TDL4 Rootkit | Files
File Information
Sample files count 1
Created files count 1
Modified files count 2
c:\users\hjrd1koky ds8lujv\desktop\cb91b8695d3990b5b5eae8a714bd357e.exe
File Properties
Names c:\users\hjrd1koky ds8lujv\desktop\cb91b8695d3990b5b5eae8a714bd357e.exe (Sample File)
Size 225.50 KB (230912 bytes)
Hash Values MD5: cb91b8695d3990b5b5eae8a714bd357e
SHA1: 3cd6ef10dd6cbe6f158a360cf5b112cef2e18304
SHA256: eec6bfe112155ab94029f0f8f27a484edf35b5d743503e0199637084d9520ebc
PE Information
File Properties
Image Base 0x400000
Entry Point 0x40466f
Size Of Code 0xb600
Size Of Initialized Data 0x2cc00
Size Of Uninitialized Data 0x0
Format x86
Type Executable
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2011-04-25 00:13:40
Compiler/Packer Unknown
Sections (6)
Name    Virtual Address  Virtual Size  Raw Data Size  Raw Data Offset  Flags                                            Entropy
.text   0x401000         0xb444        0xb600         0x400            CNT_CODE, MEM_EXECUTE, MEM_READ                  6.9
.rdata  0x40d000         0x29ac        0x2a00         0xba00           CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE        6.75
debug   0x410000         0x2872c       0x800          0xe400           CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE        5.01
.code   0x439000         0x27351       0x27400        0xec00           CNT_INITIALIZED_DATA, MEM_READ                   6.01
.rsrc   0x461000         0x2000        0x2000         0x36000          CNT_INITIALIZED_DATA, MEM_READ                   1.41
.reloc  0x463000         0x5e8         0x600          0x38000          CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ  6.51
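Several things in the section table above are worth checking mechanically rather than by eye: the "debug" section carries only 0x800 raw bytes but reserves 0x2872c bytes of virtual space (room that is filled at run time), .rdata is marked writable although it holds the import address table, a section named ".code" is flagged as initialized data rather than code, and the raw sections are contiguous with the last one ending at 0x38000 + 0x600 = 0x38600 = 230912 bytes, exactly the reported file size, so there is no overlay. The following is an added example, not VMRay's code and not part of the report: it runs those checks over the values transcribed from this table (the sample itself is not on this page). The file alignment, the virtual/raw ratio limit and the entropy threshold are assumptions made here, not values the report states.

```python
"""Section-table sanity checks over the values transcribed from the report.

Added example; not VMRay code. FILE_ALIGNMENT, VSIZE_RATIO_LIMIT and
PACKED_ENTROPY are assumed heuristics, not values printed in the report.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str
    va: int           # virtual address with the image base already added, as in the report
    vsize: int        # virtual size
    rsize: int        # raw (on-disk) size
    roffset: int      # raw (on-disk) offset
    flags: frozenset  # characteristics, as the report spells them
    entropy: float


IMAGE_BASE = 0x400000
ENTRY_POINT = 0x40466f
FILE_SIZE = 230912         # "Size 225.50 KB (230912 bytes)" from the report
FILE_ALIGNMENT = 0x200     # assumed: the report does not print it, but every raw offset/size is a multiple of 0x200
VSIZE_RATIO_LIMIT = 4.0    # assumed: virtual size more than 4x the raw size means the section is populated at run time
PACKED_ENTROPY = 7.0       # assumed: common threshold for "looks packed or encrypted"


def _s(name, va, vsize, rsize, roffset, flags, entropy):
    return Section(name, va, vsize, rsize, roffset, frozenset(flags.split(", ")), entropy)


# Transcribed from the report's section table.
SECTIONS = [
    _s(".text",  0x401000, 0xb444,  0xb600,  0x400,   "CNT_CODE, MEM_EXECUTE, MEM_READ", 6.9),
    _s(".rdata", 0x40d000, 0x29ac,  0x2a00,  0xba00,  "CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE", 6.75),
    _s("debug",  0x410000, 0x2872c, 0x800,   0xe400,  "CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE", 5.01),
    _s(".code",  0x439000, 0x27351, 0x27400, 0xec00,  "CNT_INITIALIZED_DATA, MEM_READ", 6.01),
    _s(".rsrc",  0x461000, 0x2000,  0x2000,  0x36000, "CNT_INITIALIZED_DATA, MEM_READ", 1.41),
    _s(".reloc", 0x463000, 0x5e8,   0x600,   0x38000, "CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ", 6.51),
]


def section_for_va(sections, va):
    """Return the section whose mapped range contains va, or None."""
    for s in sections:
        if s.va <= va < s.va + max(s.vsize, s.rsize):
            return s
    return None


def expected_file_size(sections):
    """Where the last raw section ends; anything past this on disk is overlay."""
    return max(s.roffset + s.rsize for s in sections)


def overlay_size(sections, file_size):
    """Positive: trailing bytes not covered by any section. Negative: file is truncated."""
    return file_size - expected_file_size(sections)


def check_sections(sections, file_size, entry_point):
    """Return (section name, finding code) pairs for everything that looks off."""
    findings = []
    ordered = sorted(sections, key=lambda s: s.roffset)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.roffset != prev.roffset + prev.rsize:
            findings.append((cur.name, "raw-gap"))          # raw layout not contiguous
    for s in sections:
        if s.roffset % FILE_ALIGNMENT or s.rsize % FILE_ALIGNMENT:
            findings.append((s.name, "unaligned-raw"))
        if s.rsize and s.vsize / s.rsize > VSIZE_RATIO_LIMIT:
            findings.append((s.name, "vsize-much-larger-than-raw"))  # filled at run time
        if {"MEM_EXECUTE", "MEM_WRITE"} <= s.flags:
            findings.append((s.name, "writable-and-executable"))
        if "MEM_WRITE" in s.flags and s.name in (".rdata", ".rsrc", ".reloc"):
            findings.append((s.name, "writable-readonly-name"))      # normally read-only
        if s.entropy >= PACKED_ENTROPY:
            findings.append((s.name, "high-entropy"))
    ov = overlay_size(sections, file_size)
    if ov > 0:
        findings.append(("<file>", "overlay"))
    elif ov < 0:
        findings.append(("<file>", "truncated"))
    ep = section_for_va(sections, entry_point)
    if ep is None or "MEM_EXECUTE" not in ep.flags:
        findings.append(("<entry>", "entry-point-outside-executable-section"))
    return findings


if __name__ == "__main__":
    for name, code in check_sections(SECTIONS, FILE_SIZE, ENTRY_POINT):
        print(f"{name:8s} {code}")
```

On the transcribed values this reports the "debug" section for its virtual/raw ratio and .rdata for being writable; the entry point 0x40466f resolves to .text, and no overlay, gap or high-entropy section is found.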
Imports (35)
COMCTL32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
InitCommonControlsEx 0x0 0x40d000 0xf13c 0xdb3c
CreatePropertySheetPageA 0x0 0x40d004 0xf140 0xdb40
SHLWAPI.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
PathFindExtensionA 0x0 0x40d00c 0xf148 0xdb48
StrToIntA 0x0 0x40d010 0xf14c 0xdb4c
PathIsFileSpecA 0x0 0x40d014 0xf150 0xdb50
USER32.dll (14)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
GetMessagePos 0x0 0x40d01c 0xf158 0xdb58
IsWindowUnicode 0x0 0x40d020 0xf15c 0xdb5c
IsCharAlphaW 0x0 0x40d024 0xf160 0xdb60
SetDlgItemTextW 0x0 0x40d028 0xf164 0xdb64
SetActiveWindow 0x0 0x40d02c 0xf168 0xdb68
GetWindowPlacement 0x0 0x40d030 0xf16c 0xdb6c
ReplyMessage 0x0 0x40d034 0xf170 0xdb70
MapWindowPoints 0x0 0x40d038 0xf174 0xdb74
DestroyCursor 0x0 0x40d03c 0xf178 0xdb78
SetRect 0x0 0x40d040 0xf17c 0xdb7c
FindWindowExA 0x0 0x40d044 0xf180 0xdb80
EndPaint 0x0 0x40d048 0xf184 0xdb84
LoadStringW 0x0 0x40d04c 0xf188 0xdb88
ClipCursor 0x0 0x40d050 0xf18c 0xdb8c
KERNEL32.dll (10)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
GlobalDeleteAtom 0x0 0x40d058 0xf194 0xdb94
IsBadStringPtrW 0x0 0x40d05c 0xf198 0xdb98
LoadLibraryExA 0x0 0x40d060 0xf19c 0xdb9c
LoadLibraryW 0x0 0x40d064 0xf1a0 0xdba0
GetCurrentThread 0x0 0x40d068 0xf1a4 0xdba4
lstrlenA 0x0 0x40d06c 0xf1a8 0xdba8
DeleteAtom 0x0 0x40d070 0xf1ac 0xdbac
CreateEventW 0x0 0x40d074 0xf1b0 0xdbb0
ExitProcess 0x0 0x40d078 0xf1b4 0xdbb4
lstrlenW 0x0 0x40d07c 0xf1b8 0xdbb8
msvcrt.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
exit 0x0 0x40d084 0xf1c0 0xdbc0
GDI32.dll (5)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
GetNearestColor 0x0 0x40d08c 0xf1c8 0xdbc8
GetMapMode 0x0 0x40d090 0xf1cc 0xdbcc
GetTextAlign 0x0 0x40d094 0xf1d0 0xdbd0
ExtFloodFill 0x0 0x40d098 0xf1d4 0xdbd4
EnumFontFamiliesExW 0x0 0x40d09c 0xf1d8 0xdbd8
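The import table is the usual input for an import hash, which is handy for pivoting between samples that share a build even when the file hash differs. The following is an added example, not VMRay's code and not something the report computes: it derives the import string and its MD5 from the 35 imports listed above, following the pefile get_imphash() recipe (DLL name lower-cased with a .dll/.ocx/.sys extension removed, function name lower-cased, entries joined with commas in import-directory order). It assumes the report lists DLLs and functions in directory order, which the ascending IAT addresses suggest. Imports by ordinal are rendered as "ordN" here; pefile additionally maps known ordinals for ws2_32 and oleaut32 to names, which this example does not do, so hashes for samples importing by ordinal from those DLLs would differ from pefile's.

```python
"""Import hash from the import table transcribed from the report.

Added example; not VMRay code. Follows the pefile get_imphash() recipe but
without pefile's ordinal-to-name tables for ws2_32 and oleaut32 (assumption:
the report lists imports in import-directory order).
"""
import hashlib

# (DLL as named in the report, [function names in the order listed]).
IMPORTS = [
    ("COMCTL32.dll", ["InitCommonControlsEx", "CreatePropertySheetPageA"]),
    ("SHLWAPI.dll", ["PathFindExtensionA", "StrToIntA", "PathIsFileSpecA"]),
    ("USER32.dll", ["GetMessagePos", "IsWindowUnicode", "IsCharAlphaW", "SetDlgItemTextW",
                    "SetActiveWindow", "GetWindowPlacement", "ReplyMessage", "MapWindowPoints",
                    "DestroyCursor", "SetRect", "FindWindowExA", "EndPaint", "LoadStringW",
                    "ClipCursor"]),
    ("KERNEL32.dll", ["GlobalDeleteAtom", "IsBadStringPtrW", "LoadLibraryExA", "LoadLibraryW",
                      "GetCurrentThread", "lstrlenA", "DeleteAtom", "CreateEventW", "ExitProcess",
                      "lstrlenW"]),
    ("msvcrt.dll", ["exit"]),
    ("GDI32.dll", ["GetNearestColor", "GetMapMode", "GetTextAlign", "ExtFloodFill",
                   "EnumFontFamiliesExW"]),
]


def _libname(dll):
    """Lower-case the DLL name and drop a .dll/.ocx/.sys extension, as pefile does."""
    name = dll.lower()
    base, dot, ext = name.rpartition(".")
    return base if dot and ext in ("dll", "ocx", "sys") else name


def import_entries(imports):
    """One 'dll.function' string per import; an int is an import by ordinal."""
    entries = []
    for dll, funcs in imports:
        lib = _libname(dll)
        for f in funcs:
            fname = f"ord{f}" if isinstance(f, int) else f.lower()
            entries.append(f"{lib}.{fname}")
    return entries


def import_string(imports):
    return ",".join(import_entries(imports))


def imphash(imports):
    """MD5 of the comma-joined import string; order of DLLs and functions matters."""
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(len(import_entries(IMPORTS)), "imports")
    print(imphash(IMPORTS))
```

Because the hash covers the order of entries, it only matches a value computed the same way from the real import directory; if the report's grouping differs from directory order, the value here will not match what pefile prints for the file.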
Exports (9)
Api name EAT Address Ordinal
?JC_C__T__LCKtjaUHBOb@@YGPAHPAKD@Z 0x40403a 0x1
?PSRHGZ_fmtvc_BIq_@@YGNPAFI@Z 0x40a9d8 0x2
?rscu___dsoI@@YGPAXE@Z 0x40a3b1 0x3
?fvrnh___gec_qqipy@@YGIF@Z 0x409d91 0x4
?yjnqKHI_DCmvHKCC_@@YGPAEPAM@Z 0x40228e 0x5
?BXCMBYt_@@YGPAED@Z 0x403a11 0x6
?qq__S_O_GWkhsit_@@YGGFK@Z 0x401000 0x7
?ORu___ubJ_L@@YGEJ@Z 0x401633 0x8
?pyhrySOGUbO_k_w@@YGPAJI@Z 0x401c64 0x9
c:\users\hjrd1k~1\appdata\local\temp\c293.tmp, ...
File Properties
Names c:\users\hjrd1k~1\appdata\local\temp\c293.tmp (Created File)
c:\users\hjrd1k~1\appdata\local\temp\3bd8.tmp (Created File)
Size 0.00 KB (0 bytes); the hashes below are those of the empty input
Hash Values MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
File Properties
Names c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat (Modified File)
Size 32.00 KB (32768 bytes)
Hash Values MD5: 8dcf461c8fc7008041374a0ff9b872ca
SHA1: 25396fab0ba85edd03df76551c58ea3f14be927a
SHA256: 4c665e25a9e45a718048b8aac9f2eaa05706a4ab64c76ca3c73174b8bdeac271
c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\cookies\index.dat, ...
File Properties
Names c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\cookies\index.dat (Modified File)
c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\index.dat (Modified File)
Size 16.00 KB (16384 bytes)
Hash Values MD5: d7a950fefd60dbaa01df2d85fefb3862
SHA1: 15740b197555ba8e162c37a60ba655151e3bebae
SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a