Search in progress...
Play interactive tour
Edit tourAnalysis Report zbetcheckin_tracker_propan.exe
Overview
General Information |
|---|
| Joe Sandbox Version: | 23.0.0 |
| Analysis ID: | 48850 |
| Start date: | 03.10.2018 |
| Start time: | 11:14:04 |
| Joe Sandbox Product: | Cloud |
| Overall analysis duration: | 0h 3m 39s |
| Hypervisor based Inspection enabled: | true |
| Report type: | full |
| Sample file name: | zbetcheckin_tracker_propan.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 7 x64 HVM (Office 2010, IE11, FF 50.1, Chrome 54.0, Java 1.8.0_111, Adobe Reader DC 2015.02) |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies |
|
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal80.bank.evad.winEXE@4/6@1/2 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Detection |
|---|
| Strategy | Score | Range | Reporting | Detection | |
|---|---|---|---|---|---|
| Threshold | 80 | 0 - 100 | Report FP / FN |  | |
Confidence |
|---|
| Strategy | Score | Range | Further Analysis Required? | Confidence | |
|---|---|---|---|---|---|
| Threshold | 5 | 0 - 5 | false |   | |
Classification |
|---|
Signature Overview |
|---|
Click to jump to signature section
AV Detection: |   |
|---|
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | virustotal: | Perma Link | ||
| Antivirus detection for unpacked file | Show sources | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
Networking: | |
|---|
| Creates a COM Internet Explorer object | Show sources | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | COM instance created: | Jump to behavior | ||
| Downloads files | Show sources | ||
| Source: | File created: | Jump to behavior | ||
| Downloads files from webservers via HTTP | Show sources | ||
| Source: | HTTP traffic detected: | ||
| Performs DNS lookups | Show sources | ||
| Source: | DNS traffic detected: | ||
E-Banking Fraud: | |
|---|
| Detected Ursnif banking trojan | Show sources | ||
| Source: | Code function: | 1_2_00401C7A | |
System Summary: | |
|---|
| Contains functionality to create processes via WMI | Show sources | ||
| Source: | Code function: | 1_2_002D42BD | |
| Source: | Code function: | 1_2_002D42BD | |
| Source: | Code function: | 1_2_002D42BD | |
| Source: | Binary or memory string: | ||
| Starts Internet Explorer in hidden mode | Show sources | ||
| Source: | Window hidden: | Jump to behavior | ||
| Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc) | Show sources | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Contains functionality to call native functions | Show sources | ||
| Source: | Code function: | 1_2_004022EC | |
| Source: | Code function: | 1_2_004018F0 | |
| Source: | Code function: | 1_2_004012F6 | |
| Source: | Code function: | 1_2_004027FD | |
| Source: | Code function: | 1_2_0040192F | |
| Source: | Code function: | 1_2_0040143E | |
| Source: | Code function: | 1_2_00402749 | |
| Source: | Code function: | 1_2_0040276A | |
| Source: | Code function: | 1_2_0040318D | |
| Source: | Code function: | 1_2_00402F20 | |
| Source: | Code function: | 1_2_004027AD | |
| Source: | Code function: | 1_2_002D4615 | |
| Source: | Code function: | 1_2_002DE040 | |
| Source: | Code function: | 1_2_002DE297 | |
| Source: | Code function: | 1_2_002DE2D6 | |
| Source: | Code function: | 1_1_00401800 | |
| Detected potential crypto function | Show sources | ||
| Source: | Code function: | 1_2_00402F6C | |
| Source: | Code function: | 1_2_002D92AC | |
