d00ee0e6...12a6 | VTI
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Hacktool, Trojan, Dropper, Exploit

d00ee0e6eab686424f8d383e151d22005f19adbda5b380a75669629e32fe12a6 (SHA256)

out.exe

Windows Exe (x86-32)

Created 6 years ago

...

Notifications (2/3)

Every worker has a preconfigured RAM disk size for temporary changes for all VMs and analyses. During this analysis, the amount of free RAM disk space dropped to a value below the minimum configured level, and as an result, the analysis was terminated prematurely.

The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.

The operating system was rebooted during the analysis.

Severity Category Operation Classification
5/5
Device Writes to Master Boot Record (MBR) -
5/5
YARA YARA match Hacktool
  • Rule "EquationGroup_Toolset_Apr17_Erraticgopher_1_0_1" from ruleset "APTs" has matched for "c:\windows\temp\svchostbs.exe"
    ...
  • Rule "ChineseHacktools_WinEggDrop" from ruleset "Hacktools" has matched for "\Users\5p5NrGJn0jS HALPmcxz\Desktop\out.exe"
    ...
4/5
File System Known malicious file Trojan, Exploit
  • File "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\out.exe" is a known malicious file.
    ...
2/5
Anti Analysis Resolves APIs dynamically to possibly evade static detection -
2/5
Network Attempts to connect to unavailable TCP servers -
2/5
File System Known suspicious file Hacktool
1/5
File System Modifies operating system directory -
  • Creates file "c:\windows\temp\KillDuplicate.cmd" in the OS directory.
    ...
1/5
Process Creates process with hidden window -
  • The process "C:\Windows\system32\cmd.exe" starts with hidden window.
    ...
1/5
Process Reads from memory of another process -
  • "c:\windows\temp\m64.exe" reads from "c:\windows\system32\lsass.exe".
    ...
1/5
Network Performs DNS request -
1/5
Static Unparsable sections in file -
  • Static analyzer was unable to completely parse the analyzed file: c:\windows\temp\svchostp.exe.
    ...
1/5
PE The PE file was created with a packer -
1/5
PE Drops PE file Dropper
1/5
PE Executes dropped PE file -
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image