Malicious
Classifications

Injector

Threat Names

Mal/HTMLGen-A Generic.Andromeda.FF046139 Generic.Andromeda.79093CCD Gen:Variant.Razy.655877

Dynamic Analysis Report

Created on 2021-09-27T17:30:00

d0426ed95048ec08395edddaaa1d3ccc7a3f769d4324195e1f075b16f462a4c6.exe

Windows Exe (x86-32)

Remarks (2/2)

(0x0200000E): The overall sleep time of all monitored processes was truncated from "40 minutes, 15 seconds" to "9 seconds" to reveal dormant functionality.

(0x0200003A): A task was rescheduled ahead of time to reveal dormant functionality.

File Name C:\Users\RDhJ0CNFevzX\Desktop\d0426ed95048ec08395edddaaa1d3ccc7a3f769d4324195e1f075b16f462a4c6.exe
Category Sample File
Type Binary
Verdict malicious
Also Known As C:\Users\RDhJ0CNFevzX\AppData\Roaming\bcatcih (Dropped File)
MIME Type application/vnd.microsoft.portable-executable
File Size 128.00 KB
MD5 fb45ecbfb0e13b103b6b1c583479a21d
SHA1 9cb9eead55f3b3f4847fd8f1bdd8d20ca46d9dc2
SHA256 d0426ed95048ec08395edddaaa1d3ccc7a3f769d4324195e1f075b16f462a4c6
SSDeep 1536:jLOCZw1YLUlP7fXadkUQ0+78Au2SRjj/WgmO/Z/eh3uJp+Q7Jgz70eIacRbUozsz:jnwcUNPfjQv5/Z0qfPeZcRwKsz
ImpHash f98cc9327e2d65cc6189a693f26e1c1d
PE Information
Image Base 0x400000
Entry Point 0x401b2c
Size Of Code 0x10200
Size Of Initialized Data 0x94800
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2020-09-02 13:27:09+00:00
Version Information (3)
InternalName sajbmiamezu.ise
Copyright Copyrighz (C) 2021, fudkagat
ProductVersion 8.64.59.5
Sections (4)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x10080 0x10200 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 7.55
.rdata 0x412000 0x31f4 0x3200 0x10600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.16
.data 0x416000 0x8557c 0x1e00 0x13800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 1.33
.rsrc 0x49c000 0xa8f0 0xaa00 0x15600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.07
Imports (2)
KERNEL32.dll (92)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
HeapReAlloc - 0x412000 0x14968 0x12f68 0x2a4
GetLocaleInfoA - 0x412004 0x1496c 0x12f6c 0x1e8
LoadResource - 0x412008 0x14970 0x12f70 0x2f6
InterlockedIncrement - 0x41200c 0x14974 0x12f74 0x2c0
GetEnvironmentStringsW - 0x412010 0x14978 0x12f78 0x1c1
AddConsoleAliasW - 0x412014 0x1497c 0x12f7c 0x6
SetEvent - 0x412018 0x14980 0x12f80 0x3d3
OpenSemaphoreA - 0x41201c 0x14984 0x12f84 0x335
GetSystemTimeAsFileTime - 0x412020 0x14988 0x12f88 0x24f
GetCommandLineA - 0x412024 0x1498c 0x12f8c 0x16f
WriteFileGather - 0x412028 0x14990 0x12f90 0x48f
CreateActCtxW - 0x41202c 0x14994 0x12f94 0x68
GetEnvironmentStrings - 0x412030 0x14998 0x12f98 0x1bf
LeaveCriticalSection - 0x412034 0x1499c 0x12f9c 0x2ef
GetFileAttributesA - 0x412038 0x149a0 0x12fa0 0x1c9
ReadFile - 0x41203c 0x149a4 0x12fa4 0x368
GetDevicePowerState - 0x412040 0x149a8 0x12fa8 0x1b3
GetProcAddress - 0x412044 0x149ac 0x12fac 0x220
FreeUserPhysicalPages - 0x412048 0x149b0 0x12fb0 0x150
VerLanguageNameW - 0x41204c 0x149b4 0x12fb4 0x44e
WriteConsoleA - 0x412050 0x149b8 0x12fb8 0x482
GetProcessId - 0x412054 0x149bc 0x12fbc 0x225
LocalAlloc - 0x412058 0x149c0 0x12fc0 0x2f9
RemoveDirectoryW - 0x41205c 0x149c4 0x12fc4 0x380
GlobalGetAtomNameW - 0x412060 0x149c8 0x12fc8 0x28e
WaitForMultipleObjects - 0x412064 0x149cc 0x12fcc 0x462
EnumResourceTypesW - 0x412068 0x149d0 0x12fd0 0xf1
GetModuleFileNameA - 0x41206c 0x149d4 0x12fd4 0x1f4
GetModuleHandleA - 0x412070 0x149d8 0x12fd8 0x1f6
EraseTape - 0x412074 0x149dc 0x12fdc 0x102
GetStringTypeW - 0x412078 0x149e0 0x12fe0 0x240
ReleaseMutex - 0x41207c 0x149e4 0x12fe4 0x377
EndUpdateResourceA - 0x412080 0x149e8 0x12fe8 0xd7
LocalSize - 0x412084 0x149ec 0x12fec 0x302
FindFirstVolumeW - 0x412088 0x149f0 0x12ff0 0x12a
FindNextVolumeA - 0x41208c 0x149f4 0x12ff4 0x132
lstrcpyW - 0x412090 0x149f8 0x12ff8 0x4b0
HeapAlloc - 0x412094 0x149fc 0x12ffc 0x29d
GetStartupInfoA - 0x412098 0x14a00 0x13000 0x239
DeleteCriticalSection - 0x41209c 0x14a04 0x13004 0xbe
EnterCriticalSection - 0x4120a0 0x14a08 0x13008 0xd9
HeapFree - 0x4120a4 0x14a0c 0x1300c 0x2a1
VirtualFree - 0x4120a8 0x14a10 0x13010 0x457
VirtualAlloc - 0x4120ac 0x14a14 0x13014 0x454
HeapCreate - 0x4120b0 0x14a18 0x13018 0x29f
GetModuleHandleW - 0x4120b4 0x14a1c 0x1301c 0x1f9
Sleep - 0x4120b8 0x14a20 0x13020 0x421
ExitProcess - 0x4120bc 0x14a24 0x13024 0x104
WriteFile - 0x4120c0 0x14a28 0x13028 0x48d
GetStdHandle - 0x4120c4 0x14a2c 0x1302c 0x23b
SetHandleCount - 0x4120c8 0x14a30 0x13030 0x3e8
GetFileType - 0x4120cc 0x14a34 0x13034 0x1d7
GetLastError - 0x4120d0 0x14a38 0x13038 0x1e6
SetFilePointer - 0x4120d4 0x14a3c 0x1303c 0x3df
TerminateProcess - 0x4120d8 0x14a40 0x13040 0x42d
GetCurrentProcess - 0x4120dc 0x14a44 0x13044 0x1a9
UnhandledExceptionFilter - 0x4120e0 0x14a48 0x13048 0x43e
SetUnhandledExceptionFilter - 0x4120e4 0x14a4c 0x1304c 0x415
IsDebuggerPresent - 0x4120e8 0x14a50 0x13050 0x2d1
FreeEnvironmentStringsA - 0x4120ec 0x14a54 0x13054 0x14a
FreeEnvironmentStringsW - 0x4120f0 0x14a58 0x13058 0x14b
WideCharToMultiByte - 0x4120f4 0x14a5c 0x1305c 0x47a
TlsGetValue - 0x4120f8 0x14a60 0x13060 0x434
TlsAlloc - 0x4120fc 0x14a64 0x13064 0x432
TlsSetValue - 0x412100 0x14a68 0x13068 0x435
TlsFree - 0x412104 0x14a6c 0x1306c 0x433
SetLastError - 0x412108 0x14a70 0x13070 0x3ec
GetCurrentThreadId - 0x41210c 0x14a74 0x13074 0x1ad
InterlockedDecrement - 0x412110 0x14a78 0x13078 0x2bc
QueryPerformanceCounter - 0x412114 0x14a7c 0x1307c 0x354
GetTickCount - 0x412118 0x14a80 0x13080 0x266
GetCurrentProcessId - 0x41211c 0x14a84 0x13084 0x1aa
InitializeCriticalSectionAndSpinCount - 0x412120 0x14a88 0x13088 0x2b5
RtlUnwind - 0x412124 0x14a8c 0x1308c 0x392
LoadLibraryA - 0x412128 0x14a90 0x13090 0x2f1
SetStdHandle - 0x41212c 0x14a94 0x13094 0x3fc
GetConsoleCP - 0x412130 0x14a98 0x13098 0x183
GetConsoleMode - 0x412134 0x14a9c 0x1309c 0x195
FlushFileBuffers - 0x412138 0x14aa0 0x130a0 0x141
GetCPInfo - 0x41213c 0x14aa4 0x130a4 0x15b
GetACP - 0x412140 0x14aa8 0x130a8 0x152
GetOEMCP - 0x412144 0x14aac 0x130ac 0x213
IsValidCodePage - 0x412148 0x14ab0 0x130b0 0x2db
HeapSize - 0x41214c 0x14ab4 0x130b4 0x2a6
GetConsoleOutputCP - 0x412150 0x14ab8 0x130b8 0x199
WriteConsoleW - 0x412154 0x14abc 0x130bc 0x48c
MultiByteToWideChar - 0x412158 0x14ac0 0x130c0 0x31a
LCMapStringA - 0x41215c 0x14ac4 0x130c4 0x2e1
LCMapStringW - 0x412160 0x14ac8 0x130c8 0x2e3
GetStringTypeA - 0x412164 0x14acc 0x130cc 0x23d
CloseHandle - 0x412168 0x14ad0 0x130d0 0x43
CreateFileA - 0x41216c 0x14ad4 0x130d4 0x78
USER32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetCursorPos - 0x412174 0x14adc 0x130dc 0x119
Exports (1)
Api name EAT Address Ordinal
@SetViceVariants@12 0x1000 0x1
Memory Dumps (9)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA Actions
d0426ed95048ec08395edddaaa1d3ccc7a3f769d4324195e1f075b16f462a4c6.exe 1 0x00400000 0x004A6FFF Relevant Image False 32-bit 0x00403FFB False False
buffer 1 0x006D1F48 0x006D9F1F First Execution False 32-bit 0x006D1F48 True False
buffer 1 0x004C0000 0x004C8FFF First Execution False 32-bit 0x004C0000 True False
buffer 2 0x00400000 0x00408FFF First Execution False 32-bit 0x00402FA5 True False
d0426ed95048ec08395edddaaa1d3ccc7a3f769d4324195e1f075b16f462a4c6.exe 1 0x00400000 0x004A6FFF Process Termination False 32-bit - False False
buffer 2 0x00400000 0x00408FFF Content Changed False 32-bit 0x0040288D True False
buffer 2 0x00400000 0x00408FFF Content Changed False 32-bit 0x004019E8 True False
buffer 2 0x00400000 0x00408FFF Content Changed False 32-bit 0x00402D62 True False
buffer 2 0x00500000 0x00515FFF Marked Executable False 32-bit - False False
File Name C:\Users\RDHJ0C~1\AppData\Local\Temp\9DC0.exe
Category Dropped File
Type Binary
Verdict suspicious
MIME Type application/vnd.microsoft.portable-executable
File Size 56.50 KB
MD5 aecbf75645d84cd8c5152d92d40d7bb8
SHA1 0121c9b63b8ceaa4b1ad56e8ed24dd16a72d0fdf
SHA256 93b774f3ae8414dfad632811c6aee959fa09eec02c03a20706176cfe2b6eed4a
SSDeep 1536:QfhbSGl2j1kEwdhCmRi5imA6oQVrNKUrq:whbScE2zRIKB
ImpHash -
PE Information
Image Base 0x140000000
Size Of Code 0x1800
Size Of Initialized Data 0xc800
File Type FileType.executable
Subsystem Subsystem.windows_cui
Machine Type MachineType.amd64
Compile Timestamp 2052-10-17 23:36:11+00:00
Version Information (11)
Comments SpotifyInstaller
CompanyName Spotify Ltd
FileDescription SpotifyInstaller
FileVersion 1.1.68.632
InternalName ConsoleApp6.exe
LegalCopyright Copyright (c) 2021, Spotify Ltd
LegalTrademarks -
OriginalFilename ConsoleApp6.exe
ProductName Spotify
ProductVersion 1.1.68.632
Assembly Version 1.1.68.632
Sections (2)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x140002000 0x175c 0x1800 0x200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.54
.rsrc 0x140004000 0xc6c4 0xc800 0x1a00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.87
Memory Dumps (1)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA Actions
9dc0.exe 5 0x140000000 0x140011FFF Relevant Image False 64-bit - False False
File Name C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
Category Modified File
Type Stream
Verdict clean
MIME Type application/octet-stream
File Size 2.16 KB
MD5 b6c7adc91bab8711e18378c32cbcb3c1
SHA1 80d20118f767b23b53b0d9372c44f474aaac9257
SHA256 db123d2d2807b259aa3a7cdbba857fb570602df5bf5a9039fe79329b39e36bf5
SSDeep 48:yHSdSM7gcL7g9GAl2UKcZkzyzSKhABzyziLBzyzzGHBXPCV:yil7gcL7g9GAl2UKskzyzSKaBzyziLBg
ImpHash -
File Name C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fe77092-4798-42ae-bda5-e7f822b580e9
Category Modified File
Type Stream
Verdict clean
Known to be clean.
MIME Type application/octet-stream
File Size 1.16 KB
MD5 9832b59b183bb6318e62f1385d345c6d
SHA1 54b856a180fb3723403f9aad24ca548de63dc376
SHA256 bfd60204585f1603ee9faac7c44adb9fcd6fa56b7748f03ecb1a9beaa7c56ea1
SSDeep 24:WM83yV+ty+qXlIZXxf/DXdQXPZX3X6S+Z+Wz+q:BSy8PilIhNTWPhn6lgDq
ImpHash -
File Name C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_da21122d-ae44-4f93-ba1d-c9a978ca5b20
Category Modified File
Type Stream
Verdict clean
Known to be clean.
MIME Type application/octet-stream
File Size 10.76 KB
MD5 8845f276e426accd51223008b6aed4bf
SHA1 c9fa81aa57e7c32c4bcefd33788967cc3170fe91
SHA256 72831bc6962c8017ea71abc038a8f60e79976ebaf05d363c80f32c975a55d0d9
SSDeep 192:8wUOJGqwAf5CBbXuQuxs0B8HX64MnENxUyrTEAsr9jQ0uwm/CgGZYySo0nbSRNNo:8wUOJGqwARCBbXxss0B8364MnENxUyr3
ImpHash -
File Name C:\Users\RDHJ0C~1\AppData\Local\Temp\9DC0.tmp
Category Dropped File
Type Unknown
Verdict clean
MIME Type -
File Size 0 Bytes
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep 3::
ImpHash -
File Name C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
Category Dropped File
Type Stream
Verdict clean
MIME Type application/octet-stream
File Size 2.16 KB
MD5 f0f0892d829bcdfcea156e1a80e515f1
SHA1 8a0668582bcad6859839a5306378e74071f60b10
SHA256 779d2f224e62c6e4470e00582475be919e67c554cb3d8760ab3a9f3bdda4a464
SSDeep 48:yHSdSM7gbL7g9GAl2UKcZkzyzSKhABzyziLBzyzzGHBXPCV:yil7gbL7g9GAl2UKskzyzSKaBzyziLBg
ImpHash -
File Name C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
Category Dropped File
Type Stream
Verdict clean
MIME Type application/octet-stream
File Size 2.16 KB
MD5 1a967b3ef5c2a119d7885fcd50be4607
SHA1 86163c16ead8d880e39945af8cad9fc0a39316b4
SHA256 92b1624b445f72288a2b5a009e108e325933b5b24f70b22deaffbb31322004d0
SSDeep 48:yHSdSM7gbL7g+GAl2UKcZkzyzSKhABzyziLBzyzzGHBXPCV:yil7gbL7g+GAl2UKskzyzSKaBzyziLBg
ImpHash -