VTI SCORE: 100/100
| Dynamic Analysis Report |
| Classification: Trojan, Spyware |
c71c3662a7ebba5fdd0d804fe9ff864789fa08e8286352c21b339b9db2c3db81 (SHA256)
p.exe
Windows Exe (x86-32)
Created at 2018-09-11 15:34:00
This is a filtered view
This list contains only the embedded files and created files
| Filters: |
There are no files for this filter
| Filename | Category | Type | Severity | Actions |
|---|
| Mime Type | application/x-dosexec |
| File Size | 81.50 KB |
| MD5 |
ba9f2b64df4bd9cb44c6be4f03c780fc
|
| SHA1 |
918322331409a83f3c4df4698ac194813001cdd3
|
| SHA256 |
c71c3662a7ebba5fdd0d804fe9ff864789fa08e8286352c21b339b9db2c3db81
|
| SSDeep |
1536:w6/W/jqTJldK7DjWN5YvAbnoD72egkjOp/EFCkzmPA:JYkgWN5YHzOp/EFaPA
|
| ImpHash |
9b4192c1bb37e89f7af1e420b76961bb
|
File Reputation Information
»
| Severity |
Blacklisted
|
| First Seen | 2018-07-29 21:43 (UTC+2) |
| Last Seen | 2018-08-25 04:14 (UTC+2) |
| Names | Win32.Trojan.Fareit |
| Families | Fareit |
| Classification | Trojan |
PE Information
»
| Image Base | 0x400000 |
| Entry Point | 0x40fe0e |
| Size Of Code | 0xfc00 |
| Size Of Initialized Data | 0x4e00 |
| File Type | executable |
| Subsystem | windows_gui |
| Machine Type | i386 |
| Compile Timestamp | 2018-07-29 03:18:07+00:00 |
Sections (2)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x401000 | 0xfbab | 0xfc00 | 0x200 | cnt_code, mem_execute, mem_read | 5.99 |
| .data | 0x411000 | 0x4cc8 | 0x4800 | 0xfe00 | cnt_initialized_data, mem_read, mem_write | 5.39 |
Imports (8)
»
kernel32.dll (51)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CreateFileA | 0x0 | 0x414fa8 | 0x14e24 | 0x13c24 | 0x3d |
| ReadFile | 0x0 | 0x414fac | 0x14e28 | 0x13c28 | 0x241 |
| CloseHandle | 0x0 | 0x414fb0 | 0x14e2c | 0x13c2c | 0x23 |
| WriteFile | 0x0 | 0x414fb4 | 0x14e30 | 0x13c30 | 0x2fb |
| lstrlenA | 0x0 | 0x414fb8 | 0x14e34 | 0x13c34 | 0x31d |
| GlobalLock | 0x0 | 0x414fbc | 0x14e38 | 0x13c38 | 0x1b0 |
| GlobalUnlock | 0x0 | 0x414fc0 | 0x14e3c | 0x13c3c | 0x1b7 |
| LocalFree | 0x0 | 0x414fc4 | 0x14e40 | 0x13c40 | 0x1f4 |
| LocalAlloc | 0x0 | 0x414fc8 | 0x14e44 | 0x13c44 | 0x1f0 |
| GetTickCount | 0x0 | 0x414fcc | 0x14e48 | 0x13c48 | 0x18d |
| lstrcpyA | 0x0 | 0x414fd0 | 0x14e4c | 0x13c4c | 0x319 |
| lstrcatA | 0x0 | 0x414fd4 | 0x14e50 | 0x13c50 | 0x313 |
| GetFileAttributesA | 0x0 | 0x414fd8 | 0x14e54 | 0x13c54 | 0x117 |
| ExpandEnvironmentStringsA | 0x0 | 0x414fdc | 0x14e58 | 0x13c58 | 0x9d |
| GetFileSize | 0x0 | 0x414fe0 | 0x14e5c | 0x13c5c | 0x11c |
| CreateFileMappingA | 0x0 | 0x414fe4 | 0x14e60 | 0x13c60 | 0x3e |
| MapViewOfFile | 0x0 | 0x414fe8 | 0x14e64 | 0x13c64 | 0x200 |
| UnmapViewOfFile | 0x0 | 0x414fec | 0x14e68 | 0x13c68 | 0x2d3 |
| LoadLibraryA | 0x0 | 0x414ff0 | 0x14e6c | 0x13c6c | 0x1ea |
| GetProcAddress | 0x0 | 0x414ff4 | 0x14e70 | 0x13c70 | 0x153 |
| GetTempPathA | 0x0 | 0x414ff8 | 0x14e74 | 0x13c74 | 0x184 |
| CreateDirectoryA | 0x0 | 0x414ffc | 0x14e78 | 0x13c78 | 0x35 |
| DeleteFileA | 0x0 | 0x415000 | 0x14e7c | 0x13c7c | 0x69 |
| GetCurrentProcess | 0x0 | 0x415004 | 0x14e80 | 0x13c80 | 0x100 |
| WideCharToMultiByte | 0x0 | 0x415008 | 0x14e84 | 0x13c84 | 0x2f0 |
| GetLastError | 0x0 | 0x41500c | 0x14e88 | 0x13c88 | 0x128 |
| lstrcmpA | 0x0 | 0x415010 | 0x14e8c | 0x13c8c | 0x315 |
| CreateToolhelp32Snapshot | 0x0 | 0x415014 | 0x14e90 | 0x13c90 | 0x59 |
| Process32First | 0x0 | 0x415018 | 0x14e94 | 0x13c94 | 0x225 |
| OpenProcess | 0x0 | 0x41501c | 0x14e98 | 0x13c98 | 0x218 |
| Process32Next | 0x0 | 0x415020 | 0x14e9c | 0x13c9c | 0x227 |
| FindFirstFileA | 0x0 | 0x415024 | 0x14ea0 | 0x13ca0 | 0xb1 |
| lstrcmpiA | 0x0 | 0x415028 | 0x14ea4 | 0x13ca4 | 0x317 |
| FindNextFileA | 0x0 | 0x41502c | 0x14ea8 | 0x13ca8 | 0xba |
| FindClose | 0x0 | 0x415030 | 0x14eac | 0x13cac | 0xad |
| GetModuleHandleA | 0x0 | 0x415034 | 0x14eb0 | 0x13cb0 | 0x134 |
| GetVersionExA | 0x0 | 0x415038 | 0x14eb4 | 0x13cb4 | 0x196 |
| GetLocaleInfoA | 0x0 | 0x41503c | 0x14eb8 | 0x13cb8 | 0x12a |
| GetSystemInfo | 0x0 | 0x415040 | 0x14ebc | 0x13cbc | 0x174 |
| GetWindowsDirectoryA | 0x0 | 0x415044 | 0x14ec0 | 0x13cc0 | 0x1a0 |
| GetPrivateProfileStringA | 0x0 | 0x415048 | 0x14ec4 | 0x13cc4 | 0x14f |
| SetCurrentDirectoryA | 0x0 | 0x41504c | 0x14ec8 | 0x13cc8 | 0x27a |
| GetPrivateProfileSectionNamesA | 0x0 | 0x415050 | 0x14ecc | 0x13ccc | 0x14c |
| GetPrivateProfileIntA | 0x0 | 0x415054 | 0x14ed0 | 0x13cd0 | 0x149 |
| GetCurrentDirectoryA | 0x0 | 0x415058 | 0x14ed4 | 0x13cd4 | 0xfe |
| lstrlenW | 0x0 | 0x41505c | 0x14ed8 | 0x13cd8 | 0x31e |
| MultiByteToWideChar | 0x0 | 0x415060 | 0x14edc | 0x13cdc | 0x20d |
| Sleep | 0x0 | 0x415064 | 0x14ee0 | 0x13ce0 | 0x2bb |
| LCMapStringA | 0x0 | 0x415068 | 0x14ee4 | 0x13ce4 | 0x1e7 |
| ExitProcess | 0x0 | 0x41506c | 0x14ee8 | 0x13ce8 | 0x9b |
| SetUnhandledExceptionFilter | 0x0 | 0x415070 | 0x14eec | 0x13cec | 0x2b1 |
ole32.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CreateStreamOnHGlobal | 0x0 | 0x415078 | 0x14ef4 | 0x13cf4 | 0x8b |
| GetHGlobalFromStream | 0x0 | 0x41507c | 0x14ef8 | 0x13cf8 | 0x97 |
| CoCreateGuid | 0x0 | 0x415080 | 0x14efc | 0x13cfc | 0xe |
| CoTaskMemFree | 0x0 | 0x415084 | 0x14f00 | 0x13d00 | 0x60 |
| CoCreateInstance | 0x0 | 0x415088 | 0x14f04 | 0x13d04 | 0xf |
