2.1
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.75
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Mydoom-BJ [Wrm] | 20200607 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0 |
| Kingsoft | None | 20200607 | 2013.8.14.323 |
| McAfee | W32/Mytob.gen@MM.i | 20200607 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b0c1b8 | 20200607 | 1.0.0.1 |
静态指标
检查进程是否被调试器调试
(2 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545292.499625 IsDebuggerPresent |
failed | 0 | 0 | |
|
1727545297.172125 IsDebuggerPresent |
failed | 0 | 0 |
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(3 个事件)
| section | 2940ualq |
| section | 32y1ndgu |
| section | 329yfwvx |
一个或多个进程崩溃
(8 个事件)
动态指标
在文件系统上创建可执行文件
(6 个事件)
| file | C:\Windows\System32\shervans.dll |
| file | C:\Windows\System32\grcopy.dll |
| file | C:\Windows\System32\zipfi.dll |
| file | C:\Windows\System32\zipfiaq.dll |
| file | C:\Windows\System32\satornas.dll |
| file | C:\Windows\System32\ctfmen.exe |
创建隐藏或系统文件
(1 个事件)
检查系统上可疑权限的本地唯一标识符
(1 个事件)
网络通信
通过SCSI磁盘标识符技巧检测虚拟化软件
(2 个事件)
| registry | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 |
| registry | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 |
在 Windows 启动时自我安装以实现自动运行
(2 个事件)
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen | reg_value | C:\Windows\system32\ctfmen.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen | reg_value | C:\Windows\system32\ctfmen.exe | ||||||
文件已被 VirusTotal 上 60 个反病毒引擎识别为恶意
(50 out of 60 个事件)
| ALYac | Trojan.GenericKDZ.66635 |
| APEX | Malicious |
| AVG | Win32:Mydoom-BJ [Wrm] |
| Acronis | suspicious |
| Ad-Aware | Trojan.GenericKDZ.66635 |
| AhnLab-V3 | Dropper/Win32.Mudrop.C84237 |
| Antiy-AVL | Trojan[Dropper]/Win32.Mudrop |
| Arcabit | Trojan.Generic.D1044B |
| Avast | Win32:Mydoom-BJ [Wrm] |
| Avira | TR/Proxy.Gen |
| BitDefender | Trojan.GenericKDZ.66635 |
| BitDefenderTheta | AI:Packer.5B604FCE1D |
| CAT-QuickHeal | Trojan.Small.S5091480 |
| CMC | Trojan-Dropper.Win32x!O |
| ClamAV | Win.Dropper.Mudrop-6801241-0 |
| Comodo | Packed.Win32.MUPX.Gen@24tbus |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.42d413 |
| Cylance | Unsafe |
| Cyren | W32/S-e4365596!Eldorado |
| DrWeb | Trojan.DownLoader8.56532 |
| ESET-NOD32 | a variant of Win32/Agent.NHB |
| Emsisoft | Trojan.GenericKDZ.66635 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/S-e4365596!Eldorado |
| F-Secure | Trojan.TR/Proxy.Gen |
| FireEye | Generic.mg.2bceff542d4135b5 |
| Fortinet | W32/Agent.NHB!worm |
| GData | Trojan.GenericKDZ.66635 |
| Ikarus | Trojan.Win32.Mydoom |
| Invincea | heuristic |
| Jiangmin | TrojanDropper.Mudrop.bpo |
| K7AntiVirus | Trojan ( 004d7c651 ) |
| K7GW | Trojan ( 004d7c651 ) |
| Kaspersky | Trojan.Win32.Small.acli |
| MAX | malware (ai score=86) |
| Malwarebytes | Worm.MyDoom |
| MaxSecure | Trojan.Win32.Small.acli |
| McAfee | W32/Mytob.gen@MM.i |
| McAfee-GW-Edition | BehavesLike.Win32.Mytob.cm |
| MicroWorld-eScan | Trojan.GenericKDZ.66635 |
