Lotus Blossom Malspam | Files
VTI SCORE: 100/100
Target: win7_64_sp1-mso2016 | ms_office
Classification: Trojan, Dropper, Downloader

d3fc69a9f2ae2c446434abbfbe1693ef0f81a5da0a7f39d27c80d85f4a49c411 (SHA256)

DoNotOpen2.doc

Word Document

Created at 2018-02-02 16:47:00

Notifications (2/2)

Some memory dumps may be missing in the reports since the total dump size limit was reached during the analysis. You can increase the limit in the configuration settings.

The operating system was rebooted during the analysis.

Files Information

Number of sample files submitted for analysis 1
Number of files created and extracted during analysis 4
Number of files modified and extracted during analysis 0
c:\users\aetadzjz\desktop\DoNotOpen2.doc
Blacklisted
File Properties
Names c:\users\aetadzjz\desktop\DoNotOpen2.doc (Sample File)
Size 254.97 KB
Hash Values MD5: f12fc711529b48bcef52c5ca0a52335a
SHA1: 5f89a6b2f1f38b581c65e9a1117c43a3060bfdc1
SHA256: d3fc69a9f2ae2c446434abbfbe1693ef0f81a5da0a7f39d27c80d85f4a49c411
File Reputation Information
Severity Blacklisted
Names Win32.Trojan.CVE-2017-11882
Families CVE-2017-11882
Classification Trojan
c:\users\aetadzjz\appdata\roaming\microsoft\windows\caches\navshext.dll
Blacklisted
File Properties
Names c:\users\aetadzjz\appdata\roaming\microsoft\windows\caches\navshext.dll (Created File)
Size 71.00 KB
Hash Values MD5: cd36bbd7f949cf017edba0e6aaadf28c
SHA1: 2fde32f2695bc7b3b702a1e3b53a8c38e60b7402
SHA256: 6dc2a49d58dc568944fef8285ad7a03b772b9bdf1fe4bddff3f1ade3862eae79
File Reputation Information
Severity Blacklisted
Names Win32.Trojan.Agent
Families Agent
Classification Trojan
PE Information
Image Base 0x10000000
Entry Point 0x10003017
Size Of Code 0x2600
Size Of Initialized Data 0xf200
Size Of Uninitialized Data 0x0
Format x86
Type Dll
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2018-01-12 18:59:58
Compiler/Packer Unknown
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x10001000 0x2537 0x2600 0x400 CNT_CODE, MEM_EXECUTE, MEM_READ 6.63
.rdata 0x10004000 0x787 0x800 0x2a00 CNT_INITIALIZED_DATA, MEM_READ 4.76
.data 0x10005000 0xe144 0xde00 0x3200 CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE 8.0
.rsrc 0x10014000 0x520 0x600 0x11000 CNT_INITIALIZED_DATA, MEM_READ 4.49
.reloc 0x10015000 0x550 0x600 0x11600 CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ 2.42
Imports (44)
msvcrt.dll (12)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
_amsg_exit 0x0 0x10004088 0x43bc 0x2dbc
_initterm 0x0 0x1000408c 0x43c0 0x2dc0
free 0x0 0x10004090 0x43c4 0x2dc4
malloc 0x0 0x10004094 0x43c8 0x2dc8
_XcptFilter 0x0 0x10004098 0x43cc 0x2dcc
memcpy 0x0 0x1000409c 0x43d0 0x2dd0
memset 0x0 0x100040a0 0x43d4 0x2dd4
memmove 0x0 0x100040a4 0x43d8 0x2dd8
??2@YAPAXI@Z 0x0 0x100040a8 0x43dc 0x2ddc
??3@YAXPAX@Z 0x0 0x100040ac 0x43e0 0x2de0
_errno 0x0 0x100040b0 0x43e4 0x2de4
__CxxFrameHandler 0x0 0x100040b4 0x43e8 0x2de8
KERNEL32.dll (31)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
GetModuleFileNameA 0x0 0x10004000 0x4334 0x2d34
GetSystemTimeAsFileTime 0x0 0x10004004 0x4338 0x2d38
GetCurrentProcessId 0x0 0x10004008 0x433c 0x2d3c
GetCurrentThreadId 0x0 0x1000400c 0x4340 0x2d40
GetTickCount 0x0 0x10004010 0x4344 0x2d44
QueryPerformanceCounter 0x0 0x10004014 0x4348 0x2d48
SetUnhandledExceptionFilter 0x0 0x10004018 0x434c 0x2d4c
UnhandledExceptionFilter 0x0 0x1000401c 0x4350 0x2d50
GetCurrentProcess 0x0 0x10004020 0x4354 0x2d54
TerminateProcess 0x0 0x10004024 0x4358 0x2d58
InterlockedCompareExchange 0x0 0x10004028 0x435c 0x2d5c
Sleep 0x0 0x1000402c 0x4360 0x2d60
InterlockedExchange 0x0 0x10004030 0x4364 0x2d64
RtlUnwind 0x0 0x10004034 0x4368 0x2d68
OutputDebugStringA 0x0 0x10004038 0x436c 0x2d6c
IsDebuggerPresent 0x0 0x1000403c 0x4370 0x2d70
GetExitCodeThread 0x0 0x10004040 0x4374 0x2d74
LoadLibraryA 0x0 0x10004044 0x4378 0x2d78
VirtualFreeEx 0x0 0x10004048 0x437c 0x2d7c
GetModuleHandleW 0x0 0x1000404c 0x4380 0x2d80
WaitForSingleObject 0x0 0x10004050 0x4384 0x2d84
LoadLibraryExA 0x0 0x10004054 0x4388 0x2d88
GetModuleHandleA 0x0 0x10004058 0x438c 0x2d8c
CreateFileMappingA 0x0 0x1000405c 0x4390 0x2d90
GetProcAddress 0x0 0x10004060 0x4394 0x2d94
UnmapViewOfFile 0x0 0x10004064 0x4398 0x2d98
MapViewOfFile 0x0 0x10004068 0x439c 0x2d9c
CloseHandle 0x0 0x1000406c 0x43a0 0x2da0
CreateMutexA 0x0 0x10004070 0x43a4 0x2da4
GetLastError 0x0 0x10004074 0x43a8 0x2da8
MultiByteToWideChar 0x0 0x10004078 0x43ac 0x2dac
SHELL32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
SHGetSpecialFolderPathA 0x0 0x10004080 0x43b4 0x2db4
Exports (1)
Api name EAT Address Ordinal
Setting 0x1000223d 0x1
c:\users\aetadzjz\appdata\local\temp\eqnedt32.exe_c2rdll(20180123223931acc).log
File Properties
Names c:\users\aetadzjz\appdata\local\temp\eqnedt32.exe_c2rdll(20180123223931acc).log (Created File)
Size 0.00 KB
Hash Values MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
c:\users\aetadzjz\appdata\local\microsoft\windows\explorer\thumbcache_1cd60.db
File Properties
Names c:\users\aetadzjz\appdata\local\microsoft\windows\explorer\thumbcache_1cd60.db (Created File)
Size 0.60 KB
Hash Values MD5: 03c3522b1a7dfb3054acbf3ccf79cfa6
SHA1: cd4e3b68caf0c97b0769b3ab8ccbac75f8af1212
SHA256: d9841b834b021d7f25169ff246836ad3a113b2bf32ebc9d00a8465f6ff416f29
c:\users\aetadzjz\appdata\local\microsoft\windows\explorer\thumbcache_1cd60.db
File Properties
Names c:\users\aetadzjz\appdata\local\microsoft\windows\explorer\thumbcache_1cd60.db (Created File)
Size 0.60 KB
Hash Values MD5: 304e99268cd232e5199bd0b2c7874fa3
SHA1: 64806d3a9e8b49bbf0b69017c82c1ede9d7d3b70
SHA256: 4e54d25220759023a83de1c1f807545a43485d028fe298dfcd524e25ed628fb6
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.