| OleInitialize | 0x0 | 0x41508c | 0x14f08 | 0x13d08 | 0xf3 |
user32.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| wsprintfA | 0x0 | 0x415094 | 0x14f10 | 0x13d10 | 0x27d |
advapi32.dll (11)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| RegOpenKeyExA | 0x0 | 0x41509c | 0x14f18 | 0x13d18 | 0x1d0 |
| RegQueryValueExA | 0x0 | 0x4150a0 | 0x14f1c | 0x13d1c | 0x1da |
| RegCloseKey | 0x0 | 0x4150a4 | 0x14f20 | 0x13d20 | 0x1b7 |
| RegOpenKeyA | 0x0 | 0x4150a8 | 0x14f24 | 0x13d24 | 0x1cf |
| RegEnumKeyExA | 0x0 | 0x4150ac | 0x14f28 | 0x13d28 | 0x1c4 |
| RegCreateKeyA | 0x0 | 0x4150b0 | 0x14f2c | 0x13d2c | 0x1ba |
| RegSetValueExA | 0x0 | 0x4150b4 | 0x14f30 | 0x13d30 | 0x1e7 |
| IsTextUnicode | 0x0 | 0x4150b8 | 0x14f34 | 0x13d34 | 0x12d |
| RegOpenCurrentUser | 0x0 | 0x4150bc | 0x14f38 | 0x13d38 | 0x1ce |
| RegEnumValueA | 0x0 | 0x4150c0 | 0x14f3c | 0x13d3c | 0x1c7 |
| GetUserNameA | 0x0 | 0x4150c4 | 0x14f40 | 0x13d40 | 0x11b |
wininet.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| InternetCrackUrlA | 0x0 | 0x4150cc | 0x14f48 | 0x13d48 | 0x79 |
| InternetCreateUrlA | 0x0 | 0x4150d0 | 0x14f4c | 0x13d4c | 0x7b |
shlwapi.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| StrStrIA | 0x0 | 0x4150d8 | 0x14f54 | 0x13d54 | 0x10d |
| StrRChrIA | 0x0 | 0x4150dc | 0x14f58 | 0x13d58 | 0x100 |
| StrToIntA | 0x0 | 0x4150e0 | 0x14f5c | 0x13d5c | 0x114 |
| StrStrA | 0x0 | 0x4150e4 | 0x14f60 | 0x13d60 | 0x10c |
| StrCmpNIA | 0x0 | 0x4150e8 | 0x14f64 | 0x13d64 | 0xea |
| StrStrIW | 0x0 | 0x4150ec | 0x14f68 | 0x13d68 | 0x10e |
wsock32.dll (10)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| inet_addr | 0x0 | 0x4150f4 | 0x14f70 | 0x13d70 | 0x36 |
| gethostbyname | 0x0 | 0x4150f8 | 0x14f74 | 0x13d74 | 0x2a |
| socket | 0x0 | 0x4150fc | 0x14f78 | 0x13d78 | 0x49 |
| connect | 0x0 | 0x415100 | 0x14f7c | 0x13d7c | 0x27 |
| closesocket | 0x0 | 0x415104 | 0x14f80 | 0x13d80 | 0x26 |
| send | 0x0 | 0x415108 | 0x14f84 | 0x13d84 | 0x44 |
| select | 0x0 | 0x41510c | 0x14f88 | 0x13d88 | 0x43 |
| recv | 0x0 | 0x415110 | 0x14f8c | 0x13d8c | 0x3e |
| setsockopt | 0x0 | 0x415114 | 0x14f90 | 0x13d90 | 0x47 |
| WSAStartup | 0x0 | 0x415118 | 0x14f94 | 0x13d94 | 0x21 |
userenv.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| LoadUserProfileA | 0x0 | 0x415120 | 0x14f9c | 0x13d9c | 0x4d |
| UnloadUserProfile | 0x0 | 0x415124 | 0x14fa0 | 0x13da0 | 0x61 |
YARA Matches
»
| Rule Name | Rule Description | Classification | Severity | Actions |
|---|---|---|---|---|
| pony | Pony spyware | Spyware |
5/5
|
...
|
| pony_stealer | Pony spyware | Spyware |
5/5
|
...
|
