VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Trojan, Spyware
SHA256: c71c3662a7ebba5fdd0d804fe9ff864789fa08e8286352c21b339b9db2c3db81
Filename: p.exe
File Type: Windows Exe (x86-32)
Created at 2018-09-11 15:34:00
Embedded and created files (filtered view): none for this filter.
File Reputation Information

Field | Value |
---|---|
Severity | Blacklisted |
First Seen | 2018-07-29 21:43 (UTC+2) |
Last Seen | 2018-08-25 04:14 (UTC+2) |
Names | Win32.Trojan.Fareit |
Families | Fareit |
Classification | Trojan |
PE Information

Field | Value |
---|---|
Image Base | 0x400000 |
Entry Point | 0x40fe0e |
Size Of Code | 0xfc00 |
Size Of Initialized Data | 0x4e00 |
File Type | executable |
Subsystem | windows_gui |
Machine Type | i386 |
Compile Timestamp | 2018-07-29 03:18:07+00:00 |
Sections (2)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x401000 | 0xfbab | 0xfc00 | 0x200 | cnt_code, mem_execute, mem_read | 5.99 |
.data | 0x411000 | 0x4cc8 | 0x4800 | 0xfe00 | cnt_initialized_data, mem_read, mem_write | 5.39 |
Imports (8)
kernel32.dll (51)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CreateFileA | 0x0 | 0x414fa8 | 0x14e24 | 0x13c24 | 0x3d |
ReadFile | 0x0 | 0x414fac | 0x14e28 | 0x13c28 | 0x241 |
CloseHandle | 0x0 | 0x414fb0 | 0x14e2c | 0x13c2c | 0x23 |
WriteFile | 0x0 | 0x414fb4 | 0x14e30 | 0x13c30 | 0x2fb |
lstrlenA | 0x0 | 0x414fb8 | 0x14e34 | 0x13c34 | 0x31d |
GlobalLock | 0x0 | 0x414fbc | 0x14e38 | 0x13c38 | 0x1b0 |
GlobalUnlock | 0x0 | 0x414fc0 | 0x14e3c | 0x13c3c | 0x1b7 |
LocalFree | 0x0 | 0x414fc4 | 0x14e40 | 0x13c40 | 0x1f4 |
LocalAlloc | 0x0 | 0x414fc8 | 0x14e44 | 0x13c44 | 0x1f0 |
GetTickCount | 0x0 | 0x414fcc | 0x14e48 | 0x13c48 | 0x18d |
lstrcpyA | 0x0 | 0x414fd0 | 0x14e4c | 0x13c4c | 0x319 |
lstrcatA | 0x0 | 0x414fd4 | 0x14e50 | 0x13c50 | 0x313 |
GetFileAttributesA | 0x0 | 0x414fd8 | 0x14e54 | 0x13c54 | 0x117 |
ExpandEnvironmentStringsA | 0x0 | 0x414fdc | 0x14e58 | 0x13c58 | 0x9d |
GetFileSize | 0x0 | 0x414fe0 | 0x14e5c | 0x13c5c | 0x11c |
CreateFileMappingA | 0x0 | 0x414fe4 | 0x14e60 | 0x13c60 | 0x3e |
MapViewOfFile | 0x0 | 0x414fe8 | 0x14e64 | 0x13c64 | 0x200 |
UnmapViewOfFile | 0x0 | 0x414fec | 0x14e68 | 0x13c68 | 0x2d3 |
LoadLibraryA | 0x0 | 0x414ff0 | 0x14e6c | 0x13c6c | 0x1ea |
GetProcAddress | 0x0 | 0x414ff4 | 0x14e70 | 0x13c70 | 0x153 |
GetTempPathA | 0x0 | 0x414ff8 | 0x14e74 | 0x13c74 | 0x184 |
CreateDirectoryA | 0x0 | 0x414ffc | 0x14e78 | 0x13c78 | 0x35 |
DeleteFileA | 0x0 | 0x415000 | 0x14e7c | 0x13c7c | 0x69 |
GetCurrentProcess | 0x0 | 0x415004 | 0x14e80 | 0x13c80 | 0x100 |
WideCharToMultiByte | 0x0 | 0x415008 | 0x14e84 | 0x13c84 | 0x2f0 |
GetLastError | 0x0 | 0x41500c | 0x14e88 | 0x13c88 | 0x128 |
lstrcmpA | 0x0 | 0x415010 | 0x14e8c | 0x13c8c | 0x315 |
CreateToolhelp32Snapshot | 0x0 | 0x415014 | 0x14e90 | 0x13c90 | 0x59 |
Process32First | 0x0 | 0x415018 | 0x14e94 | 0x13c94 | 0x225 |
OpenProcess | 0x0 | 0x41501c | 0x14e98 | 0x13c98 | 0x218 |
Process32Next | 0x0 | 0x415020 | 0x14e9c | 0x13c9c | 0x227 |
FindFirstFileA | 0x0 | 0x415024 | 0x14ea0 | 0x13ca0 | 0xb1 |
lstrcmpiA | 0x0 | 0x415028 | 0x14ea4 | 0x13ca4 | 0x317 |
FindNextFileA | 0x0 | 0x41502c | 0x14ea8 | 0x13ca8 | 0xba |
FindClose | 0x0 | 0x415030 | 0x14eac | 0x13cac | 0xad |
GetModuleHandleA | 0x0 | 0x415034 | 0x14eb0 | 0x13cb0 | 0x134 |
GetVersionExA | 0x0 | 0x415038 | 0x14eb4 | 0x13cb4 | 0x196 |
GetLocaleInfoA | 0x0 | 0x41503c | 0x14eb8 | 0x13cb8 | 0x12a |
GetSystemInfo | 0x0 | 0x415040 | 0x14ebc | 0x13cbc | 0x174 |
GetWindowsDirectoryA | 0x0 | 0x415044 | 0x14ec0 | 0x13cc0 | 0x1a0 |
GetPrivateProfileStringA | 0x0 | 0x415048 | 0x14ec4 | 0x13cc4 | 0x14f |
SetCurrentDirectoryA | 0x0 | 0x41504c | 0x14ec8 | 0x13cc8 | 0x27a |
GetPrivateProfileSectionNamesA | 0x0 | 0x415050 | 0x14ecc | 0x13ccc | 0x14c |
GetPrivateProfileIntA | 0x0 | 0x415054 | 0x14ed0 | 0x13cd0 | 0x149 |
GetCurrentDirectoryA | 0x0 | 0x415058 | 0x14ed4 | 0x13cd4 | 0xfe |
lstrlenW | 0x0 | 0x41505c | 0x14ed8 | 0x13cd8 | 0x31e |
MultiByteToWideChar | 0x0 | 0x415060 | 0x14edc | 0x13cdc | 0x20d |
Sleep | 0x0 | 0x415064 | 0x14ee0 | 0x13ce0 | 0x2bb |
LCMapStringA | 0x0 | 0x415068 | 0x14ee4 | 0x13ce4 | 0x1e7 |
ExitProcess | 0x0 | 0x41506c | 0x14ee8 | 0x13ce8 | 0x9b |
SetUnhandledExceptionFilter | 0x0 | 0x415070 | 0x14eec | 0x13cec | 0x2b1 |
ole32.dll (6)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CreateStreamOnHGlobal | 0x0 | 0x415078 | 0x14ef4 | 0x13cf4 | 0x8b |
GetHGlobalFromStream | 0x0 | 0x41507c | 0x14ef8 | 0x13cf8 | 0x97 |
CoCreateGuid | 0x0 | 0x415080 | 0x14efc | 0x13cfc | 0xe |
CoTaskMemFree | 0x0 | 0x415084 | 0x14f00 | 0x13d00 | 0x60 |
CoCreateInstance | 0x0 | 0x415088 | 0x14f04 | 0x13d04 | 0xf |
OleInitialize | 0x0 | 0x41508c | 0x14f08 | 0x13d08 | 0xf3 |
user32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
wsprintfA | 0x0 | 0x415094 | 0x14f10 | 0x13d10 | 0x27d |
advapi32.dll (11)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
RegOpenKeyExA | 0x0 | 0x41509c | 0x14f18 | 0x13d18 | 0x1d0 |
RegQueryValueExA | 0x0 | 0x4150a0 | 0x14f1c | 0x13d1c | 0x1da |
RegCloseKey | 0x0 | 0x4150a4 | 0x14f20 | 0x13d20 | 0x1b7 |
RegOpenKeyA | 0x0 | 0x4150a8 | 0x14f24 | 0x13d24 | 0x1cf |
RegEnumKeyExA | 0x0 | 0x4150ac | 0x14f28 | 0x13d28 | 0x1c4 |
RegCreateKeyA | 0x0 | 0x4150b0 | 0x14f2c | 0x13d2c | 0x1ba |
RegSetValueExA | 0x0 | 0x4150b4 | 0x14f30 | 0x13d30 | 0x1e7 |
IsTextUnicode | 0x0 | 0x4150b8 | 0x14f34 | 0x13d34 | 0x12d |
RegOpenCurrentUser | 0x0 | 0x4150bc | 0x14f38 | 0x13d38 | 0x1ce |
RegEnumValueA | 0x0 | 0x4150c0 | 0x14f3c | 0x13d3c | 0x1c7 |
GetUserNameA | 0x0 | 0x4150c4 | 0x14f40 | 0x13d40 | 0x11b |
wininet.dll (2)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
InternetCrackUrlA | 0x0 | 0x4150cc | 0x14f48 | 0x13d48 | 0x79 |
InternetCreateUrlA | 0x0 | 0x4150d0 | 0x14f4c | 0x13d4c | 0x7b |
shlwapi.dll (6)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
StrStrIA | 0x0 | 0x4150d8 | 0x14f54 | 0x13d54 | 0x10d |
StrRChrIA | 0x0 | 0x4150dc | 0x14f58 | 0x13d58 | 0x100 |
StrToIntA | 0x0 | 0x4150e0 | 0x14f5c | 0x13d5c | 0x114 |
StrStrA | 0x0 | 0x4150e4 | 0x14f60 | 0x13d60 | 0x10c |
StrCmpNIA | 0x0 | 0x4150e8 | 0x14f64 | 0x13d64 | 0xea |
StrStrIW | 0x0 | 0x4150ec | 0x14f68 | 0x13d68 | 0x10e |
wsock32.dll (10)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
inet_addr | 0x0 | 0x4150f4 | 0x14f70 | 0x13d70 | 0x36 |
gethostbyname | 0x0 | 0x4150f8 | 0x14f74 | 0x13d74 | 0x2a |
socket | 0x0 | 0x4150fc | 0x14f78 | 0x13d78 | 0x49 |
connect | 0x0 | 0x415100 | 0x14f7c | 0x13d7c | 0x27 |
closesocket | 0x0 | 0x415104 | 0x14f80 | 0x13d80 | 0x26 |
send | 0x0 | 0x415108 | 0x14f84 | 0x13d84 | 0x44 |
select | 0x0 | 0x41510c | 0x14f88 | 0x13d88 | 0x43 |
recv | 0x0 | 0x415110 | 0x14f8c | 0x13d8c | 0x3e |
setsockopt | 0x0 | 0x415114 | 0x14f90 | 0x13d90 | 0x47 |
WSAStartup | 0x0 | 0x415118 | 0x14f94 | 0x13d94 | 0x21 |
userenv.dll (2)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
LoadUserProfileA | 0x0 | 0x415120 | 0x14f9c | 0x13d9c | 0x4d |
UnloadUserProfile | 0x0 | 0x415124 | 0x14fa0 | 0x13da0 | 0x61 |
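The section table and import list above are the static facts worth checking before trusting the verdict. The Python below is an added example, not part of the VMRay report: it copies the section table, entry point, timestamps and import names from this page, confirms that the entry point lands in .text and that the IAT lies in .data (its RVA-to-offset mapping reproduces the report's Thunk Offset column), and groups the imports into capability buckets. Those buckets are my own triage heuristics (assumptions), not a classification from the report. Process enumeration, LoadUserProfileA/RegOpenCurrentUser (loading and reading other users' registry hives), INI-file parsing and raw Winsock networking together are the profile of a credential stealer, which is consistent with the Fareit/Pony naming elsewhere in the report. The caveat: this only works because the sample ships an unpacked import table (.text entropy 5.99); a packed dropper would show a handful of imports and need unpacking first.

```python
"""Static triage over the facts in the report above (added example).

Section table, entry point, timestamps and import names are copied from the
report; the CAPABILITIES groupings are the editor's own heuristics (assumption).
"""
from datetime import datetime, timedelta, timezone

IMAGE_BASE = 0x400000
ENTRY_POINT = 0x40FE0E

# (name, VirtualAddress, VirtualSize, RawDataSize, RawDataOffset) from "Sections (2)"
SECTIONS = [
    (".text", 0x401000, 0xFBAB, 0xFC00, 0x200),
    (".data", 0x411000, 0x4CC8, 0x4800, 0xFE00),
]

# Imported API names per DLL, as listed under "Imports (8)"
IMPORTS = {
    "kernel32.dll": (
        "CreateFileA ReadFile CloseHandle WriteFile lstrlenA GlobalLock GlobalUnlock "
        "LocalFree LocalAlloc GetTickCount lstrcpyA lstrcatA GetFileAttributesA "
        "ExpandEnvironmentStringsA GetFileSize CreateFileMappingA MapViewOfFile "
        "UnmapViewOfFile LoadLibraryA GetProcAddress GetTempPathA CreateDirectoryA "
        "DeleteFileA GetCurrentProcess WideCharToMultiByte GetLastError lstrcmpA "
        "CreateToolhelp32Snapshot Process32First OpenProcess Process32Next FindFirstFileA "
        "lstrcmpiA FindNextFileA FindClose GetModuleHandleA GetVersionExA GetLocaleInfoA "
        "GetSystemInfo GetWindowsDirectoryA GetPrivateProfileStringA SetCurrentDirectoryA "
        "GetPrivateProfileSectionNamesA GetPrivateProfileIntA GetCurrentDirectoryA lstrlenW "
        "MultiByteToWideChar Sleep LCMapStringA ExitProcess SetUnhandledExceptionFilter"
    ).split(),
    "ole32.dll": ("CreateStreamOnHGlobal GetHGlobalFromStream CoCreateGuid CoTaskMemFree "
                  "CoCreateInstance OleInitialize").split(),
    "user32.dll": ["wsprintfA"],
    "advapi32.dll": ("RegOpenKeyExA RegQueryValueExA RegCloseKey RegOpenKeyA RegEnumKeyExA "
                     "RegCreateKeyA RegSetValueExA IsTextUnicode RegOpenCurrentUser "
                     "RegEnumValueA GetUserNameA").split(),
    "wininet.dll": ["InternetCrackUrlA", "InternetCreateUrlA"],
    "shlwapi.dll": "StrStrIA StrRChrIA StrToIntA StrStrA StrCmpNIA StrStrIW".split(),
    "wsock32.dll": ("inet_addr gethostbyname socket connect closesocket send select recv "
                    "setsockopt WSAStartup").split(),
    "userenv.dll": ["LoadUserProfileA", "UnloadUserProfile"],
}

# Heuristic API groups a stealer triage looks for (assumption, not from the report).
CAPABILITIES = {
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32First",
                            "Process32Next", "OpenProcess"},
    "other users' profiles/hives": {"LoadUserProfileA", "UnloadUserProfile",
                                    "RegOpenCurrentUser"},
    "registry enumeration": {"RegOpenKeyExA", "RegQueryValueExA", "RegEnumKeyExA",
                             "RegEnumValueA"},
    "registry write": {"RegCreateKeyA", "RegSetValueExA"},
    "INI config parsing": {"GetPrivateProfileStringA", "GetPrivateProfileSectionNamesA",
                           "GetPrivateProfileIntA"},
    "file system sweep": {"FindFirstFileA", "FindNextFileA", "FindClose"},
    "raw TCP networking": {"WSAStartup", "gethostbyname", "socket", "connect", "send", "recv"},
    "URL handling": {"InternetCrackUrlA", "InternetCreateUrlA"},
    "runtime API resolution": {"LoadLibraryA", "GetProcAddress"},
}


def section_for_va(va):
    """Name of the section whose in-memory range contains va, or None."""
    for name, vaddr, vsize, _rsize, _roff in SECTIONS:
        if vaddr <= va < vaddr + vsize:
            return name
    return None


def va_to_file_offset(va):
    """Map a VA to a raw file offset via the section table. Returns None if va
    is outside every section or in the zero-filled tail where VirtualSize
    exceeds RawDataSize (.data here: 0x4CC8 > 0x4800)."""
    for _name, vaddr, vsize, rsize, roff in SECTIONS:
        if vaddr <= va < vaddr + vsize:
            delta = va - vaddr
            return roff + delta if delta < rsize else None
    return None


def capabilities(imports=IMPORTS):
    """Return {capability: sorted matched APIs} for every group that is hit."""
    names = {api for apis in imports.values() for api in apis}
    return {cap: sorted(names & apis) for cap, apis in CAPABILITIES.items() if names & apis}


def import_count(imports=IMPORTS):
    """Total imported symbols; the report's per-DLL counts sum to 89."""
    return sum(len(v) for v in imports.values())


COMPILE_TS = datetime(2018, 7, 29, 3, 18, 7, tzinfo=timezone.utc)
FIRST_SEEN = datetime(2018, 7, 29, 21, 43, tzinfo=timezone(timedelta(hours=2)))


def hours_compile_to_first_seen():
    """Hours from the PE compile timestamp to the first sighting. A negative
    value would mean the timestamp was forged into the future."""
    return (FIRST_SEEN - COMPILE_TS).total_seconds() / 3600


if __name__ == "__main__":
    print("entry point in", section_for_va(ENTRY_POINT),
          "at file offset", hex(va_to_file_offset(ENTRY_POINT)))
    print("first thunk RVA 0x14e24 -> offset", hex(va_to_file_offset(IMAGE_BASE + 0x14E24)))
    print("imports:", import_count())
    for cap, apis in capabilities().items():
        print(f"  {cap}: {', '.join(apis)}")
    print(f"compile -> first seen: {hours_compile_to_first_seen():.1f} h")
```

Run it as a script to see the mapping and the capability summary. The offset for thunk RVA 0x14e24 comes out as 0x13c24, the same value the report lists in its Thunk Offset column, which is a cheap way to confirm the section table was transcribed correctly before reasoning about anything else in it.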
YARA Matches

Rule Name | Rule Description | Classification | Severity |
---|---|---|---|
pony | Pony spyware | Spyware | 5/5 |
pony_stealer | Pony spyware | Spyware | 5/5 |