| Microsoft | Trojan:Win32/Mydoom |
| NANO-Antivirus | Trojan.Win32.Mudrop.ijmve |
| Panda | W32/MyDoom.IC.worm |
| Qihoo-360 | HEUR/QVM02.0.BD4C.Malware.Gen |
| Rising | Trojan.Agent!1.C364 (CLASSIC) |
| SUPERAntiSpyware | Trojan.Agent/Gen-MalPE |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Mal/Behav-104 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
1970-01-01 08:00:00
PE Imphash
1ab4a64725d1bc79627f25a38a864ecb
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| 2940ualq | 0x00001000 | 0x00013000 | 0x00013000 | 6.411091846276216 |
| 32y1ndgu | 0x00014000 | 0x0000a000 | 0x00009c00 | 2.079989436047124 |
| 329yfwvx | 0x0001e000 | 0x00001000 | 0x00000c00 | 2.9105328874956578 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x0001e3c0 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0001e3c0 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x0001e4ec | 0x00000022 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library KERNEL32.DLL:
• 0x419368 AddAtomA
• 0x41936c CloseHandle
• 0x419370 CopyFileA
• 0x419374 CreateFileA
• 0x419378 CreateFileMappingA
• 0x41937c CreateMutexA
• 0x419380 CreateProcessA
• 0x419384 CreateSemaphoreA
• 0x419388 CreateThread
• 0x41938c CreateToolhelp32Snapshot
• 0x419390 DeleteFileA
• 0x419394 ExitProcess
• 0x419398 FindAtomA
• 0x41939c FindClose
• 0x4193a0 FindFirstFileA
• 0x4193a4 FindNextFileA
• 0x4193a8 FreeLibrary
• 0x4193ac GetAtomNameA
• 0x4193b0 GetCurrentProcess
• 0x4193b4 GetCurrentProcessId
• 0x4193b8 GetDriveTypeA
• 0x4193bc GetFileSize
• 0x4193c0 GetFileTime
• 0x4193c4 GetLastError
• 0x4193c8 GetLocalTime
• 0x4193cc GetModuleFileNameA
• 0x4193d0 GetModuleHandleA
• 0x4193d4 GetProcAddress
• 0x4193d8 GetProcessHeap
• 0x4193dc GetSystemDirectoryA
• 0x4193e0 GetSystemTime
• 0x4193e4 GetTickCount
• 0x4193e8 GetVersionExA
• 0x4193ec GlobalAlloc
• 0x4193f0 GlobalFree
• 0x4193f4 HeapAlloc
• 0x4193f8 HeapFree
• 0x4193fc HeapReAlloc
• 0x419400 InterlockedDecrement
• 0x419404 InterlockedIncrement
• 0x419408 IsBadReadPtr
• 0x41940c IsDebuggerPresent
• 0x419410 LoadLibraryA
• 0x419414 MapViewOfFile
• 0x419418 OpenProcess
• 0x41941c Process32First
• 0x419420 Process32Next
• 0x419424 ReadFile
• 0x419428 ReleaseSemaphore
• 0x41942c SetErrorMode
• 0x419430 SetFilePointer
• 0x419434 SetFileTime
• 0x419438 SetLastError
• 0x41943c SetUnhandledExceptionFilter
• 0x419440 Sleep
• 0x419444 TerminateProcess
• 0x419448 TerminateThread
• 0x41944c TlsAlloc
• 0x419450 TlsFree
• 0x419454 TlsGetValue
• 0x419458 TlsSetValue
• 0x41945c UnmapViewOfFile
• 0x419460 WaitForSingleObject
• 0x419464 WriteFile
• 0x419468 lstrcatA
• 0x41946c lstrcmpA
• 0x419470 lstrcpyA
• 0x419474 lstrcpynA
• 0x419478 lstrlenA
Library ADVAPI32.DLL:
• 0x419328 AdjustTokenPrivileges
• 0x41932c CryptAcquireContextA
• 0x419330 CryptCreateHash
• 0x419334 CryptDestroyHash
• 0x419338 CryptGetHashParam
• 0x41933c CryptHashData
• 0x419340 CryptReleaseContext
• 0x419344 LookupPrivilegeValueA
