d51fa8b0...9135 | Files
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: -
Threat Names:
Generic.Ransom.Buhtrap.B55F719F
Generic.Ransom.Buhtrap.24E9F485
Generic.Ransom.Buhtrap.5EB69276

CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe

Windows Exe (x86-32)

Created at 2020-01-20T20:01:00

...

Remarks (1/1)

(0x02000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

Filters:
Filename Category Type Severity Actions
C:\Users\FD1HVy\Desktop\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe Sample File Binary
Malicious
...
»
Mime Type application/vnd.microsoft.portable-executable
File Size 378.86 KB
MD5 f9b3b185b1538fa9c5b0c4e43b05f396 Copy to Clipboard
SHA1 fc5eb4f7d59ab7ac7a542fd383d252c31f3c91e0 Copy to Clipboard
SHA256 d51fa8b0bd6f3f95c54c44c5c35c0a12ad6b9a8a573d9488168e40a98c439135 Copy to Clipboard
SSDeep 6144:2ia1vcaEre+HPsKSAzG44DQFu/U3buRKlemZ9DnGAeWBJR1+Gd:2HcthvzSAx4DQFu/U3buRKlemZ9DnGA3 Copy to Clipboard
ImpHash 8acb34bed3caa60cae3f08f75d53f727 Copy to Clipboard
PE Information
»
Image Base 0x400000
Entry Point 0x4305dc
Size Of Code 0x2ea00
Size Of Initialized Data 0x8400
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2020-01-16 01:10:38+00:00
Packer BobSoft Mini Delphi -> BoB / BobSoft
Sections (9)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x2d3c0 0x2d400 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.61
.itext 0x42f000 0x15f8 0x1600 0x2d800 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 7.78
.data 0x431000 0x1754 0x1800 0x2ee00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.08
.bss 0x433000 0x104d4c 0x0 0x30600 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
.idata 0x538000 0x14e6 0x1600 0x30600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.91
.tls 0x53a000 0xc 0x0 0x31c00 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
.rdata 0x53b000 0x18 0x200 0x31c00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.21
.reloc 0x53c000 0x2930 0x2a00 0x31e00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.65
.rsrc 0x53f000 0x29dc 0x2a00 0x34800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.1
Imports (15)
»
oleaut32.dll (3)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SysFreeString 0x0 0x538458 0x138140 0x30740 0x0
SysReAllocStringLen 0x0 0x53845c 0x138144 0x30744 0x0
SysAllocStringLen 0x0 0x538460 0x138148 0x30748 0x0
advapi32.dll (3)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegQueryValueExA 0x0 0x538468 0x138150 0x30750 0x0
RegOpenKeyExA 0x0 0x53846c 0x138154 0x30754 0x0
RegCloseKey 0x0 0x538470 0x138158 0x30758 0x0
user32.dll (5)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetKeyboardType 0x0 0x538478 0x138160 0x30760 0x0
DestroyWindow 0x0 0x53847c 0x138164 0x30764 0x0
LoadStringA 0x0 0x538480 0x138168 0x30768 0x0
MessageBoxA 0x0 0x538484 0x13816c 0x3076c 0x0
CharNextA 0x0 0x538488 0x138170 0x30770 0x0
kernel32.dll (33)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetACP 0x0 0x538490 0x138178 0x30778 0x0
Sleep 0x0 0x538494 0x13817c 0x3077c 0x0
VirtualFree 0x0 0x538498 0x138180 0x30780 0x0
VirtualAlloc 0x0 0x53849c 0x138184 0x30784 0x0
GetTickCount 0x0 0x5384a0 0x138188 0x30788 0x0
QueryPerformanceCounter 0x0 0x5384a4 0x13818c 0x3078c 0x0
GetCurrentThreadId 0x0 0x5384a8 0x138190 0x30790 0x0
InterlockedDecrement 0x0 0x5384ac 0x138194 0x30794 0x0
InterlockedIncrement 0x0 0x5384b0 0x138198 0x30798 0x0
VirtualQuery 0x0 0x5384b4 0x13819c 0x3079c 0x0
WideCharToMultiByte 0x0 0x5384b8 0x1381a0 0x307a0 0x0
MultiByteToWideChar 0x0 0x5384bc 0x1381a4 0x307a4 0x0
lstrlenA 0x0 0x5384c0 0x1381a8 0x307a8 0x0
lstrcpynA 0x0 0x5384c4 0x1381ac 0x307ac 0x0
LoadLibraryExA 0x0 0x5384c8 0x1381b0 0x307b0 0x0
GetThreadLocale 0x0 0x5384cc 0x1381b4 0x307b4 0x0
GetStartupInfoA 0x0 0x5384d0 0x1381b8 0x307b8 0x0
GetProcAddress 0x0 0x5384d4 0x1381bc 0x307bc 0x0
GetModuleHandleA 0x0 0x5384d8 0x1381c0 0x307c0 0x0
GetModuleFileNameA 0x0 0x5384dc 0x1381c4 0x307c4 0x0
GetLocaleInfoA 0x0 0x5384e0 0x1381c8 0x307c8 0x0
GetCommandLineA 0x0 0x5384e4 0x1381cc 0x307cc 0x0
FreeLibrary 0x0 0x5384e8 0x1381d0 0x307d0 0x0
FindFirstFileA 0x0 0x5384ec 0x1381d4 0x307d4 0x0
FindClose 0x0 0x5384f0 0x1381d8 0x307d8 0x0
ExitProcess 0x0 0x5384f4 0x1381dc 0x307dc 0x0
ExitThread 0x0 0x5384f8 0x1381e0 0x307e0 0x0
CreateThread 0x0 0x5384fc 0x1381e4 0x307e4 0x0
WriteFile 0x0 0x538500 0x1381e8 0x307e8 0x0
UnhandledExceptionFilter 0x0 0x538504 0x1381ec 0x307ec 0x0
RtlUnwind 0x0 0x538508 0x1381f0 0x307f0 0x0
RaiseException 0x0 0x53850c 0x1381f4 0x307f4 0x0
GetStdHandle 0x0 0x538510 0x1381f8 0x307f8 0x0
kernel32.dll (4)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
TlsSetValue 0x0 0x538518 0x138200 0x30800 0x0
TlsGetValue 0x0 0x53851c 0x138204 0x30804 0x0
LocalAlloc 0x0 0x538520 0x138208 0x30808 0x0
GetModuleHandleA 0x0 0x538524 0x13820c 0x3080c 0x0
user32.dll (14)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
TranslateMessage 0x0 0x53852c 0x138214 0x30814 0x0
PeekMessageA 0x0 0x538530 0x138218 0x30818 0x0
MsgWaitForMultipleObjects 0x0 0x538534 0x13821c 0x3081c 0x0
MessageBoxA 0x0 0x538538 0x138220 0x30820 0x0
LoadStringA 0x0 0x53853c 0x138224 0x30824 0x0
GetSystemMetrics 0x0 0x538540 0x138228 0x30828 0x0
DispatchMessageA 0x0 0x538544 0x13822c 0x3082c 0x0
CharNextW 0x0 0x538548 0x138230 0x30830 0x0
CharLowerBuffW 0x0 0x53854c 0x138234 0x30834 0x0
CharNextA 0x0 0x538550 0x138238 0x30838 0x0
CharLowerBuffA 0x0 0x538554 0x13823c 0x3083c 0x0
CharLowerA 0x0 0x538558 0x138240 0x30840 0x0
