Analysis Report DOC000YUT600.scr

Overview

General Information

Joe Sandbox Version: 23.0.0
Analysis ID: 648369
Start date: 29.08.2018
Start time: 09:58:45
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 11m 0s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: DOC000YUT600.scr (renamed file extension from scr to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@10/5@0/1
EGA Information:
  • Successful, ratio: 33.3%
HDC Information:
  • Successful, ratio: 99.9% (good quality ratio 90.9%)
  • Quality average: 76.9%
  • Quality standard deviation: 31.3%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • Execution Graph export aborted for target DOC000YUT600.exe, PID 3420 because it is empty
  • Execution Graph export aborted for target Regdriver.exe, PID 3484 because it is empty
  • Execution Graph export aborted for target regdrv.exe, PID 3452 because it is empty
  • Execution Graph export aborted for target regdrv.exe, PID 3532 because it is empty
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook



Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\Videos\Regdriver.exe | Avira: Label: HEUR/AGEN.1032427
Source: C:\Users\user\Music\regdrv.exe | Avira: Label: HEUR/AGEN.1032427
Antivirus detection for submitted file
Source: DOC000YUT60.exe | Avira: Label: HEUR/AGEN.1032427
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Music\regdrv.exe | virustotal: Detection: 60%
Source: C:\Users\user\Videos\Regdriver.exe | virustotal: Detection: 60%
Multi AV Scanner detection for submitted file
Source: DOC000YUT60.exe | virustotal: Detection: 60%
Antivirus detection for unpacked file
Source: 5.2.regdrv.exe.2580000.3.unpack | Avira: Label: BDS/DarkKomet.GS
Source: 6.0.regdrv.exe.400000.4.unpack | Avira: Label: BDS/DarkKomet.GS
Source: 6.2.regdrv.exe.400000.3.unpack | Avira: Label: BDS/DarkKomet.GS
Source: 3.0.regdrv.exe.400000.4.unpack | Avira: Label: BDS/DarkKomet.GS
Source: 2.2.regdrv.exe.25d0000.3.unpack | Avira: Label: BDS/DarkKomet.GS
Source: 6.1.regdrv.exe.400000.0.unpack | Avira: Label: BDS/DarkKomet.GS
Source: 6.0.regdrv.exe.400000.5.unpack | Avira: Label: BDS/DarkKomet.GS
Source: 3.2.regdrv.exe.400000.3.unpack | Avira: Label: BDS/DarkKomet.GS
Source: 3.0.regdrv.exe.400000.5.unpack | Avira: Label: BDS/DarkKomet.GS
Source: 3.1.regdrv.exe.400000.0.unpack | Avira: Label: BDS/DarkKomet.GS
Yara signature match
Source: 00000006.00000000.479399059.00400000.00000040.sdmp, type: MEMORY | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 00000006.00000001.481410763.00400000.00000040.sdmp, type: MEMORY | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 00000006.00000001.481410763.00400000.00000040.sdmp, type: MEMORY | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000006.00000000.479399059.00400000.00000040.sdmp, type: MEMORY | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000002.00000003.450764221.7F370000.00000004.sdmp, type: MEMORY | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000005.00000002.491857687.02580000.00000040.sdmp, type: MEMORY | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 00000005.00000002.491857687.02580000.00000040.sdmp, type: MEMORY | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000002.00000002.462554403.025D0000.00000040.sdmp, type: MEMORY | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 00000002.00000002.462554403.025D0000.00000040.sdmp, type: MEMORY | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000003.00000001.447610474.00400000.00000040.sdmp, type: MEMORY | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 00000003.00000001.447610474.00400000.00000040.sdmp, type: MEMORY | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000003.00000002.699224479.00400000.00000040.sdmp, type: MEMORY | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 00000003.00000002.699224479.00400000.00000040.sdmp, type: MEMORY | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000006.00000000.479959577.00400000.00000040.sdmp, type: MEMORY | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 00000006.00000000.479959577.00400000.00000040.sdmp, type: MEMORY | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000006.00000002.482534154.00400000.00000040.sdmp, type: MEMORY | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 00000006.00000002.482534154.00400000.00000040.sdmp, type: MEMORY | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000003.00000000.446776706.00400000.00000040.sdmp, type: MEMORY | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 00000003.00000000.446776706.00400000.00000040.sdmp, type: MEMORY | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000005.00000003.485657484.7F370000.00000004.sdmp, type: MEMORY | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000003.00000000.446217367.00400000.00000040.sdmp, type: MEMORY | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 00000003.00000000.446217367.00400000.00000040.sdmp, type: MEMORY | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 6.1.regdrv.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 6.1.regdrv.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 5.2.regdrv.exe.2580000.3.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 5.2.regdrv.exe.2580000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 6.2.regdrv.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 6.2.regdrv.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 6.0.regdrv.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 6.0.regdrv.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 2.2.regdrv.exe.25d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 2.2.regdrv.exe.25d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 5.2.regdrv.exe.2580000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 5.2.regdrv.exe.2580000.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 2.2.regdrv.exe.25d0000.3.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 2.2.regdrv.exe.25d0000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 6.0.regdrv.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 6.0.regdrv.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 6.1.regdrv.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 6.1.regdrv.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 3.2.regdrv.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 3.2.regdrv.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 6.0.regdrv.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 6.0.regdrv.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 6.2.regdrv.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 6.2.regdrv.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 3.0.regdrv.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 3.0.regdrv.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 3.2.regdrv.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 3.2.regdrv.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 3.0.regdrv.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 3.0.regdrv.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 3.0.regdrv.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 3.0.regdrv.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 3.0.regdrv.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 3.0.regdrv.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 6.0.regdrv.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 6.0.regdrv.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 3.1.regdrv.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 3.1.regdrv.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 3.1.regdrv.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 3.1.regdrv.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_DarkComet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Code function: 1_3_00342EA8 FindFirstFileA,GetLastError,1_3_00342EA8
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0040A488 FindFirstFileA,GetLastError,3_2_0040A488
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00406A68 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,3_2_00406A68
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00480FEC FindFirstFileA,3_2_00480FEC
Source: C:\Users\user\Videos\Regdriver.exe | Code function: 4_3_002A66A8 FindFirstFileA,GetLastError,4_3_002A66A8
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_0040A488 FindFirstFileA,GetLastError,6_2_0040A488
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00406A68 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,6_2_00406A68
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00480FEC FindFirstFileA,6_2_00480FEC

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.1.82:49188 -> 95.140.125.42:1908
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 95.140.125.42
Contains functionality to upload files via FTP
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00473560 FtpPutFileA,3_2_00473560
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00473560 FtpPutFileA,6_2_00473560
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: ORIONTELEKOM-ASRS ORIONTELEKOM-ASRS
Contains functionality to download additional files from the internet
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_004865E0 Sleep,TranslateMessage,DispatchMessageA,PeekMessageA,socket,ntohs,inet_addr,gethostbyname,connect,recv,shutdown,closesocket,3_2_004865E0
Urls found in memory or binary data
Source: regdrv.exe, 00000002.00000002.451751956.013B0000.00000004.sdmp | String found in binary or memory: http://SAC.home-page.org

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to capture and log keystrokes
Source: C:\Users\user\Music\regdrv.exe | Code function: [ESC] 3_2_004818F8
Source: C:\Users\user\Music\regdrv.exe | Code function: [F1] 3_2_004818F8
Source: C:\Users\user\Music\regdrv.exe | Code function: [F2] 3_2_004818F8
Source: C:\Users\user\Music\regdrv.exe | Code function: [DEL] 3_2_004818F8
Source: C:\Users\user\Music\regdrv.exe | Code function: [DEL] 3_2_004818F8
Source: C:\Users\user\Music\regdrv.exe | Code function: [INS] 3_2_004818F8
Source: C:\Users\user\Music\regdrv.exe | Code function: [SNAPSHOT] 3_2_004818F8
Source: C:\Users\user\Music\regdrv.exe | Code function: [LEFT] 3_2_004818F8
Source: C:\Users\user\Music\regdrv.exe | Code function: [RIGHT] 3_2_004818F8
Source: C:\Users\user\Music\regdrv.exe | Code function: [DOWN] 3_2_004818F8
Source: C:\Users\user\Music\regdrv.exe | Code function: [UP] 3_2_004818F8
Source: C:\Users\user\Music\regdrv.exe | Code function: [ESC] 6_2_004818F8
Source: C:\Users\user\Music\regdrv.exe | Code function: [F1] 6_2_004818F8
Source: C:\Users\user\Music\regdrv.exe | Code function: [F2] 6_2_004818F8
Source: C:\Users\user\Music\regdrv.exe | Code function: [DEL] 6_2_004818F8
Source: C:\Users\user\Music\regdrv.exe | Code function: [DEL] 6_2_004818F8
Source: C:\Users\user\Music\regdrv.exe | Code function: [INS] 6_2_004818F8
Source: C:\Users\user\Music\regdrv.exe | Code function: [SNAPSHOT] 6_2_004818F8
Source: C:\Users\user\Music\regdrv.exe | Code function: [LEFT] 6_2_004818F8
Source: C:\Users\user\Music\regdrv.exe | Code function: [RIGHT] 6_2_004818F8
Source: C:\Users\user\Music\regdrv.exe | Code function: [DOWN] 6_2_004818F8
Source: C:\Users\user\Music\regdrv.exe | Code function: [UP] 6_2_004818F8
Contains functionality to log keystrokes
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_004818F8 CallNextHookEx,CallNextHookEx,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,CallNextHookEx,3_2_004818F8
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_004818F8 CallNextHookEx,CallNextHookEx,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,CallNextHookEx,6_2_004818F8
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00481ED8 SetWindowsHookExA 0000000D,004818F8,00000000,00000000 3_2_00481ED8
Installs a global keyboard hook
Source: C:\Users\user\Music\regdrv.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Music\regdrv.exe
Contains functionality to read data from the clipboard
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0040838E OpenClipboard,3_2_0040838E
Contains functionality to read the clipboard data
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00428418 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,3_2_00428418
Contains functionality to record screenshots
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00428B08 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,3_2_00428B08
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_004818F8 CallNextHookEx,CallNextHookEx,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,CallNextHookEx,3_2_004818F8

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to change the wallpaper
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_0048BB34 SystemParametersInfoA,  6_2_0048BB34
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_00489E9C SystemParametersInfoA,  6_2_00489E9C

System Summary:

PE file contains more sections than normal
Source: Regdriver.exe.1.dr  Static PE information: Number of sections : 11 > 10
Source: DOC000YUT60.exe  Static PE information: Number of sections : 11 > 10
Source: regdrv.exe.1.dr  Static PE information: Number of sections : 11 > 10
PE file has a writeable .text section
Source: DOC000YUT60.exe  Static PE information: Section: .text IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Source: regdrv.exe.1.dr  Static PE information: Section: .text IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Source: Regdriver.exe.1.dr  Static PE information: Section: .text IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Contains functionality to call native functions
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_004865E0 Sleep,TranslateMessage,DispatchMessageA,PeekMessageA,socket,ntohs,inet_addr,gethostbyname,connect,recv,shutdown,closesocket,  3_2_004865E0
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_004801FC socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,recv,send,recv,recv,recv,shutdown,closesocket,  3_2_004801FC
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_004821A0 socket,ExitThread,inet_addr,ntohs,gethostbyname,ExitThread,sendto,Sleep,closesocket,ExitThread,  3_2_004821A0
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_0048851C socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,mouse_event,shutdown,closesocket,  3_2_0048851C
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_00460628 inet_addr,ntohs,  3_2_00460628
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_00482630 socket,ExitThread,inet_addr,ntohs,gethostbyname,ExitThread,connect,ExitThread,recv,Sleep,closesocket,ExitThread,  3_2_00482630
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_004607A4 getservbyname,ntohs,  3_2_004607A4
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_00480880 socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,shutdown,closesocket,shutdown,closesocket,  3_2_00480880
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_00486918 recv,recv,send,send,recv,send,send,send,send,send,recv,recv,recv,gethostbyname,ntohs,socket,connect,getsockname,send,select,recv,send,recv,send,Sleep,closesocket,closesocket,  3_2_00486918
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_0048298C socket,ExitThread,ntohs,inet_addr,gethostbyname,ExitThread,connect,closesocket,ExitThread,closesocket,ExitThread,  3_2_0048298C
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_00486E2C socket,ntohs,bind,listen,accept,LocalAlloc,CreateThread,CloseHandle,Sleep,ExitThread,  3_2_00486E2C
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_0048317C socket,ExitThread,ntohs,inet_addr,gethostbyname,ExitThread,connect,recv,recv,send,recv,shutdown,closesocket,ExitThread,  3_2_0048317C
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_00489244 socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,send,recv,shutdown,closesocket,ExitThread,  3_2_00489244
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_0047F4E0 socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,recv,recv,shutdown,closesocket,  3_2_0047F4E0
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_004836D8 socket,ExitThread,inet_addr,ntohs,gethostbyname,ExitThread,connect,ExitThread,recv,Sleep,closesocket,ExitThread,  3_2_004836D8
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_0047FA8C socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetDeviceCaps,GetDeviceCaps,BitBlt,send,recv,SelectObject,DeleteObject,DeleteObject,ReleaseDC,shutdown,closesocket,  3_2_0047FA8C
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_004801FC socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,recv,send,recv,recv,recv,shutdown,closesocket,  6_2_004801FC
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_004821A0 socket,ExitThread,inet_addr,ntohs,gethostbyname,ExitThread,sendto,Sleep,closesocket,ExitThread,  6_2_004821A0
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_0048851C socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,mouse_event,shutdown,closesocket,  6_2_0048851C
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_004865E0 Sleep,TranslateMessage,DispatchMessageA,PeekMessageA,socket,ntohs,inet_addr,gethostbyname,connect,recv,shutdown,closesocket,  6_2_004865E0
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_00460628 inet_addr,ntohs,  6_2_00460628
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_00482630 socket,ExitThread,inet_addr,ntohs,gethostbyname,ExitThread,connect,ExitThread,recv,Sleep,closesocket,ExitThread,  6_2_00482630
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_004607A4 getservbyname,ntohs,  6_2_004607A4
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_00480880 socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,shutdown,closesocket,shutdown,closesocket,  6_2_00480880
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_00486918 recv,recv,send,send,recv,send,send,send,send,send,recv,recv,recv,gethostbyname,ntohs,socket,connect,getsockname,send,select,recv,send,recv,send,Sleep,closesocket,closesocket,  6_2_00486918
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_0048298C socket,ExitThread,ntohs,inet_addr,gethostbyname,ExitThread,connect,closesocket,ExitThread,closesocket,ExitThread,  6_2_0048298C
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_00486E2C socket,ntohs,bind,listen,accept,LocalAlloc,CreateThread,CloseHandle,Sleep,ExitThread,  6_2_00486E2C
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_0048317C socket,ExitThread,ntohs,inet_addr,gethostbyname,ExitThread,connect,recv,recv,send,recv,shutdown,closesocket,ExitThread,  6_2_0048317C
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_00489244 socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,send,recv,shutdown,closesocket,ExitThread,  6_2_00489244
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_0047F4E0 socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,recv,recv,shutdown,closesocket,  6_2_0047F4E0
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_004836D8 socket,ExitThread,inet_addr,ntohs,gethostbyname,ExitThread,connect,ExitThread,recv,Sleep,closesocket,ExitThread,  6_2_004836D8
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_0047FA8C socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetDeviceCaps,GetDeviceCaps,BitBlt,send,recv,SelectObject,DeleteObject,DeleteObject,ReleaseDC,shutdown,closesocket,  6_2_0047FA8C
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_00487B54 CoInitialize,socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,send,recv,shutdown,closesocket,  6_2_00487B54
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_0047FE20 socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,send,shutdown,closesocket,  6_2_0047FE20
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_00485F40 socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,  6_2_00485F40
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_00487F2C socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,Sleep,send,recv,shutdown,closesocket,  6_2_00487F2C
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_00473F34 CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,TerminateProcess,  6_2_00473F34
Contains functionality to delete services
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_004715B0 OpenSCManagerA,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle,  3_2_004715B0
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_0048A070 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,  3_2_0048A070
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_0048A070 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,  6_2_0048A070
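The "Code function" lines above are the sandbox's raw evidence: an ordered list of imported API calls per function. Verdicts such as "Contains functionality to log keystrokes" (3_2_004818F8, the callback that SetWindowsHookExA registers with idHook 0xD = WH_KEYBOARD_LL), the process-hollowing sequence in 6_2_00473F34 (CreateProcessA, GetThreadContext, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread), the privilege adjustment before ExitWindowsEx, the screenshot pushed over a socket in 3_2_0047FA8C and the service creation are all obtained by matching known call chains against those lists. The Python below does the same over lines copied from this report; it is an added example, not Joe Sandbox code. The signature names and the chains are ours, chosen only from calls that appear in the report.

```python
"""Behaviour signatures from the ordered API call chains a sandbox prints per function.
Added example, not Joe Sandbox code; signature names and chains are ours."""
import re

# A function matches a signature when the chain occurs, in order, as a subsequence
# of its call list (other calls may sit in between). Chains are taken from calls
# visible in this report.
SIGNATURES = {
    "keystroke decoding in a hook callback":
        ["CallNextHookEx", "GetKeyboardState", "MapVirtualKeyA", "ToAscii"],
    "process hollowing":
        ["CreateProcessA", "GetThreadContext", "NtUnmapViewOfSection", "VirtualAllocEx",
         "WriteProcessMemory", "SetThreadContext", "ResumeThread"],
    "privilege adjustment then shutdown":
        ["OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges", "ExitWindowsEx"],
    "screen capture sent over a socket": ["socket", "connect", "BitBlt", "send"],
    "service installation": ["OpenSCManagerA", "CreateServiceA"],
    "listening socket with a thread per client": ["socket", "bind", "listen", "accept", "CreateThread"],
}
FUNC_ID = re.compile(r"\d+_\d+_[0-9A-Fa-f]{8}")      # <process>_<n>_<address>, as in 3_2_004818F8
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
HOOK_IDS = {2: "WH_KEYBOARD", 13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}


def parse_code_function(line):
    """(function_id, [api, ...]) for one 'Code function:' line, else None. The report
    prints the id before the calls (sometimes omitted) and again after them as the
    disassembly link; numeric arguments such as '0000000D' are dropped."""
    if "Code function:" not in line:
        return None
    body = line.split("Code function:", 1)[1].strip()
    ids = FUNC_ID.findall(body)
    if not ids:
        return None
    func_id = ids[0] if body.startswith(ids[0]) else ids[-1]
    calls = [t for t in re.split(r"[,\s]+", FUNC_ID.sub(" ", body)) if IDENT.fullmatch(t)]
    return func_id, calls


def contains_chain(calls, chain):
    """True when every API in chain appears in calls in that order, gaps allowed."""
    it = iter(calls)                       # 'x in it' consumes up to and including x
    return all(api in it for api in chain)


def match_signatures(report_lines):
    """Map function id -> names of the signatures whose chain that function contains."""
    hits = {}
    for line in report_lines:
        parsed = parse_code_function(line)
        if parsed is None:
            continue
        func_id, calls = parsed
        for name, chain in SIGNATURES.items():
            if contains_chain(calls, chain) and name not in hits.setdefault(func_id, []):
                hits[func_id].append(name)
    return hits


def describe_hook(line):
    """Decode a 'SetWindowsHookExA idHook,lpfn,hMod,dwThreadId' line. The report fuses
    dwThreadId with the trailing function id, so only its first eight hex digits count."""
    m = re.search(r"SetWindowsHookExA\s+([0-9A-Fa-f]{8}),([0-9A-Fa-f]{8}),([0-9A-Fa-f]{8}),([0-9A-Fa-f]{8})", line)
    if not m:
        return None
    id_hook, lpfn, hmod, thread_id = (int(x, 16) for x in m.groups())
    return {"hook": HOOK_IDS.get(id_hook, f"WH_{id_hook}"), "callback": lpfn, "hmod": hmod,
            "thread_id": thread_id, "global": thread_id == 0}   # 0 = all threads on the desktop


def functions_at(hits, address):
    """Matched function ids (any process) whose address equals the hook callback."""
    return sorted(f for f in hits if int(f.rsplit("_", 1)[1], 16) == address)


# Constructed input: lines copied from this report's findings.
REPORT_LINES = [
    "Source: C:\\Users\\user\\Music\\regdrv.exe Code function: 3_2_004818F8 CallNextHookEx,CallNextHookEx,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,CallNextHookEx,3_2_004818F8",
    "Source: C:\\Users\\user\\Music\\regdrv.exe Code function: 3_2_00481ED8 SetWindowsHookExA 0000000D,004818F8,00000000,000000003_2_00481ED8",
    "Source: C:\\Users\\user\\Music\\regdrv.exe Code function: 6_2_00473F34 CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,TerminateProcess,6_2_00473F34",
    "Source: C:\\Users\\user\\Music\\regdrv.exe Code function: 3_2_0048A070 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,3_2_0048A070",
    "Source: C:\\Users\\user\\Music\\regdrv.exe Code function: 3_2_0047FA8C socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetDeviceCaps,GetDeviceCaps,BitBlt,send,recv,SelectObject,DeleteObject,DeleteObject,ReleaseDC,shutdown,closesocket,3_2_0047FA8C",
    "Source: C:\\Users\\user\\Music\\regdrv.exe Code function: OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,3_2_00471850",
    "Source: C:\\Users\\user\\Music\\regdrv.exe Code function: 3_2_00486E2C socket,ntohs,bind,listen,accept,LocalAlloc,CreateThread,CloseHandle,Sleep,ExitThread,3_2_00486E2C",
    "Source: C:\\Users\\user\\Music\\regdrv.exe Code function: 3_2_00425A70 GetLastError,FormatMessageA,3_2_00425A70",
]

if __name__ == "__main__":
    hits = match_signatures(REPORT_LINES)
    for func_id, names in hits.items():
        print(func_id, "->", "; ".join(names))
    hook = describe_hook(REPORT_LINES[1])
    print(hook, "callback is", functions_at(hits, hook["callback"]))
```

Ordered-subsequence matching is what turns call lists into "Contains functionality to ..." verdicts, but it checks order only, not data flow (for example that the process handle from CreateProcessA is the one passed to WriteProcessMemory), so a hit is a triage lead rather than proof. That is why the report pairs such static hits with runtime observations like "Windows user hook set: 0 keyboard low level"; the decoder above ties the two together by resolving the lpfn argument 004818F8 of SetWindowsHookExA to the function that matched the keystroke chain.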
Creates mutexes
Source: C:\Users\user\Music\regdrv.exe  Mutant created: \Sessions\1\BaseNamedObjects\DCMIN_MUTEX-JY7PNMH
Detected potential crypto function
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_0034D07E  1_3_0034D07E
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_0034D9FC  1_3_0034D9FC
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_00347200  1_3_00347200
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_0034D29E  1_3_0034D29E
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_00351331  1_3_00351331
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_0034DBD8  1_3_0034DBD8
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_0034D4BC  1_3_0034D4BC
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_0034CCD1  1_3_0034CCD1
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_0034D566  1_3_0034D566
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_0034D568  1_3_0034D568
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_0034CDD6  1_3_0034CDD6
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_00347DCA  1_3_00347DCA
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_0034AFC9  1_3_0034AFC9
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_2_004021D8  1_2_004021D8
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_0034AFD4  1_3_0034AFD4
Source: C:\Users\user\Music\regdrv.exe  Code function: 2_2_004021D8  2_2_004021D8
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_00402370  3_2_00402370
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_004064C0  3_2_004064C0
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_0043E644  3_2_0043E644
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_004389B4  3_2_004389B4
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_0045EC78  3_2_0045EC78
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_0046ADBC  3_2_0046ADBC
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_0046797C  3_2_0046797C
Source: C:\Users\user\Videos\Regdriver.exe  Code function: 4_3_002B087E  4_3_002B087E
Source: C:\Users\user\Videos\Regdriver.exe  Code function: 4_3_002B11FC  4_3_002B11FC
Source: C:\Users\user\Videos\Regdriver.exe  Code function: 4_3_002AAA00  4_3_002AAA00
Source: C:\Users\user\Videos\Regdriver.exe  Code function: 4_3_002B0A9E  4_3_002B0A9E
Source: C:\Users\user\Videos\Regdriver.exe  Code function: 4_3_002B4B31  4_3_002B4B31
Source: C:\Users\user\Videos\Regdriver.exe  Code function: 4_3_002B13D8  4_3_002B13D8
Source: C:\Users\user\Videos\Regdriver.exe  Code function: 4_3_002B0CBC  4_3_002B0CBC
Source: C:\Users\user\Videos\Regdriver.exe  Code function: 4_3_002B04D1  4_3_002B04D1
Source: C:\Users\user\Videos\Regdriver.exe  Code function: 4_3_002B0D68  4_3_002B0D68
Source: C:\Users\user\Videos\Regdriver.exe  Code function: 4_3_002B0D66  4_3_002B0D66
Source: C:\Users\user\Videos\Regdriver.exe  Code function: 4_3_002AB5CA  4_3_002AB5CA
Source: C:\Users\user\Videos\Regdriver.exe  Code function: 4_3_002B05D6  4_3_002B05D6
Source: C:\Users\user\Videos\Regdriver.exe  Code function: 4_3_002AE7C9  4_3_002AE7C9
Source: C:\Users\user\Videos\Regdriver.exe  Code function: 4_2_004021D8  4_2_004021D8
Source: C:\Users\user\Videos\Regdriver.exe  Code function: 4_3_002AE7D4  4_3_002AE7D4
Source: C:\Users\user\Music\regdrv.exe  Code function: 5_2_004021D8  5_2_004021D8
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_00402370  6_2_00402370
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_004064C0  6_2_004064C0
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_0043E644  6_2_0043E644
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_004389B4  6_2_004389B4
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_0045EC78  6_2_0045EC78
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_0046ADBC  6_2_0046ADBC
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_0046797C  6_2_0046797C
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_00469B90  6_2_00469B90
Enables driver privileges
Source: C:\Users\user\Music\regdrv.exe  Process token adjusted: Load Driver
Enables security privileges
Source: C:\Users\user\Music\regdrv.exe  Process token adjusted: Security
Found potential string decryption / allocating functions
Source: C:\Users\user\Music\regdrv.exe  Code function: String function: 00407B10 appears 276 times
Source: C:\Users\user\Music\regdrv.exe  Code function: String function: 004735E8 appears 75 times
Source: C:\Users\user\Music\regdrv.exe  Code function: String function: 00407688 appears 36 times
Source: C:\Users\user\Music\regdrv.exe  Code function: String function: 00407B08 appears 65 times
Source: C:\Users\user\Music\regdrv.exe  Code function: String function: 004100C4 appears 40 times
Source: C:\Users\user\Music\regdrv.exe  Code function: String function: 00405584 appears 117 times
Source: C:\Users\user\Music\regdrv.exe  Code function: String function: 00406F68 appears 32 times
Source: C:\Users\user\Music\regdrv.exe  Code function: String function: 00474D58 appears 46 times
Source: C:\Users\user\Music\regdrv.exe  Code function: String function: 0040EF4C appears 42 times
Source: C:\Users\user\Music\regdrv.exe  Code function: String function: 004055C8 appears 72 times
Source: C:\Users\user\Music\regdrv.exe  Code function: String function: 004043B0 appears 46 times
Source: C:\Users\user\Music\regdrv.exe  Code function: String function: 0041163C appears 38 times
Source: C:\Users\user\Music\regdrv.exe  Code function: String function: 00405974 appears 32 times
Source: C:\Users\user\Music\regdrv.exe  Code function: String function: 00404F34 appears 36 times
Source: C:\Users\user\Music\regdrv.exe  Code function: String function: 00405818 appears 40 times
Source: C:\Users\user\Music\regdrv.exe  Code function: String function: 00404F10 appears 162 times
Source: C:\Users\user\Music\regdrv.exe  Code function: String function: 004218E4 appears 149 times
Source: C:\Users\user\Music\regdrv.exe  Code function: String function: 00404A1C appears 32 times
Source: C:\Users\user\Music\regdrv.exe  Code function: String function: 00405554 appears 31 times
Source: C:\Users\user\Music\regdrv.exe  Code function: String function: 00405530 appears 130 times
Source: C:\Users\user\Music\regdrv.exe  Code function: String function: 004104C4 appears 42 times
Source: C:\Users\user\Music\regdrv.exe  Code function: String function: 00405864 appears 57 times
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: String function: 00404F10 appears 81 times
Source: C:\Users\user\Videos\Regdriver.exe  Code function: String function: 00404F10 appears 81 times
PE file contains strange resources
Source: DOC000YUT60.exe  Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: DOC000YUT60.exe  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DOC000YUT60.exe  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DOC000YUT60.exe  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DOC000YUT60.exe  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: regdrv.exe.1.dr  Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: regdrv.exe.1.dr  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: regdrv.exe.1.dr  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: regdrv.exe.1.dr  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: regdrv.exe.1.dr  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Regdriver.exe.1.dr  Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Regdriver.exe.1.dr  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Regdriver.exe.1.dr  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Regdriver.exe.1.dr  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Regdriver.exe.1.dr  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name differs from the original file name in the version info
Source: DOC000YUT60.exe  Binary or memory string: OriginalFilenamePeaZip. vs DOC000YUT60.exe
PE file has a writable .reloc section
Source: DOC000YUT60.exe  Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Source: regdrv.exe.1.dr  Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Source: Regdriver.exe.1.dr  Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
PE file contains an invalid data directory
Source: DOC000YUT60.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: regdrv.exe.1.dr  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: Regdriver.exe.1.dr  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Classification label
Source: classification engine  Classification label: mal100.rans.troj.spyw.evad.winEXE@10/5@0/1
Contains functionality for error logging
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_00425A70 GetLastError,FormatMessageA,  3_2_00425A70
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_0048AEA8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetLastError,  3_2_0048AEA8
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_0048A070 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,  3_2_0048A070
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_0048AEA8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetLastError,  6_2_0048AEA8
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_0048A070 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,  6_2_0048A070
Contains functionality to check free disk space
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_0040A746 GetDiskFreeSpaceA,  3_2_0040A746
Contains functionality to create services
Source: C:\Users\user\Music\regdrv.exe  Code function: OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,  3_2_00471850
Source: C:\Users\user\Music\regdrv.exe  Code function: OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,  6_2_00471850
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_2_00407D92 CoCreateInstance,  1_2_00407D92
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_0048DDE0 FindResourceA,LoadResource,SizeofResource,LockResource,FreeResource,  3_2_0048DDE0
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_004714B8 OpenSCManagerA,OpenServiceA,StartServiceA,ControlService,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,  3_2_004714B8
Creates files inside the user directory
Source: C:\Users\user\Desktop\DOC000YUT600.exe  File created: C:\Users\user\Music\regdrv.exe
Parts of this application use Borland Delphi (probably coded in Delphi)
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Source: C:\Users\user\Music\regdrv.exe  Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Source: C:\Users\user\Music\regdrv.exe  Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Source: C:\Users\user\Videos\Regdriver.exe  Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Source: C:\Users\user\Music\regdrv.exe  Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Source: C:\Users\user\Music\regdrv.exe  Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Reads ini files
Source: C:\Users\user\Desktop\DOC000YUT600.exe  File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: DOC000YUT60.exe  virustotal: Detection: 60%
Spawns processes
Source: unknown  Process created: C:\Users\user\Desktop\DOC000YUT600.exe 'C:\Users\user\Desktop\DOC000YUT600.exe'
Source: unknown  Process created: C:\Users\user\Music\regdrv.exe 'C:\Users\user\Music\regdrv.exe'
Source: unknown  Process created: C:\Users\user\Music\regdrv.exe C:\Users\user\Music\regdrv.exe
Source: unknown  Process created: C:\Users\user\Videos\Regdriver.exe 'C:\Users\user\Videos\Regdriver.exe'
Source: unknown  Process created: C:\Users\user\Music\regdrv.exe 'C:\Users\user\Music\regdrv.exe'
Source: unknown  Process created: C:\Users\user\Music\regdrv.exe C:\Users\user\Music\regdrv.exe
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Process created: C:\Users\user\Music\regdrv.exe 'C:\Users\user\Music\regdrv.exe'
Source: C:\Users\user\Music\regdrv.exe  Process created: C:\Users\user\Music\regdrv.exe C:\Users\user\Music\regdrv.exe
Source: C:\Users\user\Videos\Regdriver.exe  Process created: C:\Users\user\Music\regdrv.exe 'C:\Users\user\Music\regdrv.exe'
Source: C:\Users\user\Music\regdrv.exe  Process created: C:\Users\user\Music\regdrv.exe C:\Users\user\Music\regdrv.exe
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder  Window detected: More than 3 window changes detected
Submission file is bigger than most known malware samples
Source: DOC000YUT60.exe  Static file information: File size 1816064 > 1048576
PE file has a big raw section
Source: DOC000YUT60.exe  Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x16f800

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_0034FD78 LoadLibraryA,GetProcAddress,GetModuleHandleA,  1_3_0034FD78
Entry point lies outside standard sections
Source: initial sample  Static PE information: section where entry point is pointing to: .data
PE file contains an invalid checksum
Source: Regdriver.exe.1.dr  Static PE information: real checksum: 0xf110a should be: 0x1bf325
Source: DOC000YUT60.exe  Static PE information: real checksum: 0xf110a should be: 0x1bf325
Source: regdrv.exe.1.dr  Static PE information: real checksum: 0xf110a should be: 0x1bf325
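The two findings directly above (entry point in .data, CheckSum field not matching the image) and the System Summary findings on the same three files (11 sections, writable .text and .reloc, a non-empty IMAGE_DIRECTORY_ENTRY_RESERVED entry) are all read straight from the PE headers, so they can be re-derived from the sample without running it. The Python below does that with the standard library only; it is an added example, not Joe Sandbox code and not part of this report. The set of "standard" code section names and the treatment of a zero CheckSum field as "never set" rather than "wrong" are assumptions; the thresholds (10 sections, 0x100000 raw size) are the ones the report's own messages state. The sample PE it builds is constructed to reproduce the report's anomalies and is not the analysed binary.

```python
"""Static PE header triage re-deriving a sandbox report's PE anomalies (PE32 and PE32+).
Added example, not Joe Sandbox code; standard library only."""
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DIRECTORY_ENTRY_RESERVED = 15
STANDARD_CODE_SECTIONS = {".text", "CODE", ".code"}  # assumption: where an entry point belongs
MAX_NORMAL_SECTIONS = 10                             # report: "Number of sections : 11 > 10"
BIG_RAW_SECTION = 0x100000                           # report: "bigger than: 0x100000"


def parse_pe(data):
    """Parse the COFF, optional and section headers of an in-memory PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    checksum_off = opt + 64                          # CheckSum sits at +64 in both formats
    ndirs_off = opt + (108 if pe32plus else 92)      # NumberOfRvaAndSizes
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": data[off:off + 8].rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "chars": struct.unpack_from("<I", data, off + 36)[0]})
    return {"entry": struct.unpack_from("<I", data, opt + 16)[0],   # AddressOfEntryPoint
            "checksum": struct.unpack_from("<I", data, checksum_off)[0],
            "checksum_off": checksum_off, "sections": sections,
            "dirs": [struct.unpack_from("<II", data, ndirs_off + 4 + 8 * i) for i in range(ndirs)]}


def pe_checksum(data, checksum_off):
    """Standard PE checksum (what CheckSumMappedFile yields): fold every dword except the
    CheckSum field itself into 16 bits, then add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i != (checksum_off & ~3):
            total += struct.unpack_from("<I", padded, i)[0]
            if total >= 1 << 32:
                total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def section_for_rva(sections, rva):
    return next((s for s in sections
                 if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"])), None)


def static_findings(data):
    """Return (rule, detail) pairs worded like the report's System Summary lines."""
    pe, out = parse_pe(data), []
    if len(pe["sections"]) > MAX_NORMAL_SECTIONS:
        out.append(("PE file contains more sections than normal",
                    f"Number of sections : {len(pe['sections'])} > {MAX_NORMAL_SECTIONS}"))
    for s in pe["sections"]:
        if s["name"] in (".text", ".reloc") and s["chars"] & IMAGE_SCN_MEM_WRITE:
            out.append((f"PE file has a writeable {s['name']} section", f"Characteristics {s['chars']:#010x}"))
        if s["raw_size"] > BIG_RAW_SECTION:
            out.append(("PE file has a big raw section", f"Raw size of {s['name']} is {s['raw_size']:#x}"))
    ep = section_for_rva(pe["sections"], pe["entry"])
    if ep is None or ep["name"] not in STANDARD_CODE_SECTIONS:
        out.append(("Entry point lies outside standard sections", ep["name"] if ep else "no section"))
    real = pe_checksum(data, pe["checksum_off"])
    if pe["checksum"] and pe["checksum"] != real:    # assumption: a zero field was never set
        out.append(("PE file contains an invalid checksum",
                    f"real checksum: {pe['checksum']:#x} should be: {real:#x}"))
    if len(pe["dirs"]) > IMAGE_DIRECTORY_ENTRY_RESERVED and any(pe["dirs"][IMAGE_DIRECTORY_ENTRY_RESERVED]):
        rva, size = pe["dirs"][IMAGE_DIRECTORY_ENTRY_RESERVED]
        out.append(("PE file contains an invalid data directory",
                    f"IMAGE_DIRECTORY_ENTRY_RESERVED size: {size:#x} address: {rva:#x}"))
    return out


def build_sample_pe():
    """Constructed PE32 reproducing the report's header anomalies; not the analysed binary."""
    names = [".text", ".data", ".rsrc", ".reloc"] + [f".pad{i}" for i in range(7)]  # 11 sections
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 64))           # e_lfanew = 64
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 224, 0x0102)
    hdr += struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 2, 25, 0x200, 0x1400, 0,
                       0x2010,                       # AddressOfEntryPoint inside .data, not .text
                       0x1000, 0x2000, 0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0,
                       0x1000 * (len(names) + 1), 0x400, 0xF110A,   # CheckSum: the report's wrong value
                       2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    for i in range(16):                              # only the reserved directory is non-zero
        hdr += struct.pack("<II", 0, 0x100000 if i == IMAGE_DIRECTORY_ENTRY_RESERVED else 0)
    body = b""
    for i, name in enumerate(names):
        chars = 0x40000040 | (IMAGE_SCN_MEM_WRITE if name in (".text", ".data", ".reloc") else 0)
        hdr += struct.pack("<8sIIIIIIHHI", name.encode(), 0x1000, 0x1000 * (i + 1), 0x200,
                           0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        body += bytes([i]) * 0x200
    return bytes(hdr + b"\0" * (0x400 - len(hdr))) + body


SAMPLE_PE = build_sample_pe()
```

Run `static_findings(open(path, "rb").read())` against a dropped file to get the same six rule names the report prints for DOC000YUT60.exe, regdrv.exe and Regdriver.exe. A wrong CheckSum is only meaningful when the field is non-zero: a linker that does not compute it leaves 0, which is not what is seen here, where all three files carry the identical stale value 0xf110a, consistent with a packed or patched image that was never re-checksummed.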
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_00344D14 push 00344D51h; ret  1_3_00344D49
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_003421DD push eax; ret  1_3_00342219
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_0034C1D9 push esp; retn 0034h  1_3_0034C1E9
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_0034E24C push ecx; mov dword ptr [esp], edx  1_3_0034E251
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_003422AD push 003424B9h; ret  1_3_003424B1
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_0034FB3C push ebx; ret  1_3_0034FB5D
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_0034FB3C push eax; ret  1_3_0034FB81
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_0034232E push 003424B9h; ret  1_3_003424B1
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_003423AB push 003424B9h; ret  1_3_003424B1
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_00342410 push 003424B9h; ret  1_3_003424B1
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_0035049E push eax; ret  1_3_003504CB
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_0034CCD1 push ecx; mov dword ptr [esp], edx  1_3_0034CCF1
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_0034CDD6 push ecx; mov dword ptr [esp], edx  1_3_0034CDDD
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_3_00347DCA push ecx; mov dword ptr [esp], eax  1_3_00347DE1
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_2_0040E17C push ecx; mov dword ptr [esp], edx  1_2_0040E181
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_2_0041F100 push ecx; mov dword ptr [esp], edx  1_2_0041F105
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_2_0041B238 push ecx; mov dword ptr [esp], edx  1_2_0041B23A
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_2_004172A8 push ecx; mov dword ptr [esp], edx  1_2_004172AD
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_2_004194A4 push ecx; mov dword ptr [esp], edx  1_2_004194A5
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_2_00417504 push ecx; mov dword ptr [esp], edx  1_2_00417509
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_2_00417668 push ecx; mov dword ptr [esp], edx  1_2_0041766D
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_2_00417624 push ecx; mov dword ptr [esp], edx  1_2_00417629
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_2_0041E6B0 push ecx; mov dword ptr [esp], edx  1_2_0041E6B2
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_2_0041577C push 004157C9h; ret  1_2_004157C1
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_2_0040E816 push 0040EAC2h; ret  1_2_0040EABA
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_2_00403B70 push eax; ret  1_2_00403BAC
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_2_00414D6E push 00414DE6h; ret  1_2_00414DDE
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_2_0041FE36 push 0041FEE3h; ret  1_2_0041FEDB
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Code function: 1_2_00406E8E push 00406EEBh; ret  1_2_00406EE3
Source: C:\Users\user\Music\regdrv.exe  Code function: 2_2_0040E17C push ecx; mov dword ptr [esp], edx  2_2_0040E181
Source: C:\Users\user\Music\regdrv.exe  Code function: 2_2_0041F100 push ecx; mov dword ptr [esp], edx  2_2_0041F105

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\DOC000YUT600.exe  File created: C:\Users\user\Music\regdrv.exe
Source: C:\Users\user\Desktop\DOC000YUT600.exe  File created: C:\Users\user\Videos\Regdriver.exe

Boot Survival:

Contains functionality to start windows services
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_004714B8 OpenSCManagerA,OpenServiceA,StartServiceA,ControlService,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,  3_2_004714B8
Creates an autostart registry key
Source: C:\Users\user\Music\regdrv.exe  Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run  Registry Driver
Source: C:\Users\user\Music\regdrv.exe  Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run  Registry Driver

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_0042E370 IsIconic,GetWindowPlacement,GetWindowRect,  3_2_0042E370
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_00458910 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,  3_2_00458910
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_004576CC IsIconic,GetCapture,  3_2_004576CC
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_0043B75C IsIconic,  3_2_0043B75C
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_0043B7D8 GetWindowLongA,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongA,SetWindowLongA,ShowWindow,ShowWindow,  3_2_0043B7D8
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_0042E370 IsIconic,GetWindowPlacement,GetWindowRect,  6_2_0042E370
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_00458910 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,  6_2_00458910
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_004576CC IsIconic,GetCapture,  6_2_004576CC
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_0043B75C IsIconic,  6_2_0043B75C
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_0043B7D8 GetWindowLongA,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongA,SetWindowLongA,ShowWindow,ShowWindow,  6_2_0043B7D8
Source: C:\Users\user\Music\regdrv.exe  Code function: 6_2_00457FD4 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,  6_2_00457FD4
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Music\regdrv.exe  Code function: 3_2_00460AC0 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,  3_2_00460AC0
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DOC000YUT600.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Videos\Regdriver.exe  Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Music\regdrv.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Contains functionality to enumerate running services
Source: C:\Users\user\Music\regdrv.exe | Code function: OpenSCManagerA,EnumServicesStatusA,CloseServiceHandle,3_2_00471640
Source: C:\Users\user\Music\regdrv.exe | Code function: OpenSCManagerA,EnumServicesStatusA,CloseServiceHandle,6_2_00471640
Found evasive API chain (date check)
Source: C:\Users\user\Music\regdrv.exe | Evasive API call chain: GetLocalTime,DecisionNodes
Found evasive API chain checking for process token information
Source: C:\Users\user\Music\regdrv.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Found a large amount of non-executed APIs
Source: C:\Users\user\Music\regdrv.exe | API coverage: 6.5 %
Source: C:\Users\user\Music\regdrv.exe | API coverage: 4.0 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Music\regdrv.exe TID: 3516 | Thread sleep count: 92 > 30
Source: C:\Users\user\Music\regdrv.exe TID: 3516 | Thread sleep time: -92000s >= -60000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Music\regdrv.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Code function: 1_3_00342EA8 FindFirstFileA,GetLastError,1_3_00342EA8
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0040A488 FindFirstFileA,GetLastError,3_2_0040A488
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00406A68 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,3_2_00406A68
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00480FEC FindFirstFileA,3_2_00480FEC
Source: C:\Users\user\Videos\Regdriver.exe | Code function: 4_3_002A66A8 FindFirstFileA,GetLastError,4_3_002A66A8
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_0040A488 FindFirstFileA,GetLastError,6_2_0040A488
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00406A68 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,6_2_00406A68
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00480FEC FindFirstFileA,6_2_00480FEC
Program exit points
Source: C:\Users\user\Music\regdrv.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Music\regdrv.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Music\regdrv.exe | API call chain: ExitProcess graph end node

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Users\user\Music\regdrv.exe | File opened: SIWDEBUG
Source: C:\Users\user\Music\regdrv.exe | File opened: NTICE
Source: C:\Users\user\Music\regdrv.exe | File opened: SICE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Code function: 1_3_0034FD78 LoadLibraryA,GetProcAddress,GetModuleHandleA,1_3_0034FD78
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00466038 FreeLibrary,VirtualFree,GetProcessHeap,HeapFree,3_2_00466038
Enables debug privileges
Source: C:\Users\user\Music\regdrv.exe | Process token adjusted: Debug
Source: C:\Users\user\Music\regdrv.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00473F34 CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,TerminateProcess,6_2_00473F34
Injects a PE file into a foreign process
Source: C:\Users\user\Music\regdrv.exe | Memory written: C:\Users\user\Music\regdrv.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Music\regdrv.exe | Memory written: C:\Users\user\Music\regdrv.exe base: 400000 value starts with: 4D5A
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Music\regdrv.exe | Thread register set: target process: 3468
Source: C:\Users\user\Music\regdrv.exe | Thread register set: target process: 3540
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0048A218 ShellExecuteExA,3_2_0048A218
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0048B42C keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,3_2_0048B42C
Contains functionality to simulate mouse events
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0048851C socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,mouse_event,shutdown,closesocket,3_2_0048851C
May try to detect the Windows Explorer process (often used for injection)
Source: regdrv.exe, 00000002.00000003.450764221.7F370000.00000004.sdmp | Binary or memory string: Shell_traywndTrayNotifyWndTrayClockWClassjh<
Source: regdrv.exe | Binary or memory string: Shell_TrayWnd
Source: regdrv.exe | Binary or memory string: Progman
Source: 2018-08-29-4.dc.3.dr | Binary or memory string: :: Program Manager (10:00:23 AM)
Source: regdrv.exe, 00000002.00000003.450764221.7F370000.00000004.sdmp | Binary or memory string: Shell_TrayWndjjh
Source: regdrv.exe, 00000002.00000003.450764221.7F370000.00000004.sdmp | Binary or memory string: Progmanjhh
Source: regdrv.exe, 00000002.00000003.450764221.7F370000.00000004.sdmp | Binary or memory string: Shell_traywndTrayNotifyWndjh
Source: regdrv.exe, 00000002.00000003.450764221.7F370000.00000004.sdmp | Binary or memory string: ProgmanU
Source: regdrv.exe, 00000002.00000003.450764221.7F370000.00000004.sdmp | Binary or memory string: Shell_traywndTrayNotifyWndTrayClockWClassjh
Source: regdrv.exe, 00000002.00000003.450764221.7F370000.00000004.sdmp | Binary or memory string: ButtonShell_TrayWndj
Source: regdrv.exe, 00000002.00000003.450764221.7F370000.00000004.sdmp | Binary or memory string: Shell_traywndReBarWindow32jh
Source: regdrv.exe, 00000002.00000003.450764221.7F370000.00000004.sdmp | Binary or memory string: Shell_traywndReBarWindow32jhD
Source: regdrv.exe | Binary or memory string: Shell_traywnd
Source: regdrv.exe, 00000002.00000003.450764221.7F370000.00000004.sdmp | Binary or memory string: Shell_TrayWndPjjh

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Code function: GetLocaleInfoA,1_3_00343A28
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Code function: GetLocaleInfoA,1_3_00343A74
Source: C:\Users\user\Music\regdrv.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,3_2_00406C2C
Source: C:\Users\user\Music\regdrv.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,3_2_00406D38
Source: C:\Users\user\Music\regdrv.exe | Code function: GetLocaleInfoA,3_2_0048CEEC
Source: C:\Users\user\Music\regdrv.exe | Code function: GetLocaleInfoA,3_2_0040D334
Source: C:\Users\user\Music\regdrv.exe | Code function: GetLocaleInfoA,3_2_0040D380
Source: C:\Users\user\Videos\Regdriver.exe | Code function: GetLocaleInfoA,4_3_002A7228
Source: C:\Users\user\Videos\Regdriver.exe | Code function: GetLocaleInfoA,4_3_002A7274
Source: C:\Users\user\Music\regdrv.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,6_2_00406C2C
Source: C:\Users\user\Music\regdrv.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,6_2_00406D38
Source: C:\Users\user\Music\regdrv.exe | Code function: GetLocaleInfoA,6_2_0048CEEC
Source: C:\Users\user\Music\regdrv.exe | Code function: GetLocaleInfoA,6_2_0040D334
Source: C:\Users\user\Music\regdrv.exe | Code function: GetLocaleInfoA,6_2_0040D380
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Code function: 1_3_0034C02C cpuid 1_3_0034C02C
Queries the volume information (name, serial number etc.) of a device
Source: C:\Users\user\Music\regdrv.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Music\regdrv.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Code function: 1_3_003439A4 GetLocalTime,1_3_003439A4
Contains functionality to query the account / user name
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0048CE74 GetUserNameA,3_2_0048CE74
Contains functionality to query the Windows version
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Code function: 1_3_00344440 GetVersionExA,1_3_00344440

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00486E2C socket,ntohs,bind,listen,accept,LocalAlloc,CreateThread,CloseHandle,Sleep,ExitThread,3_2_00486E2C
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00486E2C socket,ntohs,bind,listen,accept,LocalAlloc,CreateThread,CloseHandle,Sleep,ExitThread,6_2_00486E2C

Behavior Graph

Behavior Graph ID: 648369 | Sample: DOC000YUT600.scr | Start date: 29/08/2018 | Architecture: WINDOWS | Score: 100

Signatures on the submitted sample: Antivirus detection for submitted file; Multi AV Scanner detection for submitted file; PE file contains more sections than normal; 3 other signatures

Process tree (with dropped files, network contacts and per-process signatures):
  • DOC000YUT600.exe (started)
    Dropped: C:\Users\user\Videos\Regdriver.exe (PE32); C:\Users\user\Music\regdrv.exe (PE32); C:\Users\...\Regdriver.exe:Zone.Identifier (ASCII); C:\Users\user\...\regdrv.exe:Zone.Identifier (ASCII)
    • regdrv.exe (started)
      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Contains functionality to log keystrokes; 6 other signatures
      • regdrv.exe (started)
        Network: 95.140.125.42, remote port 1908, local port 49188, ORIONTELEKOM-ASRS, Serbia
        Signatures: Installs a global keyboard hook; Detected TCP or UDP traffic on non-standard ports (on the network connection)
  • Regdriver.exe (started)
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
    • regdrv.exe (started)
      Signatures: Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign process
      • regdrv.exe (started)

Simulations

Behavior and APIs

Time | Type | Description
09:59:41 | API Interceptor | 2x Sleep call for process: DOC000YUT600.exe modified
09:59:48 | API Interceptor | 6x Sleep call for process: regdrv.exe modified
09:59:54 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Registry Driver C:\Users\user\Videos\Regdriver.exe
09:59:56 | API Interceptor | 2x Sleep call for process: Regdriver.exe modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
DOC000YUT60.exe | 61% | virustotal |
DOC000YUT60.exe | 9% | metadefender |
DOC000YUT60.exe | 100% | Avira | HEUR/AGEN.1032427

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\Videos\Regdriver.exe | 100% | Avira | HEUR/AGEN.1032427
C:\Users\user\Music\regdrv.exe | 100% | Avira | HEUR/AGEN.1032427
C:\Users\user\Music\regdrv.exe | 61% | virustotal |
C:\Users\user\Music\regdrv.exe | 9% | metadefender |
C:\Users\user\Videos\Regdriver.exe | 61% | virustotal |
C:\Users\user\Videos\Regdriver.exe | 9% | metadefender |

Unpacked PE Files

Source | Detection | Scanner | Label
5.2.regdrv.exe.2580000.3.unpack | 100% | Avira | BDS/DarkKomet.GS
6.0.regdrv.exe.400000.4.unpack | 100% | Avira | BDS/DarkKomet.GS
6.2.regdrv.exe.400000.3.unpack | 100% | Avira | BDS/DarkKomet.GS
3.0.regdrv.exe.400000.4.unpack | 100% | Avira | BDS/DarkKomet.GS
2.2.regdrv.exe.25d0000.3.unpack | 100% | Avira | BDS/DarkKomet.GS
6.1.regdrv.exe.400000.0.unpack | 100% | Avira | BDS/DarkKomet.GS
6.0.regdrv.exe.400000.5.unpack | 100% | Avira | BDS/DarkKomet.GS
3.2.regdrv.exe.400000.3.unpack | 100% | Avira | BDS/DarkKomet.GS
3.0.regdrv.exe.400000.5.unpack | 100% | Avira | BDS/DarkKomet.GS
3.1.regdrv.exe.400000.0.unpack | 100% | Avira | BDS/DarkKomet.GS

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://SAC.home-page.org | 0% | virustotal |

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000006.00000000.479399059.00400000.00000040.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
00000006.00000001.481410763.00400000.00000040.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
00000006.00000001.481410763.00400000.00000040.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
00000006.00000000.479399059.00400000.00000040.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
00000002.00000003.450764221.7F370000.00000004.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
00000005.00000002.491857687.02580000.00000040.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
00000005.00000002.491857687.02580000.00000040.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
00000002.00000002.462554403.025D0000.00000040.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
00000002.00000002.462554403.025D0000.00000040.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
00000003.00000001.447610474.00400000.00000040.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
00000003.00000001.447610474.00400000.00000040.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
00000003.00000002.699224479.00400000.00000040.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
00000003.00000002.699224479.00400000.00000040.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
00000006.00000000.479959577.00400000.00000040.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
00000006.00000000.479959577.00400000.00000040.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
00000006.00000002.482534154.00400000.00000040.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
00000006.00000002.482534154.00400000.00000040.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
00000003.00000000.446776706.00400000.00000040.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
00000003.00000000.446776706.00400000.00000040.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
00000005.00000003.485657484.7F370000.00000004.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
00000003.00000000.446217367.00400000.00000040.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
00000003.00000000.446217367.00400000.00000040.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>

Unpacked PEs

Source | Rule | Description | Author
6.1.regdrv.exe.400000.0.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
6.1.regdrv.exe.400000.0.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
5.2.regdrv.exe.2580000.3.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
5.2.regdrv.exe.2580000.3.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
6.2.regdrv.exe.400000.3.raw.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
6.2.regdrv.exe.400000.3.raw.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
6.0.regdrv.exe.400000.5.raw.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
6.0.regdrv.exe.400000.5.raw.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
2.2.regdrv.exe.25d0000.3.raw.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
2.2.regdrv.exe.25d0000.3.raw.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
5.2.regdrv.exe.2580000.3.raw.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
5.2.regdrv.exe.2580000.3.raw.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
2.2.regdrv.exe.25d0000.3.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
2.2.regdrv.exe.25d0000.3.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
6.0.regdrv.exe.400000.4.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
6.0.regdrv.exe.400000.4.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
6.1.regdrv.exe.400000.0.raw.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
6.1.regdrv.exe.400000.0.raw.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
3.2.regdrv.exe.400000.3.raw.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
3.2.regdrv.exe.400000.3.raw.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
6.0.regdrv.exe.400000.5.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
6.0.regdrv.exe.400000.5.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
6.2.regdrv.exe.400000.3.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
6.2.regdrv.exe.400000.3.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
3.0.regdrv.exe.400000.4.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
3.0.regdrv.exe.400000.4.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
3.2.regdrv.exe.400000.3.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
3.2.regdrv.exe.400000.3.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
3.0.regdrv.exe.400000.5.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
3.0.regdrv.exe.400000.5.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
3.0.regdrv.exe.400000.4.raw.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
3.0.regdrv.exe.400000.4.raw.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
3.0.regdrv.exe.400000.5.raw.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
3.0.regdrv.exe.400000.5.raw.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
6.0.regdrv.exe.400000.4.raw.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
6.0.regdrv.exe.400000.4.raw.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
3.1.regdrv.exe.400000.0.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
3.1.regdrv.exe.400000.0.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
3.1.regdrv.exe.400000.0.raw.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
3.1.regdrv.exe.400000.0.raw.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match: ORIONTELEKOM-ASRS (16 associated sample entries, all flagged malicious)

Dropped Files

No context

Screenshots