Create Interactive Tour

Windows Analysis Report
SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe
Analysis ID:	1309615
MD5:	eafba56f876c04229c33c88a0bd964fa
SHA1:	d34f886a895f190c8a2d1bf4e46cbf104358126c
SHA256:	76c77a70b8ff02ec28049a28fdb538a5d663f548b48e9a449371edd4c414a15e
Tags:	exe

Detection

Score:	26
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Multi AV Scanner detection for submitted file

Contains VNC / remote desktop functionality (version string found)

May use bcdedit to modify the Windows boot settings

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

PE file contains executable resources (Code or Archives)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe (PID: 1408 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe MD5: EAFBA56F876C04229C33C88A0BD964FA)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Virustotal: Detection: 8%

Perma Link

Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\winvnc\x64\Release\winvnc.pdbGCTL source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe
Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\winvnc\x64\Release\winvnc.pdb source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Source: _02621E4.RSA	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: _02621E4.RSA	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: http://forum.uvnc.com
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: http://java.sun.com/products/plugin/index.html#download
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1
Source: _02621E4.RSA	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: http://www.uvnc.com
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: http://www.uvnc.comhttp://forum.uvnc.comnet
Source: _02621E4.RSA	String found in binary or memory: https://www.globalsign.com/repository/0
Source: _02621E4.RSA	String found in binary or memory: https://www.globalsign.com/repository/03
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: https://www.uvnc.com

Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe, 00000000.00000000.304345857.00007FF6A02D0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWinVNC.exe0 vs SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Binary or memory string: OriginalFilenameWinVNC.exe0 vs SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Virustotal: Detection: 8%

Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Mutant created: \Sessions\1\BaseNamedObjects\WinVNC_Win32_Instance_Mutex

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

File created: C:\Users\user\Desktop\UltraVNC.ini

Jump to behavior

Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: -install
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: -startservice
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: -settings-uninstall-install-securityeditor-startservice
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: -settings-uninstall-install-securityeditor-startservice
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: -stopservice
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: -stopreconnect
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: -startservicehelper
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: -installhelper
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: WinVNC_Win32_Instance_Mutexid:-delsoftwarecadhelper-rebootsafemodehelper-stopreconnect-autoreconnect-install-multiUTC-startservicehelpers-securityeditorhelper-openforumMVS-service-killObjectVMS-rebootsafemode-softwarecadhelperMVS-installhelper-preconnect-uninstallhelpernormal
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: WinVNC_Win32_Instance_Mutexid:-delsoftwarecadhelper-rebootsafemodehelper-stopreconnect-autoreconnect-install-multiUTC-startservicehelpers-securityeditorhelper-openforumMVS-service-killObjectVMS-rebootsafemode-softwarecadhelperMVS-installhelper-preconnect-uninstallhelpernormal
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: WinVNC_Win32_Instance_Mutexid:-delsoftwarecadhelper-rebootsafemodehelper-stopreconnect-autoreconnect-install-multiUTC-startservicehelpers-securityeditorhelper-openforumMVS-service-killObjectVMS-rebootsafemode-softwarecadhelperMVS-installhelper-preconnect-uninstallhelpernormal
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: -stopservicehelper
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: -dsmplugininstance-id:VM/CMS.-securityeditor-delsoftwarecad-openhomepage-stopservicehelper
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: -settingshelper-startservice-service_run-softwarecad-run-connectstored
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: -stopservice-rebootforce-service_rdp_runAmigaAtheOS
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: -installdriver
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: -dsmpluginhelperTheosaccess$-installdriver-inifilelocalshrunk
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: winvnc [-sc_prompt] [-sc_exit] [-id:????] [-stopreconnect][-autoreconnect[ ID:????]] [-connect host[:display]] [-connect host[::port]] [-repeater host[:port]] [-inifile ????] [-run]
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: wwinvnc [-sc_prompt] [-sc_exit] [-id:????] [-stopreconnect][-autoreconnect[ ID:????]] [-connect host[:display]] [-connect host[::port]] [-repeater host[:port]] [-inifile ????] [-run]
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: -installhelper
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: -stopservicehelper
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: -startservicehelper
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: -rebootsafemodehelper -rebootforcedehelper -uninstallhelper -installhelper -stopservicehelper -startservicehelperC:\Users\rudi\Desktop\git_ultravnc\winvnc\winvnc\vncmenu.cpp : vncMenu WM_CLOSE call - All cleanup done
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: -rebootsafemodehelper -rebootforcedehelper -uninstallhelper -installhelper -stopservicehelper -startservicehelperC:\Users\rudi\Desktop\git_ultravnc\winvnc\winvnc\vncmenu.cpp : vncMenu WM_CLOSE call - All cleanup done
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	String found in binary or memory: -rebootsafemodehelper -rebootforcedehelper -uninstallhelper -installhelper -stopservicehelper -startservicehelperC:\Users\rudi\Desktop\git_ultravnc\winvnc\winvnc\vncmenu.cpp : vncMenu WM_CLOSE call - All cleanup done

