Edit tour

Windows Analysis Report
ViKing-R2.exe

Overview

General Information

Sample name:	ViKing-R2.exe
Analysis ID:	1467980
MD5:	c39554bdab22961d0ac64c5c2e607915
SHA1:	ea1d422f6ef34c453d1a72f605051666544994b2
SHA256:	6c1563fd7bc5f73b45639867591d05afb944dd7dce4caa94e59fbcfb9a48756c
Tags:	exe
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

AI detected suspicious sample

Hides threads from debuggers

Machine Learning detection for sample

PE file has a writeable .text section

Switches to a custom stack to bypass stack traces

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Checks for debuggers (devices)

Checks if the current process is being debugged

Creates a DirectInput object (often for capturing keystrokes)

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

ViKing-R2.exe (PID: 1812 cmdline: "C:\Users\user\Desktop\ViKing-R2.exe" MD5: C39554BDAB22961D0AC64C5C2E607915)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
ViKing-R2.exe	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.2267744924.0000000003127000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: ViKing-R2.exe PID: 1812	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ETPRO TROJAN Win32/Agent.xxxyeb Connectivity Check - Source IP: 192.168.2.5 - Destination IP: 103.235.47.188

Timestamp:	07/05/24-07:59:43.098294
SID:	2830033
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\libCzf.dll

Virustotal: Detection: 13%

Perma Link

Multi AV Scanner detection for submitted file

Source: ViKing-R2.exe

Virustotal: Detection: 45%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: ViKing-R2.exe

Joe Sandbox ML: detected

Source: ViKing-R2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: wkernel32.pdb source: ViKing-R2.exe, 00000000.00000003.2312707983.0000000001508000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: ViKing-R2.exe, 00000000.00000003.2267744924.0000000003127000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: ViKing-R2.exe, 00000000.00000003.2217130178.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Terod\Documents\d2\Win7Debug\TLibShield64.pdb source: ViKing-R2.exe
Source:	Binary string: wntdll.pdb source: ViKing-R2.exe, 00000000.00000003.2217130178.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Terod\Documents\d2\Win7Debug\TLibShield32.pdb source: ViKing-R2.exe
Source:	Binary string: E:\OSP\Windows-driver-samples-master\general\obcallback\control\Release\TLibShieldCtrl.pdbf source: ViKing-R2.exe
Source:	Binary string: wuser32.pdb source: ViKing-R2.exe, 00000000.00000003.2359095459.0000000003120000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\OSP\Windows-driver-samples-master\general\obcallback\control\Release\TLibShieldCtrl.pdb source: ViKing-R2.exe
Source:	Binary string: wkernelbase.pdbUGP source: ViKing-R2.exe, 00000000.00000003.2267744924.0000000003127000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: ViKing-R2.exe, 00000000.00000003.2312707983.0000000001508000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wuser32.pdbUGP source: ViKing-R2.exe, 00000000.00000003.2359095459.0000000003120000.00000004.00000800.00020000.00000000.sdmp

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2830033 ETPRO TROJAN Win32/Agent.xxxyeb Connectivity Check 192.168.2.5:49712 -> 103.235.47.188:80

Source: Joe Sandbox View

IP Address: 103.235.47.188 103.235.47.188

Source: Joe Sandbox View

ASN Name: BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd

Source: global traffic

HTTP traffic detected: GET /ipJson.jsp HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: whois.pconline.com.cnCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: testHost: www.baidu.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ipJson.jsp HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: whois.pconline.com.cnCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: www.baidu.com
Source: global traffic	DNS traffic detected: DNS query: whois.pconline.com.cn

Source: ViKing-R2.exe	String found in binary or memory: http://.https
Source: ViKing-R2.exe	String found in binary or memory: http://api.ip138.com/ip/?token=
Source: ViKing-R2.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: ViKing-R2.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: ViKing-R2.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: ViKing-R2.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: ViKing-R2.exe	String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: ViKing-R2.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: ViKing-R2.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: ViKing-R2.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: ViKing-R2.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: ViKing-R2.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: ViKing-R2.exe	String found in binary or memory: http://ocsp.sectigo.com00
Source: ViKing-R2.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: ViKing-R2.exe	String found in binary or memory: http://th.symcb.com/th.crl0
Source: ViKing-R2.exe	String found in binary or memory: http://th.symcb.com/th.crt0
Source: ViKing-R2.exe	String found in binary or memory: http://th.symcd.com0&
Source: ViKing-R2.exe, 00000000.00000003.2537778812.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://whois.pconline.com.cn/
Source: ViKing-R2.exe, 00000000.00000003.2537778812.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://whois.pconline.com.cn/Y
Source: ViKing-R2.exe	String found in binary or memory: http://whois.pconline.com.cn/ipJson.jsp
Source: ViKing-R2.exe	String found in binary or memory: http://www.adeds.com
Source: ViKing-R2.exe	String found in binary or memory: https://2023.ipchaxun.com/
Source: ViKing-R2.exe	String found in binary or memory: https://api.ip138.com/ip/?token=
Source: ViKing-R2.exe	String found in binary or memory: https://api.ip138.com/ip/?token=http://api.ip138.com/ip/?token=retokip
Source: ViKing-R2.exe	String found in binary or memory: https://searchplugin.csdn.net/api/v1/ip/get
Source: ViKing-R2.exe	String found in binary or memory: https://searchplugin.csdn.net/api/v1/ip/getaddress:----
Source: ViKing-R2.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: ViKing-R2.exe	String found in binary or memory: https://www.adeds.com
Source: ViKing-R2.exe	String found in binary or memory: https://www.thawte.com/cps0/
Source: ViKing-R2.exe	String found in binary or memory: https://www.thawte.com/repository0

Source: ViKing-R2.exe, 00000000.00000003.2267744924.0000000003127000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_8e4265c0-f

Source: ViKing-R2.exe, 00000000.00000003.2267744924.0000000003127000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_c576141b-f

Source: Yara match	File source: ViKing-R2.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000003.2267744924.0000000003127000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ViKing-R2.exe PID: 1812, type: MEMORYSTR

System Summary

PE file has a writeable .text section

Source: ViKing-R2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\ViKing-R2.exe

Process Stats: CPU usage > 49%

Source: libCzf.dll.0.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: ViKing-R2.exe, 00000000.00000003.2217130178.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000000.2105578806.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUpdaterHelper_.exe< vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000000.2105578806.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebszip.dll" vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000000.2105578806.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLZMA.dll, vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000000.2105578806.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename$ vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2449806806.00000000039FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename$ vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2449806806.00000000039FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWXOnlineHooker.exe vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2449806806.0000000003C7D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIATHook.dll vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000000.2105578806.0000000000960000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename$ vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2312707983.000000000159A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000001.2106476473.0000000000940000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIATHook.dll vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000001.2106476473.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUpdaterHelper_.exe< vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000001.2106476473.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebszip.dll" vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000001.2106476473.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLZMA.dll, vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000001.2106476473.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename$ vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000000.2105578806.00000000006C2000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename$ vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000000.2105578806.00000000006C2000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWXOnlineHooker.exe vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2267744924.0000000003127000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKernelbase.dllj% vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2449806806.0000000003D98000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUpdaterHelper_.exe< vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2449806806.0000000003D98000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebszip.dll" vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2449806806.0000000003D98000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLZMA.dll, vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2449806806.0000000003D98000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename$ vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2449806806.0000000003C9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename$ vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2312707983.0000000001508000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2359095459.0000000003120000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuser32j% vs ViKing-R2.exe
Source: ViKing-R2.exe	Binary or memory string: OriginalFilename$ vs ViKing-R2.exe
Source: ViKing-R2.exe	Binary or memory string: OriginalFilenameWXOnlineHooker.exe vs ViKing-R2.exe
Source: ViKing-R2.exe	Binary or memory string: OriginalFilenameIATHook.dll vs ViKing-R2.exe
Source: ViKing-R2.exe	Binary or memory string: OriginalFilenameUpdaterHelper_.exe< vs ViKing-R2.exe
Source: ViKing-R2.exe	Binary or memory string: OriginalFilenamebszip.dll" vs ViKing-R2.exe
Source: ViKing-R2.exe	Binary or memory string: OriginalFilenameLZMA.dll, vs ViKing-R2.exe

Source: ViKing-R2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: ViKing-R2.exe	Binary string: H:\Device\HarddiskVolume6G:\Device\HarddiskVolume5F:\Device\HarddiskVolume4E:\Device\HarddiskVolume3D:\Device\HarddiskVolume2C:\Device\HarddiskVolume1Q@@@
Source: ViKing-R2.exe	Binary string: \Device\TLibShield\DosDevices\TLibShieldTLibShield: Installing
Source: ViKing-R2.exe	Binary string: \Device\HarddiskVolume6
Source: ViKing-R2.exe	Binary string: \Device\HarddiskVolume5
Source: ViKing-R2.exe	Binary string: \Device\HarddiskVolume4
Source: ViKing-R2.exe	Binary string: \Device\HarddiskVolume3
Source: ViKing-R2.exe	Binary string: \Device\HarddiskVolume2
Source: ViKing-R2.exe	Binary string: \Device\HarddiskVolume1
Source: ViKing-R2.exe	Binary string: \Device\TLibShield

Source: classification engine

Classification label: mal96.evad.winEXE@1/1@2/2

Source: C:\Users\user\Desktop\ViKing-R2.exe

File created: C:\Users\user\Desktop\libCzf.dll

Jump to behavior

Source: C:\Users\user\Desktop\ViKing-R2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ViKing-R2.exe

Virustotal: Detection: 45%

Source: ViKing-R2.exe	String found in binary or memory: TLibShieldCtrl.exe -install -name NameofExe -reject NameofExe -uninstall -deprotect [-?]
Source: ViKing-R2.exe	String found in binary or memory: -install install driver
Source: ViKing-R2.exe	String found in binary or memory: Unknown exceptionbad array new lengthbad caststring too longinvalid stoi argumentstoi argument out of range(unknown)(unknown source location):%ld in function ': iostreamsystem:%dUnknown error (%d)std:unknownUnknown interop error %dbad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setstd: [ at ]No message text available for error %dasio.miscAlready openEnd of fileElement not foundThe descriptor does not fit into the select call's fd_setasio.misc errortsswinsockUsage: TLibShieldCtrl.exe -install -name NameofExe -reject NameofExe -uninstall -deprotect [-?] -install install driver -uninstall uninstall driver -name NameofExe protect/filter access to NameofExe -reject NameofExe prevents execution of NameofExe -deprotect unprotect/unfilter-iCALL POSE:\OSP\Windows-driver-samples-master\general\obcallback\control\main.cpp %d
Source: ViKing-R2.exe	String found in binary or memory: PCAUTODROP.BIN -addr=%s -port=%d -guid=%s -type=%d
Source: ViKing-R2.exe	String found in binary or memory: PCAUTODROP.BIN -addr=%s -port=%d -guid=%s -type=%dPCAUTODROP.BIN
Source: ViKing-R2.exe	String found in binary or memory: -addr
Source: ViKing-R2.exe	String found in binary or memory: <http://www.adeds.com - QQ:778716166> =-addr-port-guid-type127.0.0.1{1268EEDD-41FE-4e88-B5CE-33D2E1692024}

Source: C:\Users\user\Desktop\ViKing-R2.exe

File read: C:\Users\user\Desktop\ViKing-R2.exe

Jump to behavior

Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: ext-ms-win-gdi-desktop-l1-1-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Section loaded: olepro32.dll	Jump to behavior

Source: C:\Users\user\Desktop\ViKing-R2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: ViKing-R2.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: ViKing-R2.exe

Static file information: File size 12681216 > 1048576

Source: ViKing-R2.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0xb0b000
Source: ViKing-R2.exe	Static PE information: Raw size of .sedata is bigger than: 0x100000 < 0x106000

Source:	Binary string: wkernel32.pdb source: ViKing-R2.exe, 00000000.00000003.2312707983.0000000001508000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: ViKing-R2.exe, 00000000.00000003.2267744924.0000000003127000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: ViKing-R2.exe, 00000000.00000003.2217130178.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Terod\Documents\d2\Win7Debug\TLibShield64.pdb source: ViKing-R2.exe
Source:	Binary string: wntdll.pdb source: ViKing-R2.exe, 00000000.00000003.2217130178.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Terod\Documents\d2\Win7Debug\TLibShield32.pdb source: ViKing-R2.exe
Source:	Binary string: E:\OSP\Windows-driver-samples-master\general\obcallback\control\Release\TLibShieldCtrl.pdbf source: ViKing-R2.exe
Source:	Binary string: wuser32.pdb source: ViKing-R2.exe, 00000000.00000003.2359095459.0000000003120000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\OSP\Windows-driver-samples-master\general\obcallback\control\Release\TLibShieldCtrl.pdb source: ViKing-R2.exe
Source:	Binary string: wkernelbase.pdbUGP source: ViKing-R2.exe, 00000000.00000003.2267744924.0000000003127000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: ViKing-R2.exe, 00000000.00000003.2312707983.0000000001508000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wuser32.pdbUGP source: ViKing-R2.exe, 00000000.00000003.2359095459.0000000003120000.00000004.00000800.00020000.00000000.sdmp

Source: initial sample

Static PE information: section where entry point is pointing to: .sedata

Source: libCzf.dll.0.dr

Static PE information: real checksum: 0x12096 should be: 0x1ec26

Source: ViKing-R2.exe	Static PE information: section name: .sedata
Source: ViKing-R2.exe	Static PE information: section name: .sedata

Source: ViKing-R2.exe

Static PE information: section name: .sedata entropy: 7.459508118890517

Source: C:\Users\user\Desktop\ViKing-R2.exe

File created: C:\Users\user\Desktop\libCzf.dll

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\ViKing-R2.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Window searched: window name: Filemonclass	Jump to behavior

Source: C:\Users\user\Desktop\ViKing-R2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\ViKing-R2.exe

API/Special instruction interceptor: Address: F37685

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F2A9B4 second address: F2AA9C instructions: 0x00000000 rdtsc 0x00000002 mov edx, ebx 0x00000004 jmp 00007F1C39389402h 0x00000006 lea eax, dword ptr [00000000h+eax4] 0x0000000d setnb cl 0x00000010 lea ecx, dword ptr [00000000h+ebx4] 0x00000017 jmp 00007F1C393893DAh 0x00000019 cmc 0x0000001a jmp 00007F1C39389476h 0x0000001c mov ah, byte ptr [esp] 0x0000001f lea esp, dword ptr [esp+20h] 0x00000023 dec esi 0x00000024 not ecx 0x00000026 lea edx, dword ptr [edi+ebp] 0x00000029 jmp 00007F1C3938942Dh 0x0000002b setle dl 0x0000002e bt eax, eax 0x00000031 jc 00007F1C39389485h 0x00000033 push esp 0x00000034 pop word ptr [esp] 0x00000038 mov dx, word ptr [esp+01h] 0x0000003d xchg word ptr [esp], ax 0x00000041 lea esp, dword ptr [esp+02h] 0x00000045 call 00007F1C393895B3h 0x0000004a shr eax, 1Fh 0x0000004d add ecx, 9BD8A65Eh 0x00000053 xchg cx, ax 0x00000056 mov dx, B974h 0x0000005a mov ah, byte ptr [esp] 0x0000005d jmp 00007F1C3938940Fh 0x0000005f xchg dword ptr [esp], ebx 0x00000062 push ebp 0x00000063 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F35619 second address: F36692 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+1Ch], edi 0x00000006 lea ecx, dword ptr [ecx+edi] 0x00000009 jmp 00007F1C395684BDh 0x0000000b mov cx, dx 0x0000000e lea ecx, dword ptr [edx+ebx] 0x00000011 popad 0x00000012 mov dword ptr [eax], edx 0x00000014 bsf cx, sp 0x00000018 js 00007F1C395683EBh 0x0000001a jns 00007F1C39568477h 0x0000001c mov ax, E463h 0x00000020 mov cl, byte ptr [esp] 0x00000023 neg eax 0x00000025 call 00007F1C395693B6h 0x0000002a rcl edx, 00000000h 0x0000002d mov eax, dword ptr [esp] 0x00000030 jmp 00007F1C3956845Ah 0x00000032 lea ecx, dword ptr [esp+00006F25h] 0x00000039 bt ax, dx 0x0000003d xchg dword ptr [esp], esi 0x00000040 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F3781C second address: F378CC instructions: 0x00000000 rdtsc 0x00000002 mov cl, dh 0x00000004 mov dl, byte ptr [esp] 0x00000007 jmp 00007F1C393894A3h 0x00000009 mov esi, dword ptr [edi] 0x0000000b neg ecx 0x0000000d je 00007F1C39389436h 0x0000000f lea edx, dword ptr [00000000h+eax*4] 0x00000016 mov dh, 8Eh 0x00000018 jmp 00007F1C3938946Ch 0x0000001a add edi, 04h 0x0000001d mov cx, word ptr [esp] 0x00000021 mov edx, FE7663B8h 0x00000026 jmp 00007F1C3938942Ah 0x00000028 xchg ah, dh 0x0000002a mov ah, bl 0x0000002c jmp 00007F1C393894E5h 0x00000031 mov cl, D4h 0x00000033 lea eax, dword ptr [ecx-000060CCh] 0x00000039 call 00007F1C3938940Ah 0x0000003e mov ecx, 5B6801A9h 0x00000043 mov dword ptr [esp], ebx 0x00000046 clc 0x00000047 jmp 00007F1C3938946Ch 0x00000049 jns 00007F1C39389415h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F378CC second address: F378CE instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F427C8 second address: F428E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C39389463h 0x00000004 dec esi 0x00000005 btc eax, edi 0x00000008 jmp 00007F1C39389499h 0x0000000a jo 00007F1C3938940Dh 0x0000000c mov dh, ch 0x0000000e mov ax, word ptr [esp] 0x00000012 jmp 00007F1C39389432h 0x00000014 mov ax, dx 0x00000017 sub esp, 0Bh 0x0000001a mov dl, byte ptr [esp+06h] 0x0000001e jmp 00007F1C39389429h 0x00000020 sub esp, 02h 0x00000023 jmp 00007F1C39389507h 0x00000028 bsf dx, dx 0x0000002c jns 00007F1C393893E5h 0x0000002e pop dx 0x00000030 sub esp, 1Ch 0x00000033 jmp 00007F1C39389435h 0x00000035 lea esp, dword ptr [esp+03h] 0x00000039 jmp 00007F1C3938947Fh 0x0000003b rol cl, 00000000h 0x0000003e xor edx, 46F3B00Ah 0x00000044 jnbe 00007F1C39389431h 0x00000046 setb dl 0x00000049 jmp 00007F1C3938948Dh 0x0000004b mov ax, di 0x0000004e sub esp, 12h 0x00000051 lea edx, dword ptr [00000000h+edx*4] 0x00000058 jmp 00007F1C3938948Ah 0x0000005a mov byte ptr [esp+0Dh], ch 0x0000005e xchg ax, dx 0x00000060 lea esp, dword ptr [esp+02h] 0x00000064 lea esp, dword ptr [esp+34h] 0x00000068 jmp 00007F1C3938942Ch 0x0000006a sub cl, FFFFFF9Ch 0x0000006d bsr eax, ecx 0x00000070 jno 00007F1C39389470h 0x00000072 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F428E8 second address: F42931 instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [ebp-00008B49h] 0x00000008 jmp 00007F1C39568793h 0x0000000d neg dl 0x0000000f lea edx, dword ptr [eax+ebx] 0x00000012 neg cl 0x00000014 jmp 00007F1C39568338h 0x00000019 xor dx, 6196h 0x0000001e jng 00007F1C395682FBh 0x00000024 setne al 0x00000027 push esp 0x00000028 push dword ptr [esp+02h] 0x0000002c xchg byte ptr [esp+05h], al 0x00000030 mov dx, FDC8h 0x00000034 jmp 00007F1C3956820Eh 0x00000039 lea esp, dword ptr [esp+08h] 0x0000003d neg cl 0x0000003f rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F2800E second address: F28095 instructions: 0x00000000 rdtsc 0x00000002 lea ecx, dword ptr [ebx+esi] 0x00000005 adc dh, bh 0x00000007 jnbe 00007F1C39389428h 0x00000009 jmp 00007F1C3938949Ah 0x0000000b dec eax 0x0000000c sub esp, 08h 0x0000000f push dword ptr [esp+06h] 0x00000013 jmp 00007F1C39389400h 0x00000015 pop dword ptr [esp+01h] 0x00000019 pop word ptr [esp+02h] 0x0000001e setnle ah 0x00000021 lea esp, dword ptr [esp+02h] 0x00000025 jmp 00007F1C393894C1h 0x00000027 lea esp, dword ptr [esp+04h] 0x0000002b xor ebp, 7F5A9E0Eh 0x00000031 not ch 0x00000033 sub ecx, 8F082D72h 0x00000039 jbe 00007F1C39389428h 0x0000003b lea eax, dword ptr [eax+eax] 0x0000003e neg ax 0x00000041 setnle dl 0x00000044 dec dh 0x00000046 not ch 0x00000048 jmp 00007F1C39389494h 0x0000004a dec ebp 0x0000004b jmp 00007F1C39389423h 0x0000004d inc cx 0x0000004f jnl 00007F1C39389438h 0x00000051 not ah 0x00000053 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F34550 second address: F345B5 instructions: 0x00000000 rdtsc 0x00000002 bswap edx 0x00000004 call 00007F1C39568446h 0x00000009 setl ah 0x0000000c xchg eax, edx 0x0000000d mov al, byte ptr [esp] 0x00000010 mov dh, bh 0x00000012 xchg dword ptr [esp], ecx 0x00000015 jmp 00007F1C395684A8h 0x00000017 not edx 0x00000019 pushfd 0x0000001a lea esp, dword ptr [esp+02h] 0x0000001e mov edx, dword ptr [esp] 0x00000021 mov dh, dl 0x00000023 lea esp, dword ptr [esp+02h] 0x00000027 jmp 00007F1C39568401h 0x00000029 lea ecx, dword ptr [ecx-00000025h] 0x0000002f bsf eax, ebp 0x00000032 lea eax, dword ptr [00000000h+ebp*4] 0x00000039 xchg dword ptr [esp], ecx 0x0000003c mov edx, dword ptr [esp] 0x0000003f rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F345B5 second address: F346A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C39389422h 0x00000004 bsr dx, sp 0x00000008 mov al, dh 0x0000000a push dword ptr [esp] 0x0000000d retn 0004h 0x00000010 bsf dx, si 0x00000014 xchg dword ptr [esp+08h], eax 0x00000018 jmp 00007F1C3938950Fh 0x0000001d mov ax, word ptr [esp+1Fh] 0x00000022 jmp 00007F1C39389430h 0x00000024 cmc 0x00000025 rol ecx, 00000000h 0x00000028 bswap edx 0x0000002a mov eax, 595FFF3Bh 0x0000002f lea edx, dword ptr [00000000h+ecx*4] 0x00000036 jmp 00007F1C39389460h 0x00000038 mov dword ptr [edi], ecx 0x0000003a mov eax, dword ptr [esp] 0x0000003d mov ecx, CEC89CB5h 0x00000042 mov cl, byte ptr [esp] 0x00000045 jmp 00007F1C393894E2h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F368B9 second address: F36BB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C39568420h 0x00000004 mov al, byte ptr [esp] 0x00000007 jmp 00007F1C3956845Fh 0x00000009 add edi, 04h 0x0000000c bsf cx, ax 0x00000010 jp 00007F1C39568ED3h 0x00000016 lea eax, dword ptr [edi+00000548h] 0x0000001c jmp 00007F1C39567C99h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F39806 second address: F2800E instructions: 0x00000000 rdtsc 0x00000002 mov dx, 2C96h 0x00000006 mov ch, bl 0x00000008 jmp 00007F1C3938B25Ah 0x0000000d xchg dword ptr [esp], eax 0x00000010 cmp ecx, 2F7A7201h 0x00000016 mov edx, dword ptr [esp] 0x00000019 xchg dl, ch 0x0000001b dec edx 0x0000001c mov cl, 24h 0x0000001e jmp 00007F1C393877DAh 0x00000023 lea eax, dword ptr [eax+01h] 0x00000026 rol ecx, cl 0x00000028 xchg ecx, edx 0x0000002a mov edx, ebx 0x0000002c xchg dword ptr [esp], eax 0x0000002f sub esp, 1Ch 0x00000032 jmp 00007F1C393893CDh 0x00000037 bswap eax 0x00000039 dec edx 0x0000003a pop dx 0x0000003c add esp, 16h 0x0000003f push dword ptr [esp+04h] 0x00000043 retn 0008h 0x00000046 inc cx 0x00000048 jno 00007F1C39389585h 0x0000004e jmp 00007F1C3938941Eh 0x00000050 xchg ax, cx 0x00000052 jmp 00007F1C39377BD4h 0x00000057 mov ebx, ebp 0x00000059 jmp 00007F1C39389400h 0x0000005b sets cl 0x0000005e mov ch, byte ptr [esp] 0x00000061 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F37599 second address: F37685 instructions: 0x00000000 rdtsc 0x00000002 mov dx, 87B0h 0x00000006 jmp 00007F1C39568475h 0x00000008 mov dx, word ptr [esp] 0x0000000c jmp 00007F1C39568509h 0x00000011 mov dx, 57B4h 0x00000015 mov cx, word ptr [esp] 0x00000019 lea ebp, dword ptr [00000000h+ecx*4] 0x00000020 mov ebp, dword ptr [esp] 0x00000023 mov cx, DB09h 0x00000027 jmp 00007F1C395683C4h 0x00000029 mov dx, ax 0x0000002c dec dh 0x0000002e jbe 00007F1C39568425h 0x00000030 mov ax, 646Ah 0x00000034 jmp 00007F1C3956845Dh 0x00000036 lea esp, dword ptr [esp+04h] 0x0000003a push ebx 0x0000003b push word ptr [esp+02h] 0x00000040 jmp 00007F1C3956841Bh 0x00000042 dec ecx 0x00000043 jmp 00007F1C3956847Ch 0x00000045 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F37685 second address: F3764F instructions: 0x00000000 rdtsc 0x00000002 lea esp, dword ptr [esp+02h] 0x00000006 add esp, 04h 0x00000009 jp 00007F1C3938940Dh 0x0000000b jnp 00007F1C3938940Bh 0x0000000d jmp 00007F1C39389474h 0x0000000f mov ebx, dword ptr [esp] 0x00000012 not si 0x00000015 not esi 0x00000017 lea esp, dword ptr [esp+04h] 0x0000001b mov dh, ah 0x0000001d jmp 00007F1C39389420h 0x0000001f mov ch, CDh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F3764F second address: F2800E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C395684BEh 0x00000004 pop esi 0x00000005 jmp 00007F1C39558DC6h 0x0000000a mov ebx, ebp 0x0000000c jmp 00007F1C395683F0h 0x0000000e sets cl 0x00000011 mov ch, byte ptr [esp] 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F72D2A second address: F72D49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C39389466h 0x00000004 lea edx, dword ptr [00000000h+eax*4] 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F72D49 second address: F72EF7 instructions: 0x00000000 rdtsc 0x00000002 mov dx, word ptr [esp] 0x00000006 mov edx, 8DD8D877h 0x0000000b xchg dword ptr [esp+24h], ebp 0x0000000f jmp 00007F1C39568475h 0x00000011 or edx, C95B0182h 0x00000017 mov dx, 3462h 0x0000001b cmp ax, cx 0x0000001e mov dx, word ptr [esp] 0x00000022 push dword ptr [esp+24h] 0x00000026 retn 0028h 0x00000029 lea edx, dword ptr [00000000h+edi4] 0x00000030 call 00007F1C395684F3h 0x00000035 lea eax, dword ptr [00000000h+eax4] 0x0000003c not ax 0x0000003f mov eax, dword ptr [esp] 0x00000042 xchg dh, dl 0x00000044 xchg dword ptr [esp], ecx 0x00000047 jmp 00007F1C395683FCh 0x00000049 xchg al, ah 0x0000004b not ah 0x0000004d bt dx, ax 0x00000051 bsr dx, cx 0x00000055 lea ecx, dword ptr [ecx+0Ah] 0x00000058 mov eax, 2F6AAD75h 0x0000005d jmp 00007F1C39568405h 0x0000005f not edx 0x00000061 mov al, ch 0x00000063 bsr edx, esp 0x00000066 xchg dword ptr [esp], ecx 0x00000069 sets al 0x0000006c lea edx, dword ptr [esp+edx] 0x0000006f jmp 00007F1C3956846Dh 0x00000071 adc ax, 0000576Bh 0x00000075 push dword ptr [esp] 0x00000078 retn 0004h 0x0000007b mov ah, bh 0x0000007d jmp 00007F1C395685BBh 0x00000082 mov word ptr [edi], cx 0x00000085 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F574E4 second address: F346A1 instructions: 0x00000000 rdtsc 0x00000002 mov edx, dword ptr [esp] 0x00000005 jmp 00007F1C39389430h 0x00000007 neg dx 0x0000000a jno 00007F1C39389488h 0x0000000c mov ecx, edi 0x0000000e mov edi, dword ptr [ecx] 0x00000010 jmp 00007F1C393665E9h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F36852 second address: F36BB6 instructions: 0x00000000 rdtsc 0x00000002 mov al, byte ptr [esp] 0x00000005 jmp 00007F1C395684A6h 0x00000007 add edi, 04h 0x0000000a bsf cx, ax 0x0000000e jp 00007F1C39568ED3h 0x00000014 lea eax, dword ptr [edi+00000548h] 0x0000001a jmp 00007F1C39567C99h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F27B51 second address: F2800E instructions: 0x00000000 rdtsc 0x00000002 lea esi, dword ptr [esp+ebx] 0x00000005 mov ebp, dword ptr [esp] 0x00000008 bswap eax 0x0000000a jmp 00007F1C39389456h 0x0000000c mov ebp, dword ptr [esp+2Ch] 0x00000010 lea esi, dword ptr [00000000h+eax4] 0x00000017 mov dh, B5h 0x00000019 mov eax, ebp 0x0000001b call 00007F1C3938947Bh 0x00000020 jmp 00007F1C39389438h 0x00000022 lea edi, dword ptr [esp+04h] 0x00000026 cmc 0x00000027 jns 00007F1C3938947Eh 0x00000029 xchg ebx, edx 0x0000002b bswap eax 0x0000002d sub esp, 000000BCh 0x00000033 mov esi, esp 0x00000035 mov al, byte ptr [esp] 0x00000038 jmp 00007F1C39389456h 0x0000003a lea ebx, dword ptr [00000000h+esi4] 0x00000041 neg edx 0x00000043 ja 00007F1C393898CFh 0x00000049 mov bh, byte ptr [esp] 0x0000004c jmp 00007F1C393898C9h 0x00000051 mov ebx, ebp 0x00000053 jmp 00007F1C39389400h 0x00000055 sets cl 0x00000058 mov ch, byte ptr [esp] 0x0000005b rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F34512 second address: F346A1 instructions: 0x00000000 rdtsc 0x00000002 bswap edx 0x00000004 bsf dx, si 0x00000008 xchg dword ptr [esp+08h], eax 0x0000000c mov ax, word ptr [esp+1Fh] 0x00000011 jmp 00007F1C395684FDh 0x00000016 cmc 0x00000017 rol ecx, 00000000h 0x0000001a bswap edx 0x0000001c mov eax, 595FFF3Bh 0x00000021 lea edx, dword ptr [00000000h+ecx*4] 0x00000028 jmp 00007F1C39568450h 0x0000002a mov dword ptr [edi], ecx 0x0000002c mov eax, dword ptr [esp] 0x0000002f mov ecx, CEC89CB5h 0x00000034 mov cl, byte ptr [esp] 0x00000037 jmp 00007F1C395684D2h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F657CE second address: F657E7 instructions: 0x00000000 rdtsc 0x00000002 mov dx, sp 0x00000005 lea eax, dword ptr [00000000h+eax4] 0x0000000c jmp 00007F1C3938946Eh 0x0000000e xchg dword ptr [esp], edx 0x00000011 mov ah, byte ptr [esp] 0x00000014 push si 0x00000016 xchg cx, ax 0x00000019 mov cx, 107Fh 0x0000001d xchg word ptr [esp], cx 0x00000021 jmp 00007F1C39389486h 0x00000023 lea esp, dword ptr [esp+02h] 0x00000027 lea edx, dword ptr [edx+54h] 0x0000002a setnp cl 0x0000002d bswap eax 0x0000002f lea eax, dword ptr [00000000h+ebx4] 0x00000036 mov cx, dx 0x00000039 jmp 00007F1C39389424h 0x0000003b bswap ecx 0x0000003d xchg dword ptr [esp], edx 0x00000040 lea eax, dword ptr [00000000h+edx4] 0x00000047 lea eax, dword ptr [edx+ebx] 0x0000004a jmp 00007F1C39389485h 0x0000004c mov edx, 65381AEFh 0x00000051 call 00007F1C39389435h 0x00000056 lea eax, dword ptr [00000000h+edx4] 0x0000005d push dword ptr [esp+04h] 0x00000061 retn 0008h 0x00000064 pop dword ptr [edi] 0x00000066 setb ch 0x00000069 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F72ECC second address: F72ED6 instructions: 0x00000000 rdtsc 0x00000002 mov edx, eax 0x00000004 jmp 00007F1C39568446h 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F83EC9 second address: F346A1 instructions: 0x00000000 rdtsc 0x00000002 sub esp, 08h 0x00000005 jnbe 00007F1C3938942Fh 0x00000007 mov byte ptr [esp+05h], al 0x0000000b jmp 00007F1C393894A0h 0x0000000d sub edi, 08h 0x00000010 stc 0x00000011 jne 00007F1C393893FEh 0x00000013 push eax 0x00000014 jmp 00007F1C39389472h 0x00000016 pop word ptr [esp] 0x0000001a lea esp, dword ptr [esp+02h] 0x0000001e xchg edx, ecx 0x00000020 jmp 00007F1C39389456h 0x00000022 push bx 0x00000024 pushfd 0x00000025 lea esp, dword ptr [esp] 0x00000028 lea esp, dword ptr [esp+02h] 0x0000002c jmp 00007F1C39389488h 0x0000002e mov dword ptr [edi], ecx 0x00000030 dec ecx 0x00000031 jno 00007F1C39389437h 0x00000033 setnle cl 0x00000036 jmp 00007F1C39389487h 0x00000038 bswap ecx 0x0000003a mov cx, word ptr [esp] 0x0000003e mov dword ptr [edi+04h], eax 0x00000041 jmp 00007F1C393895C8h 0x00000046 clc 0x00000047 jnl 00007F1C39389341h 0x0000004d rcl ecx, cl 0x0000004f ror al, cl 0x00000051 jmp 00007F1C39339B2Eh 0x00000056 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F6F66D second address: F6F66F instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F8ECF9 second address: F8EDC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C39389511h 0x00000007 not eax 0x00000009 mov edx, edi 0x0000000b mov cx, word ptr [edx] 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: FAC844 second address: FAC875 instructions: 0x00000000 rdtsc 0x00000002 not ecx 0x00000004 jmp 00007F1C3956846Ah 0x00000006 sub edi, 02h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F322B8 second address: F322BA instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: F0C0EA second address: F0C135 instructions: 0x00000000 rdtsc 0x00000002 mov byte ptr [esp+02h], dh 0x00000006 xchg dword ptr [esp+04h], ebp 0x0000000a jmp 00007F1C3956847Eh 0x0000000c mov ecx, dword ptr [esp] 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe	RDTSC instruction interceptor: First address: FF7E17 second address: FF7DB4 instructions: 0x00000000 rdtsc 0x00000002 xchg dx, ax 0x00000005 mov ah, EEh 0x00000007 lea edx, dword ptr [ebx+ebp] 0x0000000a not ah 0x0000000c jmp 00007F1C393893D6h 0x0000000e mov ch, byte ptr [esp] 0x00000011 mov dx, DB0Bh 0x00000015 mov ecx, dword ptr [esp+04h] 0x00000019 rdtsc

