VTI SCORE: 100/100
Dynamic Analysis Report

Classification: Dropper

Threat Names:
Gen:Variant.MSILPerseus.194329
Gen:Variant.MSILPerseus.195992
Gen:Variant.Razy.548085

ekati6482.exe
Windows Exe (x86-32)
Created at 2020-02-27T09:41:00

Files (this list contains only the embedded files, downloaded files, and dropped files)

File: ekati6482.exe | Type: Windows Exe (x86-32)

PE Information

Image Base | 0x400000 |
Entry Point | 0x46727a |
Size Of Code | 0x65400 |
Size Of Initialized Data | 0x7800 |
File Type | FileType.executable |
Subsystem | Subsystem.windows_gui |
Machine Type | MachineType.i386 |
Compile Timestamp | 2020-02-27 03:48:55+00:00 |

Version Information (11)

Assembly Version | 2.0.0.0 |
Comments | Ekati |
CompanyName | Lee Wei |
FileDescription | ekati |
FileVersion | 2.0.0.0 |
InternalName | ekati.exe |
LegalCopyright | Lee Wei |
LegalTrademarks | - |
OriginalFilename | ekati.exe |
ProductName | Ekati |
ProductVersion | 2.0.0.0 |

Sections (3)

Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x402000 | 0x65280 | 0x65400 | 0x200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.52 |
.rsrc | 0x468000 | 0x7430 | 0x7600 | 0x65600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.89 |
.reloc | 0x470000 | 0xc | 0x200 | 0x6cc00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1 |

Imports (1)

mscoree.dll (1)

API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | 0x0 | 0x402000 | 0x67250 | 0x65450 | 0x0 |

Memory Dumps (2)

Name | Process ID | Start VA | End VA | Dump Reason | Bitness | Entry Point |
---|---|---|---|---|---|---|
ekati6482.exe | 1 | 0x00EC0000 | 0x00F31FFF | Relevant Image | 32-bit | - |
ekati6482.exe | 1 | 0x00EC0000 | 0x00F31FFF | Final Dump | 32-bit | - |

Local AV Matches (1)

Threat Name | Severity |
---|---|
Gen:Variant.MSILPerseus.194329 | Malicious |

File: C:\Users\FD1HVy\Desktop\qq3d1t429055.exe | Category: Dropped File | Type: Binary | Severity: Malicious

PE Information

Image Base | 0x400000 |
Entry Point | 0x405afe |
Size Of Code | 0x3c00 |
Size Of Initialized Data | 0x800 |
File Type | FileType.executable |
Subsystem | Subsystem.windows_gui |
Machine Type | MachineType.i386 |
Compile Timestamp | 2085-06-15 19:44:26+00:00 |

Version Information (11)

Assembly Version | 1.0.0.0 |
Comments | - |
CompanyName | - |
FileDescription | diamond |
FileVersion | 1.0.0.0 |
InternalName | diamond.exe |
LegalCopyright | - |
LegalTrademarks | - |
OriginalFilename | diamond.exe |
ProductName | diamond |
ProductVersion | 1.0.0.0 |

Sections (3)

Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x402000 | 0x3b04 | 0x3c00 | 0x200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.5 |
.rsrc | 0x406000 | 0x57c | 0x600 | 0x3e00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.96 |
.reloc | 0x408000 | 0xc | 0x200 | 0x4400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.06 |

Imports (1)

mscoree.dll (1)

API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | 0x0 | 0x402000 | 0x5ad2 | 0x3cd2 | 0x0 |

Memory Dumps (2)

Name | Process ID | Start VA | End VA | Dump Reason | Bitness | Entry Point |
---|---|---|---|---|---|---|
qq3d1t429055.exe | 17 | 0x00280000 | 0x00289FFF | Relevant Image | 32-bit | - |
qq3d1t429055.exe | 17 | 0x00280000 | 0x00289FFF | Process Termination | 32-bit | - |

Local AV Matches (1)

Threat Name | Severity |
---|---|
Gen:Variant.MSILPerseus.195992 | Malicious |

File: C:\Users\FD1HVy\Desktop\onc2pn4u4214.exe | Category: Dropped File | Type: Binary | Severity: Malicious