| Source: | Code function: | 1_2_002D2BC6 | |
| Source: | Code function: | 1_2_00414449 | |
| Source: | Code function: | 1_2_004160BE | |
| Source: | Code function: | 1_2_00413F07 | |
| Source: | Code function: | 1_2_0040E71E | |
| Source: | Code function: | 1_2_0041498B | |
| Source: | Code function: | 1_1_00414449 | |
| Source: | Code function: | 1_1_00404A60 | |
| Source: | Code function: | 1_1_0040D4F0 | |
| Source: | Code function: | 1_1_004160BE | |
| Source: | Code function: | 1_1_00413F07 | |
| Source: | Code function: | 1_1_0040E71E | |
| Source: | Code function: | 1_1_0041498B | |
| Source: | Code function: | 1_1_004151B9 | |
| Found potential URLs in runtime VBA strings | Show sources | ||
| Source: | VBA Memory String: | Jump to behavior | ||
| Source: | VBA Memory String: | Jump to behavior | ||
| Source: | VBA Memory String: | Jump to behavior | ||
| Source: | VBA Memory String: | Jump to behavior | ||
| Source: | VBA Memory String: | Jump to behavior | ||
| Source: | VBA Memory String: | Jump to behavior | ||
| PE file contains strange resources | Show sources | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Classification label | Show sources | ||
| Source: | Classification label: | ||
| Contains functionality to instantiate COM classes | Show sources | ||
| Source: | Code function: | 1_2_002D5457 | |
| Creates files inside the user directory | Show sources | ||
| Source: | File created: | Jump to behavior | ||
| Creates temporary files | Show sources | ||
| Source: | File created: | Jump to behavior | ||
| PE file has an executable .text section and no other executable section | Show sources | ||
| Source: | Static PE information: | ||
| Reads ini files | Show sources | ||
| Source: | File read: | Jump to behavior | ||
| Reads software policies | Show sources | ||
| Source: | Key opened: | Jump to behavior | ||
| Sample is known by Antivirus | Show sources | ||
| Source: | virustotal: | ||
| Spawns processes | Show sources | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Uses an in-process (OLE) Automation server | Show sources | ||
| Source: | Key value queried: | Jump to behavior | ||
Data Obfuscation: | |
|---|
| Contains functionality to dynamically determine API calls | Show sources | ||
| Source: | Code function: | 1_1_00412282 | |
| Uses code obfuscation techniques (call, push, ret) | Show sources | ||
| Source: | Code function: | 1_2_00402F6B | |
| Source: | Code function: | 1_2_00407222 | |
| Source: | Code function: | 1_2_002D92AB | |
| Source: | Code function: | 1_1_0040D4E4 | |
Hooking and other Techniques for Hiding and Protection: | |
|---|
| Writes registry values via WMI | Show sources | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Disables application error messsages (SetErrorMode) | Show sources | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion: | |
|---|
| Found evasive API chain (may stop execution after checking locale) | Show sources | ||
| Source: | Evasive API call chain: | graph_1-7457 | ||
| Tries to detect sandboxes / dynamic malware analysis system (cursor check) | Show sources | ||
| Source: | Code function: | 1_2_004010ED | |
| May sleep (evasive loops) to hinder dynamic analysis | Show sources | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Sample execution stops while process was sleeping (likely an evasion) | Show sources | ||
| Source: | Last function: | ||
| Program exit points | Show sources | ||
| Source: | API call chain: | graph_1-7347 | ||
Anti Debugging: | |
|---|
| Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) | Show sources | ||
| Source: | System information queried: | Jump to behavior | ||
| Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress) | Show sources | ||
| Source: | Code function: | 1_2_004012F6 | |
| Contains functionality to check if a debugger is running (IsDebuggerPresent) | Show sources | ||
| Source: | Code function: | 1_2_0040FE9A | |
| Contains functionality to dynamically determine API calls | Show sources | ||
| Source: | Code function: | 1_1_00412282 | |
| Contains functionality to read the PEB | Show sources | ||
| Source: | Code function: | 1_2_0025052B | |
| Source: | Code function: | 1_2_00250000 | |
| Source: | Code function: | 1_2_00250000 | |
| Source: | Code function: | 1_2_002506F5 | |
| Source: | Code function: | 1_2_002506F5 | |
| Source: | Code function: | 1_2_00250AFD | |
| Source: | Code function: | 1_2_00290000 | |
| Source: | Code function: | 1_2_00290000 | |
| Source: | Code function: | 1_2_00290408 | |
| Contains functionality which may be used to detect a debugger (GetProcessHeap) | Show sources | ||
| Source: | Code function: | 1_1_0040C832 | |
| Contains functionality to register its own exception handler | Show sources | ||
| Source: | Code function: | 1_2_0040FE9A | |
| Source: | Code function: | 1_2_00413BEE | |
| Source: | Code function: | 1_1_0040CA26 | |
| Source: | Code function: | 1_1_0040FE9A | |
| Source: | Code function: | 1_1_00413BEE | |
HIPS / PFW / Operating System Protection Evasion: | |
|---|
| May try to detect the Windows Explorer process (often used for injection) | Show sources | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Language, Device and Operating System Detection: | |
|---|
| Contains functionality locales information (e.g. system language) | Show sources | ||
| Source: | Code function: | 1_2_0040270C | |
| Source: | Code function: | 1_2_004134B0 | |
| Source: | Code function: | 1_1_004026F0 | |
| Source: | Code function: | 1_1_004134B0 | |
| Contains functionality to query CPU information (cpuid) | Show sources | ||
| Source: | Code function: | 1_2_002D46DF | |
| Contains functionality to query local / system time | Show sources | ||
| Source: | Code function: | 1_2_002D1C3C | |
| Contains functionality to query the account / user name | Show sources | ||
| Source: | Code function: | 1_2_002D46DF | |
| Contains functionality to query windows version | Show sources | ||
| Source: | Code function: | 1_2_00401B9B | |
| Queries the cryptographic machine GUID | Show sources | ||
| Source: | Key value queried: | Jump to behavior | ||
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is maliciousSimulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 11:16:06 | API Interceptor | 149x Sleep call for process: zbetcheckin_tracker_propan.exe modified |
Antivirus Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 44% | virustotal | Browse | ||
| 11% | metadefender | Browse |
Dropped Files |
|---|
| No Antivirus matches |
|---|
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | TR/Patched.Ren.Gen | ||
| 100% | Avira | TR/Patched.Ren.Gen |
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| No Antivirus matches |
|---|
Yara Overview |
|---|
Initial Sample |
|---|
| No yara matches |
|---|
PCAP (Network Traffic) |
|---|
| No yara matches |
|---|
Dropped Files |
|---|
| No yara matches |
|---|
Memory Dumps |
|---|
| No yara matches |
|---|
