7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc

Interactive malware hunting service

General Info

File name: Netbull.exe

Full analysis: https://app.any.run/tasks/43cfacd1-5388-4661-a789-4a7ac92a9e13

Verdict: Malicious activity

Analysis date: 12/2/2019, 22:02:46

OS:: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)

Indicators:

MIME:: application/x-dosexec

File info:: PE32 executable (GUI) Intel 80386, for MS Windows

MD5: 28602ba664770c545fe59c28fa64d207

SHA1: 824168027bc2d4c46892c042ff3b4f8e62dfa080

SHA256: 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc

SSDEEP: 6144:Wa6rm3jPz4m78UknzfVLr97rBp+4xdtBIF0tlOQOQbqJ+NJk1bznjAb1ytk2C:WmTEmgUQl97rBp+QtWWaQOQbqJm60YA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration: 300 seconds

Additional time used: 240 seconds

Fakenet option: off

Heavy Evaision option: off

MITM proxy: off

Route via Tor: off

Network geolocation: off

Privacy: Public submission

Autoconfirmation of UAC: on

Software preset

Internet Explorer 8.0.7601.17514
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Behavior activities

MALICIOUS	SUSPICIOUS	INFO
Application was dropped or rewritten from another process NPE[1].exe (PID: 2124) NPE[1].exe (PID: 1552) Uses SVCHOST.EXE for hidden code execution Netbull.exe (PID: 2176) Changes settings of System certificates NPE[1].exe (PID: 1552) Changes the autorun value in the registry svchost.exe (PID: 3180) NPE[1].exe (PID: 1552)	Executable content was dropped or overwritten Netbull.exe (PID: 2176) svchost.exe (PID: 3180) iexplore.exe (PID: 2204) NPE[1].exe (PID: 1552) iexplore.exe (PID: 4072) Loads DLL from Mozilla Firefox svchost.exe (PID: 3180) Creates files in the Windows directory NPE[1].exe (PID: 1552) Removes files from Windows directory NPE[1].exe (PID: 1552) Creates files in the driver directory NPE[1].exe (PID: 1552) Creates files in the program directory NPE[1].exe (PID: 1552) Adds / modifies Windows certificates NPE[1].exe (PID: 1552) Reads Internet Cache Settings NPE[1].exe (PID: 1552) Executed as Windows Service vssvc.exe (PID: 3400) Searches for installed software NPE[1].exe (PID: 1552)	Reads internet explorer settings iexplore.exe (PID: 2472) iexplore.exe (PID: 2204) Changes internet zones settings iexplore.exe (PID: 4072) iexplore.exe (PID: 976) Reads Internet Cache Settings iexplore.exe (PID: 2472) iexplore.exe (PID: 2204) iexplore.exe (PID: 4072) Application launched itself iexplore.exe (PID: 976) Manual execution by user iexplore.exe (PID: 976) iexplore.exe (PID: 4072) Reads the hosts file NPE[1].exe (PID: 1552) Dropped object may contain Bitcoin addresses NPE[1].exe (PID: 1552) Low-level read access rights to disk partition vssvc.exe (PID: 3400) Reads settings of System Certificates NPE[1].exe (PID: 1552)

MALICIOUS

SUSPICIOUS

INFO

Application was dropped or rewritten from another process

NPE[1].exe (PID: 2124)
NPE[1].exe (PID: 1552)

Uses SVCHOST.EXE for hidden code execution

Netbull.exe (PID: 2176)

Changes settings of System certificates

NPE[1].exe (PID: 1552)

Changes the autorun value in the registry

svchost.exe (PID: 3180)
NPE[1].exe (PID: 1552)

Executable content was dropped or overwritten

Netbull.exe (PID: 2176)
svchost.exe (PID: 3180)
iexplore.exe (PID: 2204)
NPE[1].exe (PID: 1552)
iexplore.exe (PID: 4072)

Loads DLL from Mozilla Firefox

svchost.exe (PID: 3180)

Creates files in the Windows directory

NPE[1].exe (PID: 1552)

Removes files from Windows directory

NPE[1].exe (PID: 1552)

Creates files in the driver directory

NPE[1].exe (PID: 1552)

Creates files in the program directory

NPE[1].exe (PID: 1552)

Adds / modifies Windows certificates

NPE[1].exe (PID: 1552)

Reads Internet Cache Settings

NPE[1].exe (PID: 1552)

Executed as Windows Service

vssvc.exe (PID: 3400)

Searches for installed software

NPE[1].exe (PID: 1552)

Reads internet explorer settings

iexplore.exe (PID: 2472)
iexplore.exe (PID: 2204)

Changes internet zones settings

iexplore.exe (PID: 4072)
iexplore.exe (PID: 976)

Reads Internet Cache Settings

iexplore.exe (PID: 2472)
iexplore.exe (PID: 2204)
iexplore.exe (PID: 4072)

Application launched itself

iexplore.exe (PID: 976)

Manual execution by user

iexplore.exe (PID: 976)
iexplore.exe (PID: 4072)

Reads the hosts file

NPE[1].exe (PID: 1552)

Dropped object may contain Bitcoin addresses

NPE[1].exe (PID: 1552)

Low-level read access rights to disk partition

vssvc.exe (PID: 3400)

Reads settings of System Certificates

NPE[1].exe (PID: 1552)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD

.exe

| UPX compressed Win32 Executable (38.2%)

.exe

| Win32 EXE Yoda's Crypter (37.5%)

.dll

| Win32 Dynamic Link Library (generic) (9.2%)

.exe

| Win32 Executable (generic) (6.3%)

.exe

| Win16/32 Executable Delphi generic (2.9%)

EXIF

MachineType:

Intel 386 or later, and compatibles

TimeStamp:

1992:06:20 00:22:17+02:00

PEType:

PE32

LinkerVersion:

2.25

CodeSize:

28160

InitializedDataSize:

12288

UninitializedDataSize:

null

EntryPoint:

0x79d0

OSVersion:

ImageVersion:

null

SubsystemVersion:

Subsystem:

Windows GUI

Summary

Architecture:

IMAGE_FILE_MACHINE_I386

Subsystem:

IMAGE_SUBSYSTEM_WINDOWS_GUI

Compilation Date:

19-Jun-1992 22:22:17

Detected languages

English - United States

DOS Header

Magic number:

Bytes on last page of file:

0x0050

Pages in file:

0x0002

Relocations:

0x0000

Size of header:

0x0004

Min extra paragraphs:

0x000F

Max extra paragraphs:

0xFFFF

Initial SS value:

0x0000

Initial SP value:

0x00B8

Checksum:

0x0000

Initial IP value:

0x0000

Initial CS value:

0x0000

Overlay number:

0x001A

OEM identifier:

0x0000

OEM information:

0x0000

Address of NE header:

0x00000100

PE Headers

Signature:

Machine:

IMAGE_FILE_MACHINE_I386

Number of sections:

Time date stamp:

19-Jun-1992 22:22:17

Pointer to Symbol Table:

0x00000000

Number of symbols:

Size of Optional Header:

0x00E0

Characteristics

IMAGE_FILE_32BIT_MACHINE

IMAGE_FILE_BYTES_REVERSED_HI

IMAGE_FILE_BYTES_REVERSED_LO

IMAGE_FILE_EXECUTABLE_IMAGE

IMAGE_FILE_LINE_NUMS_STRIPPED

IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
CODE	0x00001000	0x00006CB8	0x00006E00	IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ	6.51771
DATA	0x00008000	0x00000830	0x00000A00	IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE	4.21269
BSS	0x00009000	0x00000A75	0x00000000	IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE	0
.idata	0x0000A000	0x0000087C	0x00000A00	IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE	4.11254
.tls	0x0000B000	0x00000008	0x00000000	IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE	0
.rdata	0x0000C000	0x00000018	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_SHARED	0.204488
.reloc	0x0000D000	0x00000754	0x00000800	IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_SHARED	6.41981
.rsrc	0x0000E000	0x0000102C	0x00001200	IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_SHARED	4.38169

Resources

DVCLAL

PACKAGEINFO

MAINICON

Imports

kernel32.dll

user32.dll

advapi32.dll

oleaut32.dll

shell32.dll

Exports

No exports.

Screenshots

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 17850 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 20861 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 27913 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 29940 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 32943 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 33967 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 35968 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 39969 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 40991 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 41992 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 43993 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 45994 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 46995 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 47996 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 50027 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 51029 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 56058 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 58082 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 61082 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 62092 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 65093 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 67113 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 69114 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 71123 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 73177 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 74178 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 76179 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 79181 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 81197 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 84199 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 87251 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 91274 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 94282 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 96310 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 99342 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 102376 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 105397 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 109467 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 112503 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 115548 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 118558 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 121584 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 123585 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 126609 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 130609 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 133670 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 136678 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 139710 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 142712 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 146746 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 147747 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 151748 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 153749 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 160806 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 162844 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 165847 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 168849 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 171870 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 175900 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 178902 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 180917 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 187968 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 192023 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 193023 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 198026 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 199027 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 202054 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 205065 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 209075 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 212082 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 218792 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 220796 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 228768 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 229769 ms from task started

Screenshot of 7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc taken from 231770 ms from task started

Processes

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

–

Specs description

Program did not start

Integrity level elevation

Task сontains an error or was rebooted

Process has crashed

Task contains several apps running

Executable file was dropped

Debug information is available

Process was injected

Network attacks were detected

Application downloaded the executable file

Actions similar to stealing personal data

Behavior similar to exploiting the vulnerability

Inspected object has sucpicious PE structure

File is detected by antivirus software

CPU overrun

RAM overrun

Process starts the services

Process was added to the startup

Behavior similar to spam

Low-level access to the HDD

Probably Tor was used

System was rebooted

Connects to the network

Known threat

Process information

Click at the process to see the details.

PID: 2176

CMD: "C:\Users\admin\Desktop\Netbull.exe"

Path: C:\Users\admin\Desktop\Netbull.exe

Indicators

Parent process: ––

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company

Description

Version

Modules

Image
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msctf.dll
c:\users\admin\desktop\netbull.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\clbcatq.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\apphelp.dll

PID: 3180

CMD: svchost.exe

Path: C:\Windows\system32\svchost.exe

Indicators

Parent process: Netbull.exe

User: admin

Integrity Level: MEDIUM

Exit code: 15663104

Version:

Company: Microsoft Corporation

Description: Host Process for Windows Services

Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Image
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\svchost.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

General Info

Netbull.exe

Take your security to the next level

28602ba664770c545fe59c28fa64d207

824168027bc2d4c46892c042ff3b4f8e62dfa080

7559d9262637d1e610f24bd694d8333a95a15df687599a128055aa03025df4dc

6144:Wa6rm3jPz4m78UknzfVLr97rBp+4xdtBIF0tlOQOQbqJ+NJk1bznjAb1ytk2C:WmTEmgUQl97rBp+QtWWaQOQbqJm60YA

Launch configuration

Software preset

Hotfixes

Behavior activities

Static information

Screenshots

Processes

Behavior graph

Process information

Take your security
to the next level