PE Information

Image Base | 0x400000 |
Entry Point | 0x403f2e |
Size Of Code | 0x2000 |
Size Of Initialized Data | 0x800 |
File Type | FileType.executable |
Subsystem | Subsystem.windows_gui |
Machine Type | MachineType.i386 |
Compile Timestamp | 2045-02-20 14:27:17+00:00 |

Version Information (11)

Assembly Version | 1.0.0.0 |
Comments | - |
CompanyName | - |
FileDescription | diamond |
FileVersion | 1.0.0.0 |
InternalName | ruby.exe |
LegalCopyright | - |
LegalTrademarks | - |
OriginalFilename | ruby.exe |
ProductName | diamond |
ProductVersion | 1.0.0.0 |

Sections (3)

Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x402000 | 0x1f34 | 0x2000 | 0x200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.19 |
.rsrc | 0x404000 | 0x574 | 0x600 | 0x2200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.94 |
.reloc | 0x406000 | 0xc | 0x200 | 0x2800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.08 |

Imports (1)

mscoree.dll (1)

API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | 0x0 | 0x402000 | 0x3f04 | 0x2104 | 0x0 |

Memory Dumps (1)

Name | Process ID | Start VA | End VA | Dump Reason | Bitness | Entry Point |
---|---|---|---|---|---|---|
onc2pn4u4214.exe | 19 | 0x00DD0000 | 0x00DD7FFF | Relevant Image | 32-bit | - |

Local AV Matches (1)

Threat Name | Severity |
---|---|
Gen:Variant.Razy.548085 | Malicious |

File: C:\WINDOWS\system32\drivers\etc\hosts | Category: Modified File | Type: Text | Severity: Whitelisted

File Reputation Information

Severity | Whitelisted |

File: c:\users\fd1hvy\appdata\local\microsoft\windows\explorer\iconcache_idx.db | Category: Modified File | Type: Stream | Severity: Unknown

File: c:\users\fd1hvy\appdata\local\microsoft\windows\explorer\iconcache_32.db | Category: Modified File | Type: Stream | Severity: Unknown

File: c:\users\fd1hvy\appdata\local\microsoft\windows\explorer\iconcache_32.db | Category: Modified File | Type: Stream | Severity: Unknown

File: C:\Users\FD1HVy\AppData\Local\Temp\vacation.jpg.exe | Category: Dropped File | Type: Text | Severity: Unknown

File: C:\Users\FD1HVy\Desktop\redback.jpg | Category: Dropped File | Type: Image | Severity: Unknown

File: C:\Users\FD1HVy\Desktop\diamond.log | Category: Dropped File | Type: Text | Severity: Unknown

File: C:\Users\FD1HVy\Desktop\onion.jpg | Category: Downloaded File | Type: Image | Severity: Unknown

File: C:\Users\FD1HVy\Desktop\iptest.html | Category: Downloaded File | Type: Text | Severity: Unknown

Embedded URLs (13)

URL | First Seen | Categories | Threat Names | Reputation Status | WHOIS Data |
---|---|---|---|---|---|
http://onion.net/cms-und-mehr | - | - | - | Unknown | Not Queried |
http://onion.net/ueber-uns/impressum | - | - | - | Unknown | Not Queried |
http://onion.net/vision | - | - | - | Unknown | Not Queried |
http://onion.net/ueber-uns/kontakt | - | - | - | Unknown | Not Queried |
http://onion.net/e-commerce | - | - | - | Unknown | Not Queried |
http://onion.net/karriere | - | - | - | Unknown | Not Queried |
http://onion.net/events | - | - | - | Unknown | Not Queried |
http://onion.net/sharepoint | - | - | - | Unknown | Not Queried |
http://onion.net/community-edition | - | - | - | Unknown | Not Queried |
//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/1.0.10/cookieconsent.min.js | - | - | - | Unknown | Not Queried |
http://onion.net/aktuelles | - | - | - | Unknown | Not Queried |
http://onion.net/en | - | - | - | Unknown | Not Queried |
http://onion.net/ueber-uns/sitemap | - | - | - | Unknown | Not Queried |