CharUpperA 0x0 0x53855c 0x138244 0x30844 0x0
CharToOemA 0x0 0x538560 0x138248 0x30848 0x0
mpr.dll (3)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WNetOpenEnumW 0x0 0x538568 0x138250 0x30850 0x0
WNetEnumResourceW 0x0 0x53856c 0x138254 0x30854 0x0
WNetCloseEnum 0x0 0x538570 0x138258 0x30858 0x0
kernel32.dll (82)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WriteProcessMemory 0x0 0x538578 0x138260 0x30860 0x0
WriteFile 0x0 0x53857c 0x138264 0x30864 0x0
WaitForSingleObject 0x0 0x538580 0x138268 0x30868 0x0
VirtualQuery 0x0 0x538584 0x13826c 0x3086c 0x0
VirtualAllocEx 0x0 0x538588 0x138270 0x30870 0x0
TerminateThread 0x0 0x53858c 0x138274 0x30874 0x0
TerminateProcess 0x0 0x538590 0x138278 0x30878 0x0
SetLastError 0x0 0x538594 0x13827c 0x3087c 0x0
SetFileTime 0x0 0x538598 0x138280 0x30880 0x0
SetFilePointer 0x0 0x53859c 0x138284 0x30884 0x0
SetFileAttributesW 0x0 0x5385a0 0x138288 0x30888 0x0
SetEvent 0x0 0x5385a4 0x13828c 0x3088c 0x0
SetEndOfFile 0x0 0x5385a8 0x138290 0x30890 0x0
ResumeThread 0x0 0x5385ac 0x138294 0x30894 0x0
ResetEvent 0x0 0x5385b0 0x138298 0x30898 0x0
ReadFile 0x0 0x5385b4 0x13829c 0x3089c 0x0
OpenProcess 0x0 0x5385b8 0x1382a0 0x308a0 0x0
MoveFileW 0x0 0x5385bc 0x1382a4 0x308a4 0x0
LoadLibraryA 0x0 0x5385c0 0x1382a8 0x308a8 0x0
LeaveCriticalSection 0x0 0x5385c4 0x1382ac 0x308ac 0x0
InitializeCriticalSection 0x0 0x5385c8 0x1382b0 0x308b0 0x0
GlobalUnlock 0x0 0x5385cc 0x1382b4 0x308b4 0x0
GlobalReAlloc 0x0 0x5385d0 0x1382b8 0x308b8 0x0
GlobalHandle 0x0 0x5385d4 0x1382bc 0x308bc 0x0
GlobalLock 0x0 0x5385d8 0x1382c0 0x308c0 0x0
GlobalFree 0x0 0x5385dc 0x1382c4 0x308c4 0x0
GlobalAlloc 0x0 0x5385e0 0x1382c8 0x308c8 0x0
GetVersionExA 0x0 0x5385e4 0x1382cc 0x308cc 0x0
GetUserDefaultLangID 0x0 0x5385e8 0x1382d0 0x308d0 0x0
GetTickCount 0x0 0x5385ec 0x1382d4 0x308d4 0x0
GetThreadLocale 0x0 0x5385f0 0x1382d8 0x308d8 0x0
GetStdHandle 0x0 0x5385f4 0x1382dc 0x308dc 0x0
GetProcAddress 0x0 0x5385f8 0x1382e0 0x308e0 0x0
GetModuleHandleA 0x0 0x5385fc 0x1382e4 0x308e4 0x0
GetModuleFileNameW 0x0 0x538600 0x1382e8 0x308e8 0x0
GetModuleFileNameA 0x0 0x538604 0x1382ec 0x308ec 0x0
GetLocaleInfoA 0x0 0x538608 0x1382f0 0x308f0 0x0
GetLocalTime 0x0 0x53860c 0x1382f4 0x308f4 0x0
GetLastError 0x0 0x538610 0x1382f8 0x308f8 0x0
GetFullPathNameA 0x0 0x538614 0x1382fc 0x308fc 0x0
GetFileAttributesW 0x0 0x538618 0x138300 0x30900 0x0
GetFileAttributesA 0x0 0x53861c 0x138304 0x30904 0x0
GetExitCodeThread 0x0 0x538620 0x138308 0x30908 0x0
GetEnvironmentVariableW 0x0 0x538624 0x13830c 0x3090c 0x0
GetEnvironmentVariableA 0x0 0x538628 0x138310 0x30910 0x0
GetDriveTypeA 0x0 0x53862c 0x138314 0x30914 0x0
GetDiskFreeSpaceA 0x0 0x538630 0x138318 0x30918 0x0
GetDateFormatA 0x0 0x538634 0x13831c 0x3091c 0x0
