15a9c963...9cdc | Files
VTI SCORE: 100/100
Dynamic Analysis Report
Classification:
Trojan
Threat Names:
Win32.Trojan.Genkryptik
Filters:
Filename Category Type Severity
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\0AJTD.txt.exe Sample File Binary Malicious
Mime Type application/vnd.microsoft.portable-executable
File Size 88.00 KB
MD5 b3c84d5c7cde6b094a0e2c7b9a2004fd
SHA1 f32a43ac984e3ed11f374f69281539aa62acd6dd
SHA256 15a9c96372795124730f77034d64357fa50a82d71ebbc4dc5384c23d13e99cdc
SSDeep 1536:AO6ayqCgtrA/xR+R6qzRayqCgtrA/xRIO:9ZxXlexMYqzcxXlexD
ImpHash 0d752340c040aec272d06f0ff2a5afa7
File Reputation Information
Severity
Blacklisted
First Seen 2020-01-13 11:11 (UTC+1)
Last Seen 2020-01-13 11:14 (UTC+1)
Names Win32.Trojan.Genkryptik
Families Genkryptik
Classification Trojan
PE Information
Image Base 0x400000
Entry Point 0x401288
Size Of Code 0xb000
Size Of Initialized Data 0xa000
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2011-10-30 15:18:46+00:00
Version Information (6)
CompanyName Martyre5
FileVersion 1.00
InternalName Krslerne
OriginalFilename Krslerne.exe
ProductName Absorber4
ProductVersion 1.00
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0xa6d0 0xb000 0x1000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.26
.data 0x40c000 0x9f0 0x1000 0xc000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
.rsrc 0x40d000 0x8d90 0x9000 0xd000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.46
Imports (1)
MSVBVM60.DLL (57)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos 0x0 0x401000 0xb30c 0xb30c 0x53
_adj_fptan 0x0 0x401004 0xb310 0xb310 0x1b3
__vbaVarMove 0x0 0x401008 0xb314 0xb314 0x178
__vbaFreeVar 0x0 0x40100c 0xb318 0xb318 0xb1
__vbaFreeVarList 0x0 0x401010 0xb31c 0xb31c 0xb2
_adj_fdiv_m64 0x0 0x401014 0xb320 0xb320 0x1aa
_adj_fprem1 0x0 0x401018 0xb324 0xb324 0x1b2
__vbaStrCat 0x0 0x40101c 0xb328 0xb328 0x133
__vbaHresultCheckObj 0x0 0x401020 0xb32c 0xb32c 0xc0
_adj_fdiv_m32 0x0 0x401024 0xb330 0xb330 0x1a8
(by ordinal) 0x29a 0x401028 0xb334 0xb334 -
(by ordinal) 0x253 0x40102c 0xb338 0xb338 -
(by ordinal) 0x254 0x401030 0xb33c 0xb33c -
_adj_fdiv_m16i 0x0 0x401034 0xb340 0xb340 0x1a7
_adj_fdivr_m16i 0x0 0x401038 0xb344 0xb344 0x1ac
__vbaFpR8 0x0 0x40103c 0xb348 0xb348 0xab
_CIsin 0x0 0x401040 0xb34c 0xb34c 0x56
__vbaChkstk 0x0 0x401044 0xb350 0xb350 0x6f
EVENT_SINK_AddRef 0x0 0x401048 0xb354 0xb354 0x11
__vbaStrCmp 0x0 0x40104c 0xb358 0xb358 0x134
__vbaVarTstEq 0x0 0x401050 0xb35c 0xb35c 0x193
__vbaI2I4 0x0 0x401054 0xb360 0xb360 0xc5
_adj_fpatan 0x0 0x401058 0xb364 0xb364 0x1b0
(by ordinal) 0x2a4 0x40105c 0xb368 0xb368 -
EVENT_SINK_Release 0x0 0x401060 0xb36c 0xb36c 0x15
_CIsqrt 0x0 0x401064 0xb370 0xb370 0x57
EVENT_SINK_QueryInterface 0x0 0x401068 0xb374 0xb374 0x14
__vbaExceptHandler 0x0 0x40106c 0xb378 0xb378 0x8e
_adj_fprem 0x0 0x401070 0xb37c 0xb37c 0x1b1
_adj_fdivr_m64 0x0 0x401074 0xb380 0xb380 0x1af
(by ordinal) 0x2ca 0x401078 0xb384 0xb384 -
__vbaFPException 0x0 0x40107c 0xb388 0xb388 0x93
__vbaStrVarVal 0x0 0x401080 0xb38c 0xb38c 0x149
_CIlog 0x0 0x401084 0xb390 0xb390 0x55
__vbaNew2 0x0 0x401088 0xb394 0xb394 0xf7
_adj_fdiv_m32i 0x0 0x40108c 0xb398 0xb398 0x1a9
_adj_fdivr_m32i 0x0 0x401090 0xb39c 0xb39c 0x1ae
__vbaFreeStrList 0x0 0x401094 0xb3a0 0xb3a0 0xb0
_adj_fdivr_m32 0x0 0x401098 0xb3a4 0xb3a4 0x1ad
_adj_fdiv_r 0x0 0x40109c 0xb3a8 0xb3a8 0x1ab
(by ordinal) 0x64 0x4010a0 0xb3ac 0xb3ac -
