Verdict: Malicious
Classifications: Backdoor
Threat Names: Gh0st RAT, Mal/Generic-S, Gen:Trojan.Heur.SFM.Rq2baK!oczbj, Gen:Variant.Symmi.3611 (+1 more)

Dynamic Analysis Report

Created on 2021-08-22T20:39:00

83fbbd31e43ad25a8921c98d97b287ebc8902451f7647c2266e5f0688471e8b6.exe

Windows Exe (x86-32)
File Name    Category    Type    Verdict
C:\Users\RDhJ0CNFevzX\Desktop\83fbbd31e43ad25a8921c98d97b287ebc8902451f7647c2266e5f0688471e8b6.exe    Sample File    Binary    malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 696.41 KB
MD5 37900245e5856d53be7737a5adf5ac8d
SHA1 692cb886cfae78532f7cd07465d4a95032613535
SHA256 83fbbd31e43ad25a8921c98d97b287ebc8902451f7647c2266e5f0688471e8b6
SSDeep 12288:4v1EY7o5XC9FqGDbsRwj9VP1THHk8S18F6OnuDw9l:017uXCPqYsRwj9/bHkFS9l
ImpHash 0f87eef679691562a6afad06bf1aae21
File Reputation Information
Verdict    malicious
Names    Mal/Generic-S
AV Matches (1)
Threat Name    Verdict
Gen:Trojan.Heur.SFM.Rq2baK!oczbj    malicious
PE Information
Image Base 0x400000
Entry Point 0x558001
Size Of Code 0x2000
Size Of Initialized Data 0x154200
File Type executable
Subsystem windows_gui
Machine Type i386
Compile Timestamp 2015-06-23 05:54:50+00:00
Packer ASPack v2.12 -> Alexey Solodovnikov
Version Information (8)
CompanyName 360.cn
FileDescription 360驱动大师主程序 (360 Driver Master main program)
FileVersion 2.0.0.1540
InternalName 360DrvMgr.exe
LegalCopyright (C) 360.cn Inc. All Rights Reserved.
OriginalFilename 360DrvMgr.exe
ProductName 360驱动大师 (360 Driver Master)
ProductVersion 2.0.0.1540
Sections (4)
Name      Virtual Address  Virtual Size  Raw Data Size  Raw Data Offset  Entropy  Flags
.text     0x401000         0x2000        0x1000         0x400            7.92     IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc     0x403000         0x155000      0x61a00        0x1400           8.0      IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.aspack   0x558000         0x48000       0x47c00        0x62e00          3.58     IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.adata    0x5a0000         0x1000        0x0            0xaaa00          0.0      IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
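The section table is what a static triage pass reads before anything is detonated, and this one carries the usual ASPack fingerprints: the entry point 0x558001 lies in .aspack rather than .text, .text is only 0x1000 raw bytes yet writable and at entropy 7.92, .rsrc sits at the maximum 8.0 with far more virtual than raw size, and .adata has no raw data at all. The second memory dump later in the report (dump reason "Content Changed") shows the entry point at 0x401CC0, back inside .text once the stub has unpacked the original code. The Python below is an added example and not VMRay's code; it encodes those checks over the section values copied from this report. The packer section-name list and the 7.0 entropy threshold are the editor's assumptions.

```python
import math
from collections import Counter

# Section table of the sample as printed in the report:
# (name, virtual address, virtual size, raw size, characteristics, reported entropy)
SECTIONS = [
    (".text",   0x401000, 0x2000,   0x1000,  "CODE INITIALIZED_DATA EXECUTE READ WRITE", 7.92),
    (".rsrc",   0x403000, 0x155000, 0x61a00, "INITIALIZED_DATA READ WRITE",              8.0),
    (".aspack", 0x558000, 0x48000,  0x47c00, "CODE INITIALIZED_DATA EXECUTE READ WRITE", 3.58),
    (".adata",  0x5a0000, 0x1000,   0x0,     "INITIALIZED_DATA EXECUTE READ WRITE",      0.0),
]
ENTRY_POINT = 0x558001            # AddressOfEntryPoint from the report's PE Information
UNPACKED_ENTRY_POINT = 0x401CC0   # entry point of the "Content Changed" memory dump

# Section names left behind by common packers (editor's list, not from the report).
PACKER_SECTION_NAMES = {".aspack", ".adata", "upx0", "upx1", ".upx", ".vmp0", ".vmp1",
                        ".themida", ".petite", ".mpress1", ".nsp0", ".nsp1"}
HIGH_ENTROPY = 7.0                # assumed threshold; compressed or encrypted data sits near 8.0


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte (0.0 for a constant buffer, 8.0 for uniform bytes),
    the measure behind the report's Entropy column."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def section_for_va(sections, va):
    """Name of the section whose virtual range contains va, or None."""
    for name, start, vsize, *_ in sections:
        if start <= va < start + vsize:
            return name
    return None


def packer_findings(sections, entry_point):
    """Static packer indicators; each finding starts with the section it applies to."""
    findings = []
    ep = section_for_va(sections, entry_point)
    if ep != sections[0][0]:
        findings.append(f"{ep}: entry point 0x{entry_point:x} outside the first section")
    for name, start, vsize, rsize, flags, entropy in sections:
        if name.lower() in PACKER_SECTION_NAMES:
            findings.append(f"{name}: known packer section name")
        if entropy >= HIGH_ENTROPY:
            findings.append(f"{name}: entropy {entropy} suggests compressed or encrypted content")
        if "CODE" in flags and "EXECUTE" in flags and "WRITE" in flags:
            findings.append(f"{name}: writable code section (unpacked in place)")
        if rsize == 0 and vsize > 0:
            findings.append(f"{name}: no raw data for 0x{vsize:x} virtual bytes (filled at run time)")
        if rsize and vsize > 2 * rsize:
            findings.append(f"{name}: virtual size 0x{vsize:x} far exceeds raw size 0x{rsize:x}")
    return findings


if __name__ == "__main__":
    print("entry point section:", section_for_va(SECTIONS, ENTRY_POINT))
    print("dump 2 entry point section:", section_for_va(SECTIONS, UNPACKED_ENTRY_POINT))
    for line in packer_findings(SECTIONS, ENTRY_POINT):
        print(" -", line)
```

On a real file the same checks run over the parsed section headers and the entropy is computed with shannon_entropy over each section's raw bytes; the report's own column values are used here so the example runs without the sample.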
Imports (5)
kernel32.dll (3)
API Name    Ordinal    IAT Address    Thunk RVA    Thunk Offset    Hint
GetProcAddress - 0x558fb8 0x158fb8 0x63db8 0x0
GetModuleHandleA - 0x558fbc 0x158fbc 0x63dbc 0x0
LoadLibraryA - 0x558fc0 0x158fc0 0x63dc0 0x0
user32.dll (1)
API Name    Ordinal    IAT Address    Thunk RVA    Thunk Offset    Hint
GetInputState - 0x5590b0 0x1590b0 0x63eb0 0x0
advapi32.dll (1)
API Name    Ordinal    IAT Address    Thunk RVA    Thunk Offset    Hint
RegOpenKeyExA - 0x5590b8 0x1590b8 0x63eb8 0x0
msvcrt.dll (1)
API Name    Ordinal    IAT Address    Thunk RVA    Thunk Offset    Hint
_XcptFilter - 0x5590c0 0x1590c0 0x63ec0 0x0
netapi32.dll (1)
API Name    Ordinal    IAT Address    Thunk RVA    Thunk Offset    Hint
NetUserGetLocalGroups - 0x5590c8 0x1590c8 0x63ec8 0x0
Digital Signature Information
Verification Status Failed
Verification Error The signature hash does not match the file contents
Certificate: Beijing Qihu Technology Co., Ltd.
Subject Beijing Qihu Technology Co., Ltd.
Parent Certificate DigiCert Assured ID Code Signing CA-1
Country Name CN
Valid From 2019-11-22 01:00 (UTC+1)
Valid Until 2023-02-04 13:00 (UTC+1)
Algorithm sha1_rsa
Serial Number 0A 1F 3A 05 7A 1D CE 4B F7 D7 6D 0C 7A DF 83 7E
Thumbprint 82 79 B8 7C 89 50 7B C6 E2 09 A7 BD 8B 5C 24 B3 1F B9 A6 DC
Certificate: DigiCert Assured ID Code Signing CA-1
Subject DigiCert Assured ID Code Signing CA-1
Country Name US
Valid From 2011-02-11 13:00 (UTC+1)
Valid Until 2026-02-10 13:00 (UTC+1)
Algorithm sha1_rsa
Serial Number 0F A8 49 06 15 D7 00 A0 BE 21 76 FD C5 EC 6D BD
Thumbprint 40 9A A4 A7 4A 0C DA 7C 0F EE 6B D0 BB 88 23 D1 6B 5F 18 75
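The verification result is the security-relevant point of this block: the chain belongs to Beijing Qihu (360) under DigiCert, and the certificate itself parses fine, but the signature hash does not match the file. An Authenticode signature never covers the whole file. The CheckSum field, the Security data-directory entry and the attribute certificate table are skipped when the image hash is computed, which is what allows a signature blob to be appended to a file or copied from one file to another without touching the signed region; the digest is computed over everything else, so repacking the code (here with ASPack) breaks it even though the certificate is genuine. The report also shows the signer certificate valid from 2019-11-22 against a PE compile timestamp of 2015-06-23. The Python below is an added example and not part of the report or VMRay's tooling: it implements the image-hash procedure from Microsoft's Authenticode PE specification with only the standard library and exercises it on a constructed minimal PE32 image (the code bytes and the certificate blob are placeholders), showing which edits keep an existing signature valid and which produce exactly the mismatch reported above.

```python
import hashlib
import struct

CHECKSUM_OFF = 64                               # CheckSum inside the optional header
SECURITY_DIR_OFF = {0x10B: 128, 0x20B: 144}     # Security directory entry: PE32 / PE32+


def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Image hash as signed by Authenticode: headers without CheckSum and the
    Security entry, then sections in raw-offset order, then the overlay minus
    the attribute certificate table (which is assumed to sit at the file end)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sec_dir = opt + SECURITY_DIR_OFF[magic]
    cert_off, cert_len = struct.unpack_from("<II", data, sec_dir)

    h = hashlib.new(algo)
    h.update(data[:opt + CHECKSUM_OFF])                # headers up to CheckSum
    h.update(data[opt + CHECKSUM_OFF + 4:sec_dir])     # CheckSum skipped
    h.update(data[sec_dir + 8:size_of_headers])        # Security entry skipped
    hashed = size_of_headers

    sec_tbl = opt + opt_size
    ranges = []
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tbl + 40 * i + 16)
        if raw_size:
            ranges.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(ranges):           # sections by PointerToRawData
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    overlay = len(data) - cert_len - hashed            # trailing data, certificates excluded
    if overlay > 0:
        h.update(data[hashed:hashed + overlay])
    return h.hexdigest()


def build_pe32(code: bytes, cert_table: bytes = b"", checksum: int = 0) -> bytes:
    """Constructed minimal PE32 image for the demonstration (not a real binary):
    DOS header, PE/COFF header, one .text section, optional appended cert table."""
    size_of_headers = 0x200
    raw_size = (len(code) + 0x1FF) & ~0x1FF
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)               # Section/File alignment
    struct.pack_into("<II", opt, 56, 0x2000, size_of_headers)     # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                     # CheckSum (not signed)
    struct.pack_into("<H", opt, 68, 2)                            # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    cert_off = size_of_headers + raw_size if cert_table else 0
    struct.pack_into("<II", opt, 128, cert_off, len(cert_table))  # Security directory
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, raw_size,
                      size_of_headers, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(size_of_headers, b"\0")
    return header + code.ljust(raw_size, b"\0") + cert_table


def cert_table(blob: bytes) -> bytes:
    """WIN_CERTIFICATE (revision 2.0, PKCS#7 type) around a placeholder blob, 8-byte padded."""
    entry = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    return entry.ljust((len(entry) + 7) & ~7, b"\0")


def signature_survival_demo():
    """Which edits leave the signed hash intact and which break it."""
    code = b"\x55\x8b\xec\x33\xc0\x5d\xc3"               # placeholder .text bytes
    repacked = b"\x60\xe8\x03\x00\x00\x00\xe9\xeb\x04"   # placeholder packer stub
    sig = cert_table(b"PKCS7-signature-placeholder")
    original = build_pe32(code)
    signed = build_pe32(code, sig)
    checksum_fixed = build_pe32(code, sig, checksum=0x1234)
    grafted = build_pe32(repacked, sig)                  # same cert table on other code
    return {
        "same_after_signing": authenticode_hash(original) == authenticode_hash(signed),
        "same_after_checksum_update": authenticode_hash(signed) == authenticode_hash(checksum_fixed),
        "same_after_repack": authenticode_hash(signed) == authenticode_hash(grafted),
        "file_sha256_same_after_signing": hashlib.sha256(original).digest() == hashlib.sha256(signed).digest(),
    }
```

The last entry is why the MD5/SHA1/SHA256 values listed in the report say nothing about the signature: they cover the certificate table too, so the same signed code yields a different file hash from its unsigned form, while the Authenticode hash stays the same. Verifying the signature requires comparing the computed image hash with the messageDigest inside the PKCS#7 blob; that comparison is the step that failed here.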
Memory Dumps (2)
Name    Process ID    Start VA    End VA    Dump Reason    PE Rebuild    Bitness    Entry Point    AV    YARA
83fbbd31e43ad25a8921c98d97b287ebc8902451f7647c2266e5f0688471e8b6.exe 1 0x00400000 0x005A0FFF First Execution False 32-bit 0x00558001 False False
83fbbd31e43ad25a8921c98d97b287ebc8902451f7647c2266e5f0688471e8b6.exe 1 0x00400000 0x005A0FFF Content Changed False 32-bit 0x00401CC0 False False
C:\Windows\system32\singhy.dll    Dropped File    Binary    malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 97.10 KB
MD5 fe59e2026feb220a6e0cbe6004643e02
SHA1 2583c67ec41915471baddee3f75ac46afcf07877
SHA256 0f759fc2c4b903dfde3d3e413c90768d1b0649b3025fb9fdc867b14099939987
SSDeep 3072:QJRRGd+eSRbie3PowlDB4s8KoaNomYd/BUkCVVe9l:aRMd+eSRbDQ4DyTramv/BTCV4v
ImpHash 1d83ecbb040bed546b53c8f99225ed5b
File Reputation Information
Verdict    malicious
Names    Mal/Generic-S
AV Matches (1)
Threat Name    Verdict
Gen:Variant.Symmi.3611    malicious
PE Information
Image Base 0x10000000
Entry Point 0x100112ea
Size Of Code 0x10a00
Size Of Initialized Data 0x7a00
File Type dll
Subsystem windows_gui
Machine Type i386
Compile Timestamp 2015-06-23 05:54:55+00:00
Version Information (8)
CompanyName 360.cn
FileDescription 360 升级库 (360 Update Library)
FileVersion 1, 2, 0, 1062
InternalName LiveUpd360.dll
LegalCopyright (C) 360.cn Inc. All Rights Reserved.
OriginalFilename LiveUpd360.dll
ProductName 360 升级库 (360 Update Library)
ProductVersion 1, 2, 0, 1062
Sections (5)
Name    Virtual Address  Virtual Size  Raw Data Size  Raw Data Offset  Entropy  Flags
.text   0x10001000       0x10885       0x10a00        0x400            6.46     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x10012000       0x36f7        0x3800         0x10e00          5.27     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x10016000       0x1f88        0x1c00         0x14600          3.71     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x10018000       0x1000        0x1000         0x16200          3.6      IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x10019000       0x1090        0x1200         0x17200          5.47     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Imports (16)
KERNEL32.dll (93)
API Name    Ordinal    IAT Address    Thunk RVA    Thunk Offset    Hint
GetTickCount - 0x100120e8 0x13d7c 0x12b7c 0x1d5
HeapFree - 0x100120ec 0x13d80 0x12b80 0x20c
GetProcessHeap - 0x100120f0 0x13d84 0x12b84 0x19b
MapViewOfFile - 0x100120f4 0x13d88 0x12b88 0x25e
CreateFileMappingA - 0x100120f8 0x13d8c 0x12b8c 0x4e
HeapAlloc - 0x100120fc 0x13d90 0x12b90 0x206
UnmapViewOfFile - 0x10012100 0x13d94 0x12b94 0x365
GlobalFree - 0x10012104 0x13d98 0x12b98 0x1f5
GlobalUnlock - 0x10012108 0x13d9c 0x12b9c 0x200
GlobalLock - 0x1001210c 0x13da0 0x12ba0 0x1f9
GlobalAlloc - 0x10012110 0x13da4 0x12ba4 0x1ee
GlobalSize - 0x10012114 0x13da8 0x12ba8 0x1fd
GetStartupInfoA - 0x10012118 0x13dac 0x12bac 0x1af
CreatePipe - 0x1001211c 0x13db0 0x12bb0 0x5f
DisconnectNamedPipe - 0x10012120 0x13db4 0x12bb4 0x85
VirtualAllocEx - 0x10012124 0x13db8 0x12bb8 0x376
ExpandEnvironmentStringsA - 0x10012128 0x13dbc 0x12bbc 0xb2
WaitForMultipleObjects - 0x1001212c 0x13dc0 0x12bc0 0x383
ReleaseMutex - 0x10012130 0x13dc4 0x12bc4 0x2b8
OpenEventA - 0x10012134 0x13dc8 0x12bc8 0x273
SetErrorMode - 0x10012138 0x13dcc 0x12bcc 0x30a
CreateMutexA - 0x1001213c 0x13dd0 0x12bd0 0x5a
SetUnhandledExceptionFilter - 0x10012140 0x13dd4 0x12bd4 0x33d
FreeConsole - 0x10012144 0x13dd8 0x12bd8 0xec
LocalSize - 0x10012148 0x13ddc 0x12bdc 0x257
Process32Next - 0x1001214c 0x13de0 0x12be0 0x28e
Process32First - 0x10012150 0x13de4 0x12be4 0x28c
CreateToolhelp32Snapshot - 0x10012154 0x13de8 0x12be8 0x6c
lstrcmpiA - 0x10012158 0x13dec 0x12bec 0x3b6
GetCurrentThreadId - 0x1001215c 0x13df0 0x12bf0 0x13e
WriteProcessMemory - 0x10012160 0x13df4 0x12bf4 0x3a0
CreateRemoteThread - 0x10012164 0x13df8 0x12bf8 0x64
GetCurrentProcess - 0x10012168 0x13dfc 0x12bfc 0x13a
GetLocalTime - 0x1001216c 0x13e00 0x12c00 0x16b
MoveFileExA - 0x10012170 0x13e04 0x12c04 0x265
PeekNamedPipe - 0x10012174 0x13e08 0x12c08 0x287
OpenProcess - 0x10012178 0x13e0c 0x12c0c 0x27c
GetSystemDirectoryA - 0x1001217c 0x13e10 0x12c10 0x1b9
SetLastError - 0x10012180 0x13e14 0x12c14 0x31d
GetModuleFileNameA - 0x10012184 0x13e18 0x12c18 0x175
MoveFileA - 0x10012188 0x13e1c 0x12c1c 0x264
WriteFile - 0x1001218c 0x13e20 0x12c20 0x397
SetFilePointer - 0x10012190 0x13e24 0x12c24 0x310
ReadFile - 0x10012194 0x13e28 0x12c28 0x2ab
CreateFileA - 0x10012198 0x13e2c 0x12c2c 0x4d
GetFileSize - 0x1001219c 0x13e30 0x12c30 0x15b
RemoveDirectoryA - 0x100121a0 0x13e34 0x12c34 0x2ba
LocalAlloc - 0x100121a4 0x13e38 0x12c38 0x24e
FindFirstFileA - 0x100121a8 0x13e3c 0x12c3c 0xc9
LocalReAlloc - 0x100121ac 0x13e40 0x12c40 0x255
FindNextFileA - 0x100121b0 0x13e44 0x12c44 0xd3
LocalFree - 0x100121b4 0x13e48 0x12c48 0x252
FindClose - 0x100121b8 0x13e4c 0x12c4c 0xc5
GetLogicalDriveStringsA - 0x100121bc 0x13e50 0x12c50 0x16e
GetVolumeInformationA - 0x100121c0 0x13e54 0x12c54 0x1e1
GetDiskFreeSpaceExA - 0x100121c4 0x13e58 0x12c58 0x146
GetDriveTypeA - 0x100121c8 0x13e5c 0x12c5c 0x14b
CreateProcessA - 0x100121cc 0x13e60 0x12c60 0x60
GetFileAttributesA - 0x100121d0 0x13e64 0x12c64 0x156
CreateDirectoryA - 0x100121d4 0x13e68 0x12c68 0x45
GetLastError - 0x100121d8 0x13e6c 0x12c6c 0x169
DeleteFileA - 0x100121dc 0x13e70 0x12c70 0x7c
GetVersionExA - 0x100121e0 0x13e74 0x12c74 0x1df
GetPrivateProfileStringA - 0x100121e4 0x13e78 0x12c78 0x194
lstrcmpA - 0x100121e8 0x13e7c 0x12c7c 0x3b3
WideCharToMultiByte - 0x100121ec 0x13e80 0x12c80 0x389
MultiByteToWideChar - 0x100121f0 0x13e84 0x12c84 0x26b
LoadLibraryA - 0x100121f4 0x13e88 0x12c88 0x248
GetProcAddress - 0x100121f8 0x13e8c 0x12c8c 0x198
FreeLibrary - 0x100121fc 0x13e90 0x12c90 0xef
GetWindowsDirectoryA - 0x10012200 0x13e94 0x12c94 0x1e9
lstrcatA - 0x10012204 0x13e98 0x12c98 0x3b0
GetPrivateProfileSectionNamesA - 0x10012208 0x13e9c 0x12c9c 0x191
lstrlenA - 0x1001220c 0x13ea0 0x12ca0 0x3bf
Sleep - 0x10012210 0x13ea4 0x12ca4 0x349
CancelIo - 0x10012214 0x13ea8 0x12ca8 0x24
InterlockedExchange - 0x10012218 0x13eac 0x12cac 0x21f
lstrcpyA - 0x1001221c 0x13eb0 0x12cb0 0x3b9
ResetEvent - 0x10012220 0x13eb4 0x12cb4 0x2c4
VirtualAlloc - 0x10012224 0x13eb8 0x12cb8 0x375
EnterCriticalSection - 0x10012228 0x13ebc 0x12cbc 0x8f
LeaveCriticalSection - 0x1001222c 0x13ec0 0x12cc0 0x247
VirtualFree - 0x10012230 0x13ec4 0x12cc4 0x378
DeleteCriticalSection - 0x10012234 0x13ec8 0x12cc8 0x7a
InitializeCriticalSection - 0x10012238 0x13ecc 0x12ccc 0x219
CreateThread - 0x1001223c 0x13ed0 0x12cd0 0x69
ResumeThread - 0x10012240 0x13ed4 0x12cd4 0x2c7
SetEvent - 0x10012244 0x13ed8 0x12cd8 0x30b
CreateEventA - 0x10012248 0x13edc 0x12cdc 0x49
WaitForSingleObject - 0x1001224c 0x13ee0 0x12ce0 0x385
TerminateThread - 0x10012250 0x13ee4 0x12ce4 0x352
CloseHandle - 0x10012254 0x13ee8 0x12ce8 0x2e
TerminateProcess - 0x10012258 0x13eec 0x12cec 0x351
USER32.dll (51)
API Name    Ordinal    IAT Address    Thunk RVA    Thunk Offset    Hint
SetCapture - 0x10012334 0x13fc8 0x12dc8 0x243
WindowFromPoint - 0x10012338 0x13fcc 0x12dcc 0x2d2
SetCursorPos - 0x1001233c 0x13fd0 0x12dd0 0x24e
mouse_event - 0x10012340 0x13fd4 0x12dd4 0x2d4
CloseClipboard - 0x10012344 0x13fd8 0x12dd8 0x42
SetClipboardData - 0x10012348 0x13fdc 0x12ddc 0x249
EmptyClipboard - 0x1001234c 0x13fe0 0x12de0 0xc1
OpenClipboard - 0x10012350 0x13fe4 0x12de4 0x1f5
SendMessageA - 0x10012354 0x13fe8 0x12de8 0x23a
SystemParametersInfoA - 0x10012358 0x13fec 0x12dec 0x298
SetRect - 0x1001235c 0x13ff0 0x12df0 0x26b
MapVirtualKeyA - 0x10012360 0x13ff4 0x12df4 0x1d5
GetDesktopWindow - 0x10012364 0x13ff8 0x12df8 0x10e
ReleaseDC - 0x10012368 0x13ffc 0x12dfc 0x229
GetCursorInfo - 0x1001236c 0x14000 0x12e00 0x10a
GetCursorPos - 0x10012370 0x14004 0x12e04 0x10b
SetProcessWindowStation - 0x10012374 0x14008 0x12e08 0x267
OpenWindowStationA - 0x10012378 0x1400c 0x12e0c 0x1fa
GetProcessWindowStation - 0x1001237c 0x14010 0x12e10 0x148
ExitWindowsEx - 0x10012380 0x14014 0x12e14 0xe1
GetWindowThreadProcessId - 0x10012384 0x14018 0x12e18 0x17b
IsWindow - 0x10012388 0x1401c 0x12e1c 0x1ad
BlockInput - 0x1001238c 0x14020 0x12e20 0xe
GetDC - 0x10012390 0x14024 0x12e24 0x10c
keybd_event - 0x10012394 0x14028 0x12e28 0x2d3
GetSystemMetrics - 0x10012398 0x1402c 0x12e2c 0x15d
DispatchMessageA - 0x1001239c 0x14030 0x12e30 0xa1
GetKeyNameTextA - 0x100123a0 0x14034 0x12e34 0x11f
CallNextHookEx - 0x100123a4 0x14038 0x12e38 0x1a
SetWindowsHookExA - 0x100123a8 0x1403c 0x12e3c 0x289
UnhookWindowsHookEx - 0x100123ac 0x14040 0x12e40 0x2ad
LoadCursorA - 0x100123b0 0x14044 0x12e44 0x1b9
GetClipboardData - 0x100123b4 0x14048 0x12e48 0x101
DestroyCursor - 0x100123b8 0x1404c 0x12e4c 0x95
TranslateMessage - 0x100123bc 0x14050 0x12e50 0x2a9
GetMessageA - 0x100123c0 0x14054 0x12e54 0x13a
wsprintfA - 0x100123c4 0x14058 0x12e58 0x2d5
CharNextA - 0x100123c8 0x1405c 0x12e5c 0x2a
GetWindowTextA - 0x100123cc 0x14060 0x12e60 0x177
GetActiveWindow - 0x100123d0 0x14064 0x12e64 0xeb
CloseWindow - 0x100123d4 0x14068 0x12e68 0x44
CreateWindowExA - 0x100123d8 0x1406c 0x12e6c 0x60
PostMessageA - 0x100123dc 0x14070 0x12e70 0x201
OpenDesktopA - 0x100123e0 0x14074 0x12e74 0x1f6
GetThreadDesktop - 0x100123e4 0x14078 0x12e78 0x161
GetUserObjectInformationA - 0x100123e8 0x1407c 0x12e7c 0x166
OpenInputDesktop - 0x100123ec 0x14080 0x12e80 0x1f9
SetThreadDesktop - 0x100123f0 0x14084 0x12e84 0x278
CloseDesktop - 0x100123f4 0x14088 0x12e88 0x43
EnumWindows - 0x100123f8 0x1408c 0x12e8c 0xde
IsWindowVisible - 0x100123fc 0x14090 0x12e90 0x1b1
GDI32.dll (8)
API Name    Ordinal    IAT Address    Thunk RVA    Thunk Offset    Hint
DeleteDC - 0x100120b4 0x13d48 0x12b48 0x8c
CreateCompatibleDC - 0x100120b8 0x13d4c 0x12b4c 0x2d
CreateCompatibleBitmap - 0x100120bc 0x13d50 0x12b50 0x2c
CreateDIBSection - 0x100120c0 0x13d54 0x12b54 0x32
BitBlt - 0x100120c4 0x13d58 0x12b58 0x12
DeleteObject - 0x100120c8 0x13d5c 0x12b5c 0x8f
SelectObject - 0x100120cc 0x13d60 0x12b60 0x20e
GetDIBits - 0x100120d0 0x13d64 0x12b64 0x16a
ADVAPI32.dll (41)
API Name    Ordinal    IAT Address    Thunk RVA    Thunk Offset    Hint
LookupAccountNameA - 0x10012000 0x13c94 0x12a94 0x145
IsValidSid - 0x10012004 0x13c98 0x12a98 0x13e
GetTokenInformation - 0x10012008 0x13c9c 0x12a9c 0x119
LookupAccountSidA - 0x1001200c 0x13ca0 0x12aa0 0x147
SetServiceStatus - 0x10012010 0x13ca4 0x12aa4 0x239
RegisterServiceCtrlHandlerA - 0x10012014 0x13ca8 0x12aa8 0x201
RegCreateKeyExA - 0x10012018 0x13cac 0x12aac 0x1cd
RegDeleteKeyA - 0x1001201c 0x13cb0 0x12ab0 0x1d0
RegDeleteValueA - 0x10012020 0x13cb4 0x12ab4 0x1d2
LsaClose - 0x10012024 0x13cb8 0x12ab8 0x154
LsaRetrievePrivateData - 0x10012028 0x13cbc 0x12abc 0x182
LsaOpenPolicy - 0x1001202c 0x13cc0 0x12ac0 0x173
LsaFreeMemory - 0x10012030 0x13cc4 0x12ac4 0x162
RegCloseKey - 0x10012034 0x13cc8 0x12ac8 0x1c9
RegQueryValueA - 0x10012038 0x13ccc 0x12acc 0x1eb
RegOpenKeyExA - 0x1001203c 0x13cd0 0x12ad0 0x1e2
CloseServiceHandle - 0x10012040 0x13cd4 0x12ad4 0x3e
DeleteService - 0x10012044 0x13cd8 0x12ad8 0xaf
ControlService - 0x10012048 0x13cdc 0x12adc 0x42
QueryServiceStatus - 0x1001204c 0x13ce0 0x12ae0 0x1c1
OpenServiceA - 0x10012050 0x13ce4 0x12ae4 0x1ad
OpenSCManagerA - 0x10012054 0x13ce8 0x12ae8 0x1ab
RegSetValueExA - 0x10012058 0x13cec 0x12aec 0x1f9
RegCreateKeyA - 0x1001205c 0x13cf0 0x12af0 0x1cc
RegQueryValueExA - 0x10012060 0x13cf4 0x12af4 0x1ec
RegOpenKeyA - 0x10012064 0x13cf8 0x12af8 0x1e1
CloseEventLog - 0x10012068 0x13cfc 0x12afc 0x3d
ClearEventLogA - 0x1001206c 0x13d00 0x12b00 0x39
OpenEventLogA - 0x10012070 0x13d04 0x12b04 0x1a8
AdjustTokenPrivileges - 0x10012074 0x13d08 0x12b08 0x1c
LookupPrivilegeValueA - 0x10012078 0x13d0c 0x12b0c 0x14d
OpenProcessToken - 0x1001207c 0x13d10 0x12b10 0x1aa
FreeSid - 0x10012080 0x13d14 0x12b14 0xe1
SetSecurityDescriptorDacl - 0x10012084 0x13d18 0x12b18 0x22f
AddAccessAllowedAce - 0x10012088 0x13d1c 0x12b1c 0x10
InitializeAcl - 0x1001208c 0x13d20 0x12b20 0x131
GetLengthSid - 0x10012090 0x13d24 0x12b24 0xf6
AllocateAndInitializeSid - 0x10012094 0x13d28 0x12b28 0x1d
InitializeSecurityDescriptor - 0x10012098 0x13d2c 0x12b2c 0x132
RegEnumValueA - 0x1001209c 0x13d30 0x12b30 0x1d9
RegEnumKeyExA - 0x100120a0 0x13d34 0x12b34 0x1d6
SHELL32.dll (2)
API Name    Ordinal    IAT Address    Thunk RVA    Thunk Offset    Hint
SHGetSpecialFolderPathA - 0x10012320 0x13fb4 0x12db4 0xc4
SHGetFileInfoA - 0x10012324 0x13fb8 0x12db8 0xac
SHLWAPI.dll (1)
API Name    Ordinal    IAT Address    Thunk RVA    Thunk Offset    Hint
SHDeleteKeyA - 0x1001232c 0x13fc0 0x12dc0 0x8d
MSVCRT.dll (25)
API Name    Ordinal    IAT Address    Thunk RVA    Thunk Offset    Hint
_strnicmp - 0x1001228c 0x13f20 0x12d20 0x1c5
_strcmpi - 0x10012290 0x13f24 0x12d24 0x1bd
_adjust_fdiv - 0x10012294 0x13f28 0x12d28 0x9d
_initterm - 0x10012298 0x13f2c 0x12d2c 0x10f
??1type_info@@UAE@XZ - 0x1001229c 0x13f30 0x12d30 0xe
calloc - 0x100122a0 0x13f34 0x12d34 0x240
_beginthreadex - 0x100122a4 0x13f38 0x12d38 0xa6
wcstombs - 0x100122a8 0x13f3c 0x12d3c 0x2f1
atoi - 0x100122ac 0x13f40 0x12d40 0x23d
realloc - 0x100122b0 0x13f44 0x12d44 0x2a7
strncat - 0x100122b4 0x13f48 0x12d48 0x2bf
strncpy - 0x100122b8 0x13f4c 0x12d4c 0x2c1
strrchr - 0x100122bc 0x13f50 0x12d50 0x2c3
_except_handler3 - 0x100122c0 0x13f54 0x12d54 0xca
free - 0x100122c4 0x13f58 0x12d58 0x25e
malloc - 0x100122c8 0x13f5c 0x12d5c 0x291
strchr - 0x100122cc 0x13f60 0x12d60 0x2b7
_CxxThrowException - 0x100122d0 0x13f64 0x12d64 0x41
strstr - 0x100122d4 0x13f68 0x12d68 0x2c5
_ftol - 0x100122d8 0x13f6c 0x12d6c 0xf1
ceil - 0x100122dc 0x13f70 0x12d70 0x241
memmove - 0x100122e0 0x13f74 0x12d74 0x298
__CxxFrameHandler - 0x100122e4 0x13f78 0x12d78 0x49
??3@YAXPAX@Z - 0x100122e8 0x13f7c 0x12d7c 0x10
??2@YAPAXI@Z - 0x100122ec 0x13f80 0x12d80 0xf
WINMM.dll (16)
API Name    Ordinal    IAT Address    Thunk RVA    Thunk Offset    Hint
waveOutClose - 0x10012418 0x140ac 0x12eac 0xb7
waveOutReset - 0x1001241c 0x140b0 0x12eb0 0xc6
waveInClose - 0x10012420 0x140b4 0x12eb4 0xa7
waveInUnprepareHeader - 0x10012424 0x140b8 0x12eb8 0xb5
waveInReset - 0x10012428 0x140bc 0x12ebc 0xb2
waveInStop - 0x1001242c 0x140c0 0x12ec0 0xb4
waveOutWrite - 0x10012430 0x140c4 0x12ec4 0xcc
waveInStart - 0x10012434 0x140c8 0x12ec8 0xb3
waveInAddBuffer - 0x10012438 0x140cc 0x12ecc 0xa6
waveInPrepareHeader - 0x1001243c 0x140d0 0x12ed0 0xb1
waveOutGetNumDevs - 0x10012440 0x140d4 0x12ed4 0xbd
waveInOpen - 0x10012444 0x140d8 0x12ed8 0xb0
waveInGetNumDevs - 0x10012448 0x140dc 0x12edc 0xad
waveOutPrepareHeader - 0x1001244c 0x140e0 0x12ee0 0xc5
waveOutUnprepareHeader - 0x10012450 0x140e4 0x12ee4 0xcb
waveOutOpen - 0x10012454 0x140e8 0x12ee8 0xc3
WS2_32.dll (15)
API Name    Ordinal    IAT Address    Thunk RVA    Thunk Offset    Hint
gethostname 0x39 0x1001245c 0x140f0 0x12ef0 -
send 0x13 0x10012460 0x140f4 0x12ef4 -
select 0x12 0x10012464 0x140f8 0x12ef8 -
WSACleanup 0x74 0x10012468 0x140fc 0x12efc -
WSAIoctl - 0x1001246c 0x14100 0x12f00 0x28
setsockopt 0x15 0x10012470 0x14104 0x12f04 -
connect 0x4 0x10012474 0x14108 0x12f08 -
htons 0x9 0x10012478 0x1410c 0x12f0c -
gethostbyname 0x34 0x1001247c 0x14110 0x12f10 -
socket 0x17 0x10012480 0x14114 0x12f14 -
ntohs 0xf 0x10012484 0x14118 0x12f18 -
recv 0x10 0x10012488 0x1411c 0x12f1c -
getsockname 0x6 0x1001248c 0x14120 0x12f20 -
closesocket 0x3 0x10012490 0x14124 0x12f24 -
WSAStartup 0x73 0x10012494 0x14128 0x12f28 -
MSVCP60.dll (10)
API Name    Ordinal    IAT Address    Thunk RVA    Thunk Offset    Hint
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z - 0x10012260 0x13ef4 0x12cf4 0x34a
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB - 0x10012264 0x13ef8 0x12cf8 0x32d
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB - 0x10012268 0x13efc 0x12cfc 0x661
?_Xran@std@@YAXXZ - 0x1001226c 0x13f00 0x12d00 0x406
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ - 0x10012270 0x13f04 0x12d04 0x3f2
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z - 0x10012274 0x13f08 0x12d08 0x3f8
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z - 0x10012278 0x13f0c 0x12d0c 0x3e9
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z - 0x1001227c 0x13f10 0x12d10 0x392
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z - 0x10012280 0x13f14 0x12d14 0x420
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ - 0x10012284 0x13f18 0x12d18 0xe9
IMM32.dll (3)
API Name    Ordinal    IAT Address    Thunk RVA    Thunk Offset    Hint
ImmReleaseContext - 0x100120d8 0x13d6c 0x12b6c 0x65
ImmGetContext - 0x100120dc 0x13d70 0x12b70 0x35
ImmGetCompositionStringA - 0x100120e0 0x13d74 0x12b74 0x32
WININET.dll (4)
API Name    Ordinal    IAT Address    Thunk RVA    Thunk Offset    Hint
InternetOpenA - 0x10012404 0x14098 0x12e98 0x92
InternetOpenUrlA - 0x10012408 0x1409c 0x12e9c 0x93
InternetReadFile - 0x1001240c 0x140a0 0x12ea0 0x9a
InternetCloseHandle - 0x10012410 0x140a4 0x12ea4 0x69
AVICAP32.dll (2)
API Name    Ordinal    IAT Address    Thunk RVA    Thunk Offset    Hint
capGetDriverDescriptionA - 0x100120a8 0x13d3c 0x12b3c 0x3
capCreateCaptureWindowA - 0x100120ac 0x13d40 0x12b40 0x1
MSVFW32.dll (7)
API Name    Ordinal    IAT Address    Thunk RVA    Thunk Offset    Hint
ICSeqCompressFrame - 0x100122f4 0x13f88 0x12d88 0x26
ICSendMessage - 0x100122f8 0x13f8c 0x12d8c 0x25
ICOpen - 0x100122fc 0x13f90 0x12d90 0x22
ICClose - 0x10012300 0x13f94 0x12d94 0x13
ICCompressorFree - 0x10012304 0x13f98 0x12d98 0x16
ICSeqCompressFrameEnd - 0x10012308 0x13f9c 0x12d9c 0x27
ICSeqCompressFrameStart - 0x1001230c 0x13fa0 0x12da0 0x28
PSAPI.DLL (2)
API Name    Ordinal    IAT Address    Thunk RVA    Thunk Offset    Hint
GetModuleFileNameExA - 0x10012314 0x13fa8 0x12da8 0xe
EnumProcessModules - 0x10012318 0x13fac 0x12dac 0x4
WTSAPI32.dll (2)
API Name    Ordinal    IAT Address    Thunk RVA    Thunk Offset    Hint
WTSFreeMemory - 0x1001249c 0x14130 0x12f30 0x8
WTSQuerySessionInformationA - 0x100124a0 0x14134 0x12f34 0xc
Exports (1)
API Name    EAT Address    Ordinal
ServiceMain    0x9c70    0x1
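The import table of singhy.dll reads like a Gh0st RAT feature list (keyboard hook, screen, webcam and microphone capture, clipboard, process injection, a piped command shell, event-log wiping, LSA secrets, raw TCP plus WinINet), and the single ServiceMain export together with RegisterServiceCtrlHandlerA/SetServiceStatus says it runs as a service DLL, which matches the dropped path under system32. A capa-style way to turn such a table into capability statements is to require sets of imports to co-occur rather than flagging single APIs. The Python below is an added example by the editor, not VMRay's or any project's code: the rule table is the editor's own, the import subset and the WS2_32 ordinal-to-name mapping are copied from this report, and the packed dropper's seven imports are included for contrast.

```python
# WS2_32 imports in the report are by ordinal; this mapping is copied from it.
WS2_32_ORDINALS = {
    0x39: "gethostname", 0x13: "send", 0x12: "select", 0x74: "WSACleanup",
    0x15: "setsockopt", 0x4: "connect", 0x9: "htons", 0x34: "gethostbyname",
    0x17: "socket", 0xF: "ntohs", 0x10: "recv", 0x6: "getsockname",
    0x3: "closesocket", 0x73: "WSAStartup",
}

# Subset of singhy.dll's imports as listed in the report (enough for the rules below).
SINGHY_IMPORTS = {
    "KERNEL32.dll": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                     "CreatePipe", "PeekNamedPipe", "CreateProcessA", "LoadLibraryA", "GetProcAddress"},
    "USER32.dll": {"SetWindowsHookExA", "CallNextHookEx", "GetKeyNameTextA", "GetDC",
                   "mouse_event", "keybd_event", "BlockInput"},
    "GDI32.dll": {"CreateCompatibleDC", "BitBlt", "GetDIBits"},
    "ADVAPI32.dll": {"RegisterServiceCtrlHandlerA", "SetServiceStatus", "ClearEventLogA",
                     "LsaRetrievePrivateData"},
    "WINMM.dll": {"waveInOpen", "waveInStart"},
    "AVICAP32.dll": {"capCreateCaptureWindowA"},
    "WININET.dll": {"InternetOpenUrlA", "InternetReadFile"},
    "WS2_32.dll": {0x17, 0x4, 0x13, 0x10, 0x34, "WSAIoctl"},   # ordinals as in the report
}
SINGHY_EXPORTS = {"ServiceMain"}

# The packed dropper imports only these seven names (report, Imports (5)).
DROPPER_IMPORTS = {
    "kernel32.dll": {"GetProcAddress", "GetModuleHandleA", "LoadLibraryA"},
    "user32.dll": {"GetInputState"}, "advapi32.dll": {"RegOpenKeyExA"},
    "msvcrt.dll": {"_XcptFilter"}, "netapi32.dll": {"NetUserGetLocalGroups"},
}

# Editor's rules: every (module, name) pair must be present; "export" pairs need an export.
RULES = {
    "process injection": [("kernel32", "OpenProcess"), ("kernel32", "VirtualAllocEx"),
                          ("kernel32", "WriteProcessMemory"), ("kernel32", "CreateRemoteThread")],
    "command shell over pipes": [("kernel32", "CreatePipe"), ("kernel32", "PeekNamedPipe"),
                                 ("kernel32", "CreateProcessA")],
    "keystroke hook": [("user32", "SetWindowsHookExA"), ("user32", "CallNextHookEx"),
                       ("user32", "GetKeyNameTextA")],
    "screen capture": [("user32", "GetDC"), ("gdi32", "CreateCompatibleDC"),
                       ("gdi32", "BitBlt"), ("gdi32", "GetDIBits")],
    "webcam capture": [("avicap32", "capCreateCaptureWindowA")],
    "microphone capture": [("winmm", "waveInOpen"), ("winmm", "waveInStart")],
    "remote input control": [("user32", "mouse_event"), ("user32", "keybd_event"), ("user32", "BlockInput")],
    "service DLL": [("advapi32", "RegisterServiceCtrlHandlerA"), ("advapi32", "SetServiceStatus"),
                    ("export", "ServiceMain")],
    "event log wiping": [("advapi32", "ClearEventLogA")],
    "LSA secrets access": [("advapi32", "LsaRetrievePrivateData")],
    "HTTP download": [("wininet", "InternetOpenUrlA"), ("wininet", "InternetReadFile")],
    "raw TCP client": [("ws2_32", "socket"), ("ws2_32", "connect"), ("ws2_32", "send"), ("ws2_32", "recv")],
    "runtime API resolution": [("kernel32", "LoadLibraryA"), ("kernel32", "GetProcAddress")],
}


def normalize(imports, exports=()):
    """Lower-cased module names without extension, ordinals resolved where a table exists."""
    have = set()
    for dll, apis in imports.items():
        dll = dll.lower()
        if dll.endswith(".dll"):
            dll = dll[:-4]
        for api in apis:
            if isinstance(api, int):
                api = WS2_32_ORDINALS.get(api, f"ord{api}") if dll == "ws2_32" else f"ord{api}"
            have.add((dll, api))
    have.update(("export", e) for e in exports)
    return have


def match_capabilities(imports, exports=()):
    """Names of every rule whose required imports/exports are all present."""
    have = normalize(imports, exports)
    return sorted(cap for cap, needs in RULES.items() if all(n in have for n in needs))


def missing_for(imports, capability, exports=()):
    """Required pairs a sample lacks for one rule, for checking near-misses."""
    have = normalize(imports, exports)
    return [n for n in RULES[capability] if n not in have]


if __name__ == "__main__":
    print("singhy.dll:", match_capabilities(SINGHY_IMPORTS, SINGHY_EXPORTS))
    print("dropper   :", match_capabilities(DROPPER_IMPORTS))
```

The dropper only matches the runtime-resolution rule, which is the expected picture for an ASPack stub: the real import table is rebuilt in memory after unpacking, so static import rules belong on the unpacked dump or the dropped DLL, not on the packed sample.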
YARA Matches (1)
Rule Name    Rule Description    Classification    Score
GhostDragon_Gh0stRAT    Gh0st RAT    Backdoor    5/5
14605e87c5ef7fab67a7626e64bf1020d79730298eec36b8791d40af709b0759    Embedded File    Binary    malicious
Parent File C:\Windows\system32\singhy.dll
MIME Type application/vnd.microsoft.portable-executable
File Size 2.75 KB
MD5 84d6750d18c2084acd3f2f1436c7624c
SHA1 3cb4cf3e25e7723e8c993c8f52567158153ec9c0
SHA256 14605e87c5ef7fab67a7626e64bf1020d79730298eec36b8791d40af709b0759
SSDeep 24:enGSZwZG9lTNWEKptrO6omxqgvc09f2NFf4GrtCQNWdWVxzYRwwyEh:IZwZGEEB5M4ggprYWVpYRVp
ImpHash 97a8fcb81cca995ded498133c0d6f73a
File Reputation Information
Verdict    malicious
AV Matches (1)
Threat Name    Verdict
Rootkit.Agent.XN    malicious
PE Information
Image Base 0x10000
Entry Point 0x10885
Size Of Code 0x480
Size Of Initialized Data 0x200
File Type executable
Subsystem native
Machine Type i386
Compile Timestamp 2008-05-17 12:46:41+00:00
Sections (5)
Name    Virtual Address  Virtual Size  Raw Data Size  Raw Data Offset  Entropy  Flags
.text   0x10480          0x234         0x280          0x480            5.3      IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x10700          0xf4          0x100          0x700            3.35     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.data   0x10800          0x20          0x80           0x800            0.38     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
INIT    0x10880          0x192         0x200          0x880            4.32     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc  0x10a80          0x64          0x80           0xa80            3.33     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Imports (1)
ntoskrnl.exe (11)
API Name    Ordinal    IAT Address    Thunk RVA    Thunk Offset    Hint
IofCompleteRequest - 0x10700 0x8f4 0x8f4 0x1e0
IoDeleteDevice - 0x10704 0x8f8 0x8f8 0x14e
IoDeleteSymbolicLink - 0x10708 0x8fc 0x8fc 0x150
KeServiceDescriptorTable - 0x1070c 0x900 0x900 0x24f
ProbeForWrite - 0x10710 0x904 0x904 0x341
ProbeForRead - 0x10714 0x908 0x908 0x340
_except_handler3 - 0x10718 0x90c 0x90c 0x581
IoCreateSymbolicLink - 0x1071c 0x910 0x910 0x146
IoCreateDevice - 0x10720 0x914 0x914 0x13d
RtlInitUnicodeString - 0x10724 0x918 0x918 0x419
KeTickCount - 0x10728 0x91c 0x91c 0x263
c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\inetcache\counters.dat    Dropped File    Stream    clean (known to be clean)
MIME Type application/octet-stream
File Size 128 Bytes
MD5 f09f35a5637839458e462e6350ecbce4
SHA1 0ae4f711ef5d6e9d26c611fd2c8c8ac45ecbf9e7
SHA256 38723a2e5e8a17aa7950dc008209944e898f69a7bd10a23c839d341e935fd5ca
SSDeep 3::
ImpHash -
c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\inetcache\ie\me[1].jpg    Downloaded File    Text    clean
MIME Type text/plain
File Size 44 Bytes
MD5 006c1ff1ca2fe89b20323ef6411083ee
SHA1 197aef8126ae4d0cd4c3543fad16dda3d9c2ee22
SHA256 f26af5e9fa339611a246a7d0ced2e3f9fdcedeeffba5761ec372b0cf3bad9e1b
SSDeep 3:ttCf0pHcFUYaOtEn:jCfKHcuC2
ImpHash -