Windows
Analysis Report
remover.exe
Overview
General Information
Detection
Score: | 80 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
remover.exe (PID: 7800, cmdline: "C:\Users\user\Desktop\remover.exe", MD5: 832E3AC5462158C38460B0F7E4496B18)
- cleanup
- AV Detection
- Compliance
- Networking
- Key, Mouse, Clipboard, Microphone and Screen Capturing
- E-Banking Fraud
- System Summary
- Data Obfuscation
- Persistence and Installation Behavior
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
AV Detection |
---|
Source: | Avira: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | TCP traffic: |
Source: | HTTP traffic detected: |
Source: | IP Address: |
Source: | DNS query: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: | ||
Source: | String found in binary or memory: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | .Net Code: |
Source: | Windows user hook set: |
Source: | File created: |
Source: | Process Stats: |
Source: | Code function: | 0_2_00007FFC3DC8E502 | |
Source: | Code function: | 0_2_00007FFC3DC8D756 | |
Source: | Code function: | 0_2_00007FFC3DC8A15D | |
Source: | Code function: | 0_2_00007FFC3DC8BF2D |
Source: | Binary or memory string: | ||
Source: | Security API names: | ||
Source: | Classification label: |
Source: | Mutant created: | ||
Source: | File created: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Key opened: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | String found in binary or memory: | ||
Source: | Section loaded: |
Source: | Key value queried: |
Source: | File opened: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Data Obfuscation |
---|
Source: | .Net Code: | ||
Source: | Static PE information: |
Source: | Code function: | 0_2_00007FFC3DC8816A | |
Source: | Code function: | 0_2_00007FFC3DC87C6D | |
Source: | Code function: | 0_2_00007FFC3DC87C5D | |
Source: | Code function: | 0_2_00007FFC3DC891F7 |
Source: | File created: |
Source: | Registry key monitored for changes: |
Source: | Process information set: |
Source: | Memory allocated: |
Source: | Dropped PE file which has not been started: |
Source: | Binary or memory string: | ||
Source: | Process token adjusted: |
Source: | Memory allocated: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Reference to suspicious API methods: | ||
Source: | Queries volume information: |
Source: | Key value queried: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | 21 Input Capture | 1 Query Registry | Remote Services | 1 Screen Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | 21 Input Capture | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Archive Collected Data | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Software Packing | NTDS | 1 System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | 2 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Detection | Scanner | Label |
---|---|---|
33% | Virustotal | |
31% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla |
100% | Avira | TR/Dropper.Gen |
Detection | Scanner | Label |
---|---|---|
0% | ReversingLabs | |
0% | ReversingLabs | |
0% | ReversingLabs | |
Detection | Scanner | Label |
---|---|---|
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
then-amanda.gl.at.ply.gg | 147.185.221.27 | true | false | unknown | |
ip-api.com | 208.95.112.1 | true | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false |
147.185.221.27 | then-amanda.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1643247 |
Start date and time: | 2025-03-19 17:15:16 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 8m 22s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 12 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | remover.exe |
Detection: | MAL |
Classification: | mal80.spyw.evad.winEXE@1/5@2/2 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 23.60.203.209, 4.245.163.56
- Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
Match | Detection | Threat Name |
---|---|---|
208.95.112.1 | malicious | AgentTesla, GuLoader |
208.95.112.1 | malicious | GuLoader |
208.95.112.1 | malicious | GuLoader |
208.95.112.1 | malicious | AgentTesla |
208.95.112.1 | malicious | AgentTesla |
208.95.112.1 | malicious | AgentTesla |
208.95.112.1 | malicious | AgentTesla |
208.95.112.1 | malicious | AgentTesla |
208.95.112.1 | malicious | Python Stealer, Blank Grabber |
208.95.112.1 | malicious | Python Stealer, Blank Grabber |
Match | Detection | Threat Name |
---|---|---|
ip-api.com | malicious | AgentTesla, GuLoader |
ip-api.com | malicious | GuLoader |
ip-api.com | malicious | GuLoader |
ip-api.com | malicious | AgentTesla |
ip-api.com | malicious | AgentTesla |
ip-api.com | malicious | AgentTesla |
ip-api.com | malicious | AgentTesla |
ip-api.com | malicious | AgentTesla |
ip-api.com | malicious | Python Stealer, Blank Grabber |
ip-api.com | malicious | Python Stealer, Blank Grabber |
Match | Detection | Threat Name |
---|---|---|
SALSGIVERUS | malicious | Njrat |
SALSGIVERUS | malicious | Unknown |
SALSGIVERUS | malicious | Unknown |
SALSGIVERUS | malicious | Unknown |
SALSGIVERUS | malicious | Python Stealer, Exela Stealer, Njrat |
SALSGIVERUS | malicious | PureLog Stealer, XWorm, zgRAT |
SALSGIVERUS | malicious | XWorm |
SALSGIVERUS | malicious | Python Stealer, Blank Grabber, Umbral Stealer, XWorm |
SALSGIVERUS | malicious | XWorm |
SALSGIVERUS | malicious | XWorm |
TUT-ASUS | malicious | AgentTesla, GuLoader |
TUT-ASUS | malicious | GuLoader |
TUT-ASUS | malicious | GuLoader |
TUT-ASUS | malicious | AgentTesla |
TUT-ASUS | malicious | AgentTesla |
TUT-ASUS | malicious | AgentTesla |
TUT-ASUS | malicious | AgentTesla |
TUT-ASUS | malicious | AgentTesla |
TUT-ASUS | malicious | Python Stealer, Blank Grabber |
TUT-ASUS | malicious | Python Stealer, Blank Grabber |
Match | Detection | Threat Name |
---|---|---|
C:\Users\user\AppData\Local\Temp\SharpDX.DXGI.dll | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\SharpDX.DXGI.dll | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\SharpDX.DXGI.dll | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\SharpDX.DXGI.dll | malicious | Orcus |
C:\Users\user\AppData\Local\Temp\SharpDX.DXGI.dll | malicious | Orcus |
C:\Users\user\AppData\Local\Temp\SharpDX.Direct3D11.dll | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\SharpDX.Direct3D11.dll | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\SharpDX.Direct3D11.dll | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\SharpDX.Direct3D11.dll | malicious | Orcus |
C:\Users\user\AppData\Local\Temp\SharpDX.Direct3D11.dll | malicious | Orcus |
Process: | C:\Users\user\Desktop\remover.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 128512 |
Entropy (8bit): | 5.974873724347634 |
Encrypted: | false |
SSDEEP: | 1536:taSL4xpOaI0PXSgMkPXsHIrPQkrNCivO5Ib6VU3x8w85SMxcnqNojG5JW/UlibAs:taSLYpfI0fTtP8HIbQkreK |
MD5: | 2B44C70C49B70D797FBB748158B5D9BB |
SHA1: | 93E00E6527E461C45C7868D14CF05C007E478081 |
SHA-256: | 3762D43C83AF69CD38C9341A927CA6BD00F6BAE8217C874D693047D6DF4705BF |
SHA-512: | FACED62F6ECBFA2EE0D7A47E300302D23030D1F28758CBE9C442E9D8D4F8359C59088AA6237A28103E43D248C8EFC7EEAF2C184028701B752DF6CCE92D6854D0 |
Malicious: | false |
Antivirus: | |
Joe Sandbox View: | |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\remover.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 278016 |
Entropy (8bit): | 5.936561200969171 |
Encrypted: | false |
SSDEEP: | 3072:6ccUvNf/AThDrcfiSDt0XN3ZDoyz91Sy0KwbwgG5OHDyGQsnHZ09K3vJqlQ1VcTS:zRfi+SmNgOHDyGQsucvJqW6Ts4dDjJZ |
MD5: | 98EB5BA5871ACDEAEBF3A3B0F64BE449 |
SHA1: | C965284F60EF789B00B10B3DF60EE682B4497DE3 |
SHA-256: | D7617D926648849CBFEF450B8F48E458EE52E2793FB2251A30094B778AA8848C |
SHA-512: | A60025E304713D333E4B82B2D0BE28087950688B049C98D2DB5910C00B8D45B92E16D25AC8A58FF1318DE019DE3A9A00C7CBF8A6AD4B5BB1CB175DAFA1B9BEA2 |
Malicious: | false |
Antivirus: | |
Joe Sandbox View: | |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\remover.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 252928 |
