VTI SCORE: 98/100
Dynamic Analysis Report
Classification: Trojan, Dropper

4f44cc16a1854f91e48261ccfebc5bbe8997215e50513bc3080c6127031774c2 (SHA256)

AQSZPL.exe

Windows Exe (x86-32)

Created at 2018-09-03 11:32:00

Notifications (1/1)

The overall sleep time of all monitored processes was truncated from "21 minutes" to "3 minutes, 30 seconds" to reveal dormant functionality.

Filename Category Type Severity
C:\Users\CIiHmnxMn6Ps\Desktop\AQSZPL.exe Sample File Binary Blacklisted
Mime Type application/x-dosexec
File Size 452.50 KB
MD5 6e22b841b513058900e3807ca6cf7064
SHA1 94904c2f2a6d1e315dfb5bbd9647797c2ebac85a
SHA256 4f44cc16a1854f91e48261ccfebc5bbe8997215e50513bc3080c6127031774c2
SSDeep 6144:nUNdDUb3MoihmQU73Yhp0/J9J5nysgw9bh2aldJmyAsB:MdfoAmQ3Afh2aiyJ
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
File Reputation Information
Severity Blacklisted
First Seen 2018-09-02 08:36 (UTC+2)
Last Seen 2018-09-03 13:26 (UTC+2)
Names Win32.Trojan.Generickdz
Families Generickdz
Classification Trojan
PE Information
Image Base 0x400000
Entry Point 0x45035e
Size Of Code 0x4e400
Size Of Initialized Data 0x22c00
File Type executable
Subsystem windows_gui
Machine Type i386
Compile Timestamp 2018-08-31 06:41:24+00:00
Version Information (9)
Assembly Version 0.0.2.3
LegalCopyright @FBUSP
InternalName AQSZPL.exe
FileVersion 0.0.2.3
Comments FBUSP
ProductName FBUSP
ProductVersion 0.0.2.3
FileDescription FBUSP
OriginalFilename AQSZPL.exe
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x402000 0x4e3d2 0x4e400 0x200 cnt_code, mem_execute, mem_read 6.2
.rsrc 0x452000 0x22850 0x22a00 0x4e600 cnt_initialized_data, mem_read 4.03
.reloc 0x476000 0xc 0x200 0x71000 cnt_initialized_data, mem_discardable, mem_read 0.08
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain 0x0 0x45036c 0x50338 0x4e538 0x0
Icons (1)
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b Modified File Stream Whitelisted
Also Known As c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b (Created File)
Mime Type application/octet-stream
File Size 0.05 KB
MD5 eca0470178275ac94e5de381969ed232
SHA1 d6de27e734eec57d1dda73489b4a6d6eecae3038
SHA256 353fd628b7f6e7d426e5d6a27d1bc3ac22fa7f812e7594cf2ec5ca1175785b50
SSDeep 3::
File Reputation Information
Severity Whitelisted
First Seen 2013-03-17 16:12 (UTC+1)
Last Seen 2018-09-01 07:19 (UTC+2)
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.exe Created File Binary Whitelisted
Mime Type application/x-dosexec
File Size 34.35 KB
MD5 a412dedac6a1ff7ba06feb3b6725495e
SHA1 bcae71ba4068be87f9d5739afec8f7081d00a97e
SHA256 b4853f76dfe066a5b2aeb3166bac4d6ff1548e9119205f65ac6cab6d165f9850
SSDeep 768:a9ng5dqluvtOnVZPn/mW1GT3Qk1P7kGB:Kg5dvcTP/BGT3Q0P7k
ImpHash e7c7977a9a81de6269643983b71b739c
File Reputation Information
Severity Whitelisted
First Seen 2015-07-29 11:24 (UTC+2)
Last Seen 2018-08-08 02:13 (UTC+2)
PE Information
Image Base 0x400000
Entry Point 0x402720
Size Of Code 0x3c00
Size Of Initialized Data 0x2800
File Type executable
Subsystem windows_gui
Machine Type i386
Compile Timestamp 2015-07-10 03:25:45+00:00
Version Information (8)
LegalCopyright © Microsoft Corporation. All rights reserved.
InternalName svchost.exe
FileVersion 10.0.10240.16384 (th1.150709-1700)
CompanyName Microsoft Corporation
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.10240.16384
FileDescription Host Process for Windows Services
OriginalFilename svchost.exe
Sections (6)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x3ad8 0x3c00 0x400 cnt_code, mem_execute, mem_read 5.83
.data 0x405000 0x3d8 0x200 0x4000 cnt_initialized_data, mem_read, mem_write 0.16
.idata 0x406000 0x1002 0x1200 0x4200 cnt_initialized_data, mem_read 4.53
.didat 0x408000 0x14 0x200 0x5400 cnt_initialized_data, mem_read, mem_write 0.21
.rsrc 0x409000 0x810 0xa00 0x5600 cnt_initialized_data, mem_read 3.74
.reloc 0x40a000 0x458 0x600 0x6000 cnt_initialized_data, mem_discardable, mem_read 5.51
Imports (23)
api-ms-win-core-crt-l2-1-0.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_initterm 0x0 0x406034 0x63d8 0x45d8 0x6
_initterm_e 0x0 0x406038 0x63dc 0x45dc 0x7
__wgetmainargs 0x0 0x40603c 0x63e0 0x45e0 0x1
api-ms-win-core-profile-l1-1-0.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
QueryPerformanceCounter 0x0 0x4060d0 0x6474 0x4674 0x0
api-ms-win-core-processthreads-l1-1-2.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ExitProcess 0x0 0x4060b0 0x6454 0x4654 0x8
GetCurrentProcessId 0x0 0x4060b4 0x6458 0x4658 0xd
SetProcessAffinityUpdateMode 0x0 0x4060b8 0x645c 0x465c 0x39
OpenProcessToken 0x0 0x4060bc 0x6460 0x4660 0x30
GetCurrentThreadId 0x0 0x4060c0 0x6464 0x4664 0x11
TerminateProcess 0x0 0x4060c4 0x6468 0x4668 0x4b
GetCurrentProcess 0x0 0x4060c8 0x646c 0x466c 0xc
api-ms-win-core-sysinfo-l1-2-1.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetTickCount 0x0 0x406134 0x64d8 0x46d8 0x18
GetSystemTimeAsFileTime 0x0 0x406138 0x64dc 0x46dc 0x14
api-ms-win-core-errorhandling-l1-1-1.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SetErrorMode 0x0 0x406050 0x63f4 0x45f4 0xc
GetLastError 0x0 0x406054 0x63f8 0x45f8 0x5
SetUnhandledExceptionFilter 0x0 0x406058 0x63fc 0x45fc 0xf
UnhandledExceptionFilter 0x0 0x40605c 0x6400 0x4600 0x11
api-ms-win-service-winsvc-l1-2-0.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegisterServiceCtrlHandlerW 0x0 0x406178 0x651c 0x471c 0xd
api-ms-win-service-core-l1-1-1.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SetServiceStatus 0x0 0x40616c 0x6510 0x4710 0x6
StartServiceCtrlDispatcherW 0x0 0x406170 0x6514 0x4714 0x7
api-ms-win-core-libraryloader-l1-2-0.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
FreeLibrary 0x0 0x40608c 0x6430 0x4630 0xb
LoadLibraryExW 0x0 0x406090 0x6434 0x4634 0x17
GetProcAddress 0x0 0x406094 0x6438 0x4638 0x14
api-ms-win-core-synch-l1-2-0.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ReleaseSRWLockShared 0x0 0x406114 0x64b8 0x46b8 0x25
InitializeSRWLock 0x0 0x406118 0x64bc 0x46bc 0x1b
AcquireSRWLockShared 0x0 0x40611c 0x64c0 0x46c0 0x1
LeaveCriticalSection 0x0 0x406120 0x64c4 0x46c4 0x1d
EnterCriticalSection 0x0 0x406124 0x64c8 0x46c8 0x11
AcquireSRWLockExclusive 0x0 0x406128 0x64cc 0x46cc 0x0
ReleaseSRWLockExclusive 0x0 0x40612c 0x64d0 0x46d0 0x24
api-ms-win-core-registry-l1-1-0.dll (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegGetValueW 0x0 0x4060d8 0x647c 0x467c 0x14
RegOpenKeyExW 0x0 0x4060dc 0x6480 0x4680 0x1e
RegQueryValueExW 0x0 0x4060e0 0x6484 0x4684 0x23
RegCloseKey 0x0 0x4060e4 0x6488 0x4688 0x0
RegEnumKeyExW 0x0 0x4060e8 0x648c 0x468c 0xe
RegDisablePredefinedCacheEx 0x0 0x4060ec 0x6490 0x4690 0xc
api-ms-win-core-processenvironment-l1-2-0.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetCommandLineW 0x0 0x4060a4 0x6448 0x4648 0x5
ExpandEnvironmentStringsW 0x0 0x4060a8 0x644c 0x464c 0x1
api-ms-win-core-string-l1-1-0.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CompareStringOrdinal 0x0 0x406108 0x64ac 0x46ac 0x1
WideCharToMultiByte 0x0 0x40610c 0x64b0 0x46b0 0x7
RPCRT4.dll (10)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RpcMgmtStopServerListening 0x0 0x406000 0x63a4 0x45a4 0x1af
I_RpcServerDisableExceptionFilter 0x0 0x406004 0x63a8 0x45a8 0x5b
RpcServerRegisterIf 0x0 0x406008 0x63ac 0x45ac 0x1d1
RpcServerUnregisterIfEx 0x0 0x40600c 0x63b0 0x45b0 0x1d8
RpcServerListen 0x0 0x406010 0x63b4 0x45b4 0x1ce
I_RpcMapWin32Status 0x0 0x406014 0x63b8 0x45b8 0x42
RpcServerUseProtseqEpW 0x0 0x406018 0x63bc 0x45bc 0x1e2
RpcServerUnregisterIf 0x0 0x40601c 0x63c0 0x45c0 0x1d7
RpcMgmtSetServerStackSize 0x0 0x406020 0x63c4 0x45c4 0x1ad
RpcMgmtWaitServerListen 0x0 0x406024 0x63c8 0x45c8 0x1b0
api-ms-win-core-heap-l1-2-0.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
HeapAlloc 0x0 0x40606c 0x6410 0x4610 0x2
HeapSetInformation 0x0 0x406070 0x6414 0x4614 0xa
GetProcessHeap 0x0 0x406074 0x6418 0x4618 0x0
HeapFree 0x0 0x406078 0x641c 0x461c 0x6
api-ms-win-core-localization-l1-2-1.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
LCMapStringW 0x0 0x40609c 0x6440 0x4640 0x32
api-ms-win-security-base-l1-2-0.dll (8)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SetSecurityDescriptorDacl 0x0 0x406148 0x64ec 0x46ec 0x60
InitializeSecurityDescriptor 0x0 0x40614c 0x64f0 0x46f0 0x46
GetLengthSid 0x0 0x406150 0x64f4 0x46f4 0x33
SetSecurityDescriptorGroup 0x0 0x406154 0x64f8 0x46f8 0x61
SetSecurityDescriptorOwner 0x0 0x406158 0x64fc 0x46fc 0x62
GetTokenInformation 0x0 0x40615c 0x6500 0x4700 0x40
AddAccessAllowedAce 0x0 0x406160 0x6504 0x4704 0x7
InitializeAcl 0x0 0x406164 0x6508 0x4708 0x45
api-ms-win-core-heap-l2-1-0.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
LocalAlloc 0x0 0x406080 0x6424 0x4624 0x2
LocalFree 0x0 0x406084 0x6428 0x4628 0x3
api-ms-win-core-handle-l1-1-0.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CloseHandle 0x0 0x406064 0x6408 0x4608 0x0
api-ms-win-core-sidebyside-l1-1-0.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CreateActCtxW 0x0 0x4060f4 0x6498 0x4698 0x2
ReleaseActCtx 0x0 0x4060f8 0x649c 0x469c 0x9
ActivateActCtx 0x0 0x4060fc 0x64a0 0x46a0 0x0
DeactivateActCtx 0x0 0x406100 0x64a4 0x46a4 0x3
api-ms-win-core-threadpool-private-l1-1-0.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegisterWaitForSingleObjectEx 0x0 0x406140 0x64e4 0x46e4 0x0
ntdll.dll (15)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
EtwEventWrite 0x0 0x406180 0x6524 0x4724 0x3c
EtwEventEnabled 0x0 0x406184 0x6528 0x4728 0x37
EtwEventRegister 0x0 0x406188 0x652c 0x472c 0x39
RtlUnhandledExceptionFilter 0x0 0x40618c 0x6530 0x4730 0x554
RtlSetProcessIsCritical 0x0 0x406190 0x6534 0x4734 0x514
RtlInitializeCriticalSection 0x0 0x406194 0x6538 0x4738 0x40d
RtlSubAuthoritySid 0x0 0x406198 0x653c 0x473c 0x536
RtlLengthRequiredSid 0x0 0x40619c 0x6540 0x4740 0x460
RtlFreeHeap 0x0 0x4061a0 0x6544 0x4744 0x3a8
RtlCopySid 0x0 0x4061a4 0x6548 0x4748 0x2fa
RtlAllocateHeap 0x0 0x4061a8 0x654c 0x474c 0x2a9
RtlInitializeSid 0x0 0x4061ac 0x6550 0x4750 0x41a
RtlSubAuthorityCountSid 0x0 0x4061b0 0x6554 0x4754 0x535
RtlImageNtHeader 0x0 0x4061b4 0x6558 0x4758 0x3f5
NtSetInformationProcess 0x0 0x4061b8 0x655c 0x475c 0x222
api-ms-win-core-delayload-l1-1-1.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DelayLoadFailureHook 0x0 0x406044 0x63e8 0x45e8 0x0
ResolveDelayLoadedAPI 0x0 0x406048 0x63ec 0x45ec 0x1
api-ms-win-core-crt-l1-1-0.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
memcpy 0x0 0x40602c 0x63d0 0x45d0 0x33
Digital Signatures (2)
Certificate: Microsoft Windows Publisher
Issued by Microsoft Windows Publisher
Parent Certificate Microsoft Windows Production PCA 2011
Country Name US
Valid From 2015-04-08 20:28:14+00:00
Valid Until 2016-07-08 20:28:14+00:00
Algorithm sha256_rsa
Serial Number 33 00 00 00 80 E0 B6 EB 3D EB 7C 8C CB 00 00 00 00 00 80
Thumbprint 39 BA 5A 87 75 D9 07 4F 23 6D 21 B5 27 35 A9 CF 0A 2B AA C0
Certificate: Microsoft Windows Production PCA 2011
Issued by Microsoft Windows Production PCA 2011
Country Name US
Valid From 2011-10-19 18:41:42+00:00
Valid Until 2026-10-19 18:51:42+00:00
Algorithm sha256_rsa
Serial Number 61 07 76 56 00 00 00 00 00 08
Thumbprint 58 0A 6F 4C C4 E4 B6 69 B9 EB DC 1B 2B 3E 08 7B 80 D0 67 8D
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.lck Created File Stream Whitelisted
Mime Type application/octet-stream
File Size 0.00 KB
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SSDeep 3:U:U
File Reputation Information
Severity Whitelisted
First Seen 2011-06-14 17:40 (UTC+2)
Last Seen 2018-08-21 12:22 (UTC+2)
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.hdb Created File Text Unknown
Mime Type text/plain
File Size 0.00 KB
MD5 aee1587391978acd0d0987dde93d05c6
SHA1 418954d08d2fff0318c94e488c67a7de32f78b58
SHA256 f10b441a59ec65e42a7075ab6246a5ad8f06541c3e6eae64d4211151d9819dfe
SSDeep 3:O:O
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b Created File Stream Unknown
Also Known As c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b (Created File)
Mime Type application/octet-stream
File Size 0.05 KB
MD5 0e74b2d60180ca3a437d55528e1845ff
SHA1 f002adc25ab2fc62b181790d0f5369045b4966e5
SHA256 75183ca2bd0d0ee61fa5ac42333bb6235eefa8f5210a42fc758ea03223105cfe
SSDeep 3:/l4lQgdocl:exdocl
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.

Screenshot (Before / After)