Unpacked PEs |
|---|
| No yara matches |
|---|
Screenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Startup |
|---|
|
Created / dropped Files |
|---|
| Process: | C:\Program Files\Internet Explorer\iexplore.exe |
| File Type: | |
| Size (bytes): | 25657 |
| Entropy (8bit): | 2.176978949251122 |
| Encrypted: | false |
| MD5: | 55485BE3EF18BA5AD6355F9FBE25F3CC |
| SHA1: | ABFF4536A8CA1C8C3066997982F831EF6C581715 |
| SHA-256: | 983908AB258F0BA6C99BAF97CF34434D7704BB32E8824690C998A681E9EB2D78 |
| SHA-512: | 9A9DBE0C22478908E5A6E1D230BF577625A6CC99D0F3CDC6135488D5CD8287C0910331BAC430AA30A1C2A62BE47D7B28396EE3F137AC0CC46214826342927BDC |
| Malicious: | false |
| Reputation: | low |
| Process: | C:\Program Files\Internet Explorer\iexplore.exe |
| File Type: | |
| Size (bytes): | 12917 |
| Entropy (8bit): | 1.26396999706028 |
| Encrypted: | false |
| MD5: | 8A18599411937FBE9F25B7F5365779FE |
| SHA1: | 4356788CAEB2FCB84DE904A7B168D7F696E45E17 |
| SHA-256: | 1F5940FFAD29BFDBFDD1726D070CAE1F6D8A5678EA0265E793DD5106B80F9F99 |
| SHA-512: | 268C6AD044318D14509FF2C6BD015A9A4F8ACA9946EDBB8F2323599A9CF0F253477D054838167AF8C6DA393339581B7ED53B32964C413953DF4F7581A489C066 |
| Malicious: | false |
| Reputation: | low |
| Process: | C:\Program Files\Internet Explorer\iexplore.exe |
| File Type: | |
| Size (bytes): | 237 |
| Entropy (8bit): | 6.1480026084285395 |
| Encrypted: | false |
| MD5: | 9FB559A691078558E77D6848202F6541 |
| SHA1: | EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 |
| SHA-256: | 6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914 |
| SHA-512: | 0E08938568CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCFB74437DE520395234D0009D452FB96A8ECE236B |
| Malicious: | false |
| Reputation: | low |
| Process: | C:\Program Files\Internet Explorer\iexplore.exe |
| File Type: | |
| Size (bytes): | 21592 |
| Entropy (8bit): | 1.7627604255262714 |
| Encrypted: | false |
| MD5: | A06D7B4CA86645FD6907B1248E3B4775 |
| SHA1: | 6CD6CC371A1B08EE05C14EE8513496A353569982 |
| SHA-256: | 037DC37D0382D95D73B98219FEEBF099F1FDC96F8A51B71A13BAE885B9B05D50 |
| SHA-512: | 7616DA33EB92F11B6270C1BF746C7E339CB67693A321176DD53E7E98E2E3D7186AC638FB3810B70891F29B775D878B9E1D845411A5220840D0815724D35AABFD |
| Malicious: | false |
| Reputation: | low |
| Process: | C:\Program Files\Internet Explorer\iexplore.exe |
| File Type: | |
| Size (bytes): | 16984 |
| Entropy (8bit): | 1.5772396259895078 |
| Encrypted: | false |
| MD5: | 4AA3ABB003514E1CEFC4BD0847C6CBD6 |
| SHA1: | 9677A883402ABFFB3D1226223956FB2302D2884D |
| SHA-256: | 2226D184979E293213BED7F088811E4E8E789E3D28211568A6122DF0E50B3C71 |
| SHA-512: | 14DDE72B90922243F49AC5E8BE62F4B42C91EFF2A1794D97CE169FA7D0231C1FD57F52E0A173BE3094DD94958A49E4581FE069B9E1FFB40FCFC388BDE9BDF0CC |
| Malicious: | false |
| Reputation: | low |
| Process: | C:\Program Files\Internet Explorer\iexplore.exe |
| File Type: | |
| Size (bytes): | 237 |
| Entropy (8bit): | 6.1480026084285395 |
| Encrypted: | false |
| MD5: | 9FB559A691078558E77D6848202F6541 |
| SHA1: | EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 |
| SHA-256: | 6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914 |
| SHA-512: | 0E08938568CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCFB74437DE520395234D0009D452FB96A8ECE236B |
| Malicious: | false |
| Reputation: | low |
Domains and IPs |
|---|
Contacted Domains |
|---|
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| doc.rendes.at | 47.254.153.156 | true | false | high |