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

File written: C:\Users\user\Desktop\UltraVNC.ini

Jump to behavior

Source: classification engine

Classification label: sus26.troj.winEXE@1/1@0/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

File read: C:\Users\user\Desktop\UltraVNC.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Window detected: Number of UI elements: 75
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Window detected: Number of UI elements: 75

Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Static file information: File size 3011584 > 1048576

Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x178c00

Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\winvnc\x64\Release\winvnc.pdbGCTL source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe
Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\winvnc\x64\Release\winvnc.pdb source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Static PE information: real checksum: 0x2eca70 should be: 0x2e079e

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Code function: 0_2_00007FF69FF64566 push 60F5C5F1h; iretd	0_2_00007FF69FF6456E
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Code function: 0_2_00007FF69FF64A14 push 6FFDC5D5h; iretd	0_2_00007FF69FF64A1A
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Code function: 0_2_00007FF69FF64EC4 push 6FFDC5CAh; ret	0_2_00007FF69FF64ECA
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Code function: 0_2_00007FF69FF64F10 push 6FFDC5C3h; iretd	0_2_00007FF69FF64F16

Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Static PE information: section name: _RDATA

Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Binary or memory string: bcdedit.exe
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Binary or memory string: RegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -inifile -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootwinsta.dllWinStationConnectWLockWorkstation failed with error 0x%0lXWTSEnumerateSessionsAwtsapi32WTSFreeMemoryConsole -preconnect -service_rdp_run -service_run Global\SessionEventUltraGlobal\SessionEventUltraPreConnectGlobal\EndSessionEventGlobal\SessionUltraPreConnectsas.dllSendSASWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%dwinlogon.exeWTSEnumerateProcessesASeTcbPrivilegeRICHED32.DLL------------------------------------------------------------------------------------------------------------------------

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe TID: 2220

Thread sleep time: -40000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Process information queried: ProcessInformation

Jump to behavior

Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Binary or memory string: , (Hyper-V Tools)
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Binary or memory string: , (Hyper-V Server)
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Binary or memory string: Service Pack: 6aService Pack: 1aService Pack:%d.%dService Pack:%dService Pack:0.%d, (Storage Server Enterprise), (Storage Server Express), (Storage Server Standard), (Storage Server Workgroup), (Storage Server Essentials), (Storage Server), (Home Server Premium Edition), (Home Server Edition), (Terminal Services), (Embedded), (Terminal Services in Remote Admin Mode), (64 Bit Edition), (Media Center Edition), (Tablet PC Edition), (Compute Cluster Edition), (Foundation Edition), (MultiPoint Premium Edition), (MultiPoint Edition), (Security Appliance), (BackOffice), (N Edition), (E Edition), (Hyper-V Tools), (Hyper-V Server), (Server Core), (Uniprocessor Free), (Uniprocessor Checked), (Multiprocessor Free), (Multiprocessor Checked), (Windows Essential Business Server Manangement Server), (Windows Essential Business Server Messaging Server), (Windows Essential Business Server Security Server), (Cluster Server), (Small Business Server), (Small Business Server Premium), (Prerelease), (Evaluation), (Automotive), (China), (Single Language), (Win32s), (Education), (Industry), (Student), (Mobile), (IoT Core), (Cloud Host Infrastructure Server), (S Edition), (Cloud Storage Server), (PPI Pro), (Connected Car), (Handheld)Failed in call to GetOSVersion
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe, 00000000.00000002.572221746.00000261E6FC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Binary or memory string: Program Manager
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Binary or memory string: Progman
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Binary or memory string: UltraVNC.ini -settingshelperShell_TrayWnd%dpasswdUltraVNCpasswd2isWritablePermissions{34F673E0-878F-11D5-B98A-00B0D07B8C7C}
Source: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Binary or memory string: Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32BlockInputtimerscreenupdatemouseupdateuser1user2quitplaceholder1placeholder2restartC:\Users\rudi\Desktop\git_ultravnc\winvnc\winvnc\vncdesktop.cpp : ~vncDesktop

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Code function: 0_2_00007FF6A00933A8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6A00933A8

Remote Access Functionality

Contains VNC / remote desktop functionality (version string found)

Source: RfbProto.class

String found in binary or memory: RFB 003.003

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 Bootkit	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	1 Remote Desktop Protocol	Data from Local System	Exfiltration Over Other Network Medium	1 Remote Access Software	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Bootkit	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Virtualization/Sandbox Evasion	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Process Injection	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No bigger version

