100
Malicious
The predictive confidence of maliciousness for this sample is 100%.
1979d07792f6dbbdfda182b81adca3d5f19f87422fc70754a5989a1afb659c1b
68.7 kB
2020-09-30 23:00:05
First seen 28 days ago
Windows PE32 Executable

Classification

Ransomware: Low
Trojan: Low
Virus: Low
Banker: Low
Bot: High
Rat: Low
Adware: Low
Infostealer: Low
Worm: High
Spyware: Low

Indicators

DeepView™ Indicators
Forced Code Execution
Automatic Sequence Detection
Program Level Indicators
Anti-Sandbox
A process attempted to delay the analysis task.
Anti-Vm
Checks the amount of memory in the system; this can be used to detect virtual machines, which often have a low amount of memory available.
Av-Tools
This sample is detected by clamav as: Win.Worm.Lolbot-6787741-0
One or more AV tool detects this sample as malicious: Worm:Win32/Ganelp.E
Bypass
Operates on local firewall's policies and settings
Dropper
Drops a binary and executes it
Generic
Creates executable files on the filesystem
Repeatedly searches for a process that is not found; you may want to run a web browser during analysis.
Reads data out of its own binary image
Automatic Sequence Detection maliciousness score: 68%
Network
Performs some DNS requests
Packer
Creates a slightly modified copy of itself
Static
Anomalous binary characteristics
Presents an Authenticode digital signature
Stealth
Possible date expiration check, exits too soon after checking local time
Deletes its original binary from disk

Yara


Yara Pattern Name Description
IsPE32 No Description Available
HasOverlay Overlay Check
DebuggerException__SetConsoleCtrl No Description Available

Static Analysis


Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x000048d6 0x00004a00 6.28626234107
.rdata 0x00006000 0x00000748 0x00000800 5.46017714719
.data 0x00007000 0x0000e000 0x00000a00 2.33775377193
.rsrc 0x00015000 0x0001c000 0x00008800 1.43285971292

Resources

Name Offset Size Language Sub-language File type
RT_ICON 0x000150a0 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x00017648 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US None

Imports

  • DuplicateHandle
  • ExitProcess
  • FreeEnvironmentStringsA
  • GetCommandLineA
  • GetCurrentProcess
  • GetEnvironmentStrings
  • GetFileType
  • GetLastError
  • GetLocaleInfoA
  • GetModuleFileNameA
  • GetModuleHandleA
  • GetStartupInfoA
  • GetStdHandle
  • GetSystemTimeAsFileTime
  • HeapAlloc
  • HeapCreate
  • HeapDestroy
  • HeapFree
  • HeapReAlloc
  • HeapSize
  • HeapValidate
  • RtlUnwind
  • SetConsoleCtrlHandler
  • SetHandleCount
  • Sleep
  • UnhandledExceptionFilter
  • VirtualAlloc
  • VirtualQuery

Strings

  • !This program cannot be run in DOS mode.
  • .rdata
  • @.data
  • VC20XC00U
  • ;t$$v,
  • /Downs/HelpVer.hlp
  • /Downs/Help.hlp
  • Help.hlp
  • /Private/
  • Pfile.hlp
  • \VirtualDevice.vxd
  • ProgramFiles
  • \Java\jre-
  • 0123456789abcdefghijklmnopqrstuvwxyz
  • !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_abcdefghijklmnopqrstuvwxyz{|}~
  • GetModuleHandleA
  • GetLastError
  • GetLocaleInfoA
  • KERNEL32.dll
  • GetStartupInfoA
  • ExitProcess
  • RtlUnwind
  • HeapCreate
  • HeapDestroy
  • HeapAlloc
  • HeapReAlloc
  • HeapFree
  • HeapSize
  • HeapValidate
  • GetSystemTimeAsFileTime
  • GetFileType
  • GetStdHandle
  • GetCurrentProcess
  • DuplicateHandle
  • SetHandleCount
  • GetCommandLineA
  • GetModuleFileNameA
  • GetEnvironmentStrings
  • FreeEnvironmentStringsA
  • UnhandledExceptionFilter
  • SetConsoleCtrlHandler
  • VirtualAlloc
  • VirtualQuery
  •  !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

Dropped Files


Name: 82c72762cc639991_jusched.exe
Size: 68.8 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 354c923c0f969acbd61c53096fe71d0f
SHA1: 9ef73a81014b162becd4675d533bebe29d785202
SHA256: 82c72762cc639991e9243305af0c888e771e2e5a6205f28dfe9fa39fa9be42ca
SHA512: 879631045fafce768eeba0d51325cbef01b2bbc8995136cea7ced4855da6b24bc0482975b841c49cb7a7a88c4c2b814e00528fe51310248f575ae1ca51b9f9a7
Ssdeep: 768:uflivXrVKpVhKvtxwYHwVFoeAQhmucwUZRLA+ZCvvgvvvgvv9l:QlqrVKprVuQhuRcll

Network


DNS Requests

Domain IP Address Destination Location
griptoloji.host-ed.net Not Available
elegan_786444.el.funpic.org Not Available
ftp.tripod.com 209.202.252.54 US

Hosts Involved

IP Address Country of Origin
87.65.28.27 BE
209.202.252.54 US

Geolocation

Destination Country


US: 67%
BE: 33%