Entropy (8bit): | 6.009569774467475 |
Encrypted: | false |
SSDEEP: | 6144:/yx2FKVw+6LRnencMdWqtFhdpGFfnbJoeeYr:6w+Ienc1qf6bJrd |
MD5: | FFB4B61CC11BEC6D48226027C2C26704 |
SHA1: | FA8B9E344ACCBDC4DFFA9B5D821D23F0716DA29E |
SHA-256: | 061542FF3FB36039B7BBFFDF3E07B66176B264C1DFD834A14B09C08620717303 |
SHA-512: | 48AA6130BF1F5BD6DE19256BBDF754C0158B43DD122CEC47BB801A7A7B56F2DA268BFDEC24D135621764A23278EAD3DCC35911A057E2DFA55A348BAE8EF7B8A9 |
Malicious: | false |
Antivirus: | |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\remover.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2422 |
Entropy (8bit): | 7.832922049963086 |
Encrypted: | false |
SSDEEP: | 48:ePNlqTcq1ZMemaeWJJtlgGdYu/mwLHQHOjKVgFArOSi4:eFMTc6Me4WJjltd/wA1SV |
MD5: | AA977A186DF6BF03B9E07E2F5E03199B |
SHA1: | 83472F5367F2BDBD36369E207C2BDBAFB8AAE0D1 |
SHA-256: | 7EF1AE410CCC5E3A58171E2BDD83B0A24595483344677B342741E5DEC5BFF06C |
SHA-512: | D26C1DD22F762CF51032F087B91D63772002755FE327EE80416C3FB83758B9111C5F0F09F2DD82E073CFD70D8DC64DFB16C90A4B55F8ED5F1FFDFA29E6AC58C2 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\remover.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2422 |
Entropy (8bit): | 7.832922049963086 |
Encrypted: | false |
SSDEEP: | 48:ePNlqTcq1ZMemaeWJJtlgGdYu/mwLHQHOjKVgFArOSi4:eFMTc6Me4WJjltd/wA1SV |
MD5: | AA977A186DF6BF03B9E07E2F5E03199B |
SHA1: | 83472F5367F2BDBD36369E207C2BDBAFB8AAE0D1 |
SHA-256: | 7EF1AE410CCC5E3A58171E2BDD83B0A24595483344677B342741E5DEC5BFF06C |
SHA-512: | D26C1DD22F762CF51032F087B91D63772002755FE327EE80416C3FB83758B9111C5F0F09F2DD82E073CFD70D8DC64DFB16C90A4B55F8ED5F1FFDFA29E6AC58C2 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 6.086581572371092 |
TrID: | |
File name: | remover.exe |
File size: | 1'352'192 bytes |
MD5: | 832e3ac5462158c38460b0f7e4496b18 |
SHA1: | e609c94be05236b2e204eede3c19557607c63a9c |
SHA256: | 98f65823ee47007d5c436c7615cca74b6aaef450f438b2464b5c3a6b9faeaf01 |
SHA512: | 20409c45c1344807bebd64b8d9c21ad30092769ad1f9bbaf4a28793033a48aa539e336c264e88bd8f83b10453f6d135b653fc658f83ffee18bd1bda562f1bc47 |
SSDEEP: | 24576:DBDJ6irZnEY659Mvz5cg9FZo84Q0CK+xfOF06rzf:DG3Y659M75XvpY06rz |
TLSH: | 09558E12BBAC4E37C68F17BEB4B1651743B1D001A552E70F5AA4A95E0EE3380CE1A7D7 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................................`................................ |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x54b60e |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x8AFAAF06 [Sat Nov 21 02:10:14 2043 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction |
---|
jmp dword ptr [00402000h] |
add byte ptr [eax], al |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14b5b8 | 0x53 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14c000 | 0x5c6 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14e000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x149614 | 0x149800 | ffce07fc610c55d89c1913a79236fc39 | False | 0.3691776721358118 | data | 6.090283692961319 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0x14c000 | 0x5c6 | 0x600 | 931e73c572b6717b5737efb06c7541c3 | False | 0.4114583333333333 | data | 4.097131305222293 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x14e000 | 0xc | 0x200 | 57ceb087ad3dbe3b3d612620c3bbf575 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x14c0a0 | 0x33c | data | 0.3997584541062802 | ||
RT_MANIFEST | 0x14c3dc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | 0.5489795918367347 |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Description | Data |
---|---|
Translation | 0x0000 0x04b0 |
Comments | |
CompanyName | |
FileDescription | VT Control Client |
FileVersion | 1.0.0.0 |
InternalName | VT Control Client.exe |
LegalCopyright | |
LegalTrademarks | |
OriginalFilename | VT Control Client.exe |
ProductName | VT Control Client |
ProductVersion | 1.0.0.0 |
Assembly Version | 1.0.0.0 |
- Total Packets: 21
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 19, 2025 17:16:14.758472919 CET | 49719 | 4305 | 192.168.2.4 | 147.185.221.27 |
Mar 19, 2025 17:16:14.763264894 CET | 4305 | 49719 | 147.185.221.27 | 192.168.2.4 |
Mar 19, 2025 17:16:14.763353109 CET | 49719 | 4305 | 192.168.2.4 | 147.185.221.27 |
Mar 19, 2025 17:16:14.786218882 CET | 49719 | 4305 | 192.168.2.4 | 147.185.221.27 |
Mar 19, 2025 17:16:14.791001081 CET | 4305 | 49719 | 147.185.221.27 | 192.168.2.4 |
Mar 19, 2025 17:16:16.445288897 CET | 4305 | 49719 | 147.185.221.27 | 192.168.2.4 |
Mar 19, 2025 17:16:16.450767994 CET | 49719 | 4305 | 192.168.2.4 | 147.185.221.27 |
Mar 19, 2025 17:16:16.455558062 CET | 4305 | 49719 | 147.185.221.27 | 192.168.2.4 |
Mar 19, 2025 17:16:16.869287968 CET | 4305 | 49719 | 147.185.221.27 | 192.168.2.4 |
Mar 19, 2025 17:16:16.917426109 CET | 49719 | 4305 | 192.168.2.4 | 147.185.221.27 |
Mar 19, 2025 17:16:17.138489008 CET | 4305 | 49719 | 147.185.221.27 | 192.168.2.4 |
Mar 19, 2025 17:16:17.182926893 CET | 49719 | 4305 | 192.168.2.4 | 147.185.221.27 |
Mar 19, 2025 17:16:17.328738928 CET | 49720 | 80 | 192.168.2.4 | 208.95.112.1 |
Mar 19, 2025 17:16:17.333549023 CET | 80 | 49720 | 208.95.112.1 | 192.168.2.4 |
Mar 19, 2025 17:16:17.333623886 CET | 49720 | 80 | 192.168.2.4 | 208.95.112.1 |
Mar 19, 2025 17:16:17.333847046 CET | 49720 | 80 | 192.168.2.4 | 208.95.112.1 |
Mar 19, 2025 17:16:17.338565111 CET | 80 | 49720 | 208.95.112.1 | 192.168.2.4 |
Mar 19, 2025 17:16:18.093405008 CET | 80 | 49720 | 208.95.112.1 | 192.168.2.4 |
Mar 19, 2025 17:16:18.102837086 CET | 49719 | 4305 | 192.168.2.4 | 147.185.221.27 |
Mar 19, 2025 17:16:18.107685089 CET | 4305 | 49719 | 147.185.221.27 | 192.168.2.4 |
Mar 19, 2025 17:16:18.136179924 CET | 49720 | 80 | 192.168.2.4 | 208.95.112.1 |
Mar 19, 2025 17:16:55.944859028 CET | 80 | 49720 | 208.95.112.1 | 192.168.2.4 |
Mar 19, 2025 17:16:55.944957018 CET | 49720 | 80 | 192.168.2.4 | 208.95.112.1 |
Mar 19, 2025 17:17:58.105806112 CET | 49720 | 80 | 192.168.2.4 | 208.95.112.1 |
Mar 19, 2025 17:17:58.417926073 CET | 49720 | 80 | 192.168.2.4 | 208.95.112.1 |
Mar 19, 2025 17:17:59.027420998 CET | 49720 | 80 | 192.168.2.4 | 208.95.112.1 |
Mar 19, 2025 17:18:00.230469942 CET | 49720 | 80 | 192.168.2.4 | 208.95.112.1 |
Mar 19, 2025 17:18:02.636727095 CET | 49720 | 80 | 192.168.2.4 | 208.95.112.1 |
Mar 19, 2025 17:18:07.449235916 CET | 49720 | 80 | 192.168.2.4 | 208.95.112.1 |
Mar 19, 2025 17:18:17.058875084 CET | 49720 | 80 | 192.168.2.4 | 208.95.112.1 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 19, 2025 17:16:14.741954088 CET | 51510 | 53 | 192.168.2.4 | 1.1.1.1 |
Mar 19, 2025 17:16:14.754338980 CET | 53 | 51510 | 1.1.1.1 | 192.168.2.4 |
Mar 19, 2025 17:16:17.316421032 CET | 49253 | 53 | 192.168.2.4 | 1.1.1.1 |
Mar 19, 2025 17:16:17.325267076 CET | 53 | 49253 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 19, 2025 17:16:14.741954088 CET | 192.168.2.4 | 1.1.1.1 | 0x151d | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Mar 19, 2025 17:16:17.316421032 CET | 192.168.2.4 | 1.1.1.1 | 0x8959 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 19, 2025 17:16:14.754338980 CET | 1.1.1.1 | 192.168.2.4 | 0x151d | No error (0) | 147.185.221.27 | A (IP address) | IN (0x0001) | false | ||
Mar 19, 2025 17:16:17.325267076 CET | 1.1.1.1 | 192.168.2.4 | 0x8959 | No error (0) | 208.95.112.1 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49720 | 208.95.112.1 | 80 | 7800 | C:\Users\user\Desktop\remover.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Mar 19, 2025 17:16:17.333847046 CET | 89 | OUT | |
Mar 19, 2025 17:16:18.093405008 CET | 294 | IN |
Target ID: | 0 |
Start time: | 12:16:13 |
Start date: | 19/03/2025 |
Path: | C:\Users\user\Desktop\remover.exe |
Wow64 process (32bit): | false |
Commandline: | "C:\Users\user\Desktop\remover.exe" |
Imagebase: | 0x157ef080000 |
File size: | 1'352'192 bytes |
MD5 hash: | 832E3AC5462158C38460B0F7E4496B18 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 17.6% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 3 |
Total number of Limit Nodes: | 0 |