File name: | 0be167ef2e2f61860ad1957c380eb678209450ce8166f12c500b594b634dfad3 |
Full analysis: | https://app.any.run/tasks/9122ebfa-9953-4779-b0f6-585b6b471a5f |
Verdict: | Malicious activity |
Analysis date: | February 18, 2019, 13:30:05 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 8DFAE7DC3DD36F296593124AC2BCFE79 |
SHA1: | 47146DC99254D26DD171223FBBBD82B6238007DB |
SHA256: | 0BE167EF2E2F61860AD1957C380EB678209450CE8166F12C500B594B634DFAD3 |
SSDEEP: | 6144:NaQYJvuSR3olVqbnpI0ZRlgsusexRH/YZEsKTQ1AJFGDOHiYoCtVIAi:NKolobS/sOf/Q1AJFGDSVti |
.exe | | | Win32 EXE PECompact compressed (generic) (79.7) |
---|---|---|
.exe | | | Win32 Executable (generic) (8.6) |
.exe | | | Win16/32 Executable Delphi generic (3.9) |
.exe | | | Generic Win/DOS Executable (3.8) |
.exe | | | DOS Executable Generic (3.8) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2019:02:13 13:18:19+01:00 |
PEType: | PE32 |
LinkerVersion: | 2.25 |
CodeSize: | 139776 |
InitializedDataSize: | 317952 |
UninitializedDataSize: | - |
EntryPoint: | 0x22528 |
OSVersion: | 5 |
ImageVersion: | - |
SubsystemVersion: | 5 |
Subsystem: | Windows GUI |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 13-Feb-2019 12:18:19 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 11 |
Time date stamp: | 13-Feb-2019 12:18:19 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000209FC | 0x00020A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.44246 |
.itext | 0x00022000 | 0x00001628 | 0x00001800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.32247 |
.data | 0x00024000 | 0x00001888 | 0x00001A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.66304 |
.bss | 0x00026000 | 0x00005954 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x0002C000 | 0x00000AEC | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.65761 |
.didata | 0x0002D000 | 0x000001C8 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.05764 |
.edata | 0x0002E000 | 0x0000006F | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.27733 |
.tls | 0x0002F000 | 0x00000014 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x00030000 | 0x0000005C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.35256 |
.reloc | 0x00031000 | 0x00002D10 | 0x00002E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.53208 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
4090 | 3.18737 | 464 | UNKNOWN | UNKNOWN | RT_STRING |
4091 | 3.50315 | 508 | UNKNOWN | UNKNOWN | RT_STRING |
4092 | 3.36848 | 196 | UNKNOWN | UNKNOWN | RT_STRING |
4093 | 3.38569 | 304 | UNKNOWN | UNKNOWN | RT_STRING |
4094 | 3.25466 | 796 | UNKNOWN | UNKNOWN | RT_STRING |
4095 | 3.35521 | 852 | UNKNOWN | UNKNOWN | RT_STRING |
4096 | 3.31066 | 696 | UNKNOWN | UNKNOWN | RT_STRING |
PKQY | 7.99929 | 289936 | UNKNOWN | English - United States | VWUD |
DVCLAL | 4 | 16 | UNKNOWN | UNKNOWN | RT_RCDATA |
PACKAGEINFO | 5.0488 | 416 | UNKNOWN | UNKNOWN | RT_RCDATA |
advapi32.dll |
kernel32.dll |
kernel32.dll (delay-loaded) |
netapi32.dll |
oleaut32.dll |
user32.dll |
version.dll |
Title | Ordinal | Address |
---|---|---|
dbkFCallWrapperAddr | 1 | 0x00029628 |
__dbk_fcall_wrapper | 2 | 0x0000B5E4 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3052 | "C:\Users\admin\AppData\Local\Temp\0be167ef2e2f61860ad1957c380eb678209450ce8166f12c500b594b634dfad3.exe" | C:\Users\admin\AppData\Local\Temp\0be167ef2e2f61860ad1957c380eb678209450ce8166f12c500b594b634dfad3.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3768 | C:\Windows\system32\regsvr32.exe -s C:\Users\admin\AppData\Local\Temp\0BE167~1.DLL f1 C:\Users\admin\AppData\Local\Temp\0BE167~1.EXE@3052 | C:\Windows\system32\regsvr32.exe | — | 0be167ef2e2f61860ad1957c380eb678209450ce8166f12c500b594b634dfad3.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 3 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2976 | C:\Windows\system32\\rundll32.exe C:\Users\admin\AppData\Local\Temp\0BE167~1.DLL,f0 | C:\Windows\system32\rundll32.exe | regsvr32.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2028 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3052 | 0be167ef2e2f61860ad1957c380eb678209450ce8166f12c500b594b634dfad3.exe | C:\Users\admin\AppData\Local\Temp\0be167ef2e2f61860ad1957c380eb678209450ce8166f12c500b594b634dfad3.dll | executable | |
MD5:C549B5C58790CD30D1132F79F6BB423E | SHA256:749F84E34A95595F9B017FE3B7B36217F6616BCBB421539709307126C32F90C2 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2976 | rundll32.exe | 100.249.91.126:443 | — | T-Mobile USA, Inc. | US | malicious |
2976 | rundll32.exe | 14.130.125.15:443 | — | China Networks Inter-Exchange | CN | malicious |
2976 | rundll32.exe | 169.126.133.8:443 | — | — | US | malicious |
2976 | rundll32.exe | 185.92.222.238:443 | — | Choopa, LLC | NL | malicious |
2976 | rundll32.exe | 99.70.14.24:443 | — | AT&T Services, Inc. | US | malicious |
2976 | rundll32.exe | 192.71.249.51:443 | — | lcp nv | BE | malicious |
2976 | rundll32.exe | 58.115.124.113:443 | — | Hoshin Multimedia Center Inc. | TW | malicious |
2976 | rundll32.exe | 128.84.12.158:443 | — | Cornell University | US | malicious |
PID | Process | Class | Message |
---|---|---|---|
2976 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
2976 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
2976 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
2976 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
2976 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
2976 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
2976 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
2976 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |