fb4077e5...1834 | VTI
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Spyware

fb4077e5ef55027b2972e94fe54eca985dfb933702f09a640a799f31b2181834 (SHA256)

clifind.log.exe

Windows Exe (x86-32)

Created at 2018-11-14 12:09:00

...
Severity Category Operation Classification
5/5
YARA YARA match -
  • Rule "APT28_IMPLANT_4_v10" from ruleset "APTs" has matched for "\Users\CIiHmnxMn6Ps\Desktop\clifind.log.exe"
    ...
4/5
Injection Writes into the memory of another running process -
  • "c:\users\ciihmnxmn6ps\desktop\clifind.log.exe" modifies memory of "c:\windows\syswow64\explorer.exe"
    ...
3/5
Anti Analysis Tries to detect application sandbox -
  • Possibly trying to detect "Sandboxie" by checking for existence of module "sbiedll.dll".
    ...
2/5
Anti Analysis Tries to detect virtual machine -
  • Reads out system information, commonly used to detect VMs via registry. (Value "VideoBiosVersion" in key "HKEY_LOCAL_MACHINE\HARDWARE\Description\System").
    ...
2/5
Anti Analysis Tries to detect debugger -
1/5
Information Stealing Reads system data Spyware
1/5
Process Creates process with hidden window -
  • The process "C:\Windows\SysWOW64\explorer.exe" starts with hidden window.
    ...
1/5
Process Reads from memory of another process -
  • "c:\users\ciihmnxmn6ps\desktop\clifind.log.exe" reads from "C:\Windows\SysWOW64\explorer.exe".
    ...
1/5
Anti Analysis Resolves APIs dynamically -
1/5
Process Creates system object -
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image