Source: C:\Users\user\Desktop\ViKing-R2.exe	Window / User API: threadDelayed 723	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Window / User API: threadDelayed 712	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Window / User API: threadDelayed 795	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Window / User API: threadDelayed 752	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Window / User API: threadDelayed 858	Jump to behavior

Source: C:\Users\user\Desktop\ViKing-R2.exe

Dropped PE file which has not been started: C:\Users\user\Desktop\libCzf.dll

Jump to dropped file

Source: C:\Users\user\Desktop\ViKing-R2.exe TID: 1576	Thread sleep time: -1446000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe TID: 4080	Thread sleep time: -1424000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe TID: 5636	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe TID: 6340	Thread sleep time: -252000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe TID: 2820	Thread sleep time: -1590000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe TID: 5456	Thread sleep time: -80000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe TID: 6592	Thread sleep time: -1504000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe TID: 4292	Thread sleep time: -1716000s >= -30000s	Jump to behavior

Source: ViKing-R2.exe, 00000000.00000003.2267744924.0000000003127000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: ViKing-R2.exe, 00000000.00000003.2537778812.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ViKing-R2.exe, 00000000.00000003.2267744924.0000000003127000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: ViKing-R2.exe, 00000000.00000003.2537778812.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(0,0004080<0@0D0H0L0P0T0X0\0`0d0h0l0p0t0x0\|0

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\ViKing-R2.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\ViKing-R2.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\ViKing-R2.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\ViKing-R2.exe	Open window title or class name: filemonclass

Source: C:\Users\user\Desktop\ViKing-R2.exe

File opened: NTICE

Source: C:\Users\user\Desktop\ViKing-R2.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\ViKing-R2.exe