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	0%	ReversingLabs
SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	8%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://java.sun.com/products/plugin/index.html#download	0%	Avira URL Cloud	safe
http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1	0%	Avira URL Cloud	safe
http://www.uvnc.comhttp://forum.uvnc.comnet	0%	Avira URL Cloud	safe
http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1	0%	Virustotal		Browse
http://java.sun.com/products/plugin/index.html#download	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.uvnc.com	SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	false		high
http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1	SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.uvnc.com	SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	false		high
http://java.sun.com/products/plugin/index.html#download	SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://forum.uvnc.com	SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	false		high
http://www.uvnc.comhttp://forum.uvnc.comnet	SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1309615
Start date and time:	2023-09-17 17:38:12 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe
Detection:	SUS
Classification:	sus26.troj.winEXE@1/1@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 8.253.131.111, 8.252.238.254, 8.252.64.254, 8.250.103.254, 8.253.45.248, 209.197.3.8
Excluded domains from analysis (whitelisted): www.bing.com, fg.download.windowsupdate.com.c.footprint.net, dual-a-0001.a-msedge.net, www-bing-com.dual-a-0001.a-msedge.net, tse1.mm.bing.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, arc.msn.com, www-www.bing.com.trafficmanager.net, wu-bg-shim.trafficmanager.net
Execution Graph export aborted for target SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe, PID 1408 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.

Process:	C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe
File Type:	Generic INItialization configuration [admin]
Category:	dropped
Size (bytes):	1407
Entropy (8bit):	5.135364793594814
Encrypted:	false
SSDEEP:	24:fJhFXNTxYgMaIUSlAdo9g9iWLseeZJI2/rCcXUOFarxbgc8Gy9AJu5U7gyzn:fJzr8LUUAdTkeeZW2/rCUUOoxMNR9i5z
MD5:	BDB8C36B2807B9D721C271417D925F09
SHA1:	E6DD9833307357CEDF853E27ACED86E8A6C9CED3
SHA-256:	7979240101A8C6399A744855BA4DC97D426784659DF2281703F5BF9EFE389FB4
SHA-512:	6742763BCD2B3685D514801953D9324A3CA2D54FE26B2EE5CFB148A6940DA9B2A20BBBCCD3D804F79ED8080405AB87A6B1881443534035D072A1870BEC56B6CC
Malicious:	false
Reputation:	low
Preview:	[Permissions]..[admin]..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=1..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=..primary=1..secondary=0..SocketConnect=1..HTTPConnect=1..AutoPortSelect=1..InputsEnabled=1..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..EnableUnicodeInput=0..EnableWin8Helper=0..QuerySetting=2..QueryTimeout=10..QueryDisableTime=0..QueryAccept=0..MaxViewerSetting=0..MaxViewers=128..Collabo=0..Frame=0..Notification=0..OSD=0..NotificationSelection=0..LockSetting=0..RemoveWallpaper=0..RemoveEffects=0..RemoveFontSmoothing=0..DebugMode=0..Avilog=0..path=C:\Users\user\Desktop..DebugLevel=0..AllowLoopback=1..LoopbackOnly=0..AllowShutdown=1..AllowProperties=1..AllowInjection=0..AllowEditClients=1..FileTransferTimeout=30..KeepAliveInterval=5..IdleInputTimeout=0..DisableTrayIcon=0..rdpmode=0..noscreensaver=0..Secure=0..MSLogonRequired=0..NewMSLogon=0..ReverseAuthRequired=1..ConnectPriority=0..service_commandline=..accept_reject_me

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.568545613343524
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe
File size:	3'011'584 bytes
MD5:	eafba56f876c04229c33c88a0bd964fa
SHA1:	d34f886a895f190c8a2d1bf4e46cbf104358126c
SHA256:	76c77a70b8ff02ec28049a28fdb538a5d663f548b48e9a449371edd4c414a15e
SHA512:	80e3dc784a25d86a3a63032ab6f66e39484e3c480b4cc94dba2d63f0f9897ac1fcd86482f5c8b078639aba617e35d20c0938c6f58869f4bc4402bc8229d46b21
SSDEEP:	49152:AAOdl4d7NHNUb75uEEbOyYWHxL9X5zT/dRSAUA/J:Zl8DFWH1
TLSH:	D9D55B16AA50989AD3A28474CD56CA76D7723C1D43F642F331E4BED73B3BA913A36301
File Content Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$...........Ad..Ad..Ad......Ld.......d......Sd..'.~.Nd......Rd......Md.......d......fd......Ld..Ad..Zd......@d..Ad..Tf......Zd.......d.

File Icon


Icon Hash:	499669d8d82916a8

Static PE Info

General

Entrypoint:	0x140132ebc
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x643AC151 [Sat Apr 15 15:22:57 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	310b1cc8abef97edfcabf0ed406947cf

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F1BB891FBE8h
dec eax
add esp, 28h
jmp 00007F1BB891F57Fh
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F1BB891F712h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F1BB891F715h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F1BB891F70Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F1BB891ED4Ah
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F1BB891EA8Bh
dec eax
lea edx, dword ptr [000CF73Fh]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F1BB89219AAh
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F1BB880166Bh
dec eax
lea edx, dword ptr [000CFA27h]
dec eax
lea ecx, dword ptr [eax+eax+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x202b00	0x4dc	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x202fdc	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2b2000	0xcabb4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x2a5000	0xbb98	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2dcc00	0x27c8	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x37d000	0x1240	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1eb7a0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1eb980	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1eb800	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x17a000	0xfa0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x178a20	0x178c00	False	0.4302862682481752	data	6.547312417626284	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x17a000	0x8c2da	0x8c400	False	0.23794180314171123	data	5.3447528842875185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x207000	0x9d550	0x2200	False	0.20323988970588236	DOS executable (block device driver \322f\324\377\3772)	3.0315124359800243	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x2a5000	0xbb98	0xbc00	False	0.4939328457446808	data	6.225012673580742	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x2b1000	0xf4	0x200	False	0.296875	data	2.416915977417612	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2b2000	0xcabb4	0xcac00	False	0.3262537569358816	data	5.944617712006417	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x37d000	0x1240	0x1400	False	0.3951171875	data	5.258512641319918	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x2b31ec	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x2b31f0	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x2b31f4	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x2b31f8	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x2b31fc	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x2b3200	0x2	data	English	United States	5.0
JAVAARCHIVE	0x2b3204	0x120ed	Zip archive data, at least v2.0 to extract, compression method=deflate	English	United States	0.9881836003515176
JAVAARCHIVE	0x2c52f4	0x120bf	Zip archive data, at least v2.0 to extract, compression method=deflate	Dutch	Belgium	0.9881897752945792
RT_CURSOR	0x2d73b4	0x134	data	English	United States	0.3961038961038961
RT_CURSOR	0x2d74e8	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.13636363636363635
RT_CURSOR	0x2d761c	0xcac	data	English	United States	0.016029593094944512
RT_CURSOR	0x2d82c8	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.13636363636363635
RT_CURSOR	0x2d83fc	0xcac	data	English	United States	0.07860665844636251
RT_CURSOR	0x2d90a8	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.13636363636363635
RT_CURSOR	0x2d91dc	0xcac	data	English	United States	0.07860665844636251
RT_CURSOR	0x2d9e88	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.13636363636363635
RT_CURSOR	0x2d9fbc	0xcac	data	English	United States	0.06966707768187423
RT_CURSOR	0x2dac68	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.13636363636363635
RT_CURSOR	0x2dad9c	0xcac	data	English	United States	0.07644882860665844
RT_CURSOR	0x2dba48	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.13636363636363635
RT_CURSOR	0x2dbb7c	0xcac	data	English	United States	0.07644882860665844
RT_CURSOR	0x2dc828	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.13636363636363635
RT_CURSOR	0x2dc95c	0xcac	data	English	United States	0.07706535141800247
RT_CURSOR	0x2dd608	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.13636363636363635
RT_CURSOR	0x2dd73c	0xcac	data	English	United States	0.07274969173859433
RT_CURSOR	0x2de3e8	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.13636363636363635
RT_CURSOR	0x2de51c	0xcac	data	English	United States	0.0752157829839704
RT_BITMAP	0x2df1c8	0x3028	Device independent bitmap graphic, 64 x 64 x 24, image size 12288, resolution 2835 x 2835 px/m	Dutch	Belgium	0.004299156391953277
RT_BITMAP	0x2e21f0	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 0, resolution 3779 x 3779 px/m	English	United States	0.11386138613861387
RT_BITMAP	0x2e2518	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 0, resolution 3779 x 3779 px/m	English	United States	0.1150990099009901
RT_BITMAP	0x2e2840	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 0, resolution 3779 x 3779 px/m	English	United States	0.11262376237623763
RT_BITMAP	0x2e2b68	0x39c	Device independent bitmap graphic, 17 x 17 x 24, image size 0, resolution 3780 x 3780 px/m	Dutch	Belgium	0.724025974025974
RT_BITMAP	0x2e2f04	0x39c	Device independent bitmap graphic, 17 x 17 x 24, image size 0, resolution 3780 x 3780 px/m			0.7207792207792207
RT_ICON	0x2e32a0	0x1b8e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9167848029486816
RT_ICON	0x2e4e30	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0			0.299390243902439
RT_ICON	0x2e5498	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0			0.478494623655914
RT_ICON	0x2e5780	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 0			0.48155737704918034
RT_ICON	0x2e5968	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0			0.597972972972973
RT_ICON	0x2e5a90	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Dutch	Belgium	0.6095415778251599
RT_ICON	0x2e6938	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Dutch	Belgium	0.7540613718411552
RT_ICON	0x2e71e0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Dutch	Belgium	0.7292626728110599
RT_ICON	0x2e78a8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Dutch	Belgium	0.5267341040462428
RT_ICON	0x2e7e10	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	Dutch	Belgium	0.13207533213007072
RT_ICON	0x329e38	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Dutch	Belgium	0.5340248962655602
RT_ICON	0x32c3e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Dutch	Belgium	0.649859287054409
RT_ICON	0x32d488	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Dutch	Belgium	0.7213114754098361
RT_ICON	0x32de10	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Dutch	Belgium	0.8147163120567376
RT_ICON	0x32e278	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Dutch	Belgium	0.6010127931769723
RT_ICON	0x32f120	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Dutch	Belgium	0.759927797833935
RT_ICON	0x32f9c8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Dutch	Belgium	0.7695852534562212
RT_ICON	0x330090	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Dutch	Belgium	0.5397398843930635
RT_ICON	0x3305f8	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	Dutch	Belgium	0.13159082167056246
RT_ICON	0x372620	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Dutch	Belgium	0.5381742738589211
RT_ICON	0x374bc8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Dutch	Belgium	0.6515009380863039
RT_ICON	0x375c70	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Dutch	Belgium	0.7295081967213115
RT_ICON	0x3765f8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Dutch	Belgium	0.8138297872340425
RT_MENU	0x376a60	0x296	Matlab v4 mat-file (little endian) &, numeric, rows 7602320, columns 6357106, imaginary	English	United States	0.44108761329305135
RT_MENU	0x376cf8	0x68	Matlab v4 mat-file (little endian) &, numeric, rows 7602320, columns 6357106, imaginary	English	United States	0.8173076923076923
RT_DIALOG	0x376d60	0x2b4	data	English	United States	0.49710982658959535
RT_DIALOG	0x377014	0x608	data	English	United States	0.4378238341968912
RT_DIALOG	0x37761c	0x636	data	English	United States	0.39119496855345914
RT_DIALOG	0x377c54	0x194	data	English	United States	0.5767326732673267
RT_DIALOG	0x377de8	0x26a	data	English	United States	0.4854368932038835
RT_DIALOG	0x378054	0x174	data	English	United States	0.5860215053763441
RT_DIALOG	0x3781c8	0x22c	data	English	United States	0.48381294964028776
RT_DIALOG	0x3783f4	0x532	data	Dutch	Belgium	0.37819548872180453
RT_DIALOG	0x378928	0x19ae	data	English	United States	0.33799817462731974
RT_DIALOG	0x37a2d8	0x28a	data	English	United States	0.44153846153846155
RT_STRING	0x37a564	0x174	data	English	United States	0.5080645161290323
RT_STRING	0x37a6d8	0x2a2	Matlab v4 mat-file (little endian) a, numeric, rows 0, columns 0	English	United States	0.35756676557863504
RT_STRING	0x37a97c	0x8d6	data	English	United States	0.268788682581786
RT_STRING	0x37b254	0x8c4	data	English	United States	0.3270944741532977
RT_STRING	0x37bb18	0x6fc	data	English	United States	0.3529082774049217
RT_GROUP_CURSOR	0x37c214	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0
RT_GROUP_CURSOR	0x37c238	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0
RT_GROUP_CURSOR	0x37c25c	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0
RT_GROUP_CURSOR	0x37c280	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	0.9411764705882353
RT_GROUP_CURSOR	0x37c2a4	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0
RT_GROUP_CURSOR	0x37c2c8	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0
RT_GROUP_CURSOR	0x37c2ec	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0
RT_GROUP_CURSOR	0x37c310	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0
RT_GROUP_CURSOR	0x37c334	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0
RT_GROUP_CURSOR	0x37c358	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_ICON	0x37c36c	0x4c	data			0.75
RT_GROUP_ICON	0x37c3b8	0x84	data	Dutch	Belgium	0.6818181818181818
RT_GROUP_ICON	0x37c43c	0x84	data	Dutch	Belgium	0.6742424242424242
RT_VERSION	0x37c4c0	0x36c	data	English	United States	0.4417808219178082
RT_MANIFEST	0x37c82c	0x387	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.40420819490586934

Imports

DLL	Import
WS2_32.dll	setsockopt, getsockopt, WSAGetLastError, gethostbyname, inet_ntoa, htons, htonl, WSACleanup, __WSAFDIsSet, accept, bind, WSAIoctl, closesocket, select, shutdown, listen, WSAStartup, getpeername, inet_addr, getsockname, send, socket, connect, recv, ntohl, WSASendTo, gethostname
VERSION.dll	GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
USERENV.dll	ExpandEnvironmentStringsForUserA, DestroyEnvironmentBlock, CreateEnvironmentBlock
KERNEL32.dll	WritePrivateProfileStringA, GetPrivateProfileStructA, GetPrivateProfileIntA, GetPrivateProfileStringA, WritePrivateProfileSectionA, CreateFileMappingA, Sleep, CreateThread, MulDiv, VerSetConditionMask, VerifyVersionInfoW, ReadFile, WriteFile, OutputDebugStringA, WaitForMultipleObjects, GetEnvironmentVariableA, WaitForSingleObject, CreateFileW, GetSystemDirectoryW, SetCurrentDirectoryA, lstrcatW, LoadLibraryW, SetFileAttributesA, CreateEventA, WaitNamedPipeW, GetExitCodeProcess, ResumeThread, ResetEvent, CompareFileTime, CreateFileA, GetFileSize, GetFileTime, GetStdHandle, WriteConsoleA, FreeConsole, FormatMessageA, AllocConsole, GetExitCodeThread, MoveFileA, GetDriveTypeA, SetFileTime, SetErrorMode, SetFilePointer, SetEndOfFile, GetFileAttributesA, MoveFileExA, FileTimeToSystemTime, GetLogicalDriveStringsA, SystemTimeToFileTime, CreateDirectoryA, GetSystemTime, FlushFileBuffers, TerminateProcess, VirtualAllocEx, ReadProcessMemory, SetThreadExecutionState, VirtualFreeEx, TerminateThread, SizeofResource, FindResourceA, LockResource, LoadResource, CreateMutexA, ReleaseMutex, GlobalGetAtomNameA, GlobalDeleteAtom, GetModuleHandleW, SetProcessShutdownParameters, WinExec, WritePrivateProfileStructA, HeapReAlloc, RaiseException, FreeLibraryAndExitThread, ExitThread, GetFullPathNameW, GetCurrentDirectoryW, SetCurrentDirectoryW, SetEnvironmentVariableW, GetCPInfo, SetStdHandle, SetFilePointerEx, ReadConsoleW, GetTimeZoneInformation, GetConsoleMode, GetConsoleOutputCP, GetModuleHandleExW, ExitProcess, SystemTimeToTzSpecificLocalTime, PeekNamedPipe, GetFileInformationByHandle, GetDriveTypeW, LoadLibraryExW, RtlUnwind, EncodePointer, RtlPcToFileHeader, RtlUnwindEx, OutputDebugStringW, InitializeSListHead, QueryPerformanceCounter, GetStartupInfoW, IsDebuggerPresent, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, CreateSemaphoreA, TlsFree, TlsGetValue, TlsAlloc, GetCurrentThread, DuplicateHandle, SetThreadPriority, ReleaseSemaphore, TlsSetValue, InitializeConditionVariable, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableCS, SwitchToThread, GetFileType, lstrcatA, lstrcmpiA, lstrcpynA, DosDateTimeToFileTime, GetLocalTime, FileTimeToLocalFileTime, SetVolumeLabelA, LocalFileTimeToFileTime, GetVersion, GetLocaleInfoA, GetFullPathNameA, lstrcpyA, CompareStringW, LCMapStringW, GetLocaleInfoW, OpenProcess, FlsAlloc, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, DecodePointer, GetModuleFileNameW, GetStringTypeW, CreateDirectoryW, GetFileSizeEx, DeleteFileW, GetCurrentProcessId, WTSGetActiveConsoleSessionId, Process32FirstW, Process32Next, Process32NextW, GlobalAddAtomA, ProcessIdToSessionId, CreateToolhelp32Snapshot, Process32First, GetComputerNameA, GetSystemInfo, GetSystemDirectoryA, MapViewOfFile, OpenFileMappingA, UnmapViewOfFile, DeleteFileA, GetTempPathA, FindClose, FindNextFileA, FindFirstFileA, GetProcessTimes, GetSystemTimeAsFileTime, DeleteCriticalSection, GetModuleHandleA, InitializeCriticalSection, LeaveCriticalSection, GetCurrentProcess, EnterCriticalSection, CloseHandle, GetVersionExA, SetEvent, GetLastError, GetCurrentThreadId, OpenEventA, GetModuleFileNameA, GetTickCount, FreeLibrary, GetProcessHeap, GetProcAddress, HeapAlloc, InitializeCriticalSectionAndSpinCount, LoadLibraryA, lstrlenA, SetLastError, HeapFree, GlobalUnlock, WideCharToMultiByte, GlobalLock, GlobalFree, GetFileAttributesExW, GlobalAlloc, GlobalSize, MultiByteToWideChar, SetFileAttributesW, MoveFileExW, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, RemoveDirectoryW, HeapSize, WriteConsoleW, FlsGetValue, FlsSetValue, FlsFree, OpenThread, QueryPerformanceFrequency, LocalFree, SetThreadAffinityMask, InitializeCriticalSectionEx, GetVolumeInformationA
USER32.dll	GetSubMenu, SetMenuDefaultItem, DestroyMenu, TrackPopupMenuEx, RemoveMenu, EnableMenuItem, EnableWindow, GetWindow, VkKeyScanA, IsWindow, GetAsyncKeyState, MapVirtualKeyA, ToAscii, SendInput, SetClipboardViewer, GetClipboardOwner, WaitMessage, PostThreadMessageA, ChangeClipboardChain, SendNotifyMessageA, PeekMessageA, IsWindowVisible, LoadMenuA, GetIconInfo, GetClassNameA, WindowFromPoint, ChangeWindowMessageFilter, EnumDesktopWindows, SetRect, DrawIconEx, DestroyIcon, GetKeyboardState, mouse_event, PtInRect, MessageBeep, FlashWindow, EnumDisplaySettingsExA, EnumDisplayDevicesA, ChangeDisplaySettingsExA, GetKeyState, keybd_event, EnumDisplaySettingsA, EnumWindows, GetWindowLongA, SetWindowLongA, RedrawWindow, SetDlgItemInt, CheckDlgButton, GetDlgItemInt, IntersectRect, GetWindowRect, LoadStringA, ScreenToClient, GetScrollInfo, IsDlgButtonChecked, FillRect, MoveWindow, SetFocus, SendDlgItemMessageA, GetCursorPos, ExitWindowsEx, LockWorkStation, DrawIcon, SetLayeredWindowAttributes, UpdateWindow, InvalidateRect, GetMessageA, LoadImageA, DispatchMessageA, LoadCursorA, DestroyWindow, SetWindowPos, DrawTextA, SetWindowDisplayAffinity, AdjustWindowRect, DefWindowProcA, IsRectEmpty, CreateWindowExA, TranslateMessage, LoadIconA, GetClientRect, PostQuitMessage, RegisterClassExA, BeginPaint, EndPaint, wsprintfA, SystemParametersInfoA, GetWindowThreadProcessId, GetUserObjectInformationA, PostMessageA, RegisterWindowMessageA, FindWindowExA, OpenDesktopA, MessageBoxA, GetProcessWindowStation, FindWindowA, GetSystemMetrics, EndDialog, DialogBoxParamA, ShowWindow, GetDlgItemTextA, SetTimer, SetDlgItemTextA, SendMessageA, GetDlgItem, GetWindowLongPtrA, KillTimer, SetWindowLongPtrA, SetForegroundWindow, SetThreadDesktop, GetThreadDesktop, CloseDesktop, GetForegroundWindow, OpenInputDesktop, GetDesktopWindow, GetDC, ReleaseDC, OpenClipboard, CloseClipboard, EmptyClipboard, GetClipboardData, SetClipboardData, IsClipboardFormatAvailable, RegisterClipboardFormatA, GetTopWindow, OemToCharA, CharToOemA, wvsprintfA, SetWindowTextA
GDI32.dll	GetBitmapBits, SetDIBColorTable, GdiFlush, RealizePalette, SelectPalette, SetBkColor, CreateFontIndirectA, GetObjectA, ExtEscape, GetSystemPaletteEntries, DeleteObject, DeleteDC, GetPixel, GetDeviceCaps, GetDIBits, CreateCompatibleDC, CreateDIBSection, SelectObject, CreateCompatibleBitmap, BitBlt, CreateFontA, CreateDCA, CreateSolidBrush, Rectangle, CreatePen, SetBkMode, SetTextColor, GetClipBox, GetStockObject, StretchBlt, PatBlt, GetRgnBox, CombineRgn, PtInRegion, GetRegionData, CreateRectRgn, OffsetRgn, CreatePalette, SetRectRgn
ADVAPI32.dll	SetSecurityInfo, RegCreateKeyA, GetSecurityDescriptorSacl, SetSecurityDescriptorDacl, ConvertStringSecurityDescriptorToSecurityDescriptorA, SetSecurityDescriptorSacl, InitializeSecurityDescriptor, CreateServiceA, GetSecurityDescriptorLength, GetSecurityDescriptorDacl, GetSecurityDescriptorGroup, GetSecurityDescriptorControl, GetSecurityDescriptorOwner, IsValidSid, IsValidSecurityDescriptor, GetKernelObjectSecurity, SetKernelObjectSecurity, IsValidAcl, AdjustTokenPrivileges, StartServiceCtrlDispatcherA, QueryServiceStatus, RegDeleteKeyA, SetTokenInformation, LookupPrivilegeValueA, SetServiceStatus, RegisterServiceCtrlHandlerA, DeleteService, DuplicateTokenEx, ImpersonateLoggedOnUser, EqualSid, AllocateAndInitializeSid, FreeSid, OpenProcessToken, RevertToSelf, CloseServiceHandle, OpenSCManagerA, GetUserNameA, LookupAccountSidA, OpenServiceA, GetTokenInformation, CreateProcessAsUserA, RegCloseKey, RegQueryValueExA, RegCreateKeyExA, RegSetValueExA, RegOpenKeyExA, RegDeleteValueA
SHELL32.dll	ShellExecuteA, SHGetMalloc, Shell_NotifyIconA, SHGetPathFromIDListA, SHGetSpecialFolderLocation, SHFileOperationA, ShellExecuteExA
ole32.dll	CoInitialize, CoCreateInstance, CoUninitialize
SHLWAPI.dll	PathStripPathA
IMM32.dll	ImmGetDefaultIMEWnd
dwmapi.dll	DwmIsCompositionEnabled
IPHLPAPI.DLL	GetAdaptersInfo

