100
Malicious
This predictive confidence of maliciousness for this sample is 100%.
eea79b7dcdbcb684d1900d7ce9eb485edd4e741abfb0858c47176645afe8b0a4
968.5 kB
2020-09-18 08:49:08
First seen 38 days ago
Windows PE32 Executable

Classification

Ransomware: Low
Trojan: High
Virus: Low
Banker: Low
Bot: Low
Rat: High
Adware: Low
Infostealer: Low
Worm: Low
Spyware: Low

Indicators

DeepView™ Indicators
Forced Code Execution
Automatic Sequence Detection
Program Level Indicators
Anti-Analysis
Attempts to repeatedly call a single API many times in order to delay analysis time
Anti-Debug
Checks for the presence of known devices from debuggers and forensic tools
Checks for the presence of known windows from debuggers and forensic tools
Anti-Emulation
Detects the presence of Wine emulator
Anti-Vm
Detects VMWare through the in instruction feature
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available
Av-Tools
This sample is detected by ClamAV as: Win.Malware.Zusy-6622765-0
One or more AV tools detect this sample as malicious: Backdoor:Win32/Xtrat
Generic
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Creates executable files on the filesystem
Expresses interest in specific running processes
One or more of the buffers contains an embedded PE file
Automatic Sequence Detection maliciousness score: 56%
Http
HTTP traffic contains suspicious features which may be indicative of malware related traffic
Injection
Executed a process and injected code into it, probably while unpacking
Network
Sample contacts servers at uncommon ports
Packer
The executable has PE anomalies (could be a false positive)
The binary likely contains encrypted or compressed data.
Allocates read-write-execute memory (usually to unpack itself)
Creates a slightly modified copy of itself
The following process appears to have been packed with Themida: eea79b7dcdbcb684d1900d7ce9eb485edd4e741abfb0858c47176645afe8b0a4.exe
Persistence
Installs itself for autorun at Windows startup
Program-Level-Features
Contains obfuscated control-flow to defeat static analysis.
Rat
Creates known XtremeRAT mutexes
Creates known XtremeRAT files, registry keys or mutexes
Static
This sample contains high entropy sections
This sample contains low entropy sections
Anomalous binary characteristics

Yara


Yara Pattern Name Description
IsPE32 No Description Available
HasOverlay Overlay Check
HasRichSignature Rich Signature Check

MITRE ATT&CK®

Static Analysis


Version Infos

Translation: 0x0409 0x04b0
InternalName: Spy24
FileVersion: 40.01.0001
CompanyName: Microsoft Corp.
LegalTrademarks: Microsoft
ProductName: Remote Service Application
ProductVersion: 40.01.0001
FileDescription: Microsoft .NET
OriginalFilename: Spy24.exe

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
\x00 0x00001000 0x00032000 0x00017000 7.95973685056
.rsrc 0x00033000 0x00006d4c 0x00004000 7.52345432813
.idata 0x0003a000 0x00001000 0x00001000 0.220958014954
0x0003b000 0x000f3000 0x00001000 0.0421692483801
nhgxrnnn 0x0012e000 0x000cb000 0x000cb000 7.86137014116
zgwhklkc 0x001f9000 0x00001000 0x00001000 0.712098118577

Resources

Name Offset Size Language Sub-language File type
RT_ICON 0x001f7e3c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL GLS_BINARY_LSB_FIRST
RT_ICON 0x001f7e3c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL GLS_BINARY_LSB_FIRST
RT_ICON 0x001f7e3c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL GLS_BINARY_LSB_FIRST
RT_ICON 0x001f7e3c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL GLS_BINARY_LSB_FIRST
RT_ICON 0x001f7e3c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL GLS_BINARY_LSB_FIRST
RT_ICON 0x001f7e3c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL GLS_BINARY_LSB_FIRST
RT_ICON 0x001f7e3c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL GLS_BINARY_LSB_FIRST
RT_ICON 0x001f7e3c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL GLS_BINARY_LSB_FIRST
RT_GROUP_ICON 0x001f82a4 0x00000078 LANG_NEUTRAL SUBLANG_NEUTRAL MS Windows icon resource - 8 icons, 48x48
RT_VERSION 0x001f831c 0x000002d4 LANG_ENGLISH SUBLANG_ENGLISH_US data

Imports

  • lstrcpy
  • InitCommonControls

Strings


Dropped Files


Name: 28dad3eb8adc0136_windowsdefender.exe
Size: 968.5 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 0643d3106f026b9fbf7daafc053a898a
SHA1: 085602ebfc97ae8f01e36b7575140ffe723d9599
SHA256: 28dad3eb8adc01364cce8d42a791b5189456a77af39ae4dced54db29d33a5184
SHA512: f499e09bd8f20fa7ff488a6fdd52c6590f79fb9303389b4690b285a725c57e8c8700db2e697fc0839985bbac09414f94f744f035046a2f0973b61e8713a26639
Ssdeep: 24576:tf7wDf93eeKxs7doDnMmKkUdqeTf8X8R22pQq:tEl1zqnbKTMegMR2GQq

Network


HTTP Requests

GET /1234567890.functions HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 192.168.1.11:777
Connection: Keep-Alive

Hosts Involved

IP Address Country of Origin
88.221.214.41 PL

Geolocation

Destination Country


PL: 100%

File


Type: PE32 executable (GUI) Intel 80386, for MS Windows
CRC32: D4FB7B24
MD5: afe12fdbc765db1c392fa3741ba5c61e
SHA1: ef08292fd444fe55130a11d0c13b7ca39a50ade2
SHA256: eea79b7dcdbcb684d1900d7ce9eb485edd4e741abfb0858c47176645afe8b0a4
SHA512: 2ff5d38e8532fbfc10467458ef8bb661bf2128a2abe6e45093b1a62099d3d03f81fe83611dd7448c921c4018cb7e520a1583e74bf47c344b5783246399d60038
Ssdeep: 24576:tf7wDf93eeKxs7doDnMmKkUdqeTf8X8R22pQt:tEl1zqnbKTMegMR2GQt
PEiD: None matched

Screenshots


Behavior Summary


  • HKEY_CURRENT_USER\Software\WinLicense
  • HKEY_CURRENT_USER\Software\Wine
  • HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  • HKEY_CURRENT_USER\Software\WinLicense\CheckIN
  • HKEY_CURRENT_USER\Software\WinLicense\ExitIN
  • HKEY_CURRENT_USER\Software\WinLicense\ProcIN
  • HKEY_CURRENT_USER\Software\WinLicense\ProcOUT
  • HKEY_CURRENT_USER\Software\WinLicense\TpIN

Processes


Process Name PID Parent PID
eea79b7dcdbcb684d1900d7ce9eb485e... 2468 System