Process token adjusted: Debug

Jump to behavior

Source: ViKing-R2.exe, 00000000.00000003.2359095459.0000000003120000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: ViKing-R2.exe, 00000000.00000003.2359095459.0000000003120000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Masquerading	21 Input Capture	621 Security Software Discovery	Remote Services	21 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	23 Virtualization/Sandbox Evasion	LSASS Memory	23 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	21 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ViKing-R2.exe	46%	Virustotal		Browse
ViKing-R2.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\libCzf.dll	33%	ReversingLabs	Win32.Adware.Amonetize
C:\Users\user\Desktop\libCzf.dll	14%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
www.wshifen.com	0%	Virustotal	Browse
whois.pconline.com.cn.ctadns.cn	1%	Virustotal	Browse
whois.pconline.com.cn	0%	Virustotal	Browse
www.baidu.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://www.thawte.com/cps0/	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://api.ip138.com/ip/?token=http://api.ip138.com/ip/?token=retokip	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com00	0%	Avira URL Cloud	safe
http://.https	0%	Avira URL Cloud	safe
http://whois.pconline.com.cn/ipJson.jsp	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	0%	Avira URL Cloud	safe
http://whois.pconline.com.cn/	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	0%	Avira URL Cloud	safe
https://2023.ipchaxun.com/	0%	Avira URL Cloud	safe
https://api.ip138.com/ip/?token=http://api.ip138.com/ip/?token=retokip	0%	Virustotal		Browse
http://whois.pconline.com.cn/ipJson.jsp	0%	Virustotal		Browse
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	0%	Virustotal		Browse
https://api.ip138.com/ip/?token=	0%	Avira URL Cloud	safe
https://searchplugin.csdn.net/api/v1/ip/get	0%	Avira URL Cloud	safe
https://www.adeds.com	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	0%	Virustotal		Browse
https://2023.ipchaxun.com/	0%	Virustotal		Browse
http://www.baidu.com/	0%	Avira URL Cloud	safe
https://api.ip138.com/ip/?token=	0%	Virustotal		Browse
http://whois.pconline.com.cn/	0%	Virustotal		Browse
http://crl.thawte.com/ThawtePCA.crl0	0%	Avira URL Cloud	safe
http://whois.pconline.com.cn/Y	0%	Avira URL Cloud	safe
https://www.adeds.com	0%	Virustotal		Browse
https://searchplugin.csdn.net/api/v1/ip/get	0%	Virustotal		Browse
http://api.ip138.com/ip/?token=	0%	Avira URL Cloud	safe
http://www.adeds.com	0%	Avira URL Cloud	safe
http://crl.thawte.com/ThawtePCA.crl0	0%	Virustotal		Browse
https://searchplugin.csdn.net/api/v1/ip/getaddress:----	0%	Avira URL Cloud	safe
https://www.thawte.com/repository0	0%	Avira URL Cloud	safe
https://www.thawte.com/repository0	0%	Virustotal		Browse
http://whois.pconline.com.cn/Y	0%	Virustotal		Browse
https://searchplugin.csdn.net/api/v1/ip/getaddress:----	0%	Virustotal		Browse
http://www.adeds.com	0%	Virustotal		Browse
http://www.baidu.com/	1%	Virustotal		Browse
http://api.ip138.com/ip/?token=	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.wshifen.com	103.235.47.188	true	true	0%, Virustotal, Browse	unknown
whois.pconline.com.cn.ctadns.cn	14.29.101.160	true	false	1%, Virustotal, Browse	unknown
whois.pconline.com.cn	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.baidu.com	unknown	unknown	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://whois.pconline.com.cn/ipJson.jsp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.baidu.com/	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	ViKing-R2.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com00	ViKing-R2.exe	false	Avira URL Cloud: safe	unknown
https://api.ip138.com/ip/?token=http://api.ip138.com/ip/?token=retokip	ViKing-R2.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	ViKing-R2.exe	false	URL Reputation: safe	unknown
http://.https	ViKing-R2.exe	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	ViKing-R2.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	ViKing-R2.exe	false	URL Reputation: safe	unknown
http://ocsp.thawte.com0	ViKing-R2.exe	false	URL Reputation: safe	unknown
http://whois.pconline.com.cn/	ViKing-R2.exe, 00000000.00000003.2537778812.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	ViKing-R2.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://2023.ipchaxun.com/	ViKing-R2.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ip138.com/ip/?token=	ViKing-R2.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://searchplugin.csdn.net/api/v1/ip/get	ViKing-R2.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	ViKing-R2.exe	false	URL Reputation: safe	unknown
https://www.adeds.com	ViKing-R2.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	ViKing-R2.exe	false	URL Reputation: safe	unknown
https://www.thawte.com/cps0/	ViKing-R2.exe	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawtePCA.crl0	ViKing-R2.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://whois.pconline.com.cn/Y	ViKing-R2.exe, 00000000.00000003.2537778812.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adeds.com	ViKing-R2.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	ViKing-R2.exe	false	URL Reputation: safe	unknown
http://api.ip138.com/ip/?token=	ViKing-R2.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.thawte.com/repository0	ViKing-R2.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://searchplugin.csdn.net/api/v1/ip/getaddress:----	ViKing-R2.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.235.47.188	www.wshifen.com	Hong Kong		55967	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	true
14.29.101.160	whois.pconline.com.cn.ctadns.cn	China		58466	CT-GUANGZHOU-IDCCHINANETGuangdongprovincenetworkCN	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467980
Start date and time:	2024-07-05 08:06:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	ViKing-R2.exe
Detection:	MAL
Classification:	mal96.evad.winEXE@1/1@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:08:10	API Interceptor	5047x Sleep call for process: ViKing-R2.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.235.47.188	Tas8.dll	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	Tas10_WL.dll	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	Tas10.dll	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
14.29.101.160	setup.exe	Get hash	malicious	Unknown	Browse	whois.pconline.com.cn/ipJson.jsp
	setup.exe	Get hash	malicious	Unknown	Browse	whois.pconline.com.cn/ipJson.jsp
	#U67e5#U8be2#U5165#U53e3.exe	Get hash	malicious	Unknown	Browse	whois.pconline.com.cn/ipJson.jsp
	7r7iKqMM88.exe	Get hash	malicious	Unknown	Browse	whois.pconline.com.cn/jsFunction.jsp?callback=jsShow

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
whois.pconline.com.cn.ctadns.cn	C7jdH7geD6.exe	Get hash	malicious	Unknown	Browse	14.29.101.168
	setup.exe	Get hash	malicious	Unknown	Browse	14.29.101.169
	setup.exe	Get hash	malicious	Unknown	Browse	14.29.101.168
	setup.exe	Get hash	malicious	Unknown	Browse	14.29.101.160
	#U67e5#U8be2#U5165#U53e3.exe	Get hash	malicious	Unknown	Browse	14.29.101.160
	#U67e5#U8be2#U5165#U53e3.exe	Get hash	malicious	Unknown	Browse	14.29.101.160
	sample.exe	Get hash	malicious	Unknown	Browse	14.29.101.169
	sample.exe	Get hash	malicious	Unknown	Browse	14.29.101.169
	sample.exe	Get hash	malicious	Unknown	Browse	14.29.101.169
www.wshifen.com	Tas8.dll	Get hash	malicious	BlackMoon	Browse	103.235.47.188
	Tas10.dll	Get hash	malicious	BlackMoon	Browse	103.235.46.96
	Tas8.dll	Get hash	malicious	BlackMoon	Browse	103.235.46.96
	Tas8_WL.dll	Get hash	malicious	BlackMoon	Browse	103.235.46.96
	Tas10_WL.dll	Get hash	malicious	BlackMoon	Browse	103.235.47.188
	Tas10.dll	Get hash	malicious	BlackMoon	Browse	103.235.47.188
	https://www.bmlenin.com/	Get hash	malicious	Unknown	Browse	103.235.47.188
	https://www.bmlenin.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	https://www.bmlenin.com/	Get hash	malicious	Unknown	Browse	103.235.46.96

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	http://www.telegramkv.com/	Get hash	malicious	Unknown	Browse	182.61.201.163
	http://www.telegramkv.com/	Get hash	malicious	Unknown	Browse	182.61.201.163
	Tas8.dll	Get hash	malicious	BlackMoon	Browse	103.235.47.188
	Tas10.dll	Get hash	malicious	BlackMoon	Browse	103.235.46.96
	Tas8.dll	Get hash	malicious	BlackMoon	Browse	103.235.46.96
	Tas8_WL.dll	Get hash	malicious	BlackMoon	Browse	103.235.46.96
	Tas10_WL.dll	Get hash	malicious	BlackMoon	Browse	103.235.47.188
	Tas10.dll	Get hash	malicious	BlackMoon	Browse	103.235.47.188
	https://www.bmlenin.com/	Get hash	malicious	Unknown	Browse	180.76.59.213
CT-GUANGZHOU-IDCCHINANETGuangdongprovincenetworkCN	jhpg1LVUrZ.elf	Get hash	malicious	Mirai	Browse	125.88.193.121
	https://www.qcc.com/web/cms/overseaApply?opsriskcountry=%E7%BE%8E%E5%9B%BD&ip=155.190.35.6&back=%2Fweblogin%3Fback%3D%2Ffirm%2F1ef8635d382a741aaca689243a486673.html	Get hash	malicious	Unknown	Browse	14.215.183.79
	ikFn0h3xhF.elf	Get hash	malicious	Mirai	Browse	119.147.167.54
	fPqdDUeLwj.elf	Get hash	malicious	Mirai, Moobot	Browse	113.102.254.123
	zQ35ev2Uw0.elf	Get hash	malicious	Mirai	Browse	14.18.115.224
	https://towallet.io/	Get hash	malicious	Unknown	Browse	14.215.183.79
	HTUyCRuDev.elf	Get hash	malicious	Unknown	Browse	113.105.112.161
	jzXBbfutn2.elf	Get hash	malicious	Unknown	Browse	14.22.222.67
	https://edgetunnel-2no.pages.dev/	Get hash	malicious	Unknown	Browse	14.215.183.79

Process:	C:\Users\user\Desktop\ViKing-R2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	66048
Entropy (8bit):	6.333621993901875
Encrypted:	false
SSDEEP:	768:maGHTyDNMoH4Dyo6RJ3yLTdkc3vPEq37RJ8IDp5pEq8fknpDRik0mohIw9TGzaZo:mUA9+MXdkIvM2NSIppqI4KzaZMDEnfc
MD5:	0FEECF918DE81C9B174D663867F63ED0
SHA1:	C33A72B855A978E40C2F3705899D1BE6DE06F787
SHA-256:	1F97936E56D01845E7FA3162F1A6594B770016E0050325678543B6D612B58182
SHA-512:	1803D0F0CC2EA8FD0EB985582F8AE29B9C949FBB835CD02441A192B08C0AA6D5B6035E7E7476263D646F23F2E76F5645DC0FF48B63469CEB60B5BD2D8BF942E2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 33% Antivirus: Virustotal, Detection: 14%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8D..\|%`.\|%`.\|%`.g...u%`.g...w%`.u]...%`.\|%a.6%`.g...>%`.g...}%`.g...}%`.g...}%`.Rich\|%`.........PE..L...^..S...........!.........@..............................................@....... ....@.........................P...d...L...(.... ..D....................0..P.......................................@............................................text...b........................... ..`.rdata...!......."..................@..@.data...D...........................@....rsrc...D.... ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.2413259133579695
TrID:	Win32 Executable (generic) a (10002005/4) 99.66% UPX compressed Win32 Executable (30571/9) 0.30% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ViKing-R2.exe
File size:	12'681'216 bytes
MD5:	c39554bdab22961d0ac64c5c2e607915
SHA1:	ea1d422f6ef34c453d1a72f605051666544994b2
SHA256:	6c1563fd7bc5f73b45639867591d05afb944dd7dce4caa94e59fbcfb9a48756c
SHA512:	0e8f2be91f7d859e9bd204df6c5bcd4fdfcd79db3335f4432174c3a0109aec05bfd576e762dea19f4022ac7e89378cf56ac3a0d5edabca14d0fc849e18da4ad6
SSDEEP:	196608:Ib7evKc810eta6eylh97NSqCDJVzN1O/jN/O:Inevv81K1whnOR1Op/O
TLSH:	E7D67C52663D887DCC1AF4718A22E1B9D1789F009F146AC3B3AEB5597AB31DC5E33D02
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..K<...<...<...S...5...S...:...G...9...j...............^..."...<...........?.......................I.......!...<...D.......=..

File Icon


Icon Hash:	33e8f499f8ec6933

Static PE Info

General

Entrypoint:	0x100fe38
Entrypoint Section:	.sedata
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x6616A340 [Wed Apr 10 14:33:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	dd51c91fd9a2e73ba8991e77f1ccede1

Entrypoint Preview

Instruction
call 00007F1C39304121h
push ebx
popad
outsb
imul ebp, dword ptr [bp+65h], 69685320h
insb
outsb
and byte ptr [esi+32h], dh
xor al, 2Eh
xor byte ptr [esi], ch
xor byte ptr [eax], al
jmp 00007F1C393040C7h
lea esp, dword ptr [esp+02h]
mov dword ptr [esp], edi
call 00007F1C3930412Eh
xchg eax, esp
or eax, BC17E49Dh
sbb al, 6Fh
jbe 00007F1C39304163h
pop word ptr [esp]
call 00007F1C393040E6h
dec edi
bswap edi
pop edi
push ecx
xchg ecx, edi
bsf ecx, ecx
jmp 00007F1C39304141h
mov edx, 22D7B022h
xchg eax, ebp
jecxz 00007F1C3930411Ch
jne 00007F1C39304166h
mov di, dx
adc edi, 52CD9E99h
jmp 00007F1C393040E1h
mov word ptr [ebx], ds
mov ebp, esi
sbb eax, 127CE29Ch
jne 00007F1C39304086h
add ecx, ecx
push FFC2E8F5h

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[ C ] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) build 8168
[ C ] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc120e0	0x190	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc15000	0x2000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1b8000	0x8a4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb0b000	0xb0b000	f4e4c388b5e8a8e02526fc2775a89f18	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.sedata	0xb0c000	0x106000	0x106000	90671ee3d49e3b4a47a8ff60a3d94f9a	False	0.7892013433325382	data	7.459508118890517	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xc12000	0x3000	0x3000	befc1b1a06ba537dfb54bf96d1a3c8f8	False	0.3653157552083333	data	4.908959229193993	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc15000	0x2000	0x2000	9e41b7e9c1b994255298a297db2b8cc1	False	0.3001708984375	data	4.991228977865284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.sedata	0xc17000	0x1000	0x1000	1fc93487359c1b1d6304f9be9bc93b3d	False	0.78076171875	data	7.983609715626119	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc15118	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors			0.848826714801444
RT_ICON	0xc159c0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Chinese	China	0.848826714801444
RT_GROUP_ICON	0xc16268	0x14	data			1.15
RT_GROUP_ICON	0xc1627c	0x14	data	Chinese	China	1.15
RT_MANIFEST	0xc16290	0x2b9	XML 1.0 document, ASCII text, with very long lines (697), with no line terminators			0.5279770444763271

Imports

DLL	Import
iphlpapi.dll	GetAdaptersInfo
WINMM.dll	waveOutRestart, midiOutUnprepareHeader, waveOutUnprepareHeader, waveOutPrepareHeader, waveOutWrite, waveOutPause, waveOutReset, midiStreamRestart, midiStreamClose, midiOutReset, midiStreamStop, midiStreamOut, midiOutPrepareHeader, midiStreamProperty, midiStreamOpen, waveOutOpen, waveOutGetNumDevs, waveOutClose
WS2_32.dll	gethostname, inet_addr, inet_ntoa, WSAStartup, select, send, closesocket, WSAAsyncSelect, htons, socket, recvfrom, ioctlsocket, connect, recv, getpeername, accept, ntohl, WSACleanup, gethostbyname
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA, VerLanguageNameA
RASAPI32.dll	RasGetConnectStatusA, RasHangUpA
KERNEL32.dll	TerminateProcess, OpenProcess, GetWindowsDirectoryA, GetSystemDirectoryA, SetLastError, GetTimeZoneInformation, GetVersion, TerminateThread, SetSystemPowerState, GetCurrentProcess, CreateMutexA, ReleaseMutex, SuspendThread, GetACP, InterlockedIncrement, InterlockedDecrement, LocalFree, FormatMessageA, FileTimeToLocalFileTime, lstrcpynA, DuplicateHandle, FlushFileBuffers, LockFile, UnlockFile, SetEndOfFile, GetStringTypeExA, GetThreadLocale, lstrcmpiA, GlobalDeleteAtom, GlobalFindAtomA, GlobalAddAtomA, GlobalGetAtomNameA, lstrcmpA, LocalAlloc, TlsAlloc, GlobalHandle, TlsFree, TlsSetValue, LocalReAlloc, TlsGetValue, GetFileTime, GetCurrentThread, GlobalFlags, SetErrorMode, GetProcessVersion, GetCPInfo, GetOEMCP, GetStartupInfoA, RtlUnwind, GetSystemTime, GetLocalTime, RaiseException, HeapSize, SetStdHandle, GetFileType, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, SetEnvironmentVariableA, LCMapStringA, LCMapStringW, VirtualAlloc, IsBadWritePtr, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, CompareStringA, CompareStringW, IsBadReadPtr, IsBadCodePtr, GetFileSize, SetFilePointer, CreateToolhelp32Snapshot, Process32First, Process32Next, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, WriteFile, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, lstrlenW, RemoveDirectoryA, GetModuleFileNameA, WideCharToMultiByte, MultiByteToWideChar, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, FindNextFileA, GetDriveTypeA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetUserDefaultLCID, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, GetPrivateProfileStringA, CreateThread, CreateEventA, Sleep, ExpandEnvironmentStringsA, GlobalAlloc, GlobalLock, GlobalUnlock, GetTempPathA, FindFirstFileA, FindClose, SetFileAttributesA, GetFileAttributesA, DeleteFileA, CopyFileA, CreateDirectoryA, GetCurrentDirectoryA, SetCurrentDirectoryA, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, GetDiskFreeSpaceA, MulDiv, GetCommandLineA, GetTickCount, CreateProcessA, WaitForSingleObject, CloseHandle, InterlockedExchange, VirtualProtect, VirtualQuery, GetSystemInfo, InterlockedCompareExchange, FileTimeToSystemTime
USER32.dll	CharNextA, SetWindowContextHelpId, MapDialogRect, LoadStringA, GetSysColorBrush, GetNextDlgGroupItem, PostThreadMessageA, SetMenuItemBitmaps, CheckMenuItem, MoveWindow, IsDialogMessageA, ScrollWindowEx, SendDlgItemMessageA, MapWindowPoints, AdjustWindowRectEx, ScrollWindow, GetScrollInfo, SetScrollInfo, ShowScrollBar, GetScrollPos, RegisterClassA, GetMenuItemCount, GetMenuItemID, CreateWindowExA, SetWindowsHookExA, CallNextHookEx, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, CallWindowProcA, RemovePropA, GetMessageTime, GetLastActivePopup, RegisterWindowMessageA, GetWindowPlacement, GetNextDlgTabItem, EndDialog, CreateDialogIndirectParamA, UnregisterClassA, GrayStringA, DrawTextA, TabbedTextOutA, EndPaint, BeginPaint, GetWindowDC, CharUpperA, GetWindowTextLengthA, SetWindowTextA, ExitWindowsEx, GetForegroundWindow, GetWindowTextA, FindWindowExA, GetDlgItem, FindWindowA, GetWindowThreadProcessId, GetClassNameA, GetDesktopWindow, LoadIconA, TranslateMessage, DrawFrameControl, DrawEdge, DrawFocusRect, WindowFromPoint, GetMessageA, DispatchMessageA, SetRectEmpty, RegisterClipboardFormatA, CreateIconFromResourceEx, DrawIconEx, CreatePopupMenu, AppendMenuA, ModifyMenuA, CreateMenu, CreateAcceleratorTableA, GetDlgCtrlID, GetSubMenu, EnableMenuItem, ClientToScreen, EnumDisplaySettingsA, LoadImageA, SystemParametersInfoA, ShowWindow, IsWindowEnabled, TranslateAcceleratorA, GetKeyState, CopyAcceleratorTableA, PostQuitMessage, IsZoomed, GetClassInfoA, DefWindowProcA, GetSystemMenu, DeleteMenu, GetMenu, SetMenu, PeekMessageA, IsIconic, SetFocus, GetActiveWindow, GetWindow, DestroyAcceleratorTable, SetWindowRgn, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect, LoadBitmapA, WinHelpA, KillTimer, SetTimer, GetCapture, SetCapture, GetScrollRange, SetScrollRange, SetScrollPos, SetRect, InflateRect, IntersectRect, DestroyIcon, PtInRect, OffsetRect, IsWindowVisible, EnableWindow, RedrawWindow, GetWindowLongA, SetWindowLongA, GetSysColor, SetActiveWindow, SetCursorPos, LoadCursorA, SetCursor, GetDC, FillRect, IsRectEmpty, ReleaseDC, IsChild, TrackPopupMenu, DestroyMenu, SetForegroundWindow, GetWindowRect, EqualRect, UpdateWindow, ValidateRect, InvalidateRect, GetClientRect, GetFocus, GetParent, GetTopWindow, PostMessageA, IsWindow, SetParent, DestroyCursor, SendMessageA, SetWindowPos, MessageBeep, MessageBoxA, GetCursorPos, GetSystemMetrics, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, wsprintfA, WaitForInputIdle, GetMenuCheckMarkDimensions, CreateIconFromResource, GetMenuState, ReleaseCapture, DestroyWindow
GDI32.dll	GetStockObject, CreateFontIndirectA, CreateSolidBrush, FillRgn, CreateRectRgn, CombineRgn, PatBlt, CreatePen, SelectObject, CreateBitmap, CreateDCA, CreateCompatibleBitmap, GetPolyFillMode, GetStretchBltMode, GetROP2, GetBkColor, GetBkMode, GetTextColor, CreateRoundRectRgn, CreateEllipticRgn, PathToRegion, EndPath, BeginPath, GetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, GetClipBox, ExcludeClipRect, MoveToEx, GetObjectA, EndPage, ExtSelectClipRgn, GetViewportExtEx, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, GetTextMetricsA, GetMapMode, SetBkColor, CreateRectRgnIndirect, CreateDIBSection, SetPixel, ExtCreateRegion, SetStretchBltMode, GetClipRgn, CreatePolygonRgn, SelectClipRgn, DeleteObject, CreateDIBitmap, GetSystemPaletteEntries, CreatePalette, StretchBlt, SelectPalette, RealizePalette, EndDoc, DeleteDC, StartDocA, StartPage, BitBlt, GetPixel, CreateCompatibleDC, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SetMapMode, SetTextColor, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, Ellipse, Rectangle, LPtoDP, DPtoLP, GetCurrentObject, RoundRect, SaveDC, GetTextExtentPoint32A, LineTo, GetDeviceCaps, GetDIBits, GetWindowExtEx, GetViewportOrgEx
WINSPOOL.DRV	ClosePrinter, DocumentPropertiesA, OpenPrinterA
comdlg32.dll	GetFileTitleA, GetSaveFileNameA, GetOpenFileNameA, ChooseColorA
ADVAPI32.dll	LookupPrivilegeValueA, AdjustTokenPrivileges, RegCreateKeyExA, OpenProcessToken, RegQueryValueA, RegSetValueExA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
SHELL32.dll	SHGetSpecialFolderPathA, Shell_NotifyIconA, ShellExecuteA
ole32.dll	OleIsCurrentClipboard, OleFlushClipboard, CoRevokeClassObject, CoRegisterMessageFilter, CoFreeUnusedLibraries, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CoDisconnectObject, CoTaskMemFree, CoTaskMemAlloc, CLSIDFromProgID, OleInitialize, OleUninitialize, CLSIDFromString, CoCreateInstance, OleRun
OLEAUT32.dll	VariantInit, VariantCopyInd, SafeArrayAccessData, SafeArrayUnaccessData, SysAllocString, SafeArrayGetLBound, SafeArrayGetUBound, VariantChangeType, VariantClear, VariantCopy, SafeArrayCreate, RegisterTypeLib, SafeArrayGetDim, VariantTimeToSystemTime, SysStringLen, SysAllocStringLen, LHashValOfNameSys, LoadTypeLib, OleCreateFontIndirect, SysFreeString, SafeArrayGetElemsize, SysAllocStringByteLen, UnRegisterTypeLib
COMCTL32.dll	ImageList_Destroy
oledlg.dll
WININET.dll	InternetCloseHandle, InternetOpenA, InternetGetConnectedState, InternetSetOptionA, InternetConnectA, InternetReadFile, HttpQueryInfoA, InternetCanonicalizeUrlA, InternetCrackUrlA, HttpOpenRequestA, HttpSendRequestA, InternetOpenUrlA
MSVCRT.dll	strncpy
PSAPI.DLL	GetMappedFileNameW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/05/24-07:59:43.098294	TCP	2830033	ETPRO TROJAN Win32/Agent.xxxyeb Connectivity Check	49712	80	192.168.2.5	103.235.47.188

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 5, 2024 08:07:41.595711946 CEST	49711	80	192.168.2.5	103.235.47.188
Jul 5, 2024 08:07:41.601608038 CEST	80	49711	103.235.47.188	192.168.2.5
Jul 5, 2024 08:07:41.601711988 CEST	49711	80	192.168.2.5	103.235.47.188
Jul 5, 2024 08:07:41.601829052 CEST	49711	80	192.168.2.5	103.235.47.188
Jul 5, 2024 08:07:41.606612921 CEST	80	49711	103.235.47.188	192.168.2.5
Jul 5, 2024 08:07:42.506494999 CEST	80	49711	103.235.47.188	192.168.2.5
Jul 5, 2024 08:07:42.506520987 CEST	80	49711	103.235.47.188	192.168.2.5
Jul 5, 2024 08:07:42.506532907 CEST	80	49711	103.235.47.188	192.168.2.5
Jul 5, 2024 08:07:42.506545067 CEST	80	49711	103.235.47.188	192.168.2.5
Jul 5, 2024 08:07:42.506556034 CEST	80	49711	103.235.47.188	192.168.2.5
Jul 5, 2024 08:07:42.506567001 CEST	80	49711	103.235.47.188	192.168.2.5
Jul 5, 2024 08:07:42.506580114 CEST	80	49711	103.235.47.188	192.168.2.5
Jul 5, 2024 08:07:42.506603956 CEST	49711	80	192.168.2.5	103.235.47.188
Jul 5, 2024 08:07:42.506660938 CEST	80	49711	103.235.47.188	192.168.2.5
Jul 5, 2024 08:07:42.506675005 CEST	80	49711	103.235.47.188	192.168.2.5
Jul 5, 2024 08:07:42.506726980 CEST	49711	80	192.168.2.5	103.235.47.188
Jul 5, 2024 08:07:42.506727934 CEST	49711	80	192.168.2.5	103.235.47.188
Jul 5, 2024 08:07:42.506727934 CEST	49711	80	192.168.2.5	103.235.47.188
Jul 5, 2024 08:07:42.506750107 CEST	80	49711	103.235.47.188	192.168.2.5
Jul 5, 2024 08:07:42.506794930 CEST	49711	80	192.168.2.5	103.235.47.188
Jul 5, 2024 08:07:42.511569023 CEST	80	49711	103.235.47.188	192.168.2.5
Jul 5, 2024 08:07:42.511656046 CEST	49711	80	192.168.2.5	103.235.47.188
Jul 5, 2024 08:07:42.520713091 CEST	49711	80	192.168.2.5	103.235.47.188
Jul 5, 2024 08:07:42.520755053 CEST	49711	80	192.168.2.5	103.235.47.188
Jul 5, 2024 08:07:42.578242064 CEST	49712	80	192.168.2.5	14.29.101.160
Jul 5, 2024 08:07:42.583255053 CEST	80	49712	14.29.101.160	192.168.2.5
Jul 5, 2024 08:07:42.583353043 CEST	49712	80	192.168.2.5	14.29.101.160
Jul 5, 2024 08:07:42.583467960 CEST	49712	80	192.168.2.5	14.29.101.160
Jul 5, 2024 08:07:42.588140011 CEST	80	49712	14.29.101.160	192.168.2.5
Jul 5, 2024 08:07:44.494996071 CEST	80	49712	14.29.101.160	192.168.2.5
Jul 5, 2024 08:07:44.495101929 CEST	49712	80	192.168.2.5	14.29.101.160
Jul 5, 2024 08:08:44.497416019 CEST	80	49712	14.29.101.160	192.168.2.5
Jul 5, 2024 08:08:44.497519970 CEST	49712	80	192.168.2.5	14.29.101.160
Jul 5, 2024 08:09:31.568089962 CEST	49712	80	192.168.2.5	14.29.101.160
Jul 5, 2024 08:09:31.572979927 CEST	80	49712	14.29.101.160	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 5, 2024 08:07:41.582539082 CEST	56972	53	192.168.2.5	1.1.1.1
Jul 5, 2024 08:07:41.590425014 CEST	53	56972	1.1.1.1	192.168.2.5
Jul 5, 2024 08:07:42.570229053 CEST	57843	53	192.168.2.5	1.1.1.1
Jul 5, 2024 08:07:42.577403069 CEST	53	57843	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 5, 2024 08:07:41.582539082 CEST	192.168.2.5	1.1.1.1	0x3229	Standard query (0)	www.baidu.com	A (IP address)	IN (0x0001)	false
Jul 5, 2024 08:07:42.570229053 CEST	192.168.2.5	1.1.1.1	0x575e	Standard query (0)	whois.pconline.com.cn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 5, 2024 08:07:41.590425014 CEST	1.1.1.1	192.168.2.5	0x3229	No error (0)	www.baidu.com	www.a.shifen.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 5, 2024 08:07:41.590425014 CEST	1.1.1.1	192.168.2.5	0x3229	No error (0)	www.a.shifen.com	www.wshifen.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 5, 2024 08:07:41.590425014 CEST	1.1.1.1	192.168.2.5	0x3229	No error (0)	www.wshifen.com		103.235.47.188	A (IP address)	IN (0x0001)	false
Jul 5, 2024 08:07:41.590425014 CEST	1.1.1.1	192.168.2.5	0x3229	No error (0)	www.wshifen.com		103.235.46.96	A (IP address)	IN (0x0001)	false
Jul 5, 2024 08:07:42.577403069 CEST	1.1.1.1	192.168.2.5	0x575e	No error (0)	whois.pconline.com.cn	whois.pconline.com.cn.ctadns.cn		CNAME (Canonical name)	IN (0x0001)	false
Jul 5, 2024 08:07:42.577403069 CEST	1.1.1.1	192.168.2.5	0x575e	No error (0)	whois.pconline.com.cn.ctadns.cn		14.29.101.160	A (IP address)	IN (0x0001)	false
Jul 5, 2024 08:07:42.577403069 CEST	1.1.1.1	192.168.2.5	0x575e	No error (0)	whois.pconline.com.cn.ctadns.cn		14.29.101.168	A (IP address)	IN (0x0001)	false
Jul 5, 2024 08:07:42.577403069 CEST	1.1.1.1	192.168.2.5	0x575e	No error (0)	whois.pconline.com.cn.ctadns.cn		14.29.101.169	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.baidu.com

