File name: | wsus.bin |
Full analysis: | https://app.any.run/tasks/7effca26-552c-426c-9706-c80c8c862862 |
Verdict: | Malicious activity |
Threats: | FlawedAmmmyy is a RAT type malware that can be used to perform actions remotely on an infected PC. This malware is well known for being featured in especially large campaigns with wide target demographics. |
Analysis date: | February 19, 2019, 08:14:50 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 30B4E109CAAEBAB50007872085E8D208 |
SHA1: | DEB4CC157FB846C7BC876221201FD249E7B78B98 |
SHA256: | 7ECFD68341FE276C17246DC51C5D70EE2C1BBC6801C85201C8A62956C23D872D |
SSDEEP: | 12288:rjXq7SyOLQ7gOlzFZu/KAj2I2ISOGJ8NLVWrzmOGGEAle0Yu54HrW+vUTUhjJBC6:rjwYLQ7BzFC2ISIVW+B64HfvokJgijqE |
.exe | | | Win32 Executable (generic) (52.9) |
---|---|---|
.exe | | | Generic Win/DOS Executable (23.5) |
.exe | | | DOS Executable Generic (23.5) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2019:02:18 16:35:52+01:00 |
PEType: | PE32 |
LinkerVersion: | 14 |
CodeSize: | 484352 |
InitializedDataSize: | 178688 |
UninitializedDataSize: | - |
EntryPoint: | 0x4f866 |
OSVersion: | 5.1 |
ImageVersion: | - |
SubsystemVersion: | 5.1 |
Subsystem: | Windows GUI |
FileVersionNumber: | 1.18.2.51920 |
ProductVersionNumber: | 1.18.2.51920 |
FileFlagsMask: | 0x003f |
FileFlags: | Pre-release, Patched, Special build |
FileOS: | Windows NT 32-bit |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Greek |
CharacterSet: | Windows, Hebrew |
CompanyName: | Microsoft Block Security |
FileDescription: | Microsoft Block Security |
FileVersion: | 1.18.2.51920 |
LegalCopyright: | Microsoft Block Security Copyright 1994 - 2019 |
OriginalFileName: | wsus.exe |
ProductName: | ActivesNetworks System |
ProductVersion: | 1.18.2.51920 |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 18-Feb-2019 15:35:52 |
Detected languages: |
|
CompanyName: | Microsoft Block Security |
FileDescription: | Microsoft Block Security |
FileVersion: | 1.18.2.51920 |
LegalCopyright: | Microsoft Block Security Copyright 1994 - 2019 |
OriginalFilename: | wsus.exe |
ProductName: | ActivesNetworks System |
ProductVersion: | 1.18.2.51920 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000118 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 7 |
Time date stamp: | 18-Feb-2019 15:35:52 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0007631E | 0x00076400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.61779 |
.rdata | 0x00078000 | 0x0001EF26 | 0x0001F000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.3456 |
.data | 0x00097000 | 0x00009098 | 0x00002A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.45257 |
.gfids | 0x000A1000 | 0x000002F0 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.03126 |
.tls | 0x000A2000 | 0x00000009 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0203931 |
.rsrc | 0x000A3000 | 0x000032D0 | 0x00003400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.65267 |
.reloc | 0x000A7000 | 0x000065D8 | 0x00006600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.68053 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.50931 | 792 | Latin 1 / Western European | English - United States | RT_VERSION |
74 | 2.37044 | 88 | Latin 1 / Western European | English - United States | RT_STRING |
86 | 2.72303 | 126 | Latin 1 / Western European | English - United States | RT_STRING |
89 | 2.70355 | 110 | Latin 1 / Western European | English - United States | RT_STRING |
92 | 3.21356 | 194 | Latin 1 / Western European | English - United States | RT_STRING |
100 | 2.88701 | 140 | Latin 1 / Western European | English - United States | RT_STRING |
123 | 2.95801 | 154 | Latin 1 / Western European | English - United States | RT_STRING |
125 | 2.36776 | 90 | Latin 1 / Western European | English - United States | RT_STRING |
129 | 2.61271 | 106 | Latin 1 / Western European | English - United States | RT_STRING |
133 | 2.50497 | 98 | Latin 1 / Western European | English - United States | RT_STRING |
ADVAPI32.dll |
GDI32.dll |
KERNEL32.dll |
OLEAUT32.dll |
SHELL32.dll |
Secur32.dll |
USER32.dll |
USERENV.dll |
WINSPOOL.DRV |
WS2_32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2968 | "C:\Users\admin\AppData\Local\Temp\wsus.bin.exe" | C:\Users\admin\AppData\Local\Temp\wsus.bin.exe | explorer.exe | |
User: admin Company: Microsoft Block Security Integrity Level: MEDIUM Description: Microsoft Block Security Version: 1.18.2.51920 |
(PID) Process: | (2968) wsus.bin.exe | Key: | HKEY_CURRENT_USER\System\CurrentControlSet\Control |
Operation: | write | Name: | netsxuid |
Value: 56003647 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2968 | wsus.bin.exe | 185.99.133.2:80 | — | Zappie Host LLC | NZ | malicious |
PID | Process | Class | Message |
---|---|---|---|
2968 | wsus.bin.exe | A Network Trojan was detected | MALWARE [PTsecurity] FlawedAmmyy.RAT |
2968 | wsus.bin.exe | A Network Trojan was detected | MALWARE [PTsecurity] AMMYY RAT |
2968 | wsus.bin.exe | A Network Trojan was detected | ET TROJAN Win32/FlawedAmmyy RAT CnC Checkin |
2968 | wsus.bin.exe | A Network Trojan was detected | MALWARE [PTsecurity] FlawedAmmyy.RAT Checkin |