Verdict: Malicious

Classifications: Spyware, Injector

Threat Names: FormBook, XLoader

Remarks (2/2)

(0x0200000E): The overall sleep time of all monitored processes was truncated from "11 minutes, 55 seconds" to "317.0 milliseconds" to reveal dormant functionality.

(0x02000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

Files

File Name: C:\Users\kEecfMwgj\AppData\Roaming\pyXtVwnfNqei.exe
Category: Sample File
Type: Binary
Verdict: Malicious
Also Known As: C:\Users\kEecfMwgj\Desktop\Product List -Pictures-Specifications-pdf.exe (Sample File, Accessed File, VM File)
MIME Type: application/vnd.microsoft.portable-executable
File Size: 700.50 KB
MD5: a49e21ca471ae32c98fbc5bb773ece59
SHA1: 28ed0791915795d94d7092c502e2d871950a92c1
SHA256: 0821dcc73bae68da14a14dd1fd32b614792d213df171f4e2477e1bbaadc6dbc5
SSDeep: 12288:R9Bjx7+JNLIh1QfW7qshKHsGUiuCD4SBMtZdGlxtIctjKaU0jYBchHa0kR:R70JlMQxwKoJZSBMgtXU0cWhq
ImpHash: f34d5f2d4577ed6d9ceec516c1f5a744
PE Information

Image Base: 0x00400000
Entry Point: 0x004AC672
Size Of Code: 0x000AA800
Size Of Initialized Data: 0x00001200
File Type: IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type: IMAGE_FILE_MACHINE_I386
Compile Timestamp: 2025-01-24 05:16 (UTC+1)
Version Information (11)

Comments: PDF document
CompanyName: Adobe Reader
FileDescription: Microsoft PDF Document
FileVersion: 2.0.0.781
InternalName: zOvu.exe
LegalCopyright: Adobe Inc. All rights reserved
LegalTrademarks: PDF document
OriginalFilename: zOvu.exe
ProductName: Adobe Reader
ProductVersion: 2.0.0.781
Assembly Version: 2.0.0.781
Sections (3)

Name    Virtual Address  Virtual Size  Raw Data Size  Raw Data Offset  Flags                                                                                   Entropy
.text   0x00402000       0x000AA678    0x000AA800     0x00000200       IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ                           7.69
.rsrc   0x004AE000       0x00000E88    0x00001000     0x000AAA00       IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                                      6.33
.reloc  0x004B0000       0x0000000C    0x00000200     0x000ABA00       IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ          0.1
Imports (1)

mscoree.dll (1)

API Name     Ordinal  IAT Address  Thunk RVA   Thunk Offset  Hint
_CorExeMain  -        0x00402000   0x000AC648  0x000AA848    0x00000000
Digital Signature Information

Verification Status: Failed

Certificate: Simon Tatham
Issued by: Simon Tatham
Parent Certificate: COMODO RSA Code Signing CA
Country Name: GB
Valid From: 2018-11-13 01:00 (UTC+1)
Valid Until: 2021-11-09 00:59 (UTC+1)
Algorithm: sha256_rsa
Serial Number: 7C 11 18 CB BA DC 95 DA 37 52 C4 6E 47 A2 74 38
Thumbprint: 5B 9E 27 3C F1 19 41 FD 8C 6B E3 F0 38 C4 79 7B BE 88 42 68

Certificate: COMODO RSA Code Signing CA
Issued by: COMODO RSA Code Signing CA
Parent Certificate: COMODO RSA Certification Authority
Country Name: GB
Valid From: 2013-05-09 02:00 (UTC+2)
Valid Until: 2028-05-09 01:59 (UTC+2)
Algorithm: sha384_rsa
Serial Number: 2E 7C 87 CC 0E 93 4A 52 FE 94 FD 1C B7 CD 34 AF
Thumbprint: B6 9E 75 2B BE 88 B4 45 82 00 A7 C0 F4 F5 B3 CC E6 F3 5B 47

Certificate: COMODO RSA Certification Authority
Issued by: COMODO RSA Certification Authority
Country Name: GB
Valid From: 2010-01-19 01:00 (UTC+1)
Valid Until: 2038-01-19 00:59 (UTC+1)
Algorithm: sha384_rsa
Serial Number: 4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D
Thumbprint: AF E5 D2 44 A8 D1 19 42 30 FF 47 9F E2 F8 97 BB CD 7A 8C B4
Memory Dumps (7)

Name                                           Process ID  Start VA    End VA      Dump Reason                        PE Rebuild  Bitness  Entry Point  YARA
product list -pictures-specifications-pdf.exe  1           0x00360000  0x00411FFF  Relevant Image                     False       32-bit   -            False
buffer                                         1           0x00340000  0x00357FFF  Reflectively Loaded .NET Assembly  False       32-bit   -            False
product list -pictures-specifications-pdf.exe  1           0x00360000  0x00411FFF  Final Dump                         False       32-bit   -            False
product list -pictures-specifications-pdf.exe  1           0x00360000  0x00411FFF  Process Termination                False       32-bit   -            False
pyxtvwnfnqei.exe                               39          0x00D40000  0x00DF1FFF  Relevant Image                     False       32-bit   -            False
buffer                                         39          0x00B10000  0x00B27FFF  Reflectively Loaded .NET Assembly  False       32-bit   -            False
pyxtvwnfnqei.exe                               39          0x00D40000  0x00DF1FFF  Process Termination                False       32-bit   -            False
File Name: c:\users\keecfmwgj\appdata\local\gdipfontcachev1.dat
Category: Dropped File
Type: Stream
Verdict: Clean
MIME Type: application/octet-stream
File Size: 108.52 KB
MD5: 31b80c41f2319f8917c559727e143d6c
SHA1: be537904e579a926e9240e4142bff9aaf9c71c2f
SHA256: 70b011b2e0c27eb816611271475bf5e1cb34ee51b944d36ca309f96feed41bc1
SSDeep: 768:EU3VHXvjI3HgTllu90RXwSww+nO/fHBBpWkJJpiKNEIa0pWDiAl4eBXooF4:JXvs3HgTllubO/fckJJpiKNGCAtZF
ImpHash: -

File Name: c:\users\keecfmwgj\appdata\local\gdipfontcachev1.dat
Category: Dropped File
Type: Stream
Verdict: Clean
MIME Type: application/octet-stream
File Size: 8.03 KB
MD5: 72fb647b2d0483e680783b144fe9cc8a
SHA1: a91a706ae2b1d6070e2d68c42dfa487baa906731
SHA256: 2be64981c880589971a44f69e41bd016120f06a6475e3ba3aed629edeaecc8a9
SSDeep: 3:5tmlNlv08s:5tmi8s
ImpHash: -

File Name: C:\Users\kEecfMwgj\AppData\Local\Temp\tmp32A3.tmp
Category: Dropped File
Type: Text
Verdict: Clean
Also Known As: C:\Users\kEecfMwgj\AppData\Local\Temp\tmpD57E.tmp (Dropped File, Accessed File)
MIME Type: text/xml
File Size: 1.56 KB
MD5: 284a33d6c9b2f19dc163e373e6ccdc68
SHA1: 8787e76a53dd3502a1f966c30b08dc4693cd8b87
SHA256: 5c0f4d42f8b09d4d092943b2818831174c7ecf45edc79c20c3b37c2f8f7bec8b
SSDeep: 48:cgeD1N14YrFdOFzOzN33ODOiDdKrsuTysv:HeD1gYrFdOFzOz6dKrsuGC
ImpHash: -

File Name: 561153de6542ee6624227fa63d6a2e166edd8cb5880b57b9c97856cba2809558
Category: Extracted File
Type: Image
Verdict: Clean
Parent File: C:\Users\kEecfMwgj\AppData\Roaming\pyXtVwnfNqei.exe
MIME Type: image/png
File Size: 2.47 KB
MD5: 83ab8063f39d4e8d25da21ad77ad4108
SHA1: 2bc6ec71d829d97f1755bfb8f4bfc8d4ada503b4
SHA256: 561153de6542ee6624227fa63d6a2e166edd8cb5880b57b9c97856cba2809558
SSDeep: 48:J/6AivR2bzEoOPheJtrXd4CGfFeSiwJUrl9soSSuvEL5UDKSscz2VlyXhLiILj6F:JShG4N2tXdDGfFXi5l2oSsL5CXhZj6S+
ImpHash: -
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.

Screenshot