GetCurrentThreadId 0x0 0x538638 0x138320 0x30920 0x0
GetCurrentProcess 0x0 0x53863c 0x138324 0x30924 0x0
GetCommandLineW 0x0 0x538640 0x138328 0x30928 0x0
GetCPInfo 0x0 0x538644 0x13832c 0x3092c 0x0
InterlockedIncrement 0x0 0x538648 0x138330 0x30930 0x0
InterlockedExchange 0x0 0x53864c 0x138334 0x30934 0x0
InterlockedDecrement 0x0 0x538650 0x138338 0x30938 0x0
FreeLibrary 0x0 0x538654 0x13833c 0x3093c 0x0
FormatMessageA 0x0 0x538658 0x138340 0x30940 0x0
FindNextFileW 0x0 0x53865c 0x138344 0x30944 0x0
FindFirstFileW 0x0 0x538660 0x138348 0x30948 0x0
FindClose 0x0 0x538664 0x13834c 0x3094c 0x0
FileTimeToLocalFileTime 0x0 0x538668 0x138350 0x30950 0x0
FileTimeToDosDateTime 0x0 0x53866c 0x138354 0x30954 0x0
ExitThread 0x0 0x538670 0x138358 0x30958 0x0
ExitProcess 0x0 0x538674 0x13835c 0x3095c 0x0
EnumCalendarInfoA 0x0 0x538678 0x138360 0x30960 0x0
EnterCriticalSection 0x0 0x53867c 0x138364 0x30964 0x0
DuplicateHandle 0x0 0x538680 0x138368 0x30968 0x0
DeleteFileW 0x0 0x538684 0x13836c 0x3096c 0x0
DeleteCriticalSection 0x0 0x538688 0x138370 0x30970 0x0
CreateThread 0x0 0x53868c 0x138374 0x30974 0x0
CreateRemoteThread 0x0 0x538690 0x138378 0x30978 0x0
CreateProcessW 0x0 0x538694 0x13837c 0x3097c 0x0
CreateProcessA 0x0 0x538698 0x138380 0x30980 0x0
CreatePipe 0x0 0x53869c 0x138384 0x30984 0x0
CreateFileW 0x0 0x5386a0 0x138388 0x30988 0x0
CreateFileA 0x0 0x5386a4 0x13838c 0x3098c 0x0
CreateEventA 0x0 0x5386a8 0x138390 0x30990 0x0
CreateDirectoryW 0x0 0x5386ac 0x138394 0x30994 0x0
CopyFileW 0x0 0x5386b0 0x138398 0x30998 0x0
CompareStringW 0x0 0x5386b4 0x13839c 0x3099c 0x0
CompareStringA 0x0 0x5386b8 0x1383a0 0x309a0 0x0
CloseHandle 0x0 0x5386bc 0x1383a4 0x309a4 0x0
advapi32.dll (15)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegSetValueExW 0x0 0x5386c4 0x1383ac 0x309ac 0x0
RegSetValueExA 0x0 0x5386c8 0x1383b0 0x309b0 0x0
RegQueryValueExW 0x0 0x5386cc 0x1383b4 0x309b4 0x0
RegQueryValueExA 0x0 0x5386d0 0x1383b8 0x309b8 0x0
RegOpenKeyExW 0x0 0x5386d4 0x1383bc 0x309bc 0x0
RegOpenKeyExA 0x0 0x5386d8 0x1383c0 0x309c0 0x0
RegEnumKeyExA 0x0 0x5386dc 0x1383c4 0x309c4 0x0
RegDeleteValueA 0x0 0x5386e0 0x1383c8 0x309c8 0x0
RegDeleteKeyA 0x0 0x5386e4 0x1383cc 0x309cc 0x0
RegCreateKeyExW 0x0 0x5386e8 0x1383d0 0x309d0 0x0
RegCreateKeyExA 0x0 0x5386ec 0x1383d4 0x309d4 0x0
RegCloseKey 0x0 0x5386f0 0x1383d8 0x309d8 0x0
OpenProcessToken 0x0 0x5386f4 0x1383dc 0x309dc 0x0
LookupPrivilegeValueA 0x0 0x5386f8 0x1383e0 0x309e0 0x0
AdjustTokenPrivileges 0x0 0x5386fc 0x1383e4 0x309e4 0x0
kernel32.dll (1)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
Sleep 0x0 0x538704 0x1383ec 0x309ec 0x0
wininet.dll (8)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
InternetReadFile 0x0 0x53870c 0x1383f4 0x309f4 0x0
InternetOpenUrlA 0x0 0x538710 0x1383f8 0x309f8 0x0
InternetOpenA 0x0 0x538714 0x1383fc 0x309fc 0x0
InternetConnectA 0x0 0x538718 0x138400 0x30a00 0x0
InternetCloseHandle 0x0 0x53871c 0x138404 0x30a04 0x0
HttpSendRequestA 0x0 0x538720 0x138408 0x30a08 0x0
HttpOpenRequestA 0x0 0x538724 0x13840c 0x30a0c 0x0
HttpAddRequestHeadersA 0x0 0x538728 0x138410 0x30a10 0x0
shell32.dll (1)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ShellExecuteW 0x0 0x538730 0x138418 0x30a18 0x0
shell32.dll (1)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHGetSpecialFolderLocation 0x0 0x538738 0x138420 0x30a20 0x0
shell32.dll (2)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHGetPathFromIDListW 0x0 0x538740 0x138428 0x30a28 0x0
SHGetMalloc 0x0 0x538744 0x13842c 0x30a2c 0x0
oleaut32.dll (8)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SafeArrayPtrOfIndex 0x0 0x53874c 0x138434 0x30a34 0x0
SafeArrayGetUBound 0x0 0x538750 0x138438 0x30a38 0x0
SafeArrayGetLBound 0x0 0x538754 0x13843c 0x30a3c 0x0
SafeArrayCreate 0x0 0x538758 0x138440 0x30a40 0x0
VariantChangeType 0x0 0x53875c 0x138444 0x30a44 0x0
VariantCopy 0x0 0x538760 0x138448 0x30a48 0x0
VariantClear 0x0 0x538764 0x13844c 0x30a4c 0x0
VariantInit 0x0 0x538768 0x138450 0x30a50 0x0
Icons (1)
»
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA Actions
cusersgrujaappdataroamingmicrosoftwindowsspoolsv.exe 1 0x00040000 0x00181FFF Relevant Image True 32-bit 0x000443F4 True False
...
cusersgrujaappdataroamingmicrosoftwindowsspoolsv.exe 1 0x00040000 0x00181FFF Final Dump True 32-bit 0x0004DF04 True False
...
cusersgrujaappdataroamingmicrosoftwindowsspoolsv.exe 1 0x00040000 0x00181FFF Process Termination True 32-bit - True False
...
Local AV Matches (1)
»
Threat Name Severity
Generic.Ransom.Buhtrap.B55F719F
Malicious
C:\Users\FD1HVy\AppData\Local\Temp\1A2A6461.zeppelin Dropped File Stream
Whitelisted
...
»
Also Known As C:\Users\FD1HVy\AppData\Local\Temp\5D4CAC51.zeppelin (Dropped File)
Mime Type application/octet-stream
File Size 1 Bytes
MD5 93b885adfe0da089cdf634904fd59f71 Copy to Clipboard
SHA1 5ba93c9db0cff93f52b521d7420e43f6eda2784f Copy to Clipboard
SHA256 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d Copy to Clipboard
SSDeep 3:: Copy to Clipboard
ImpHash None Copy to Clipboard
File Reputation Information
»
Severity
Whitelisted
First Seen 2011-05-31 22:44 (UTC+2)
Last Seen 2020-01-13 09:28 (UTC+1)
Exit-Icon
WHOIS Domain Information
Domain Name
WHOIS Response 

       		
      

     

    

   

  

  

  

  

   

    
    

     Function Logfile
    

    

     

      Download-Icon
     

    

    

     Exit-Icon
    

   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image