Windows
Analysis Report
iThmbConverterSetup.exe
Overview
General Information
| Sample name: | iThmbConverterSetup.exe |
| Analysis ID: | 1668989 |
| MD5: | a796f67c500657acf8b8c607cff5f8b1 |
| SHA1: | 4834c2c2207d6f47d8d944f3f8fa75186387c08c |
| SHA256: | 326e915a44a8474ddd740b68d7d1f3e07d0a8c1bd9f3ea0bb9ec95dae08fc003 |
| Infos: |  |
 |
|
Detection
| Score: | 24 |
| Range: | 0 - 100 |
| Confidence: | 20% |
Signatures
Detected VMProtect packer
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Drops PE files
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Classification
| Source: |
Static PE information: |
||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
IP Address: |
||
| Source: |
UDP traffic detected without corresponding DNS query: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
DNS traffic detected: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
System Summary |
  |
|---|
| Source: |
Static PE information: |
||
| Source: |
Memory allocated: |
Jump to behavior | ||
| Source: |
Memory allocated: |
Jump to behavior | ||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Static PE information: |
||
| Source: |
Classification label: |
||
| Source: |
File created: |
Jump to behavior | ||
| Source: |
File created: |
Jump to behavior | ||
| Source: |
Mutant created: |
||
| Source: |
Mutant created: |
||
| Source: |
File created: |
Jump to behavior | ||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
Key opened: |
Jump to behavior | ||
| Source: |
Key opened: |
Jump to behavior | ||
| Source: |
Key opened: |
Jump to behavior | ||
| Source: |
Key opened: |
Jump to behavior | ||
| Source: |
File read: |
Jump to behavior | ||
| Source: |
Key opened: |
Jump to behavior | ||
| Source: |
Key value created or modified: |
Jump to behavior | ||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
File read: |
Jump to behavior | ||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Key value queried: |
Jump to behavior | ||
| Source: |
LNK file: |
||
| Source: |
LNK file: |
||
| Source: |
Key value created or modified: |
Jump to behavior | ||
| Source: |
Window found: |
Jump to behavior | ||
| Source: |
Automated click: |
||
| Source: |
Automated click: |
||
| Source: |
Automated click: |
||
| Source: |
Automated click: |
||
| Source: |
Automated click: |
||
| Source: |
Automated click: |
||
| Source: |
Automated click: |
||
| Source: |
Automated click: |
||
| Source: |
Automated click: |
||
| Source: |
Automated click: |
||
| Source: |
Automated click: |
||
| Source: |
Automated click: |
||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
Window detected: |
||
| Source: |
Static file information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to behavior | ||
| Source: |
File created: |
Jump to behavior | ||
| Source: |
File created: |
Jump to behavior | ||
Hooking and other Techniques for Hiding and Protection |
|
|---|
| Source: |
Memory written: |
Jump to behavior | ||
| Source: |
Memory written: |
Jump to behavior | ||
| Source: |
Memory written: |
Jump to behavior | ||
| Source: |
Memory written: |
Jump to behavior | ||
| Source: |
Memory written: |
Jump to behavior | ||
| Source: |
Memory written: |
Jump to behavior | ||
| Source: |
Memory written: |
Jump to behavior | ||
| Source: |
Memory written: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Dropped PE file which has not been started: |
Jump to dropped file | ||
| Source: |
Dropped PE file which has not been started: |
Jump to dropped file | ||
| Source: |
Dropped PE file which has not been started: |
Jump to dropped file | ||
| Source: |
Dropped PE file which has not been started: |
Jump to dropped file | ||
| Source: |
Key opened: |
Jump to behavior | ||
| Source: |
Key opened: |
Jump to behavior | ||
| Source: |
Key opened: |
Jump to behavior | ||
| Source: |
Key opened: |
Jump to behavior | ||
| Source: |
Key opened: |
Jump to behavior | ||
| Source: |
Key opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
Binary or memory string: |
||
| Source: |
Process information queried: |
Jump to behavior | ||
| Source: |
Queries volume information: |
Jump to behavior | ||
| Source: |
Queries volume information: |
Jump to behavior | ||
| Source: |
Queries volume information: |
Jump to behavior | ||
Behavior
Click here to start
Slideshow Behavior Animation
Slideshow Behavior Animation
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Contacted Public IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 37.140.192.138 | ithmbconverter.com | Russian Federation | 197695 | AS-REGRU | false |
Contacted Domains
| Name | IP | Active |
|---|---|---|
| ithmbconverter.com | 37.140.192.138 | true |
| www.ithmbconverter.com | unknown | unknown |
Contacted URLs
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false |
|
unknown |