__vbaVarTstNe 0x0 0x4010a4 0xb3b0 0xb3b0 0x198
(by ordinal) 0x2b1 0x4010a8 0xb3b4 0xb3b4 -
(by ordinal) 0x262 0x4010ac 0xb3b8 0xb3b8 -
__vbaVarDup 0x0 0x4010b0 0xb3bc 0xb3bc 0x162
__vbaStrComp 0x0 0x4010b4 0xb3c0 0xb3c0 0x135
__vbaFpI4 0x0 0x4010b8 0xb3c4 0xb3c4 0xa9
_CIatan 0x0 0x4010bc 0xb3c8 0xb3c8 0x52
__vbaStrMove 0x0 0x4010c0 0xb3cc 0xb3cc 0x13f
(by ordinal) 0x21c 0x4010c4 0xb3d0 0xb3d0 -
(by ordinal) 0x21f 0x4010c8 0xb3d4 0xb3d4 -
_allmul 0x0 0x4010cc 0xb3d8 0xb3d8 0x1b4
(by ordinal) 0x221 0x4010d0 0xb3dc 0xb3dc -
_CItan 0x0 0x4010d4 0xb3e0 0xb3e0 0x58
_CIexp 0x0 0x4010d8 0xb3e4 0xb3e4 0x54
__vbaFreeStr 0x0 0x4010dc 0xb3e8 0xb3e8 0xaf
__vbaFreeObj 0x0 0x4010e0 0xb3ec 0xb3ec 0xad
Icons (1)
Memory Dumps (11)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA
0ajtd.txt.exe 1 0x00400000 0x00415FFF Relevant Image True 32-bit 0x00401288 False False
buffer 1 0x003B0000 0x003BFFFF Marked Executable False 32-bit - False False
buffer 1 0x003B0000 0x003BFFFF First Execution False 32-bit 0x003B6338 False False
buffer 1 0x02300000 0x02309FFF First Execution False 32-bit 0x02300000 False False
buffer 1 0x02300000 0x02309FFF Content Changed False 32-bit 0x02303A1D False False
ntdll.dll 1 0x77320000 0x7749FFFF First Execution True 32-bit 0x77340028 False False
buffer 1 0x02300000 0x02309FFF Content Changed False 32-bit 0x023045BE False False
buffer 1 0x02300000 0x02309FFF Content Changed False 32-bit 0x0230240E False False
buffer 1 0x02300000 0x02309FFF Content Changed False 32-bit 0x023051CB False False
buffer 1 0x02300000 0x02309FFF Content Changed False 32-bit 0x023025C6 False False
0ajtd.txt.exe 1 0x00400000 0x00415FFF Process Termination True 32-bit - False False
c:\users\5p5nrg~1\appdata\local\temp\~dfb43e4e85b5664870.tmp Dropped File Stream Whitelisted
Mime Type application/octet-stream
File Size 48.00 KB
MD5 f4f35d60b3cc18aaa6d8d92f0cd3708a
SHA1 6fecd5769c727e137b7580ae3b1823b06ee6f9d9
SHA256 2aae7dc846aaf25f1cadf55f1666862046c6db9d65d84bdc07fa039dac405606
SSDeep 3::
ImpHash None
File Reputation Information
Severity
Whitelisted
First Seen 2011-05-27 22:34 (UTC+2)
Last Seen 2019-10-29 20:37 (UTC+1)
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\cookies\5p5nrgjn0js_halpmcxz@u.teknik[2].txt Dropped File Text Unknown
Mime Type text/plain
File Size 196 Bytes
MD5 342773b5366dccbdff585eeee56a7c74
SHA1 125953d2d1d0ee6fbe060f54ee774b3505cc93fa
SHA256 418bfef41bcb37132b9092c2eee059fa195a2592275bad97f33b9a48b4d3e3ab
SSDeep 6:x1LSaVqY/eLpd6l802fSLKLUrKL4qYMESXl8Y:yLY/e6l3YwKLUrKLFYSXlh
ImpHash None
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\cookies\5p5nrgjn0js_halpmcxz@u.teknik[1].txt Dropped File Text Unknown
Mime Type text/plain
File Size 283 Bytes
MD5 660bfb8d5a5a5e815ace8a25d998e933
SHA1 e5548c932c60e7837535bad6c949b4708244b4e5
SHA256 6d7f45c1326c01a9a8617c745a02cb40319b405de119b6e41fc107b545d8f37e
SSDeep 6:x1LSaVqY/eLpd6l802fSLKLUrKL4qYMESXl80h0UVSgx2HqY/eLpdDo8Y:yLY/e6l3YwKLUrKLFYSXl3CUV9Y/eUh
ImpHash None
c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\ues1w[1].bin Dropped File Compressed Unknown
Mime Type application/zlib
File Size 280.56 KB
MD5 1c60bcd4c2ca2a481d8368313ddb67d6
SHA1 f9973dbd6a33caf989b40bdaad1f7c60f3433f19
SHA256 d53eb4c80a752c5f8a5ab5b76c7736f0a8c8e73fb0e27be79ff47b86ebcffcfd
SSDeep 6144:A3sb+HHBhlJaaYjou+g0FkpkseNry7i0O5ZY:Yc+HHBhD+jafFkpkseNE
ImpHash None
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.