Exports

Name	Ordinal	Address
adler32	1	0x1400d3270
adler32_combine	2	0x1400d3360
adler32_z	3	0x1400d3030
compress	4	0x1400d3490
compress2	5	0x1400d3370
compressBound	6	0x1400d34b0
crc32	7	0x1400cc320
crc32_combine	8	0x1400cc6b0
crc32_final	9	0x1400cc820
crc32_init	10	0x1400cc7b0
crc32_update	11	0x1400cc7f0
crc32_z	12	0x1400cc260
deflate	13	0x1400cfe30
deflateBound	14	0x1400cfc50
deflateCopy	15	0x1400d0ab0
deflateEnd	16	0x1400d09a0
deflateGetDictionary	17	0x1400cf4e0
deflateInit2_	18	0x1400ceec0
deflateInit_	19	0x1400cee80
deflateParams	20	0x1400cfa00
deflatePending	21	0x1400cf870
deflatePrime	22	0x1400cf8f0
deflateReset	23	0x1400cf720
deflateResetKeep	24	0x1400cf5b0
deflateSetDictionary	25	0x1400cf210
deflateSetHeader	26	0x1400cf810
deflateTune	27	0x1400cfbd0
get_crc_table	28	0x1400cc250
inflate	29	0x1400ccdc0
inflateCodesUsed	30	0x1400cedb0
inflateCopy	31	0x1400ceab0
inflateEnd	32	0x1400ce5d0
inflateGetDictionary	33	0x1400ce650
inflateGetHeader	34	0x1400ce7e0
inflateInit2_	35	0x1400ccb20
inflateInit_	36	0x1400ccc20
inflateMark	37	0x1400ced30
inflatePrime	38	0x1400ccc30
inflateReset	39	0x1400cc9c0
inflateReset2	40	0x1400cca10
inflateResetKeep	41	0x1400cc910
inflateSetDictionary	42	0x1400ce700
inflateSync	43	0x1400ce8a0
inflateSyncPoint	44	0x1400cea60
inflateUndermine	45	0x1400cec90
inflateValidate	46	0x1400cece0
uncompress	47	0x1400d3010
uncompress2	48	0x1400d2e70
zError	49	0x1400d3b90
zlibCompileFlags	50	0x1400d3b80
zlibVersion	51	0x1400d3b70

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Dutch	Belgium

• SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Click to jump to process

Memory Usage

• SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

System Behavior

Analysis Process: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exePID: 1408, Parent PID: 3520

Function Logs

General

Target ID:	0
Start time:	17:39:05
Start date:	17/09/2023
Path:	C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe
Imagebase:	0x7ff69ff60000
File size:	3'011'584 bytes
MD5 hash:	EAFBA56F876C04229C33C88A0BD964FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	API monitoring, MBR, VBR
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Created / dropped Files

C:\Users\user\Desktop\UltraVNC.ini

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exePID: 1408, Parent PID: 3520

General

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Windows Analysis Report
SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.UltraVNC.gen.27745.639.exe