• 0x419348 OpenProcessToken
• 0x41934c RegCloseKey
• 0x419350 RegCreateKeyExA
• 0x419354 RegOpenKeyExA
• 0x419358 RegQueryValueExA
• 0x41935c RegSetValueExA
Library DNSAPI.DLL:
• 0x41953c DnsQuery_A
Library msvcrt.dll:
• 0x419490 __getmainargs
• 0x419494 __p__environ
• 0x419498 __p__fmode
• 0x41949c __set_app_type
• 0x4194a0 _cexit
• 0x4194a4 _iob
• 0x4194a8 _onexit
• 0x4194ac _setmode
• 0x4194b0 abort
• 0x4194b4 atexit
• 0x4194b8 atoi
• 0x4194bc fclose
• 0x4194c0 fflush
• 0x4194c4 fgetc
• 0x4194c8 fopen
• 0x4194cc fprintf
• 0x4194d0 fread
• 0x4194d4 free
• 0x4194d8 fseek
• 0x4194dc ftell
• 0x4194e0 malloc
• 0x4194e4 memcpy
• 0x4194e8 memmove
• 0x4194ec memset
• 0x4194f0 rand
• 0x4194f4 realloc
• 0x4194f8 rewind
• 0x4194fc signal
• 0x419500 sprintf
• 0x419504 srand
• 0x419508 sscanf
• 0x41950c strcat
• 0x419510 strchr
• 0x419514 strcmp
• 0x419518 strcpy
• 0x41951c strstr
• 0x419520 strtok
Library msvcrt.dll:
• 0x419484 _itoa
Library WININET.DLL:
• 0x419548 InternetGetConnectedState
Library WS2_32.DLL:
• 0x419554 WSAConnect
• 0x419558 WSASocketA
• 0x41955c WSAStartup
• 0x419560 closesocket
• 0x419564 connect
• 0x419568 gethostbyname
• 0x41956c gethostname
• 0x419570 htons
• 0x419574 inet_addr
• 0x419578 inet_ntoa
• 0x41957c recv
• 0x419580 send
• 0x419584 sendto
• 0x419588 setsockopt
• 0x41958c socket
2940ualq
32y1ndgu
329yfwvx
U(]u}]
U(]u}]
]u}]UWVS
[^_]U(]u}E
UWVS,E
e[^_]U
CIu[^]
&lipfD
&winfD
)hGET
)h HTT
)lP/1.
)tost:f
)hUser
)l-Age
)pnt:
)hexpl
tQE$D$
UWVS\u
EevlkErdohfElpE
\[^_]UWVS\
e[^_]UWVS
@`TVdX
$wt5dD$
e[^_]UWVS,
<$e[^_]UWVS|
e[^_]US
4$X~e[^]
pD$ tD$
]USTD$
e[^_]US4D$
e[^]US$]
e[^]US
\[]UVS
u[^]US
[]UWVSL
ue[^_]UHu
]UWVS\}
EONEUM
E$IEUU
e[^]US4D$
]UWVSLD$
e[^_]UVS
(4$&t$
$e[^]US
ED$$\$ D$
$]UWVSL
C9|t.D$
X4$>D$
$~e[^]
UWVS|E`@
EEEj_@
e[^_]UWVS,E
e[^_]US
UWVS|U
D$$\$ D$
X4$xt$
&lipfD
&winfD
)hGET
)h HTT
)lP/1.
)tost:f
;T}#D$
;T}4D$
hC ~D$
;T}LXD$
XC;T|D$
uPp=$AA
uGp`D$
HD$$h|$ D$
h<$tD$
h<$WD$
;T}LXD$
XC;T|P
$[E2wrwEb=xfEpav'Eg{smE#~gpE
CNu[^_]U(E
e[^_]UWVS
EfEEfE4$E
fEfEfE
e[^_]%HA
<t6p t<~ @tO
x7EZ[^_]
UW1V1S
wd$`1A
eEEE`@
++CCUNG
pP EtB(dB$
R \tp@$
hUhU`hu
llU6hU(Et
E!t#XtEXM~t
$]u}E`@
UpPl1|pl
UEXEE]u}E`@
;u ]]$}}
4$Yt8 M
]1u}];] tIF
UWVS|U$E
E|[^_]
1|[^_]
UWVSL}
$DtbEN
UEXEE]u}E`@
++C B4CUNGB
t-S4C0
$]u}E`@
$]u}E`@
UEhEE]u}E`@
E]u}]E
$EUEhEE]u}E`@
tB1u2=@
UEXEE]u}E`@
80S4C0
t(S4C0
x9JtD|IS
:dY[]1=
e[^_]EAAAA1A
uEAAAAEAAAAE1A
EAAAAEAAAAE1A
EAAAAEAAAAE1A
EAAAAE
S C0C,
t(C,1D$
S0x]u]
t3[4u$&
t$B0x=B0uVB(
z(]u}]
H0x4P0uMX(]
UWVS,A
]t"x0xFp0u X(EP J
UWVS,@
tLEtt$
tEp0x^X0uw@(UEEE
]tAH0xFP0u
X(EP J
X(EP J
H0us@(EUE
x0uaX(EP J
<$&]u}]
taH0xkP0uu@(
e[^_]A
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
jHqA}
kdzbeO\
iLA`rqg
@l2u\E
a=-fAv
\cQkkbal
eLXaMQ:t
jiCn4Fg
c;d>jm
i]Wbgeq6l
8ROggW
A`Ugn1yiFa
fo%6hRw
[&wowG
eibkaEl
`MGiIwn>Jj
)WTg#.zfJa
h]+o*7
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Your account in System is successfully created, please read the instructions.
Administration has blocked your account.
Your account on the System was removed.
Your account on the system successfully activated.
Closure of your account, please read the instructions.
Change your password, please read the instructions.
Your account is successfully created on the site BigTits.
I Love You more than life, read at verse.
I Wish You all the best.
, .
, .
.
Instruction
Readme
Document
Message
WebMoney Instruction
Administration CyberPlat
PayPal Instruction
RUpay Administration
E-Gold Instruction
EasyPay Instruction
Administration WebMoney
Closure of your account
Change your password
Your account has been blocked due to violation of the rules
Account activation is successful
You have successfully registered on the site BigTits
Server Report
Mail Delivery System
Mail Transaction Failed
Your IP was logged
I Love You
Happy birthday to you
Webmoney
support@wmtransfer.com
admin@wmtransfer.com
support@cyberplat.com
admin@paypal.com
support@rbkmoney.ru
support@e-gold.com
admin@easypay.com
@aol.com
@msn.com
@yahoo.com
@hotmail.com
@gmail.com
@mail.ru
@rambler.ru
@pochta.ru
@yandex.ru
andrew
sandra
claudia
robert
Alexey
Fyodor
Matvey
Nikita
Nikolai
Andrei
Alexander
Valera
Viktor
Vladimir
Ruslan
Stepan
Margarita
Larisa
Ksenia
Valentina
Nastya
Natasha
Khristina
Oksana
milashka
Tamara
mvcsv.qyy
admin@bigtits.com
I_Love_You.zip
Happy_birthday_to_you.zip
mvcsvnd.qyy
symantec
winrar
winzip
icrosoft
norman
norton
noreply
hotmail
mcafee
antivi
bitdefender
agnitum
rating
master
gold-certs
contact
support
borland
update
hosting
certific
clamwin
Software\Microsoft\WAB\WAB4\Wab File Name
tepbcl.qyy
Readme.exe
foto.pif
Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Rkcybere\ihyaiby32\Irefvba
fgngrz
vqhfre
hfonpgvi
IHYanFuibyan
Flfgrz\PheeragPbagebyFrg\Freivprf\FunerqNpprff
PYFVQ\{R6SO5R20-QR35-11PS-9P87-00NN005127RQ}\VacebpFreire32
k_fbpxf5nna
user32.dll
fureinaf.qyy
pgszra.rkr
SeDebugPrivilege
virtual
vmware
SYSTEM\ControlSet001\Services\Disk\Enum
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Rkcybere\ihyaiby32\Irefvba
jvavarg.qyy
fVISta
192.168.1.2
vqhfre
tepbcl.qyy
user32.dll
ICQ 8.exe
office_crack_all.exe
Winrar 4.exe
K-Lite Codec Pack 7.exe
DivX 8.exe
ACDSee.exe
Winamp 7.exe
serials 2010.txt.exe
crack windows 7.exe
crack windows 8.exe
my_passwords.exe
Fbsgjner\Xnmnn\Genafsre
QyQve0
Fbsgjner\vZrfu\Trareny
QbjaybnqQve
pgszra.rkr
Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Eha
user32.dll
3NlrN
=|CK5:Z)
vc\ar"Q.{&
zg,/5>JYkx
<e-f#hkI\ %PCR]d
a$_@-&+<Y
|rkgfhmu
~cTQZo~%]k
`sJ5jb}
1D2l2z
.>tg>Q@
$$;2#9HQRK
7LPy0T*
@,|2 <]$E?
|8eH'1+o
<b"bW_k
P|+r@W
E^/kT8
cBu/JXm
DE;]\\:@
nq-w7,cd
R(hIW}Q+
&{6UJ2t$
';3n46.
AVobyLheX^}:;
6TH6}m[
W`|Hb[
+TCD}H
WtoN+I[gpz
O8pnGUK
Si& 0~g)aI;
TABkG=a
e=.#2p
1XiwYH
{97zHc=0_/G
|`,U`\z7|
>6CBUh|
Z{mE`_y>za
%1w4-,]
l%h m#
/RMKfkS~
yU8B5-@
'4V)nwl
>a6RVaK8v
aZ5rOF^
VbsI{`2pfQN
a~qCg/
-fF>bf4q
~^!,8av] U^M
-$j2aZZlk
}hTx1~d
NFE_<zxIpc
5{s[R#
}|DXt@=pp;
}Ru Mm^m(%L?h/O^
~N6jxh>q-+H
kT>)YmJ
'60r'ch
KMtP ]p,+\
bO-o/&2
sfi_c| A
5hj-V-
st.+`h1S9$
JP>qz1X%v&.A(
/{7xQ_ur
$gbx6J
-Rw.h2
+=*u_>6
E qJZH
jZ'9O,(E
(0e%/-%cE
JbLBQG>
ZMr5]oI
N)=CPds ]k_l
GQF["Y
N.4H|"kE
O%!$p]h
Mp<o^XSVy
$\JoEL
9YH[+ E@;&
dJ&x)_
]p$Cw>
QU,<0=w&
(I,@Z&us
~Spv_5
7zjB[7
l)f?HJ'Tk
v}&UaO
dv^%LZ#i
(GP,@:_
-WO2cr~
Sl`TAM&
RANOSYKu
h<wpD,EBC
L7Y;}"
KRQ+W-
<UXCYt
NKYGVV
-MOR2C
$p3hyTTyG28(Bqo5
.:aS1(jm
{}6|\h
-B~#@\APxG
5=kzXN
)Q N&?nkJ#9
!'+ 7[T rt
`uz\UlC_M4+)e
A?X{ MV
jQZhwy
*PuVz%
#p=|Wmcce\`
_|Tmp\9S37
i*6e}C
BA#=2zubd
1}[#p]hFZ
).a"7*%N
8c?U:x
3x1p:rO
kTkdMj5{W0(
Hl64zIZ
lcfu"O
G5f1k2
bQ6wQG
Fgs=[\>
[ l/w3C
SL<uouZ|
?U[/X +:<cI71>!J
\sDU{zZP>!
91?c@\OfJ"-*pO2k
TFh7sO
:0%dt^t
F{,mB2=c6
%.:I[p
~Y@32=Tw
F5?d!j3
ylb[WVX]ep~
nSDAJ_
%:Rm!N~ \"j
a'l-eD/&)eS}
KKNT]ix\
T|fSC6,
"'/:H
YBJByyYV
`/F5cbx
ww9k+*
;V`! B
_=?t).sUCg
BK$?._%[
c:FvW>9
O e&G'3
DfGnVFq
g9 tHz
,mF){1
ou%MuzpS
(^bcWnQ
[gD%e[F
3Q@OA+6Q
u\(X]R5rc
vF(3l2Pg
{k^TMIHJOWbp
7o)mKDX `E63<Qr
==@FO[j|
zaTS^u
3NlrN
=|CK5:Z)
vc\ar"Q.{&
7Wz$V<}
U7[,,/5>JYkx
<e-f#hI
\%PCB]d
.Z8c&m
a$_@-&+<Y
|rkgfhmu
!Y#OfG
~cTQZo~%]
1R2l2z
Q.QrPwS
vj]YyZ
@IPt5PU!
pr9I^~?ForW#
JiR`R\j}8e`
9j)4S.(8
,an$0[VF
vOYP/yY@
E4vbE6sW
!@w*{/2
--B0ae0:j
aaF&LQTVl7T,
%T?(MQ;v
,|}L}R+
QLI:LI
hd]MiL<
#M bXHg
]M}2Io
_pN^>VnH4d,;;D[k<nuh
YfuFK"bJ^
T92>@ h* u
c?>Yi;4
v[1[Z)X~js$!%6K<
zo_? g8
*>$i*3n:
"0!Z-;5
&gm\6,
+yVq`Zzh\#VNc7
'AT,^=}4+8e"
RM%tV;s
zWRh>VpzL8YC=
0)kYo"z1$A!
ZqH*zAc`
A)NhS5
oNa;TS_fn}
>W@]J;
CypO9Kf
N AWfncX
CuTB<e
eJk/cU-
>,ddN8
pUl[:G$g8nkM
PrYSG@R
&6%wbp
_"/?04Bu;'Hqw&K
G-_fq
=Tx;za/
+# =/E1
(ufSDSP)-iO$a
Ql8!|=V4I!nMiJ!}Z<
Z:nqj4?.fP
36A9TVl
bIQ_ w
M!W>MO
CXh=IC
jsNI-3
{)hFLc
U>g)FNko5lGg8A
kcDWUY@gO5P
#.<Max
rS@9>Ol.i
Z/| u*P
d# :Ibw
6_3z"{,Q
vfYOHDCEJR]k|!Gp2j$hF?S
[@1.7Lm
2Es3Q
%@g88;AJVew"Is
u\ONYp
sX)=nW
d%Yf8W:
Gkr"---
%s, %d %s %d %d:%d:%d GMT
HELO %s
MAIL FROM: <%s>
RCPT TO: <%s>
FROM: <%s>
TO: <%s>
Date: %s
MIME-Version: 1.0
Subject: %s
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
Content-type: Multipart/Mixed; boundary=xContext
--xContext
Content-type: text/plain; charset=Windows-1251
Content-type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Content-type: Application/Octet-stream; name="%s"; type:unknown
Content-Disposition: attachment; filename="%s"
Content-Transfer-Encoding: base64
--xContext--
nhgbeha.vas
fngbeanf.qyy
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon)
Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4 (.NET CLR 3.5.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
Opera/9.64 (Windows NT 5.1; U; ru) Presto/2.1.1
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
GET %s HTTP/1.1
Connection: Keep-Alive
User-Agent: %s
Host: %s
Accept: */*
urlmon.dll
URLDownloadToFileA
donzx.dll
spamon
Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Rkcybere\ihyaiby32\Irefvba
fgngrz
down_file
restart
fzaff.rkr
pgszra.rkr
timeout
socksa
flash_on
hfonpgvi
flash_off
p515p225982son69p76q604qp7s97975
2317q129n58non7o3148por15qs741r3
command
jHqA}
kdzbeO\
iLA`rqg
@l2u\E
a=-fAv
\cQkkbal
eLXaMQ:t
jiCn4Fg
c;d>jm
i]Wbgeq6l
8ROggW
A`Ugn1yiFa
fo%6hRw
[&wowG
eibkaEl
`MGiIwn>Jj
)WTg#.zfJa
h]+o*7
-LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32
w32_sharedptr->size == sizeof(W32_EH_SHARED)
%s:%u: failed assertion `%s'
../../gcc/gcc/config/i386/w32-shared-ptr.c
GetAtomNameA (atom, s, sizeof(s)) != 0
N10__cxxabiv117__class_type_infoE
N10__cxxabiv120__si_class_type_infoE
N10__cxxabiv121__vmi_class_type_infoE
St10bad_typeid
St13bad_exception
St8bad_cast
St9bad_alloc
St9exception
St9type_info
AddAtomA
CloseHandle
CopyFileA
CreateFileA
CreateFileMappingA
CreateMutexA
CreateProcessA
CreateSemaphoreA
CreateThread
CreateToolhelp32Snapshot
DeleteFileA
ExitProcess
FindAtomA
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
GetAtomNameA
GetCurrentProcess
GetCurrentProcessId
GetDriveTypeA
GetFileSize
GetFileTime
GetLastError
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetProcessHeap
GetSystemDirectoryA
GetSystemTime
GetTickCount
GetVersionExA
GlobalAlloc
GlobalFree
HeapAlloc
HeapFree
HeapReAlloc
InterlockedDecrement
InterlockedIncrement
IsBadReadPtr
IsDebuggerPresent
LoadLibraryA
MapViewOfFile
OpenProcess
Process32First
Process32Next
ReadFile
ReleaseSemaphore
SetErrorMode
SetFilePointer
SetFileTime
SetLastError
SetUnhandledExceptionFilter
TerminateProcess
TerminateThread
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnmapViewOfFile
WaitForSingleObject
WriteFile
lstrcatA
lstrcmpA
lstrcpyA
lstrcpynA
lstrlenA
AdjustTokenPrivileges
CryptAcquireContextA
CryptCreateHash
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptReleaseContext
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
DnsQuery_A
__getmainargs
__p__environ
__p__fmode
__set_app_type
_cexit
_onexit
_setmode
atexit
fclose
fflush
fprintf
malloc
memcpy
memmove
memset
realloc
rewind
signal
sprintf
sscanf
strcat
strchr
strcmp
strcpy
strstr
strtok
CharLowerA
wsprintfA
InternetGetConnectedState
WSAConnect
WSASocketA
WSAStartup
closesocket
connect
gethostbyname
gethostname
inet_addr
inet_ntoa
sendto
setsockopt
socket
P`.data
`.rdata
`@.bss
`.idata
0.rsrc
_@cEO@
U>g)FNko5lGg8A
cDWUlgO[
#.<Max
+IjM<o
rS@9>Ol.i
/'~zy{
Z/| u*P
{2ig0# :Ibw}
6_3z-"{,Q
YOHDCEJR]k|
Gp2j$hF?S[@1.7,m
2Es3Q
%@g;AJVew"Is
u\ONYp
d%Yf8W:
JaFeb<
ND%los, %d
CAIL FROM: <
RCPT TO
l:KIME--V9i
!Q4 Outlook Ex[
-typnMtip
A/Ex);m
y=x(-+4wxt5
/Min;E=
=We +-1251w3d_ISO-:59-1/)YT-Esa6<8bi
^seami[e="5l"
zn1f"{
bvba64&@
ek5JK:
EeYFGHIJKYeYLMNOPeYeQRSTUeYVWXYZnh]hQQ.v
([kXp$bMq
SV1)7`^th;5-%
U1ru-RQ
rv:9.1.4) GD-
Iox/3.L4.NE:CLR
30729mUX2~MFM1{322LO72I6msMuPht41'
d(8:iX
ImRPZh$)Br7
r510)(
gG,\TGr5
*/**urlm2j;>URLDpUadTo U
*a@:frM
Ubk@v5p
82>n69p76q604q
5#2317q129n
48vo8qs741r3
-LIBGCCWEF
SJLJ-GTHR
_ze ==
(:_2__SHARED)u
g/i386/`we--f.c
Kl Am]Am
,t,ws$m)!0g_
d43td@
__cxxav|uK7
B"ra?1vm@ElrSt=d,Rg
9S4do`g?9*
cg0Cl]
i$<P^p]iS 4M
4M4&6R`n4Mzs4M
,<Rfixsi
i*BRfvi4
44M<PbnxM4M
,:iiLV^hti|ili
*4M4M<FPZdn@6x
4M4&.:FNc
MV`nod22L&&dd2LL&d2L&d22L&&dd2LL&d2L&d22L&&dd2LL&d2L&d2U
AddDQAtomADeH
Mzm'+Q
Sem/horCTh
ool:32S|
n(s)txDeleE
%heLib
Cur nb
yp6[SmO
TimLaEf@
Ma,odul
xrQlaH/p
DecA,`
ckCT;T
K+4bA`
INH3lm.D{ m%
InsBR=DnPtr
UViewOf
Unh\ 8dE<,
WaiS`3n
fKre <[^
mppyZKn
Pcqu]L
KgKey{f
m6__w@ngs
%0ab5s
fcffKf}
3Zk4H_
?scs(v<c
pystZmkA,f
,CKrwhwmumA 'HD
.wStTWk,SA
Au0FIs
'@).r(J{lU'V
XPTPSWXaD$j
wwwwwwwwwwpp
KERNEL32.DLL
ADVAPI32.DLL
DNSAPI.DLL
msvcrt.dll
USER32.dll
WININET.DLL
WS2_32.DLL
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
RegCloseKey
DnsQuery_A
wsprintfA
InternetGetConnectedState
gE2a17xeko2f70pwcsc126irko
lh64zxrb7h30kmvk77z1kfrn
2a17xeko2f70pwcsc126irko
lh64zxrb7h30kmvk77z1kfrn
2f826dfb4afd9cd7ac42d
@�@�@�@�@�@�@�
@�@�@�@�@�@�@�
@�@�@�@�@�@�@�@�@�@�@�
@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�
@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�
@�@�@�@�@�@�@�@�
@�@�@�@�@�@�@�@�@�
@�@�@�@�@�@�@�
Process Tree
-
0421695db9e7f02901d5be78489304eccd09c9ee0dca61da96803d661f356670.exe (2108)
"C:\Users\Administrator\AppData\Local\Temp\0421695db9e7f02901d5be78489304eccd09c9ee0dca61da96803d661f356670.exe"
-
ctfmen.exe (2504)
ctfmen.exe
- smnss.exe (1464) C:\Windows\system32\smnss.exe
-
ctfmen.exe (2504)
ctfmen.exe
0421695db9e7f02901d5be78489304eccd09c9ee0dca61da96803d661f356670.exe, PID: 2108, Parent PID: 1848
default registry file network process services synchronisation iexplore office pdf
Hosts
No hosts contacted.
DNS
No domains contacted.
TCP
No TCP connections recorded.
UDP
No UDP connections recorded.
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | ca6206def19e1a01_ctfmen.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\ctfmen.exe |
| Size | 4.1KB |
| Processes | 2108 (0421695db9e7f02901d5be78489304eccd09c9ee0dca61da96803d661f356670.exe) |
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| MD5 | ea9c98f5db12a356dc78bb898334d654 |
| SHA1 | 061157c71cb820995860bcd7b51cef85ffbea6a1 |
| SHA256 | ca6206def19e1a0180e6ee11775c08c4d4b425663f2ab37f801049eb4bfe1c19 |
| CRC32 | 0B847ACF |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 3a9c6613083667f8_zipfi.dll |
|---|---|
| Filepath | C:\Windows\SysWOW64\zipfi.dll |
| Size | 118.7KB |
| Processes | 1464 (smnss.exe) |
| Type | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5 | a01e321f2f2df130bbb285a15389493b |
| SHA1 | ae4210cc3505d4e0efaf07250131f8b0e16567a3 |
| SHA256 | 3a9c6613083667f8dae7ad1f228bf49436c049f528ac979412831238551455d1 |
| CRC32 | 37F7AD43 |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |
| Name | f87c8b3ab6e70ce7_zipfiaq.dll |
|---|---|
| Filepath | C:\Windows\SysWOW64\zipfiaq.dll |
| Size | 118.7KB |
| Processes | 1464 (smnss.exe) |
| Type | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5 | b468654fe3e6e0cacfee9f1cbfb8edb8 |
| SHA1 | 4f1279ebc3371db5948ebe70436f40c2d7924531 |
| SHA256 | f87c8b3ab6e70ce7a25f3a34730beb199f58bb67f235ba5a4816d00dd7688090 |
| CRC32 | BA2A3CD7 |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |
| Name | b6243261c7ac0203_satornas.dll |
|---|---|
| Filepath | C:\Windows\SysWOW64\satornas.dll |
| Size | 183.0B |
| Processes | 2108 (0421695db9e7f02901d5be78489304eccd09c9ee0dca61da96803d661f356670.exe) |
| Type | Microsoft Windows Autorun file |
| MD5 | 272868a749b65ec6f0b77984752bf229 |
| SHA1 | 92ac96c6386a1140b4ef8de940260256a298d09f |
| SHA256 | b6243261c7ac0203a2f7c53ee685922f2eac7ce3ff3f90c9122e2f87eb2bae57 |
| CRC32 | EFE42DDD |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | e7256a62ee5c7fab_shervans.dll |
|---|---|
| Filepath | C:\Windows\SysWOW64\shervans.dll |
| Size | 8.5KB |
| Processes | 2108 (0421695db9e7f02901d5be78489304eccd09c9ee0dca61da96803d661f356670.exe) |
| Type | PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows |
| MD5 | 5ec82057a4b3f8a45065ec11a40c343a |
| SHA1 | a3332c8a2726be58e4b725953e88a92335638064 |
| SHA256 | e7256a62ee5c7fab27c585af9e885c8aeb7f657b03635de4d19159fca75b0ae6 |
| CRC32 | 1699D261 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 87677be44d61dce2_grcopy.dll |
|---|---|
| Filepath | C:\Windows\SysWOW64\grcopy.dll |
| Size | 118.6KB |
| Processes | 2108 (0421695db9e7f02901d5be78489304eccd09c9ee0dca61da96803d661f356670.exe) |
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| MD5 | 0e55eaca98790069c612c6b59eca2b0b |
| SHA1 | 07f54da56dcd01595504d38f84fc9b45f61f8c11 |
| SHA256 | 87677be44d61dce2285f9760da93b596210206cdd269e84288b3a89a77bc486a |
| CRC32 | 447AAF3D |
| ssdeep | None |
| Yara |
|
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.