0761d457...5af4 | Files
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Trojan
Master Boot Record Changes

Sector Number | Sector Size
2063 | 512 bytes
Files

Filename | Category | Type | Severity
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ShrugTwo.exe | Sample File | Binary | Malicious

Mime Type: application/vnd.microsoft.portable-executable
File Size: 566.00 KB
MD5: e1a0d2c243b13462fae23efc1c153832
SHA1: d981f405e8426bae262fa203eefdfc9057b7f7b1
SHA256: 0761d457fc499631b8da39898ac7207530cb419cb6cbf8b01c689dcc6d635af4
SSDeep: 12288:tRXEyRxsMGLHc95PaC0qtLGvLLSkkg6z5eTHIxG6F/KTdRZ5pnr09m:tR0EOMkw5Payt6vxHa4Elit3r09m
ImpHash: f34d5f2d4577ed6d9ceec516c1f5a744
Parser Error Remark: Static engine was unable to completely parse the analyzed file
File Reputation Information

Severity: Blacklisted
First Seen: 2019-12-26 04:21 (UTC+1)
Last Seen: 2019-12-26 06:22 (UTC+1)
Names: ByteCode-MSIL.Trojan.Shrug
Families: Shrug
Classification: Trojan
PE Information

Image Base: 0x400000
Entry Point: 0x48e06e
Size Of Code: 0x8c200
Size Of Initialized Data: 0x1400
File Type: FileType.executable
Subsystem: Subsystem.windows_gui
Machine Type: MachineType.i386
Compile Timestamp: 2018-07-11 19:52:03+00:00
Version Information (11)

Assembly Version: 1.0.0.0
Comments: -
CompanyName: -
FileDescription: ShrugTwo
FileVersion: 1.0.0.0
InternalName: ShrugTwo.exe
LegalCopyright: Copyright © 2018
LegalTrademarks: -
OriginalFilename: ShrugTwo.exe
ProductName: ShrugTwo
ProductVersion: 1.0.0.0
Sections (3)

Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy
.text | 0x402000 | 0x8c074 | 0x8c200 | 0x200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.96
.rsrc | 0x490000 | 0x1017 | 0x1200 | 0x8c400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.77
.reloc | 0x492000 | 0xc | 0x200 | 0x8d600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1

The .text entropy of 7.96 bits per byte is close to the 8.0 ceiling, which is what compressed or encrypted data looks like; plain MSIL or x86 code sits well below that. Together with the static parser error noted above, this points to a packed or obfuscated assembly whose real code only appears at runtime. Note that for a .NET sample the executed-buffer dumps listed further down also arise from ordinary JIT compilation, so they are not by themselves proof of a packer.
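The entropy column above is the quickest static triage signal in this report. The following Python is an added example, not VMRay's code or part of the report: it walks the PE section table by hand (no third-party dependency), computes Shannon entropy per section, and flags sections above a threshold. The threshold of 7.2 is an editorial assumption, and the toy PE builder produces constructed input for offline use, not a loadable binary and not the sample.

```python
import math
import struct
import sys
from collections import Counter

# Editorial threshold, not a VMRay value: raw sections at or above this many
# bits per byte are treated as compressed or encrypted. Ordinary x86/MSIL
# code usually lands between roughly 5.5 and 6.8; 8.0 is indistinguishable
# from random data.
PACKED_ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Walk the PE section table and yield one dict per section with raw bytes attached."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + size_opt
    for i in range(num_sections):
        off = table + i * 40
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, off)
        flags = struct.unpack_from("<I", image, off + 36)[0]
        yield {
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,  # RVA; the report prints image base + RVA
            "virtual_size": vsize,
            "raw_size": rsize,
            "raw_offset": rptr,
            "flags": flags,
            "raw": image[rptr:rptr + rsize],
        }


def section_report(image: bytes, threshold: float = PACKED_ENTROPY_THRESHOLD):
    """Entropy per section plus a packed flag, mirroring the Sections table above."""
    rows = []
    for s in pe_sections(image):
        ent = shannon_entropy(s["raw"])
        rows.append({
            "name": s["name"],
            "raw_size": s["raw_size"],
            "entropy": round(ent, 2),
            "packed": ent >= threshold,
            "executable": bool(s["flags"] & 0x20000000),  # IMAGE_SCN_MEM_EXECUTE
        })
    return rows


def build_toy_pe(sections, file_align=0x200):
    """Assemble a minimal PE (DOS header, COFF header, empty optional header,
    section table, raw data) from [(name, bytes)]. Constructed test input so the
    parser can run offline; it is not loadable and is not the analysed sample."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    headers_end = e_lfanew + 4 + 20 + 40 * len(sections)
    first_raw = -(-headers_end // file_align) * file_align
    raw_ptr, vaddr, table, payload = first_raw, 0x1000, b"", b""
    for name, data in sections:
        rsize = -(-len(data) // file_align) * file_align
        flags = 0x60000020 if name == ".text" else 0x40000040
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), vaddr,
                             rsize, raw_ptr, 0, 0, 0, 0, flags)
        payload += data.ljust(rsize, b"\0")
        raw_ptr += rsize
        vaddr += -(-max(len(data), 1) // 0x1000) * 0x1000
    return (dos + b"PE\0\0" + coff + table).ljust(first_raw, b"\0") + payload


if __name__ == "__main__":
    if len(sys.argv) > 1:
        image = open(sys.argv[1], "rb").read()
    else:  # constructed demo: a "packed" .text, a low-entropy .rsrc, an empty .reloc
        image = build_toy_pe([(".text", bytes(range(256)) * 8),
                              (".rsrc", b"ABCD" * 128),
                              (".reloc", b"\0" * 512)])
    for row in section_report(image):
        print(row)
```

Run it against a file path to reproduce the entropy column for any PE; the packed flag is the point at which you stop trusting static import and string analysis and move to the memory dumps.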
Imports (1)

mscoree.dll (1)

API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
_CorExeMain | 0x0 | 0x402000 | 0x8e040 | 0x8c240 | 0x0

A single native import, mscoree.dll!_CorExeMain, is the signature of a managed (.NET) executable, consistent with the ByteCode-MSIL detection name above: the real logic is in MSIL metadata, not in the native import table, and the ImpHash is the value shared by every such managed binary, so it is useless for clustering this family.
Memory Dumps (11)

Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Points | AV | YARA
shrugtwo.exe | 1 | 0x011C0000 | 0x01253FFF | Relevant Image | - | 32-bit | - | False | False
buffer | 1 | 0x04AB7000 | 0x04ABDFFF | First Execution | - | 32-bit | 0x04ABD3D6 | False | False
buffer | 1 | 0x00243000 | 0x00243FFF | First Execution | - | 32-bit | 0x00243260 | False | False
buffer | 1 | 0x0020B000 | 0x0020BFFF | First Execution | - | 32-bit | 0x0020B3C1 | False | False
buffer | 1 | 0x0020B000 | 0x0020BFFF | Content Changed | - | 32-bit | 0x0020B3C1 | False | False
buffer | 1 | 0x00243000 | 0x00243FFF | Content Changed | - | 32-bit | 0x0024336C | False | False
buffer | 1 | 0x00243000 | 0x00243FFF | Content Changed | - | 32-bit | 0x00243D90 | False | False
shrugtwo.exe | 1 | 0x011C0000 | 0x01253FFF | Final Dump | - | 32-bit | - | False | False
buffer | 1 | 0x00244000 | 0x00244FFF | First Execution | - | 32-bit | 0x00244270 | False | False
buffer | 1 | 0x00245000 | 0x00245FFF | First Execution | - | 32-bit | 0x00245070 | False | False
buffer | 1 | 0x00245000 | 0x00245FFF | Content Changed | - | 32-bit | 0x002450D9 | False | False
Local AV Matches (1)

Threat Name | Severity
Generic.Ransom.Hiddentear.A.BC591C6C | Malicious
c:\users\5p5nrgjn0js halpmcxz\appdata\local\gdipfontcachev1.dat | Modified File | Stream | Unknown

Mime Type: application/octet-stream
File Size: 106.27 KB
MD5: 92e128dcb152d05f07faf5da64bd1c91
SHA1: 2174814ca563fc2b9679fffbf1b40bdf3ac9abec
SHA256: 11437a99f5f9c0a6df09c64abc8828ad3ecd8cf4fa601340ded86b8945edff43
SSDeep: 768:i8HrbdvVyZHgTl7ho5sZWN/Ys9byFRQ+AwqGuGyZoVyOF7rrlqTIyMnm:/pVyZHgTl7h6tKR7AwqlGyZQVO1Mnm
C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml.SHRUG2 | Dropped File | Stream | Unknown

Also Known As: C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml (Modified File)
Mime Type: application/octet-stream
File Size: 1.42 KB
MD5: 90532c7edb8c2b05f2de62cabbceb203
SHA1: e9669016ace035990a82deea73b6632487a2fb62
SHA256: 0a1b215995e2bdc60945af3e33781597d103a17b171d4872404ffaa024012f45
SSDeep: 24:cqKavICYJGi4D79Ax3wmA5t7zFWdlP6oQcRwCfbQaOS2Op91VE0vo0n//6E:coQe9Ax3wmAf8lGclfbQgHK0voo
C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml.SHRUG2 | Dropped File | Stream | Unknown

Also Known As: C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml (Modified File)
Mime Type: application/octet-stream
File Size: 1.84 KB
MD5: 1a74e1c0bcee30df7ae6fff76907ca87
SHA1: 3bbe9249a4984e8bdeb407720880482c5012e8f4
SHA256: 748d8ddbb0fcd78000379cfa963ceb78e951feb91052529dcff5735ba755112d
SSDeep: 48:cE/3UU+P/vTBsP7MSQTHMktt7m0rJxR9sW7xCm:cE/3URPxSYMkr7F9scxf
C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi | Modified File | Stream | Unknown

Mime Type: application/octet-stream
File Size: 2.40 MB
MD5: 80580f4710e354c4b400818abf56c3a5
SHA1: 5e877ac21301e2718e0b0ea5fbc869ca2a9e6c6a
SHA256: 10f8322983d7007b9edfbfd71d21377f881a43682b38253891e9031d9cf0b1e5
SSDeep: 49152:tCrfsJRPh3CpXcMntD6KCKgtKt9iK3SznG73QSKSRzrAqdzdFmJD:tC7s0t288Kt9iK3SDG73QSjA0dFmJD
C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml | Modified File | Stream | Unknown

Also Known As: C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml.SHRUG2 (Dropped File)
Mime Type: application/octet-stream
File Size: 1.58 KB
MD5: 06120ebd1dce88b90b7a88471fbe5fc3
SHA1: 4b5025f09286437cb2226dbe6319b09c264f65d4
SHA256: b906f722257ea40454050f1a764f2cee0892171ec8cb20f125f407e797f4f9fe
SSDeep: 48:ciM1UiPYAqxZtEsHUpwx7Nj81gDef8RQV:chbPYAQtvqwDjqgDNe
C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi.SHRUG2 | Dropped File | Stream | Unknown

Also Known As: C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi (Modified File)
Mime Type: application/octet-stream
File Size: 2.39 MB
MD5: daf31ce6baaaabf9f501ea0748e7cfca
SHA1: 4f0624a0a24d7b0baae3460a54aa8bc93ae2c954
SHA256: 85b1a84219abaee39619085bd008da7969fe7f3e5ed02614b4c58202ebc73f4e
SSDeep: 49152:fXUJS1kqAO3B+MD2TSUR+ouZDkyYzlsMV4qc5217qleSmLLd+:cwpAO3Bl6TjR+oBsXqv2mLLd+
C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml.SHRUG2 | Dropped File | Stream | Unknown

Also Known As: C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml (Modified File)
Mime Type: application/octet-stream
File Size: 1.53 KB
MD5: 97f95a1413006993aa86d8e9c9b5d2f7
SHA1: 0d9a21041f235500d325d61f92c706d3a78e3fba
SHA256: 6f48c2f51b6ff5eb0dfd86b3ec11b4a83f70ee70fbb32aa8d95ad433ed99402c
SSDeep: 24:cLD3IRmPAmQE4XHGvhVjaAfTOeUucdTUQjBpAVjmxPOhqwOeHBFWyW/DM:cLD4kPAmf4XkVjAeUJbdCgxPYBfrW/DM
C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml.SHRUG2 | Dropped File | Stream | Unknown

Also Known As: C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml (Modified File)
Mime Type: application/octet-stream
File Size: 2.38 KB
MD5: 83f5316be92c6d9c6f99a709c29c2549
SHA1: b0daec1ffe1b2a6fdb38d5f338066aef0f58c834
SHA256: 1bee2a3c13d4290ab0570461c31b7f5de70616e1d9671353246f80706dc60505
SSDeep: 48:cJPVZNMcWJ6pW5I5zldrJZlQUF28D69tAx0kP0Ij7sgoOua+uw4pDTQbk+/QDjSQ:cJ9Qc68zrx/l6sx0kPbXsts+u9TB+/WR
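The file entries above all follow one pattern: an original under C:\MSOCache is listed as modified and a same-named file with .SHRUG2 appended is listed as dropped, which is the encrypt-and-rename behaviour of the HiddenTear family the AV match names. Two entries do not fit it: gdipfontcachev1.dat in AppData\Local is the GDI+ font cache, rewritten by any GUI process that renders text through GDI+ (a WinForms application included), so it is a side effect and not an indicator; PublisherMUI.msi is listed as modified with no renamed counterpart, and the report does not say why. The following Python is an added example, not VMRay's code or part of the report: it takes the entries transcribed from this page (paths and roles as listed, typed in by hand rather than exported), pairs originals with their renamed copies, derives the marker extension as the most common appended suffix, separates the in-place modifications for manual review, and provides a case-insensitive sweep for the marker over a path listing. The FILE_EVENTS list and the sample listing in the demo are constructed inputs; the user-profile name in the first path belongs to the sandbox and is not an indicator either.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Transcribed by hand from the file entries of the report above as
# (path, role, "also known as"); not a machine-readable sandbox export.
MSO = r"C:\MSOCache\All Users\{90140000-%s-0409-1000-0000000FF1CE}-C"
FILE_EVENTS = [
    (r"c:\users\5p5nrgjn0js halpmcxz\appdata\local\gdipfontcachev1.dat", "Modified File", None),
    (MSO % "0018" + r"\PowerPointMUI.xml.SHRUG2", "Dropped File", MSO % "0018" + r"\PowerPointMUI.xml"),
    (MSO % "0018" + r"\Setup.xml.SHRUG2", "Dropped File", MSO % "0018" + r"\Setup.xml"),
    (MSO % "0019" + r"\PublisherMUI.msi", "Modified File", None),
    (MSO % "0019" + r"\Setup.xml", "Modified File", MSO % "0019" + r"\Setup.xml.SHRUG2"),
    (MSO % "0016" + r"\ExcelMUI.msi.SHRUG2", "Dropped File", MSO % "0016" + r"\ExcelMUI.msi"),
    (MSO % "0016" + r"\ExcelMUI.xml.SHRUG2", "Dropped File", MSO % "0016" + r"\ExcelMUI.xml"),
    (MSO % "001B" + r"\Setup.xml.SHRUG2", "Dropped File", MSO % "001B" + r"\Setup.xml"),
]


def appended_suffix(longer: str, shorter: str):
    """Return the suffix if `longer` is `shorter` plus extra characters
    (case-insensitive on the shared part, as NTFS paths are), else None."""
    if len(longer) > len(shorter) and longer[:len(shorter)].lower() == shorter.lower():
        return longer[len(shorter):]
    return None


def summarize_file_events(events):
    """Split sandbox file events into (original, renamed, suffix) encrypt-and-rename
    pairs and files that were only modified in place; the marker extension is
    the most common appended suffix across the pairs."""
    pairs, in_place = [], []
    for path, role, aka in events:
        if aka is not None:
            # The report lists each pair once, from either the dropped or the modified side.
            dropped, original = (path, aka) if role == "Dropped File" else (aka, path)
            suffix = appended_suffix(dropped, original)
            if suffix:
                pairs.append((original, dropped, suffix))
                continue
        if role == "Modified File":
            in_place.append(path)  # needs a human look: benign side effect or partial write
    suffixes = Counter(s.lower() for _, _, s in pairs)
    marker = suffixes.most_common(1)[0][0] if suffixes else None
    directories = sorted({str(PureWindowsPath(o).parent) for o, _, _ in pairs})
    return {"marker": marker, "pairs": pairs, "directories": directories,
            "modified_in_place": in_place}


def find_marked_files(listing, marker):
    """Case-insensitive sweep of a path listing for the marker extension, the
    check you would run over a file inventory pulled from another host."""
    m = marker.lower()
    return [p for p in listing if p.lower().endswith(m)]


if __name__ == "__main__":
    summary = summarize_file_events(FILE_EVENTS)
    print("marker extension:", summary["marker"])
    print("directories hit:", *summary["directories"], sep="\n  ")
    print("modified in place (review manually):", *summary["modified_in_place"], sep="\n  ")
    # Constructed listing standing in for an inventory from a second machine.
    inventory = [r"D:\docs\budget.xlsx.SHRUG2", r"D:\docs\notes.txt", r"D:\docs\plan.docx.shrug2"]
    print("marked files elsewhere:", find_marked_files(inventory, summary["marker"]))
```

Deriving the extension from the pairs rather than hard-coding .SHRUG2 matters because the same loop works unchanged on the next variant's report; the in-place list is where the font cache and the unexplained .msi end up, so they are reviewed instead of silently counted as encrypted files.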