Contacted URLs |
|---|
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | unknown |
Contacted IPs |
|---|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 6.528337649042211 |
| TrID: |
|
| File name: | zbetcheckin_tracker_propan.exe |
| File size: | 183296 |
| MD5: | 7e17f0f35d50f49407841372f24fbd38 |
| SHA1: | 921ad55a3f593239b906163cf1bb8001194822f3 |
| SHA256: | 934c3445fe9d1a3d4cca4d3ec09c9191d8f9067e13e58fa0b288cb520cd40785 |
| SHA512: | 8200be71fc9015e9160ce7a3f665a917e058c8ee8753c178f43cf62a519154cafd83125787b565748c9061d9fcbe3c96f65edfa2dbc01c17f0e20f540386a1d1 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(.."l..ql..ql..qK0.q...qK0.q:..q...qe..ql..q...qK0.qp..qK0.qm..qr..qm..qRichl..q........................PE..L....v.[........... |
File Icon |
|---|
 |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x40ca12 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x5BB076BF [Sun Sep 30 07:09:51 2018 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 65787a6837f68f71463896efdbebc84c |
Entrypoint Preview |
|---|
| Instruction |
|---|
| call 00007FBDAD823FE1h |
| jmp 00007FBDAD820A8Bh |
| mov eax, dword ptr [esp+04h] |
| mov dword ptr [00436074h], eax |
| ret |
| push ebp |
| lea ebp, dword ptr [esp-000002A8h] |
| sub esp, 00000328h |
| mov eax, dword ptr [0042C4A0h] |
| xor eax, ebp |
| mov dword ptr [ebp+000002A4h], eax |
| push esi |
| mov dword ptr [ebp+00000088h], eax |
| mov dword ptr [ebp+00000084h], ecx |
| mov dword ptr [ebp+00000080h], edx |
| mov dword ptr [ebp+7Ch], ebx |
| mov dword ptr [ebp+78h], esi |
| mov dword ptr [ebp+74h], edi |
| mov word ptr [ebp+000000A0h], ss |
| mov word ptr [ebp+00000094h], cs |
| mov word ptr [ebp+70h], ds |
| mov word ptr [ebp+6Ch], es |
| mov word ptr [ebp+68h], fs |
| mov word ptr [ebp+64h], gs |
| pushfd |
| pop dword ptr [ebp+00000098h] |
| mov esi, dword ptr [ebp+000002ACh] |
| lea eax, dword ptr [ebp+000002ACh] |
| mov dword ptr [ebp+0000009Ch], eax |
| mov dword ptr [ebp-28h], 00010001h |
| mov dword ptr [ebp+00000090h], esi |
| mov eax, dword ptr [eax-04h] |
| push 00000050h |
| mov dword ptr [ebp+0000008Ch], eax |
| lea eax, dword ptr [ebp-80h] |
| push 00000000h |
| push eax |
| call 00007FBDAD823FDEh |
| lea eax, dword ptr [ebp-80h] |
| mov dword ptr [ebp-30h], eax |
| lea eax, dword ptr [ebp-28h] |
| add esp, 0Ch |
| mov dword ptr [ebp-80h], C000000Dh |
| mov dword ptr [ebp-74h], esi |
| mov dword ptr [ebp-2Ch], eax |
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2ab50 | 0x64 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x1458 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x18b68 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x17000 | 0x218 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x1562a | 0x15800 | False | 0.545387445494 | data | 6.51475744719 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rdata | 0x17000 | 0x146f6 | 0x14800 | False | 0.76806640625 | data | 6.25790724155 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x2c000 | 0xac18 | 0x1200 | False | 0.344835069444 | data | 3.39487152334 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x37000 | 0x1458 | 0x1600 | False | 0.437144886364 | data | 4.50632518873 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_CURSOR | 0x374d8 | 0x134 | data | ||
| RT_CURSOR | 0x37628 | 0x134 | data | ||
| RT_ICON | 0x37788 | 0x568 | GLS_BINARY_LSB_FIRST | ||
| RT_ICON | 0x37cf0 | 0x468 | GLS_BINARY_LSB_FIRST | ||
