File name: | cbeed03cf1ffde7c6ed28eb0fb197f79.exe |
Full analysis: | https://app.any.run/tasks/b40873d8-5fb4-4ad5-8f7f-05c6692f4fcd |
Verdict: | Malicious activity |
Analysis date: | February 18, 2019, 15:40:43 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 51C827496A23F87A3F95A4AF27BE13E3 |
SHA1: | 4F9D5C34D1A176F3899CB99F521E02CF50F83CA8 |
SHA256: | 0DE3F32B0808C5DC43F9CF601D3066F9ADC841411EDA1A7BC362D2D1D29371A2 |
SSDEEP: | 6144:U6+G6Qayiy1CFCu61Y8giEAI3BdBN7fh7YaPt6VEuCLUoWq9JsWUZI:UDzhy1Ij6ZPEt3fLh7YaPwVEuCgZq9S |
.exe | | | Win32 EXE PECompact compressed (generic) (79.7) |
---|---|---|
.exe | | | Win32 Executable (generic) (8.6) |
.exe | | | Win16/32 Executable Delphi generic (3.9) |
.exe | | | Generic Win/DOS Executable (3.8) |
.exe | | | DOS Executable Generic (3.8) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2019:02:18 16:18:42+01:00 |
PEType: | PE32 |
LinkerVersion: | 2.25 |
CodeSize: | 142336 |
InitializedDataSize: | 316416 |
UninitializedDataSize: | - |
EntryPoint: | 0x23528 |
OSVersion: | 5 |
ImageVersion: | - |
SubsystemVersion: | 5 |
Subsystem: | Windows GUI |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 18-Feb-2019 15:18:42 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 11 |
Time date stamp: | 18-Feb-2019 15:18:42 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00021288 | 0x00021400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.43516 |
.itext | 0x00023000 | 0x00001790 | 0x00001800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.58187 |
.data | 0x00025000 | 0x00001888 | 0x00001A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.65952 |
.bss | 0x00027000 | 0x00005970 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x0002D000 | 0x00000AEC | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.66204 |
.didata | 0x0002E000 | 0x000001C8 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.04748 |
.edata | 0x0002F000 | 0x0000006F | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.27362 |
.tls | 0x00030000 | 0x00000014 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x00031000 | 0x0000005C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.33262 |
.reloc | 0x00032000 | 0x00002D38 | 0x00002E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.5448 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
4090 | 3.18737 | 464 | UNKNOWN | UNKNOWN | RT_STRING |
4091 | 3.50315 | 508 | UNKNOWN | UNKNOWN | RT_STRING |
4092 | 3.36848 | 196 | UNKNOWN | UNKNOWN | RT_STRING |
4093 | 3.38569 | 304 | UNKNOWN | UNKNOWN | RT_STRING |
4094 | 3.25466 | 796 | UNKNOWN | UNKNOWN | RT_STRING |
4095 | 3.35521 | 852 | UNKNOWN | UNKNOWN | RT_STRING |
4096 | 3.31066 | 696 | UNKNOWN | UNKNOWN | RT_STRING |
GBTA | 7.99941 | 288400 | UNKNOWN | English - United States | EIFL |
DVCLAL | 4 | 16 | UNKNOWN | UNKNOWN | RT_RCDATA |
PACKAGEINFO | 5.04582 | 408 | UNKNOWN | UNKNOWN | RT_RCDATA |
advapi32.dll |
kernel32.dll |
kernel32.dll (delay-loaded) |
netapi32.dll |
oleaut32.dll |
user32.dll |
version.dll |
Title | Ordinal | Address |
---|---|---|
dbkFCallWrapperAddr | 1 | 0x0002A628 |
__dbk_fcall_wrapper | 2 | 0x0000B5E4 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3104 | "C:\Users\admin\AppData\Local\Temp\cbeed03cf1ffde7c6ed28eb0fb197f79.exe" | C:\Users\admin\AppData\Local\Temp\cbeed03cf1ffde7c6ed28eb0fb197f79.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3816 | C:\Windows\system32\regsvr32.exe -s C:\Users\admin\AppData\Local\Temp\CBEED0~1.DLL f1 C:\Users\admin\AppData\Local\Temp\CBEED0~1.EXE@3104 | C:\Windows\system32\regsvr32.exe | — | cbeed03cf1ffde7c6ed28eb0fb197f79.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 3 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3068 | C:\Windows\system32\\rundll32.exe C:\Users\admin\AppData\Local\Temp\CBEED0~1.DLL,f0 | C:\Windows\system32\rundll32.exe | regsvr32.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3104 | cbeed03cf1ffde7c6ed28eb0fb197f79.exe | C:\Users\admin\AppData\Local\Temp\cbeed03cf1ffde7c6ed28eb0fb197f79.dll | executable | |
MD5:D9AD39B149A212762D39521E57412921 | SHA256:026D99DA60DF9C14F7D6C77FA81413C0C215052348EF322B7FA1514B7E76BF7E |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3068 | rundll32.exe | 182.47.124.45:443 | — | No.31,Jin-rong Street | CN | unknown |
3068 | rundll32.exe | 146.147.64.117:443 | — | Microsoft Corporation | US | malicious |
3068 | rundll32.exe | 109.181.0.57:443 | — | EE Limited | GB | malicious |
3068 | rundll32.exe | 71.215.192.124:443 | — | Qwest Communications Company, LLC | US | unknown |
3068 | rundll32.exe | 89.144.25.104:443 | — | GHOSTnet GmbH | DE | malicious |
3068 | rundll32.exe | 188.102.210.27:443 | — | Vodafone GmbH | DE | malicious |
3068 | rundll32.exe | 178.209.51.211:443 | — | Nine Internet Solutions AG | CH | malicious |
3068 | rundll32.exe | 42.118.76.158:443 | — | The Corporation for Financing & Promoting Technology | VN | unknown |
3068 | rundll32.exe | 220.196.122.187:443 | — | China Unicom Shanghai network | CN | malicious |
PID | Process | Class | Message |
---|---|---|---|
3068 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
3068 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
3068 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
3068 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
3068 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
3068 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
3068 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
3068 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |