Windows
Analysis Report
hBB2KnTndI
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
hBB2KnTndI.exe (PID: 6828 cmdline:
"C:\Users\ user\Deskt op\hBB2KnT ndI.exe" MD5: B413FF6E943C415AFC26640FF535C724) conhost.exe (PID: 6836 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) AppLaunch.exe (PID: 6060 cmdline:
C:\Windows \Microsoft .NET\Frame work\v4.0. 30319\AppL aunch.exe MD5: 6807F903AC06FF7E1670181378690B22) orxds.exe (PID: 6188 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\a10b8d fb5f\orxds .exe" MD5: 6807F903AC06FF7E1670181378690B22) WerFault.exe (PID: 6220 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 828 -s 272 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Amadey_2 | Yara detected Amadey\'s stealer DLL | Joe Security | ||
JoeSecurity_Amadey_2 | Yara detected Amadey\'s stealer DLL | Joe Security | ||
JoeSecurity_Amadey_2 | Yara detected Amadey\'s stealer DLL | Joe Security | ||
JoeSecurity_Amadey_2 | Yara detected Amadey\'s stealer DLL | Joe Security | ||
JoeSecurity_Amadey_2 | Yara detected Amadey\'s stealer DLL | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Amadey_2 | Yara detected Amadey\'s stealer DLL | Joe Security | ||
JoeSecurity_Amadey_2 | Yara detected Amadey\'s stealer DLL | Joe Security | ||
JoeSecurity_Amadey_2 | Yara detected Amadey\'s stealer DLL | Joe Security | ||
JoeSecurity_Amadey_2 | Yara detected Amadey\'s stealer DLL | Joe Security | ||
JoeSecurity_Amadey_2 | Yara detected Amadey\'s stealer DLL | Joe Security | ||
Click to see the 2 entries |
Click to jump to signature section
AV Detection |
---|
Source: | Virustotal: | Perma Link |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | ||
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | String found in binary or memory: |
Source: | Code function: |
Source: | Code function: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Process created: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Dropped File: |
Source: | Virustotal: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Key value queried: |
Source: | File created: | Jump to behavior |
Source: | Classification label: |
Source: | File read: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior |
Source: | Static file information: |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: |
Source: | Static PE information: |
Source: | File created: | Jump to dropped file |
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: |
Source: | Last function: |
Source: | Code function: |
Source: | Evaded block: |
Source: | API coverage: | ||
Source: | API coverage: | ||
Source: | API coverage: |
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: |
Source: | API call chain: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Process queried: | ||
Source: | Process queried: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Memory written: | ||
Source: | Memory written: |
Source: | Memory allocated: |
Source: | Memory written: |
Source: | Code function: |
Source: | Code function: |
Source: | Process created: | ||
Source: | Process created: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 2 Native API | Path Interception | 511 Process Injection | 1 Virtualization/Sandbox Evasion | 1 Input Capture | 2 System Time Discovery | Remote Services | 1 Screen Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 511 Process Injection | LSASS Memory | 4 Security Software Discovery | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Archive Collected Data | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 3 Obfuscated Files or Information | NTDS | 1 Account Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 System Owner/User Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 2 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 14 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
39% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Virustotal | Browse | ||
2% | Metadefender | Browse | ||