whois.pconline.com.cn

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49711	103.235.47.188	80	1812	C:\Users\user\Desktop\ViKing-R2.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 08:07:41.601829052 CEST	82	OUT	GET / HTTP/1.1 User-Agent: test Host: www.baidu.com Cache-Control: no-cache
Jul 5, 2024 08:07:42.506494999 CEST	1236	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cache-Control: no-cache Connection: keep-alive Content-Length: 9508 Content-Type: text/html Date: Fri, 05 Jul 2024 06:07:42 GMT P3p: CP=" OTI DSP COR IVA OUR IND COM " P3p: CP=" OTI DSP COR IVA OUR IND COM " Pragma: no-cache Server: BWS/1.1 Set-Cookie: BAIDUID=4ED3DE093260FA641B6D4C553738DC9B:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com Set-Cookie: BIDUPSID=4ED3DE093260FA641B6D4C553738DC9B; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com Set-Cookie: PSTM=1720159662; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com Set-Cookie: BAIDUID=4ED3DE093260FA646C3B1EDB338B57FD:FG=1; max-age=31536000; expires=Sat, 05-Jul-25 06:07:42 GMT; domain=.baidu.com; path=/; version=1; comment=bd Traceid: 172015966239541289068411138338558106240 Vary: Accept-Encoding X-Ua-Compatible: IE=Edge,chrome=1 X-Xss-Protection: 1;mode=block Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 61 6c 77 61 79 73 22 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 e5 85 a8 e7 90 83 e9 a2 86 e5 85 88 e7 9a 84 e4 b8 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><meta content="always" name="referrer"><meta name="description" content="
Jul 5, 2024 08:07:42.506520987 CEST	224	IN	Data Raw: ad e6 96 87 e6 90 9c e7 b4 a2 e5 bc 95 e6 93 8e e3 80 81 e8 87 b4 e5 8a 9b e4 ba 8e e8 ae a9 e7 bd 91 e6 b0 91 e6 9b b4 e4 be bf e6 8d b7 e5 9c b0 e8 8e b7 e5 8f 96 e4 bf a1 e6 81 af ef bc 8c e6 89 be e5 88 b0 e6 89 80 e6 b1 82 e3 80 82 e7 99 be Data Ascii: "><link rel="shortcut icon" href="//www.baidu.com/favicon.
Jul 5, 2024 08:07:42.506532907 CEST	1236	IN	Data Raw: 69 63 6f 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 65 61 72 63 68 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 70 65 6e 73 65 61 72 63 68 64 65 73 63 72 69 70 74 69 6f Data Ascii: ico" type="image/x-icon"><link rel="search" type="application/opensearchdescription+xml" href="//www.baidu.com/content-search.xml" title=""><title></title><style type="text/css">body{margin:0;padding:0;te
Jul 5, 2024 08:07:42.506545067 CEST	224	IN	Data Raw: 2d 77 65 69 67 68 74 3a 34 30 30 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 6d 69 64 64 6c 65 3b 6f 75 74 6c 69 6e 65 3a 30 3b 62 6f 72 64 65 72 3a 30 3b 68 65 69 67 68 74 3a 33 30 70 78 Data Ascii: -weight:400;text-align:center;vertical-align:middle;outline:0;border:0;height:30px;width:80px;line-height:30px;font-size:13px;border-radius:6px;padding:0;background-color:#f5f5f6;cursor:pointer}.c-btn:hover{background-color:
Jul 5, 2024 08:07:42.506556034 CEST	1236	IN	Data Raw: 23 33 31 35 65 66 62 3b 63 6f 6c 6f 72 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 7d 61 2e 63 2d 62 74 6e 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 2e 63 2d 62 74 6e 2d 6d 69 6e 69 7b 68 65 69 67 68 74 3a 32 34 70 78 3b Data Ascii: #315efb;color:#fff!important}a.c-btn{text-decoration:none}.c-btn-mini{height:24px;width:48px;line-height:24px}.c-btn-primary,.c-btn-primary:visited{color:#fff!important}.c-btn-primary{background-color:#4e6ef2}.c-btn-primary:hover{background-co
Jul 5, 2024 08:07:42.506567001 CEST	1236	IN	Data Raw: 61 70 70 65 72 20 23 6b 77 7b 77 69 64 74 68 3a 35 31 32 70 78 3b 68 65 69 67 68 74 3a 31 36 70 78 3b 70 61 64 64 69 6e 67 3a 31 32 70 78 20 31 36 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 36 70 78 3b 6d 61 72 67 69 6e 3a 30 3b 76 65 72 74 69 63 Data Ascii: apper #kw{width:512px;height:16px;padding:12px 16px;font-size:16px;margin:0;vertical-align:top;outline:0;box-shadow:none;border-radius:10px 0 0 10px;border:2px solid #c4c7ce;background:#fff;color:#222;overflow:hidden;box-sizing:content-box}#he
Jul 5, 2024 08:07:42.506580114 CEST	1236	IN	Data Raw: 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 72 69 67 68 74 3a 30 3b 74 6f 70 3a 30 3b 7a 2d 69 6e 64 65 78 3a 31 30 30 3b 68 65 69 67 68 74 3a 36 30 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 34 70 78 7d 2e 73 2d 74 6f 70 2d 72 Data Ascii: osition:absolute;right:0;top:0;z-index:100;height:60px;padding-right:24px}.s-top-right .s-top-right-text{margin-left:32px;margin-top:19px;display:inline-block;position:relative;vertical-align:top;cursor:pointer}.s-top-right .s-top-right-text:h
Jul 5, 2024 08:07:42.506660938 CEST	1236	IN	Data Raw: 20 68 72 65 66 3d 22 2f 2f 6d 61 70 2e 62 61 69 64 75 2e 63 6f 6d 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 63 6c 61 73 73 3d 22 6d 6e 61 76 20 63 2d 66 6f 6e 74 2d 6e 6f 72 6d 61 6c 20 63 2d 63 6f 6c 6f 72 2d 74 22 3e e5 9c b0 e5 Data Ascii: href="//map.baidu.com/" target="_blank" class="mnav c-font-normal c-color-t"></a><a href="//live.baidu.com/" target="_blank" class="mnav c-font-normal c-color-t"></a><a href="//haokan.baidu.com/?sfrom=baidu-top" target="_blank" cl
Jul 5, 2024 08:07:42.506675005 CEST	328	IN	Data Raw: 22 3e 3c 61 72 65 61 20 73 74 79 6c 65 3d 22 6f 75 74 6c 69 6e 65 3a 30 22 20 68 69 64 65 66 6f 63 75 73 3d 22 74 72 75 65 22 20 73 68 61 70 65 3d 22 72 65 63 74 22 20 63 6f 6f 72 64 73 3d 22 30 2c 30 2c 32 37 30 2c 31 32 39 22 20 68 72 65 66 3d Data Ascii: "><area style="outline:0" hidefocus="true" shape="rect" coords="0,0,270,129" href="//www.baidu.com/s?wd=%E7%99%BE%E5%BA%A6%E7%83%AD%E6%90%9C&sa=ire_dl_gh_logo_texing&rsv_dl=igh_logo_pcs" target="_blank" title="
Jul 5, 2024 08:07:42.506750107 CEST	1236	IN	Data Raw: 22 66 22 20 61 63 74 69 6f 6e 3d 22 2f 2f 77 77 77 2e 62 61 69 64 75 2e 63 6f 6d 2f 73 22 20 63 6c 61 73 73 3d 22 66 6d 22 3e 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 69 65 22 20 76 61 6c 75 65 3d 22 75 74 Data Ascii: "f" action="//www.baidu.com/s" class="fm"><input type="hidden" name="ie" value="utf-8"> <input type="hidden" name="f" value="8"> <input type="hidden" name="rsv_bp" value="1"> <input type="hidden" name="rsv_idx" value="1"> <input type="hidden"
Jul 5, 2024 08:07:42.511569023 CEST	1070	IN	Data Raw: 70 20 63 6c 61 73 73 3d 22 6c 68 22 3e 3c 61 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 63 6f 6c 6f 72 22 20 68 72 65 66 3d 22 2f 2f 69 72 2e 62 61 69 64 75 2e 63 6f 6d 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 41 62 6f 75 74 20 42 61 Data Ascii: p class="lh"><a class="text-color" href="//ir.baidu.com/" target="_blank">About Baidu</a></p><p class="lh"><a class="text-color" href="//www.baidu.com/duty" target="_blank"></a></p><p class="lh"><a class="text-color" href=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49712	14.29.101.160	80	1812	C:\Users\user\Desktop\ViKing-R2.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 08:07:42.583467960 CEST	159	OUT	GET /ipJson.jsp HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: whois.pconline.com.cn Cache-Control: no-cache
Jul 5, 2024 08:07:44.494996071 CEST	581	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 05 Jul 2024 06:07:44 GMT Content-Type: text/html; charset=GBK Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Cache-Control: no-cache Age: 1 Ctl-Cache-Status: MISS from hb-wuhan9-ca05, MISS from gd-guangzhou8-ca23, MISS from gd-guangzhou8-ca25 Request-Id: 65a066878daf0e1db498512b753ed5b4 Data Raw: 63 37 0d 0a 0a 0a 0a 0a 0a 69 66 28 77 69 6e 64 6f 77 2e 49 50 43 61 6c 6c 42 61 63 6b 29 20 7b 49 50 43 61 6c 6c 42 61 63 6b 28 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 70 72 6f 22 3a 22 22 2c 22 70 72 6f 43 6f 64 65 22 3a 22 39 39 39 39 39 39 22 2c 22 63 69 74 79 22 3a 22 22 2c 22 63 69 74 79 43 6f 64 65 22 3a 22 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 22 2c 22 72 65 67 69 6f 6e 43 6f 64 65 22 3a 22 30 22 2c 22 61 64 64 72 22 3a 22 20 c3 c0 b9 fa 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 73 22 3a 22 22 2c 22 65 72 72 22 3a 22 6e 6f 70 72 6f 76 69 6e 63 65 22 7d 29 3b 7d 0a 0a 0a 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: c7if(window.IPCallBack) {IPCallBack({"ip":"8.46.123.33","pro":"","proCode":"999999","city":"","cityCode":"0","region":"","regionCode":"0","addr":" ","regionNames":"","err":"noprovince"});}0

Target ID:	0
Start time:	02:07:00
Start date:	05/07/2024
Path:	C:\Users\user\Desktop\ViKing-R2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ViKing-R2.exe"
Imagebase:	0x400000
File size:	12'681'216 bytes
MD5 hash:	C39554BDAB22961D0AC64C5C2E607915
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.2267744924.0000000003127000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ViKing-R2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\libCzf.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
ViKing-R2.exe