fec56ffb...3cb1 | Files
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification:
Keylogger
Backdoor
Spyware
Threat Names:
Vermin
Quasar
xRAT
...

office82.exe

Windows Exe (x86-32)

Created at 2020-05-09T20:51:00

...

Remarks (1/1)

(0x0200000E): The overall sleep time of all monitored processes was truncated from "2 minutes, 15 seconds" to "1 minute, 30 seconds" to reveal dormant functionality.

Filters:
Filename Category Type Severity Actions
C:\Users\FD1HVy\Desktop\office82.exe Sample File Binary
Malicious
...
»
Also Known As C:\Users\FD1HVy\AppData\Roaming\SubDir\Client.exe (Dropped File)
Mime Type application/vnd.microsoft.portable-executable
File Size 348.00 KB
MD5 ee6b41b84b38df2ca1ababd9d3d8f4a0 Copy to Clipboard
SHA1 2df1f670d50cb1736a3623dd04973de093e2d512 Copy to Clipboard
SHA256 fec56ffb3c5a61bffba235044da127eae17d9772dbd3817b8a5ce8cad0e93cb1 Copy to Clipboard
SSDeep 6144:7V6bPXhLApfpTEmWBtEJA7+bM7dJ++reUHqznQa:hmhApymCeJA5LpHq7Qa Copy to Clipboard
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744 Copy to Clipboard
PE Information
»
Image Base 0x400000
Entry Point 0x4581ae
Size Of Code 0x56200
Size Of Initialized Data 0xc00
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2020-04-19 02:39:10+00:00
Version Information (11)
»
Assembly Version 1.3.0.0
Comments -
CompanyName -
FileDescription -
FileVersion 1.3.0.0
InternalName Client.exe
LegalCopyright -
LegalTrademarks -
OriginalFilename Client.exe
ProductName -
ProductVersion 1.3.0.0
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x402000 0x561b4 0x56200 0x200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.45
.rsrc 0x45a000 0xa00 0xa00 0x56400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.24
.reloc 0x45c000 0xc 0x200 0x56e00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.1
Imports (1)
»
mscoree.dll (1)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain 0x0 0x402000 0x58184 0x56384 0x0
Memory Dumps (4)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA Actions
office82.exe 1 0x006B0000 0x0070DFFF Relevant Image True 32-bit - True True
...
office82.exe 1 0x006B0000 0x0070DFFF Final Dump True 32-bit - True True
...
office82.exe 1 0x006B0000 0x0070DFFF Process Termination True 32-bit - True True
...
client.exe 7 0x00760000 0x007BDFFF Relevant Image True 32-bit - True True
...
Local AV Matches (1)
»
Threat Name Severity
Generic.MSIL.PasswordStealerA.52B5089F
Malicious
YARA Matches (5)
»
Rule Name Rule Description Classification Score Actions
Vermin_Keylogger_Jan18_1 Vermin keylogger Backdoor, Spyware
5/5
...
Quasar_RAT_1 Quasar RAT Backdoor, Spyware
5/5
...
Quasar_RAT_2 Quasar RAT Backdoor, Spyware
5/5
...
xRAT_1 xRAT malware Backdoor
5/5
...
xrat_quasarrat xRAT malware Backdoor
5/5
...
C:\Users\FD1HVy\AppData\Roaming\Logs\05-09-2020 Dropped File Stream
Unknown
...
»
Mime Type application/octet-stream
File Size 224 Bytes
MD5 57f556747fa372da6d5f3a16f4c25bc6 Copy to Clipboard
SHA1 549317a07c3b29118c7b56cb12bccf85cf1caf66 Copy to Clipboard
SHA256 e44e53535fbefd8484138c9511f4ec99cbd118b39574915ec966f55e2816c511 Copy to Clipboard
SSDeep 6:oTOquSAWslAl478pi9AVBhKWE9WMYIl1a9:kO4Are2nGBJE9hYIva9 Copy to Clipboard
ImpHash -
VMRay - Analyzer - www.vmray.com
Legal Note - Privacy Policy
Exit-Icon
WHOIS Domain Information
Domain Name
WHOIS Response 

       		
      

     

    

   

  

  

  

  

   

    
    

     Function Logfile
    

    

     

      Download-Icon
     

    

    

     Exit-Icon
    

   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image