0% | ReversingLabs |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | HEUR/AGEN.1237917 | Download File | ||
100% | Avira | HEUR/AGEN.1237910 | Download File |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high |
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 635800 |
Start date and time: 29/05/202219:32:06 | 2022-05-29 19:32:06 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 9m 8s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | hBB2KnTndI (renamed file extension from none to exe) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 20 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal76.spyw.evad.winEXE@7/5@0/0 |
EGA Information: |
|
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): MpCmdRun.exe, B ackgroundTransferHost.exe, Wer Fault.exe, backgroundTaskHost. exe, SgrmBroker.exe, conhost.e xe, svchost.exe - Excluded IPs from analysis (wh
itelisted): 20.40.129.122, 20. 189.173.20 - Excluded domains from analysis
(whitelisted): fs.microsoft.c om, store-images.s-microsoft.c om, login.live.com, blobcollec tor.events.data.trafficmanager .net, onedsblobprdwus15.westus .cloudapp.azure.com, arc.traff icmanager.net, iris-de-prod-az sc-frc.francecentral.cloudapp. azure.com, watson.telemetry.mi crosoft.com, arc.msn.com - Not all processes where analyz
ed, report is missing behavior information - Report size exceeded maximum c
apacity and may have missing d isassembly code. - Report size getting too big, t
oo many NtOpenKeyEx calls foun d. - Report size getting too big, t
oo many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
19:33:20 | API Interceptor |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.6829987815203323 |
Encrypted: | false |
SSDEEP: | 96:eEFJo531hDNH7DAfFpXIQcQvc6QcEDMcw3Dz+HbHg/5VG4rmMOyWZAXGng5FMTP/:HDo53F8HBUZMXwjlq/u7sTS274ItE |
MD5: | 5B5EA8AF84945A314F06185BEB825769 |
SHA1: | 3E34A503CC4E9725C5609FB483F1AA1B023D4D16 |
SHA-256: | 5771E8F70785FBB148B119707D9530C20736187595F2C181684E3235DBED5C72 |
SHA-512: | 51099F32A4546EEFEF1BFAABDF76D62077AC34F04291EF53BFCA95F21584AAB71D75E838D83408EE6F7806CB2A43D955F7153C45B023017985D42E13AA15CAE2 |
Malicious: | true |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 32426 |
Entropy (8bit): | 2.022186547098741 |
Encrypted: | false |
SSDEEP: | 192:7ToTR5OehwDu8DusI0LrIPm7QMcU8irraOTgntPw:/e+y8Du7G0mQPHiv |
MD5: | 9CFC1F9C7F8E9B23594FE26427E5253D |
SHA1: | 01F0CDD0A22805105883C4B3930AD44CDFA9E350 |
SHA-256: | 7D63809B96E2686DE1BCE10CF9129283E9A7FFFF43CD05F60E52F22FA920D66B |
SHA-512: | C6AD471D4EBB3A31C42374A5F74E7C4BA120C85C91B646D90FFAE261EDDC7B69D39F73E8E4BF5AA86DE60273CA07CC0D69B82B361DEE73A923694CCB7163A158 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8290 |
Entropy (8bit): | 3.6987520698451015 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNi996e6YWtSU4X7gmfcSUCprx89bb0sfzJm:RrlsNiX6e6YsSU4X7gmfcSCbnfg |
MD5: | DECA573E041E2262792347A316BC7F16 |
SHA1: | 388E343B14FA0F2D7D468F83D0AAAFE62C3FB592 |
SHA-256: | 33694A7A970FFD265D0B2E5B6F9DC34874D560E79F9E1EE2762D6965BC0AA37E |
SHA-512: | F4BEA1B1B851077E9D35A85F3D10483FB09CE95C3672F33698307AD33BC6F18E43E065A89D12A29B74AD359C9AB2D7B7489FFBC1AFAE9AE957B9CC56B6F532FE |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4568 |
Entropy (8bit): | 4.461858019240563 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zs4JgtWI9hj1XWgc8sqYjf8fm8M4J0HFHz+q8QJ02jKlgd:uITf+4j1mgrsqYQJAz02jegd |
MD5: | 1361281EBE1DED37788E6218F3B30E8D |
SHA1: | 9B859030FD96C44D20AEA8638A4CB00482FEC9DC |
SHA-256: | 7824E5E7F7903D4A2BE8B7441D46C0D301E98E11749BCCFA08354A24EF0DBF78 |
SHA-512: | D11482242AB2E98D88258A1FD043FF8D6ACBDFDAE73794C5CE223FB85923799C64375A29B85E8A1AE1D7D8CB578653B7A2C4E80EA8B1C9DF0BDE1BB2E370BD1F |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 98912 |
Entropy (8bit): | 6.288162510609848 |
Encrypted: | false |
SSDEEP: | 1536:mdCQC+TbenjRV4hbdZ7Fbk7zrbITCFcnMeaYNVq7B7d:mdCQZTbejTHXACFcnMjiMJ |
MD5: | 6807F903AC06FF7E1670181378690B22 |
SHA1: | 901EC730ADC4A7C8531E8DA343A977E04FDE8B03 |
SHA-256: | 115D04150F524C103CA08E18305B0B103A3767336E19404235D2017F4B233CE5 |
SHA-512: | 37CC7812BFD4F5A4D81D7D4B5B5906D35928856BFAF7B532481B4233AFA36E9C41C3D42D84290288A0DEB47F5D8CD54FE1280C1E0F639B8240F9AB2638716EEB |
Malicious: | true |
Antivirus: | |
Reputation: | moderate, very likely benign file |
Preview: |
File type: | |
Entropy (8bit): | 6.357132284261992 |
TrID: |
|
File name: | hBB2KnTndI.exe |
File size: | 2476494 |
MD5: | b413ff6e943c415afc26640ff535c724 |
SHA1: | fcc13d52bf28416f3b8a594d58113fd8828a4093 |
SHA256: | 7ff0ff6e51a58398ad73da3cc8e7e6233a23e49d93aaa4b190672e4f9f08b9bb |
SHA512: | ca5ac0fc7aa0ed1a615ccd628b8b97b3d83b31e0da58b9d9e23e4e9f97bfa598920119e8afbbdac6e97c994e8739651083fd1afe69384d25a1fd6bc4702ce815 |
SSDEEP: | 24576:dofQL0YjKOTrGRTnFZUDt4KZHD6XyeOjuTfedlb0hv4d7KXl8p+NauQ5V3h357:dofQL0YjKOTrGJ7C5iOjuTWdlxd7Kc |
TLSH: | 1CB51A135A8B0E75DDC23BB4A1CB633E9734EE30CA2A9B7FF609C53559532C5681A702 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=..b.j...R...........\...H...............p....@...................................&....... ............................ |
Icon Hash: | 00828e8e8686b000 |
Entrypoint: | 0x4012e0 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows cui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x6290AF3D [Fri May 27 11:00:13 2022 UTC] |
TLS Callbacks: | 0x41bc40, 0x41bbf0 |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | d0dfe559e003c7370c899d20dea7dea8 |
Signature Valid: | false |
Signature Issuer: | CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After |
|
Subject Chain |
|
Version: | 3 |
Thumbprint MD5: | D15B2B9631F8B37BA8D83A5AE528A8BB |
Thumbprint SHA-1: | 8740DF4ACB749640AD318E4BE842F72EC651AD80 |
Thumbprint SHA-256: | 2EB421FBB33BBF9C8F6B58C754B0405F40E02CB6328936AAE39DB7A24880EA21 |
Serial: | 33000002528B33AAF895F339DB000000000252 |
Instruction |
---|
sub esp, 1Ch |
mov dword ptr [esp], 00000001h |
call dword ptr [005372F0h] |
call 00007F0C60A25320h |
lea esi, dword ptr [esi+00h] |
lea edi, dword ptr [edi+00000000h] |
sub esp, 1Ch |
mov dword ptr [esp], 00000002h |
call dword ptr [005372F0h] |
call 00007F0C60A25300h |
lea esi, dword ptr [esi+00h] |
lea edi, dword ptr [edi+00000000h] |
jmp dword ptr [00537328h] |
lea esi, dword ptr [esi+00h] |
lea edi, dword ptr [edi+00000000h] |
jmp dword ptr [00537318h] |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
push ebp |
mov ebp, esp |
push esi |
push ebx |
sub esp, 10h |
mov dword ptr [esp], 004F1000h |
call 00007F0C60A4F479h |
sub esp, 04h |
test eax, eax |
je 00007F0C60A25517h |
mov dword ptr [esp], 004F1000h |
mov ebx, eax |
call 00007F0C60A4F420h |
sub esp, 04h |
mov dword ptr [00536A54h], eax |
mov dword ptr [esp+04h], 004F1013h |
mov dword ptr [esp], ebx |
call 00007F0C60A4F440h |
sub esp, 08h |
mov esi, eax |
mov dword ptr [esp+04h], 004F1029h |
mov dword ptr [esp], ebx |
call 00007F0C60A4F42Bh |
sub esp, 08h |
mov dword ptr [004B7000h], eax |
test esi, esi |
je 00007F0C60A25473h |
mov dword ptr [eax+eax+00h], 00000000h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x137000 | 0xb98 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x25a206 | 0x27c8 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x139004 | 0x18 | .tls |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x137230 | 0x1cc | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xb5b5c | 0xb5c00 | False | 0.379203114254 | data | 6.26139811273 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ |
.data | 0xb7000 | 0x39ce8 | 0x39e00 | False | 0.75697725432 | data | 7.53280661319 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ |
.rdata | 0xf1000 | 0xb1d8 | 0xb200 | False | 0.318929950843 | data | 5.61563738189 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ |
/4 | 0xfd000 | 0x38a80 | 0x38c00 | False | 0.180035965033 | data | 4.78722613482 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ |
.bss | 0x136000 | 0xb60 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ |
.idata | 0x137000 | 0xb98 | 0xc00 | False | 0.4052734375 | data | 4.97230024056 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ |
.CRT | 0x138000 | 0x18 | 0x200 | False | 0.046875 | data | 0.118369631259 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ |
.tls | 0x139000 | 0x20 | 0x200 | False | 0.05859375 | data | 0.22482003451 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ |
/14 | 0x13a000 | 0xd8 | 0x200 | False | 0.189453125 | data | 1.05435750986 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ |
/29 | 0x13b000 | 0x14e37 | 0x15000 | False | 0.38714890253 | data | 6.07122897105 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ |
/41 | 0x150000 | 0x13b8 | 0x1400 | False | 0.25234375 | data | 4.72334895544 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ |
/55 | 0x152000 | 0x1f23 | 0x2000 | False | 0.54150390625 | data | 6.21611847392 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ |
/67 | 0x154000 | 0x38 | 0x200 | False | 0.1171875 | TIM image, (3080,1028) | 0.668238434502 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ |
/80 | 0x155000 | 0x2ae | 0x400 | False | 0.3525390625 | data | 3.87768624749 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ |
/91 | 0x156000 | 0x829a | 0x8400 | False | 0.315814393939 | data | 4.14712052349 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ |
/102 | 0x15f000 | 0xcd8 | 0xe00 | False | 0.345145089286 | data | 3.1533400052 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ |
DLL | Import |
---|---|
KERNEL32.dll | CloseHandle, CreateSemaphoreW, DeleteCriticalSection, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileA, FindNextFileA, FreeLibrary, GetCommandLineA, GetCurrentThreadId, GetLastError, GetModuleHandleA, GetProcAddress, InitializeCriticalSection, InterlockedDecrement, InterlockedExchange, InterlockedIncrement, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, ReleaseSemaphore, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, VirtualAlloc, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte |
msvcrt.dll | _fdopen, _fstat, _lseek, _read, _strdup, _stricoll, _write |
msvcrt.dll | __getmainargs, __mb_cur_max, __p__environ, __p__fmode, __set_app_type, _cexit, _errno, _filbuf, _flsbuf, _fmode, _fpreset, _fullpath, _iob, _isctype, _onexit, _pctype, _setmode, abort, atexit, atoi, calloc, fclose, fflush, fopen, fputc, fputs, fread, free, fseek, ftell, fwrite, getenv, getwc, iswctype, localeconv, malloc, mbstowcs, memchr, memcmp, memcpy, memmove, memset, putwc, realloc, setlocale, setvbuf, signal, sprintf, strchr, strcmp, strcoll, strerror, strftime, strlen, strtod, strtoul, strxfrm, tolower, towlower, towupper, ungetc, ungetwc, vfprintf, wcscoll, wcsftime, wcslen, wcstombs, wcsxfrm |
USER32.dll | MessageBoxW |
Click to jump to process
Target ID: | 0 |
Start time: | 19:33:03 |
Start date: | 29/05/2022 |
Path: | C:\Users\user\Desktop\hBB2KnTndI.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 2476494 bytes |
MD5 hash: | B413FF6E943C415AFC26640FF535C724 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Target ID: | 1 |
Start time: | 19:33:03 |
Start date: | 29/05/2022 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7c9170000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 5 |
Start time: | 19:33:13 |
Start date: | 29/05/2022 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1270000 |
File size: | 98912 bytes |
MD5 hash: | 6807F903AC06FF7E1670181378690B22 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
Target ID: | 7 |
Start time: | 19:33:15 |
Start date: | 29/05/2022 |
Path: | C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 98912 bytes |
MD5 hash: | 6807F903AC06FF7E1670181378690B22 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: | |
Reputation: | high |
Target ID: | 8 |
Start time: | 19:33:15 |
Start date: | 29/05/2022 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xb10000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |