| Field | Value |
|---|---|
| File name | Natasha.exe |
| Full analysis | https://app.any.run/tasks/36eb9d88-4eea-40df-a2cb-9fb82fac85b5 |
| Verdict | Malicious activity |
| Analysis date | May 20, 2022, 21:49:01 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/x-dosexec |
| File info | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | C2C122E7E32CAAD03FD52C06A1D260BA |
| SHA1 | 15295E8933DDDE42BEB953632B9E19C46C7B9B38 |
| SHA256 | 39E39B67DFDB930CB5BFCC060BD2BA96FE8E58871538A2A3234DDC5AA7ACBC20 |
| SSDEEP | 12288:ih1Lk70Tnvjc5Zab5kThXxGPWKO9XjQgJTPEVMBHiJIJiSE0:Wk70Trcs5kZxk0xUgRPEECJqp |
| Extension | Identified type |
|---|---|
| .exe | Win32 Executable MS Visual C++ (generic) (42.2) |
| .exe | Win64 Executable (generic) (37.3) |
| .dll | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | Win32 Executable (generic) (6) |
| .exe | Generic Win/DOS Executable (2.7) |
| Field | Value |
|---|---|
| AssemblyVersion | 1.3.0.1 |
| ProductVersion | 1.3.0.9 |
| ProductName | Reborn |
| OriginalFileName | Natasha.exe |
| LegalTrademarks | - |
| LegalCopyright | Copyright © 2011 |
| InternalName | Natasha.exe |
| FileVersion | 1.3.0.9 |
| FileDescription | Reborn |
| CompanyName | - |
| Comments | - |
| CharacterSet | Unicode |
| LanguageCode | Neutral |
| FileSubtype | - |
| ObjectFileType | Executable application |
| FileOS | Win32 |
| FileFlags | (none) |
| FileFlagsMask | 0x003f |
| ProductVersionNumber | 1.3.0.9 |
| FileVersionNumber | 1.3.0.9 |
| Subsystem | Windows GUI |
| SubsystemVersion | 5 |
| ImageVersion | - |
| OSVersion | 5 |
| EntryPoint | 0xcd2f |
| UninitializedDataSize | - |
| InitializedDataSize | 462848 |
| CodeSize | 104448 |
| LinkerVersion | 9 |
| PEType | PE32 |
| TimeStamp | 2012:07:14 00:47:16+02:00 |
| MachineType | Intel 386 or later, and compatibles |
| Field | Value |
|---|---|
| Architecture | IMAGE_FILE_MACHINE_I386 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date | 13-Jul-2012 22:47:16 |
| Debug artifacts | |
| Comments | - |
| CompanyName | - |
| FileDescription | Reborn |
| FileVersion | 1.3.0.9 |
| InternalName | Natasha.exe |
| LegalCopyright | Copyright © 2011 |
| LegalTrademarks | - |
| OriginalFilename | Natasha.exe |
| ProductName | Reborn |
| ProductVersion | 1.3.0.9 |
| Assembly Version | 1.3.0.1 |
| DOS header field | Value |
|---|---|
| Magic number | MZ |
| Bytes on last page of file | 0x0090 |
| Pages in file | 0x0003 |
| Relocations | 0x0000 |
| Size of header | 0x0004 |
| Min extra paragraphs | 0x0000 |
| Max extra paragraphs | 0xFFFF |
| Initial SS value | 0x0000 |
| Initial SP value | 0x00B8 |
| Checksum | 0x0000 |
| Initial IP value | 0x0000 |
| Initial CS value | 0x0000 |
| Overlay number | 0x0000 |
| OEM identifier | 0x0000 |
| OEM information | 0x0000 |
| Address of NE header | 0x000000E0 |
| PE header field | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_I386 |
| Number of sections | 4 |
| Time date stamp | 13-Jul-2012 22:47:16 |
| Pointer to Symbol Table | 0x00000000 |
| Number of symbols | 0 |
| Size of Optional Header | 0x00E0 |
| Characteristics | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00019718 | 0x00019800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.74852 |
.rdata | 0x0001B000 | 0x00006DB4 | 0x00006E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.44296 |
.data | 0x00022000 | 0x000030C0 | 0x00001600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.26259 |
.rsrc | 0x00026000 | 0x00068AFC | 0x00068C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.99915 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.3065 | 780 | Latin 1 / Western European | UNKNOWN | RT_VERSION |
__ | 7.99954 | 427761 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
~ | 4.75 | 32 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
| Imports |
|---|
| KERNEL32.dll |
| OLEAUT32.dll |
| ole32.dll |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2980 | "C:\Users\admin\AppData\Local\Temp\Natasha.exe" | C:\Users\admin\AppData\Local\Temp\Natasha.exe | — | Explorer.EXE | User: admin; Integrity Level: MEDIUM; Description: Reborn; Exit code: 0; Version: 1.3.0.9 |
| 3580 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\filterpeace.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 |
| 2060 | "C:\Program Files\FileZilla FTP Client\filezilla.exe" | C:\Program Files\FileZilla FTP Client\filezilla.exe | — | Explorer.EXE | User: admin; Company: FileZilla Project; Integrity Level: MEDIUM; Description: FileZilla FTP Client; Exit code: 0; Version: 3, 51, 0, 0 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD052.tmp.cvr | — | — | — |
| 3580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{352687A5-1590-46CE-B7A0-91B403835F07}.tmp | binary | F853B242E4016BFD539F49387981BF89 | 45EFE54CFE4B4DFE94AD97939EEAB6329ECB099A41502A034AF2C48D9992005D |
| 3580 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | DCF2A03C9E068C0FC16F7D763280F07B | 6F509D582B071642BF28AAF416E60099832ABF928EBF10EB5D1FA6A522D5C60E |
| 3580 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | AB7310ED5DEFB2A0F9A1B894776A8171 | AD138B59AFD8DFF86726EE14EA2F5A841F37BBFEDC995EFA5A23C0822909494F |
| 3580 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\filterpeace.rtf.LNK | lnk | A07A377F4673B75AF577CBDCA9724F0E | D2E997174F948963E04D1DCE4C1607DC0EDADF3EF777D0A4D2C2B5B6C11C69AC |
| 3580 | WINWORD.EXE | C:\Users\admin\Desktop\~$lterpeace.rtf | pgc | EAF9423EC55F3393C20F7166F7ECA5B0 | C5515876A21E5D8A62CB3E1F03887CA49E1DC2769F77A4D5F758A4435A0D5448 |
| 3580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C80F13D0-17B9-4B4A-BE46-40AC997C8594}.tmp | dbf | 82907542BEC275A2C4A98C4478202306 | E36E6DAAB15B1E9B745491E654AA3421E526D0FFAA7AC1E6EBDD4E3B1347DFF2 |
| 3580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2B094A82-B413-4101-A55A-C0B00A3A49B1}.tmp | smt | 5D4D94EE7E06BBB0AF9584119797B23A | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
| 2060 | filezilla.exe | C:\Users\admin\AppData\Roaming\FileZilla\layout.xml | xml | F76334C9999EBFBFC0BAFE574784CDA6 | 62FD434F500CDE527D0C1CF2CEF956F896A48F8D2071DBCA1A505A11E08363D7 |
| 2060 | filezilla.exe | C:\Users\admin\AppData\Roaming\FileZilla\filezilla.xml | xml | CD2C9315387D20E6F0DE46045DA81F64 | 58DB83124A68400441EC1AD90B97202478D4CF7E822CE5A296B285A559636995 |