log Dropped File Text
Unknown
Mime Type text/plain
File Size 229 Bytes
MD5 e51cefc8d6f3e4218499d2d6e6474690
SHA1 83fbf21acc384dda9fb1f9a0d71e307d2b4750dc
SHA256 95d96f8efed45c7cf70073e5799f498958fd3e04111d7f20fa154812002dba22
SSDeep 6:j6uVQR88E9Q02nuVOreoy587seCnuVO3R5XOvUGJnuVOGflC5Yv:HVBJ9suVNbxuVSX56uVvflCs
ImpHash -
C:\Users\FD1HVy\Desktop\onion.jpg Downloaded File Image
Unknown
Mime Type image/png
File Size 9.17 KB
MD5 816b5d59ce09ada5d3c98726f364020e
SHA1 5b413567b8bfcc6afe30ef6bf6f2d0feea628fef
SHA256 5eb0e5203d131ff7b0e7757e2d56635930ff3269e65762df595d5f72f841886b
SSDeep 192:PS/d+OrgRQrKZpVvB4HxUfhoXpJK8CGVXZNQaYmyK/v6rxwlB:61lrnrOQHxUfhoXp/CaTL
ImpHash -
C:\Users\FD1HVy\Desktop\iptest.html Downloaded File Text
Unknown
Mime Type text/html
File Size 10.19 KB
MD5 84243e441ecfd8d9dde858ccfe54a009
SHA1 59ac42e48513804f4093dde173f4cd1e8b1791db
SHA256 2b28b9ea472f72174dc6deba3a701b365296ffd2681a5f5d80823983e7a31e8f
SSDeep 192:osmrJKwROHjGJbWUxqNdMcJBHFqRzgCdCYs8MTax3DYnQ:IKwPxIMElqRMHlKUQ
ImpHash -
Parser Error Remark Static engine was unable to completely parse the analyzed file
Embedded URLs (13)
URL First Seen Categories Threat Names Reputation Status WHOIS Data Actions
http://onion.net/cms-und-mehr - - -
Unknown
Not Queried
http://onion.net/ueber-uns/impressum - - -
Unknown
Not Queried
http://onion.net/vision - - -
Unknown
Not Queried
http://onion.net/ueber-uns/kontakt - - -
Unknown
Not Queried
http://onion.net/e-commerce - - -
Unknown
Not Queried
http://onion.net/karriere - - -
Unknown
Not Queried
http://onion.net/events - - -
Unknown
Not Queried
http://onion.net/sharepoint - - -
Unknown
Not Queried
http://onion.net/community-edition - - -
Unknown
Not Queried
//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/1.0.10/cookieconsent.min.js - - -
Unknown
Not Queried
http://onion.net/aktuelles - - -
Unknown
Not Queried
http://onion.net/en - - -
Unknown
Not Queried
http://onion.net/ueber-uns/sitemap - - -
Unknown
Not Queried
Function Logfile
Screenshot (Before / After)