| RT_DIALOG | 0x372f0 | 0xe2 | data | ||
| RT_DIALOG | 0x373d8 | 0xe2 | data | ||
| RT_GROUP_CURSOR | 0x374c0 | 0x14 | Lotus 1-2-3 | ||
| RT_GROUP_CURSOR | 0x37610 | 0x14 | Lotus 1-2-3 | ||
| RT_GROUP_ICON | 0x37760 | 0x22 | MS Windows icon resource - 2 icons, 16x16, 256-colors | ||
| RT_VERSION | 0x38158 | 0x19c | data | ||
| RT_MANIFEST | 0x382f8 | 0x15a | ASCII text, with CRLF line terminators |
Imports |
|---|
| DLL | Import |
|---|---|
| USER32.dll | DefWindowProcA, MessageBoxA, DestroyWindow, UpdateWindow, ShowWindow, GetMenu, AdjustWindowRect, EndDialog, InvalidateRect, wsprintfA, SetWindowTextA, DrawMenuBar, BeginPaint, EndPaint, IsIconic, MoveWindow, PostQuitMessage, GetWindowLongA, DialogBoxParamA, LoadStringA, EnableMenuItem, GetWindowRect, SendMessageA, SetWindowPos, PostMessageA, GetMessageA, TranslateMessage, DispatchMessageA, MessageBeep, LoadIconA, LoadCursorA, RegisterClassA, GetSystemMetrics, CreateWindowExA |
| comdlg32.dll | GetOpenFileNameA |
| VERSION.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW |
| KERNEL32.dll | GetDateFormatA, RtlUnwind, InitializeCriticalSection, Sleep, CompareStringA, GetCurrentProcessId, InterlockedDecrement, GetCurrentThreadId, SetLastError, InterlockedIncrement, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, IsDebuggerPresent, GetVersionExA, CompareStringW, GlobalFindAtomW, GlobalAddAtomW, GlobalFlags, GetTickCount, GetACP, GetLocaleInfoA, RaiseException, HeapFree, HeapAlloc, GetProcessHeap, GetStartupInfoW, GetSystemTimeAsFileTime, ExitProcess, VirtualAlloc, GetProcAddress, GetModuleHandleA, GetVersion, GetCurrentProcess, WideCharToMultiByte, WriteFile, LoadLibraryA, lstrcpyA, LCMapStringW, MultiByteToWideChar, CreatePipe, GetExitCodeProcess, SetFilePointer, GetDriveTypeA, GetCurrentDirectoryA, CreateFileA, SetEnvironmentVariableW, SetEnvironmentVariableA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, IsValidLocale, EnumSystemLocalesA, GetStringTypeW, GetStringTypeA, GetConsoleMode, GetConsoleCP, GetTimeZoneInformation, GetTimeFormatA, QueryPerformanceCounter, VirtualFree, HeapCreate, HeapDestroy, GetStartupInfoA, SetHandleCount, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetModuleFileNameA, GetStdHandle, FlushFileBuffers, LCMapStringA, IsValidCodePage, GetOEMCP, GetCPInfo, VirtualQuery, GetSystemInfo, VirtualProtect, HeapSize, GetFileType, SetStdHandle, HeapReAlloc, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess |
Version Infos |
|---|
| Description | Data |
|---|---|
| InternalName | IMSG |
| FileDescription | Parser |
| FileVersion | 1748 |
| CompanyName | loxlox |
| Translation | 0x0409 0x04b0 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 3, 2018 11:16:29.028738976 CEST | 55984 | 53 | 192.168.2.2 | 8.8.8.8 |
| Oct 3, 2018 11:16:29.415028095 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.2 |
| Oct 3, 2018 11:16:29.426309109 CEST | 49233 | 80 | 192.168.2.2 | 47.254.153.156 |
| Oct 3, 2018 11:16:29.427006006 CEST | 49234 | 80 | 192.168.2.2 | 47.254.153.156 |
| Oct 3, 2018 11:16:29.450634956 CEST | 80 | 49233 | 47.254.153.156 | 192.168.2.2 |
| Oct 3, 2018 11:16:29.450643063 CEST | 80 | 49234 | 47.254.153.156 | 192.168.2.2 |
| Oct 3, 2018 11:16:29.450722933 CEST | 49233 | 80 | 192.168.2.2 | 47.254.153.156 |
| Oct 3, 2018 11:16:29.450733900 CEST | 49234 | 80 | 192.168.2.2 | 47.254.153.156 |
| Oct 3, 2018 11:16:29.452330112 CEST | 49233 | 80 | 192.168.2.2 | 47.254.153.156 |
| Oct 3, 2018 11:16:29.476313114 CEST | 80 | 49233 | 47.254.153.156 | 192.168.2.2 |
| Oct 3, 2018 11:16:32.098453045 CEST | 50783 | 53 | 192.168.2.2 | 8.8.8.8 |
| Oct 3, 2018 11:16:32.103457928 CEST | 51303 | 53 | 192.168.2.2 | 8.8.8.8 |
| Oct 3, 2018 11:16:32.113343000 CEST | 53 | 50783 | 8.8.8.8 | 192.168.2.2 |
| Oct 3, 2018 11:16:32.118056059 CEST | 53 | 51303 | 8.8.8.8 | 192.168.2.2 |
| Oct 3, 2018 11:16:32.121105909 CEST | 55522 | 53 | 192.168.2.2 | 8.8.8.8 |
| Oct 3, 2018 11:16:32.135778904 CEST | 53 | 55522 | 8.8.8.8 | 192.168.2.2 |
| Oct 3, 2018 11:16:33.461882114 CEST | 59398 | 53 | 192.168.2.2 | 8.8.8.8 |
| Oct 3, 2018 11:16:33.471844912 CEST | 55803 | 53 | 192.168.2.2 | 8.8.8.8 |
| Oct 3, 2018 11:16:33.476080894 CEST | 53 | 59398 | 8.8.8.8 | 192.168.2.2 |
| Oct 3, 2018 11:16:33.486018896 CEST | 53 | 55803 | 8.8.8.8 | 192.168.2.2 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 3, 2018 11:16:29.028738976 CEST | 55984 | 53 | 192.168.2.2 | 8.8.8.8 |
| Oct 3, 2018 11:16:29.415028095 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.2 |
| Oct 3, 2018 11:16:32.098453045 CEST | 50783 | 53 | 192.168.2.2 | 8.8.8.8 |
| Oct 3, 2018 11:16:32.103457928 CEST | 51303 | 53 | 192.168.2.2 | 8.8.8.8 |
| Oct 3, 2018 11:16:32.113343000 CEST | 53 | 50783 | 8.8.8.8 | 192.168.2.2 |
| Oct 3, 2018 11:16:32.118056059 CEST | 53 | 51303 | 8.8.8.8 | 192.168.2.2 |
| Oct 3, 2018 11:16:32.121105909 CEST | 55522 | 53 | 192.168.2.2 | 8.8.8.8 |
| Oct 3, 2018 11:16:32.135778904 CEST | 53 | 55522 | 8.8.8.8 | 192.168.2.2 |
| Oct 3, 2018 11:16:33.461882114 CEST | 59398 | 53 | 192.168.2.2 | 8.8.8.8 |
| Oct 3, 2018 11:16:33.471844912 CEST | 55803 | 53 | 192.168.2.2 | 8.8.8.8 |
| Oct 3, 2018 11:16:33.476080894 CEST | 53 | 59398 | 8.8.8.8 | 192.168.2.2 |
| Oct 3, 2018 11:16:33.486018896 CEST | 53 | 55803 | 8.8.8.8 | 192.168.2.2 |
DNS Queries |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Oct 3, 2018 11:16:29.028738976 CEST | 192.168.2.2 | 8.8.8.8 | 0xd536 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Oct 3, 2018 11:16:29.415028095 CEST | 8.8.8.8 | 192.168.2.2 | 0xd536 | No error (0) | 47.254.153.156 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
|---|
|
HTTP Packets |
|---|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.2 | 49233 | 47.254.153.156 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Oct 3, 2018 11:16:29.452330112 CEST | 1 | OUT |
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
High Level Behavior Distribution |
|---|
back
Click to dive into process behavior distribution
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 11:14:17 |
| Start date: | 03/10/2018 |
| Path: | C:\Users\user\Desktop\zbetcheckin_tracker_propan.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 183296 bytes |
| MD5 hash: | 7E17F0F35D50F49407841372F24FBD38 |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
General |
|---|
| Start time: | 11:16:07 |
| Start date: | 03/10/2018 |
| Path: | C:\Program Files\Internet Explorer\iexplore.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x13ff20000 |
| File size: | 814288 bytes |
| MD5 hash: | 446332D1A5576870E436B13AEB27CA8E |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
General |
|---|
| Start time: | 11:16:08 |
| Start date: | 03/10/2018 |
| Path: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x260000 |
| File size: | 815304 bytes |
| MD5 hash: | F2831268EC600225F611DC02166EACF0 |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
Disassembly |
|---|
Code Analysis |
|---|