Field | Value |
---|---|
File name: | ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec |
Full analysis: | https://app.any.run/tasks/284e6e47-a494-4a8f-b294-95b728151d42 |
Verdict: | Malicious activity |
Analysis date: | March 14, 2019, 14:38:36 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (console) Intel 80386, for MS Windows |
MD5: | 73849EE583E7DD08A7A803C98F1F767E |
SHA1: | 838B0160A994A68267EB89295B6546352E4456ED |
SHA256: | AD2F0AE9522820FE5A56FDB29488FC467D4AA777A2019A6F085CCDD978BD0BEC |
SSDEEP: | 98304:fcv/IvMVoTbdrzlOz0QkwN7qI73OJMtTH:f2SZvOzjkwN7ZCJMtTH |
Extension | Detection |
---|---|
.exe | Win64 Executable (generic) (76.4) |
.exe | Win32 Executable (generic) (12.4) |
.exe | Generic Win/DOS Executable (5.5) |
.exe | DOS Executable Generic (5.5) |
Field | Value |
---|---|
Subsystem: | Windows command line |
SubsystemVersion: | 5 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x2ba88 |
UninitializedDataSize: | - |
InitializedDataSize: | 3301376 |
CodeSize: | 319488 |
LinkerVersion: | 12 |
PEType: | PE32 |
TimeStamp: | 2015:06:19 13:36:01+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date: | 19-Jun-2015 11:36:01 |
Detected languages: | |
Field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000E0 |
Field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 9 |
Time date stamp: | 19-Jun-2015 11:36:01 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0004DF51 | 0x0004E000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.59842 |
.rdata | 0x0004F000 | 0x0000B666 | 0x0000B800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.77039 |
.data | 0x0005B000 | 0x038D808C | 0x00031200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.18655 |
.herge | 0x03934000 | 0x00080250 | 0x00080400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.32839 |
.g692 | 0x039B5000 | 0x0008D078 | 0x0008D200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.47422 |
.au45 | 0x03A43000 | 0x00079358 | 0x00079400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.33812 |
.anlth9 | 0x03ABD000 | 0x00092838 | 0x00092A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.3438 |
.rr3aen | 0x03B50000 | 0x0005F350 | 0x0005EE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.15744 |
.rsrc | 0x03BB0000 | 0x00071372 | 0x00071400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.20629 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.07794 | 1223 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 2.91484 | 304 | Latin 1 / Western European | UNKNOWN | RT_ICON |
3 | 3.40952 | 1186 | Latin 1 / Western European | English - United States | RT_STRING |
4 | 3.47343 | 674 | Latin 1 / Western European | English - United States | RT_STRING |
5 | 3.3354 | 1174 | Latin 1 / Western European | English - United States | RT_STRING |
6 | 4.84888 | 16936 | UNKNOWN | UNKNOWN | RT_ICON |
7 | 3.39267 | 744 | Latin 1 / Western European | UNKNOWN | RT_ICON |
8 | 3.64963 | 304 | Latin 1 / Western European | UNKNOWN | RT_ICON |
9 | 4.83238 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
10 | 5.43624 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |
COMCTL32.dll |
CRYPT32.dll |
KERNEL32.dll |
MPR.dll |
PSAPI.DLL |
USER32.dll |
WININET.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3188 | "C:\Users\admin\AppData\Local\Temp\ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe" | C:\Users\admin\AppData\Local\Temp\ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | — | explorer.exe |
User: admin, Integrity Level: MEDIUM, Exit code: 3221226540 | | | | |
3684 | "C:\Users\admin\AppData\Local\Temp\ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe" | C:\Users\admin\AppData\Local\Temp\ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | — | explorer.exe |
User: admin, Integrity Level: HIGH | | | | |
(PID) Process | Key | Operation | Name | Value |
---|---|---|---|---|
(3684) ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | HKEY_CURRENT_USER\Software\Downloader | write | quarantine | |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3684 | ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | POST | — | 88.208.60.229:80 | http://zombleman.site/api_v2/json/get/initialization | NL | — | — | malicious |
3684 | ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | POST | — | 88.208.60.229:80 | http://zombleman.site/api_v2/json/get/initialization | NL | — | — | malicious |
3684 | ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | POST | — | 88.208.60.229:80 | http://zombleman.site/api_v2/json/get/initialization | NL | — | — | malicious |
3684 | ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | POST | — | 88.208.60.229:80 | http://zombleman.site/api_v2/json/get/initialization | NL | — | — | malicious |
3684 | ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | POST | — | 88.208.60.229:80 | http://zombleman.site/api_v2/json/get/initialization | NL | — | — | malicious |
3684 | ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | POST | — | 88.208.60.229:80 | http://zombleman.site/api_v2/json/get/initialization | NL | — | — | malicious |
3684 | ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | POST | — | 88.208.60.229:80 | http://zombleman.site/api_v2/json/get/initialization | NL | — | — | malicious |
3684 | ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | POST | — | 88.208.60.229:80 | http://zombleman.site/api_v2/json/get/initialization | NL | — | — | malicious |
3684 | ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | POST | — | 88.208.60.229:80 | http://zombleman.site/api_v2/json/get/initialization | NL | — | — | malicious |
3684 | ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | POST | — | 88.208.60.229:80 | http://zombleman.site/api_v2/json/get/initialization | NL | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3684 | ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | 88.208.60.229:80 | zombleman.site | DataWeb Global Group B.V. | NL | malicious |
Domain | IP | Reputation |
---|---|---|
zombleman.site | — | malicious |
PID | Process | Class | Message |
---|---|---|---|
3684 | ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | Misc activity | ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST |
3684 | ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | Misc activity | ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST |
3684 | ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | Misc activity | ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST |
3684 | ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | Misc activity | ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST |
3684 | ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | Misc activity | ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST |
3684 | ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | Misc activity | ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST |
3684 | ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | Misc activity | ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST |
3684 | ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | Misc activity | ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST |
3684 | ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | Misc activity | ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST |
3684 | ad2f0ae9522820fe5a56fdb29488fc467d4aa777a2019a6f085ccdd978bd0bec.exe | Misc activity | ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST |