APT27,Iron Tiger | 506c946ecc08

Remarks

Maximum Dump Total Size Reached (0x0200005D): 92 additional dumps with the reason "Content Changed" and a total of 303 MB were skipped because the respective maximum limit was reached.

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\RDhJ0CNFevzX\Desktop\dhl-lvse.exe

Sample File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	60.06 KB
MD5	e3a85d48bf8710f3d038d9d8d4fc6ff1
SHA1	67fc0fd066d898a93966c0d5d71e7e71ba478db0
SHA256	506c946ecc0877b13de8fb977de24a7b9e14054d44ca547e518084c914334a6b
SSDeep	768:3e1iZNbQAKrWGOkGQeN70ZqL37FsKBBmbUt4i:36iZNer5GQvkSath
ImpHash	45faf44fe201670daca333d176faea38

File Reputation Information

Verdict	Malicious
Names	Mal/Generic-S

PE Information

Image Base	0x00400000
Entry Point	0x00403644
Size Of Code	0x00008000
Size Of Initialized Data	0x00006000
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2015-04-13 11:40 (UTC)

Sections (5)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00401000	0x0000713A	0x00008000	0x00001000	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.12
.rdata	0x00409000	0x000005A0	0x00001000	0x00009000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	2.19
.data	0x0040A000	0x00002E04	0x00003000	0x0000A000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0.84
.idata	0x0040D000	0x00000678	0x00001000	0x0000D000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	2.6
.reloc	0x0040E000	0x00000724	0x00001000	0x0000E000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	3.69

Imports (3)

imagehlp.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
MakeSureDirectoryPathExists	-	0x0040D238	0x0000D140	0x0000D140	0x0000001E

WININET.dll (4)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
InternetOpenA	-	0x0040D224	0x0000D12C	0x0000D12C	0x00000092
InternetOpenUrlA	-	0x0040D228	0x0000D130	0x0000D130	0x00000093
InternetReadFile	-	0x0040D22C	0x0000D134	0x0000D134	0x0000009A
InternetCloseHandle	-	0x0040D230	0x0000D138	0x0000D138	0x00000069

KERNEL32.dll (54)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
ExitProcess	-	0x0040D148	0x0000D050	0x0000D050	0x000000B9
GetStringTypeW	-	0x0040D14C	0x0000D054	0x0000D054	0x000001BD
GetStringTypeA	-	0x0040D150	0x0000D058	0x0000D058	0x000001BA
LCMapStringW	-	0x0040D154	0x0000D05C	0x0000D05C	0x00000245
LCMapStringA	-	0x0040D158	0x0000D060	0x0000D060	0x00000244
MultiByteToWideChar	-	0x0040D15C	0x0000D064	0x0000D064	0x00000275
SetConsoleCtrlHandler	-	0x0040D160	0x0000D068	0x0000D068	0x000002EE
HeapAlloc	-	0x0040D164	0x0000D06C	0x0000D06C	0x00000210
GetProcessHeap	-	0x0040D168	0x0000D070	0x0000D070	0x000001A3
VirtualAlloc	-	0x0040D16C	0x0000D074	0x0000D074	0x00000381
VirtualProtect	-	0x0040D170	0x0000D078	0x0000D078	0x00000386
VirtualFree	-	0x0040D174	0x0000D07C	0x0000D07C	0x00000383
GetProcAddress	-	0x0040D178	0x0000D080	0x0000D080	0x000001A0
LoadLibraryA	-	0x0040D17C	0x0000D084	0x0000D084	0x00000252
IsBadReadPtr	-	0x0040D180	0x0000D088	0x0000D088	0x00000233
HeapFree	-	0x0040D184	0x0000D08C	0x0000D08C	0x00000216
FreeLibrary	-	0x0040D188	0x0000D090	0x0000D090	0x000000F8
CloseHandle	-	0x0040D18C	0x0000D094	0x0000D094	0x00000034
WriteFile	-	0x0040D190	0x0000D098	0x0000D098	0x000003A4
CreateFileA	-	0x0040D194	0x0000D09C	0x0000D09C	0x00000053
ReadFile	-	0x0040D198	0x0000D0A0	0x0000D0A0	0x000002B5
GetFileSize	-	0x0040D19C	0x0000D0A4	0x0000D0A4	0x00000163
SetFilePointer	-	0x0040D1A0	0x0000D0A8	0x0000D0A8	0x0000031B
Sleep	-	0x0040D1A4	0x0000D0AC	0x0000D0AC	0x00000356
HeapReAlloc	-	0x0040D1A8	0x0000D0B0	0x0000D0B0	0x0000021A
RtlUnwind	-	0x0040D1AC	0x0000D0B4	0x0000D0B4	0x000002D7
RaiseException	-	0x0040D1B0	0x0000D0B8	0x0000D0B8	0x000002A7
GetModuleHandleA	-	0x0040D1B4	0x0000D0BC	0x0000D0BC	0x0000017F
GetStartupInfoA	-	0x0040D1B8	0x0000D0C0	0x0000D0C0	0x000001B7
GetCommandLineA	-	0x0040D1BC	0x0000D0C4	0x0000D0C4	0x00000110
GetVersion	-	0x0040D1C0	0x0000D0C8	0x0000D0C8	0x000001E8
IsBadWritePtr	-	0x0040D1C4	0x0000D0CC	0x0000D0CC	0x00000236
GetModuleFileNameA	-	0x0040D1C8	0x0000D0D0	0x0000D0D0	0x0000017D
GetEnvironmentVariableA	-	0x0040D1CC	0x0000D0D4	0x0000D0D4	0x00000158
GetVersionExA	-	0x0040D1D0	0x0000D0D8	0x0000D0D8	0x000001E9
HeapDestroy	-	0x0040D1D4	0x0000D0DC	0x0000D0DC	0x00000214
HeapCreate	-	0x0040D1D8	0x0000D0E0	0x0000D0E0	0x00000212
SetUnhandledExceptionFilter	-	0x0040D1DC	0x0000D0E4	0x0000D0E4	0x0000034A
TerminateProcess	-	0x0040D1E0	0x0000D0E8	0x0000D0E8	0x0000035E
GetCurrentProcess	-	0x0040D1E4	0x0000D0EC	0x0000D0EC	0x00000142
UnhandledExceptionFilter	-	0x0040D1E8	0x0000D0F0	0x0000D0F0	0x0000036E
FreeEnvironmentStringsA	-	0x0040D1EC	0x0000D0F4	0x0000D0F4	0x000000F6
FreeEnvironmentStringsW	-	0x0040D1F0	0x0000D0F8	0x0000D0F8	0x000000F7
WideCharToMultiByte	-	0x0040D1F4	0x0000D0FC	0x0000D0FC	0x00000394
GetEnvironmentStrings	-	0x0040D1F8	0x0000D100	0x0000D100	0x00000155
GetEnvironmentStringsW	-	0x0040D1FC	0x0000D104	0x0000D104	0x00000157
SetHandleCount	-	0x0040D200	0x0000D108	0x0000D108	0x00000324
GetStdHandle	-	0x0040D204	0x0000D10C	0x0000D10C	0x000001B9
GetFileType	-	0x0040D208	0x0000D110	0x0000D110	0x00000166
IsBadCodePtr	-	0x0040D20C	0x0000D114	0x0000D114	0x00000230
GetCPInfo	-	0x0040D210	0x0000D118	0x0000D118	0x00000104
GetACP	-	0x0040D214	0x0000D11C	0x0000D11C	0x000000FD
GetOEMCP	-	0x0040D218	0x0000D120	0x0000D120	0x00000193
GetLastError	-	0x0040D21C	0x0000D124	0x0000D124	0x00000171

Memory Dumps (33)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
dhl-lvse.exe	1	0x00400000	0x0040EFFF	Relevant Image	32-bit	0x0040518F	... Actions Go to Process Download Dump
buffer	1	0x00199000	0x0019FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
dhl-lvse.exe	1	0x00400000	0x0040EFFF	First Network Behavior	32-bit	0x00402C40	... Actions Go to Process Download Dump
counters.dat	1	0x00710000	0x00710FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x10000000	0x1034AFFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x10000000	0x1034AFFF	First Execution	32-bit	0x10348DF0	... Actions Go to Process Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x100289A5	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x10022730	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x10065EF0	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x10067B30	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x1006A050	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x100023A0	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x1000A800	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x1000CBC0	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x10012270	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x1001B6C0	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x1001D500	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x10007890	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x10006710	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x10004960	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x100128F0	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x10003E50	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x10005E61	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x10004040	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x10005E61	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x10004040	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x10004040	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x100040FB	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x10005E61	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x10004040	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x10000000	0x1034AFFF	Content Changed	32-bit	0x10004040	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x027D0000	0x0280CFFF	Image In Buffer	32-bit	-	... Actions Go to Process Download Dump
dhl-lvse.exe	1	0x00400000	0x0040EFFF	Final Dump	32-bit	-	... Actions Go to Process Download Dump

C:\Program Files\AppPatch\8.77.dll

Downloaded File

Stream

Also Known As	8.77.dll (Downloaded File) c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\sxga2vja\8.77[1].dll (Extracted File, Downloaded File)
MIME Type	application/octet-stream
File Size	240.03 KB
MD5	0a74e0bffbce3cc5466796739cfdeb44
SHA1	c3b50df0a1de18b7053bff1b0293f5512f824055
SHA256	cdabc33a27b23c2060637193a4cbad94e16d31e6a4df7d67bdc6b63c1d056b30
SSDeep	6144:E1w+HzW2d3ivIkXcRlfW08ALYmvI+7m5WMq:1+HzJd3gBifoALfI+i9q
ImpHash	-

c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat

Modified File

Stream

MIME Type	application/octet-stream
File Size	128 Bytes
MD5	cc90851958032b8c8bbb7b24ec6271dd
SHA1	e027ad2ea4049374a3b01af2e3626b667dc816bc
SHA256	c2d814a34b184b7cdf10e4e7a4311ff15db99326d6dd8d328b53bf9e19ccf858
SSDeep	3:Fl:
ImpHash	-

Remarks (1/1)

Remarks

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information