MalScore: 100/100
MalFamily: Cridex

Sample: fxses076.jpg

Indicator badges (as displayed on the page): Is DLL | Packer | Anti Debug | Anti VM | Signed | XOR. Note that the XOR block further down reports nothing found, so treat the badge row as the page's label set rather than a list of confirmed findings.
File details
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File size: 725.34 KB (742744 bytes)
Compile time: 2020-10-01 08:44:12
MD5: aa7ad8fdea021577637b6e0520046686
SHA1: f847d66c48d910ec01127d5e188ceaf4919d418f
SHA256: 7a77b516c563c8bbe904af3b90cfb89148b879b807aa34d93be3b1a2eb93a016
Import hash: 59b4d90ccd42d8a41fe8c5f5161ddef8
Sections (9): .text .rdata .data51 .data .datx .dat .data5 .rsrc .reloc
Directories (4): import, resource, relocation, security
First submission: 2022-01-31 19:27:06
Last submission: 2022-02-14 14:45:08
Filenames detected:
- fn58ds.pdf (1)
- fxses076.jpg (1)
URL file hosting
hXXps://count.mail.163.com.impactmedfoundation.com/fn58ds.pdf (VirusTotal)
hXXps://krisbadminton.com/fxses076.jpg (VirusTotal)
Antivirus Report
Report Date Detection Ratio Permalink Update
No report available
PE Sections (1 flagged suspicious)
Name VAddress VSize RawSize MD5 SHA1
.text 0x1000 0x8ba88 572416 b8289b40868fa61474ba4cd33b9668bd 794479f87054106ca3aefd77d1b31c5d1a629c3f
.rdata 0x8d000 0x5146 20992 61cd7c929f58ffce15a4c363ae698a7c fc5811765828af6611537a4dc3c7cfcff14158ad
.data51 0x93000 0x3e8 1024 52d7f5264a1804b35b46379a2934ffc6 4523ed5dcc5873ac6211ce44c51dc2430f7d77c5
.data 0x94000 0x1018 4096 d103bdd61783b36df290bfbc51c66af2 39ff21e964da7128687769c65ef06b8737f98d8a
.datx 0x96000 0x3e8 1024 52d7f5264a1804b35b46379a2934ffc6 4523ed5dcc5873ac6211ce44c51dc2430f7d77c5
.dat 0x97000 0x3e8 1024 52d7f5264a1804b35b46379a2934ffc6 4523ed5dcc5873ac6211ce44c51dc2430f7d77c5
.data5 0x98000 0x3e8 1024 52d7f5264a1804b35b46379a2934ffc6 4523ed5dcc5873ac6211ce44c51dc2430f7d77c5
.rsrc 0x99000 0x12c04 77312 ab94f0740aca8a0bea8ccfd65d4dbe54 660c3aa2e0cfaf10ca402273a572d3c5674da795
.reloc 0xac000 0xdee0 57344 585d8643bc257c00cb72ab33e9e87f8b 1c301c046f9a2ffae87ab732d4dfcb1e3709854a
Meta Info
No Meta found in this file
XOR
No XOR information found in this file.
Signature
MD5: cea1af3e010d37421873ad7e9f66d5f4
SHA1: d1c63090f164f72310ab6119040d94d686744543
Block Size: 5464
Virtual Address: 737280
(The security directory's "virtual address" is a raw file offset, not an RVA: 737280 + 5464 = 742744, exactly the file size, so the Authenticode block is the last 5464 bytes of the file and lies outside the region covered by the signature hash, as it should.)
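The section table and the signature block above can be cross-checked against each other without the binary. The following is an added example (not part of the report or its tooling) that runs that check over the numbers printed above: it groups sections whose raw bytes hash identically, lists non-standard section names, verifies that the virtual layout is contiguous, and works out where the Authenticode block sits relative to the section data. The section alignment (0x1000) and file alignment (0x200) are assumptions; the figures turn out to satisfy them.

```python
"""Sanity-check a PE section table and signature placement from report numbers.

Added example, not part of the sandbox report.  The section rows, file size
and signature offset/size are the ones printed in the report; the alignments
are assumed and then verified.
"""
from collections import defaultdict

# (name, virtual address, virtual size, raw size, md5) copied from the report.
SECTIONS = [
    (".text",   0x1000,  0x8ba88, 572416, "b8289b40868fa61474ba4cd33b9668bd"),
    (".rdata",  0x8d000, 0x5146,  20992,  "61cd7c929f58ffce15a4c363ae698a7c"),
    (".data51", 0x93000, 0x3e8,   1024,   "52d7f5264a1804b35b46379a2934ffc6"),
    (".data",   0x94000, 0x1018,  4096,   "d103bdd61783b36df290bfbc51c66af2"),
    (".datx",   0x96000, 0x3e8,   1024,   "52d7f5264a1804b35b46379a2934ffc6"),
    (".dat",    0x97000, 0x3e8,   1024,   "52d7f5264a1804b35b46379a2934ffc6"),
    (".data5",  0x98000, 0x3e8,   1024,   "52d7f5264a1804b35b46379a2934ffc6"),
    (".rsrc",   0x99000, 0x12c04, 77312,  "ab94f0740aca8a0bea8ccfd65d4dbe54"),
    (".reloc",  0xac000, 0xdee0,  57344,  "585d8643bc257c00cb72ab33e9e87f8b"),
]
FILE_SIZE = 742744                       # 'File size' in the report
CERT_OFFSET, CERT_SIZE = 737280, 5464    # Signature block: Virtual Address / Block Size
SECTION_ALIGN, FILE_ALIGN = 0x1000, 0x200  # assumed; checked by the functions below

# Section names a stock Microsoft or Borland toolchain emits.
COMMON_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                ".edata", ".pdata", ".bss", ".tls", ".crt", "code", "data", "bss"}


def align_up(value, alignment):
    """Round value up to the next multiple of alignment."""
    return (value + alignment - 1) // alignment * alignment


def duplicate_content(sections):
    """Groups of section names whose raw bytes hash identically (same md5, same size)."""
    by_hash = defaultdict(list)
    for name, _, _, raw, md5 in sections:
        by_hash[(md5, raw)].append(name)
    return [names for names in by_hash.values() if len(names) > 1]


def unusual_names(sections):
    """Section names outside the usual toolchain set."""
    return [s[0] for s in sections if s[0].lower() not in COMMON_NAMES]


def virtually_contiguous(sections):
    """True when every section starts where the previous one ends, rounded up
    to the section alignment; a gap or overlap points at an edited header."""
    for (_, va, vsize, _, _), (_, next_va, _, _, _) in zip(sections, sections[1:]):
        if align_up(va + vsize, SECTION_ALIGN) != next_va:
            return False
    return True


def signature_layout(sections):
    """Where the Authenticode blob sits relative to the section data."""
    raw_total = sum(s[3] for s in sections)
    return {
        "raw_sizes_file_aligned": all(s[3] % FILE_ALIGN == 0 for s in sections),
        "cert_is_file_tail": CERT_OFFSET + CERT_SIZE == FILE_SIZE,
        # Everything in the file that is neither section data nor the
        # certificate table: PE headers plus any unsigned overlay.  1024 (0x400)
        # is just the header size of a 9-section PE at 0x200 alignment, which
        # means there is no overlay hiding between .reloc and the signature.
        "headers_plus_overlay": CERT_OFFSET - raw_total,
    }


if __name__ == "__main__":
    print("identical sections:", duplicate_content(SECTIONS))
    print("non-standard names:", unusual_names(SECTIONS))
    print("contiguous virtual layout:", virtually_contiguous(SECTIONS))
    print("signature placement:", signature_layout(SECTIONS))
```

What this shows for the sample: the four oddly named sections (.data51, .datx, .dat, .data5) are byte-for-byte copies of one 1024-byte block, which is the kind of padding a builder adds to change the import hash or section profile between builds, while the virtual layout is still perfectly contiguous and the only data after the last section is the signature block itself.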
Packer(s)
Borland Delphi 3.0 (???)  (the "???" marks a low-confidence signature match; the section names here, .text/.rdata/.data, are those of a Microsoft-style linker rather than Delphi's CODE/DATA/BSS, so treat this packer/compiler guess as unconfirmed)
File found
File type: XML
Overview.Style.StartOpt.xml
File type: Library
ADVAPI32.dll
USER32.dll
KERNEL32.dll
GDI32.dll
IP Found
No IP detected
URL(s)
All of the URLs below are strings embedded in the file, not addresses contacted by the sample's own code: the Sectigo/USERTrust entries are the OCSP, CRL and CA-issuer pointers from the certificate chain behind the Authenticode signature (including its Sectigo timestamping chain), and the schemas.microsoft.com entry is the XML namespace of the application manifest. The stray characters the string extractor printed after each URL (0, 0%, 0v, 0#, 0t, 0D) are the DER tag and length bytes of the following ASN.1 element (0x30 is the SEQUENCE tag, which renders as "0") and have been dropped here.
http://ocsp.sectigo.com
http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt
http://ocsp.usertrust.com
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl
http://schemas.microsoft.com/SMI/2005/WindowsSettings
https://sectigo.com/CPS
Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration (s)
Seven06_64 Seven06_64 VirtualBox 2022-01-31 19:17:46 2022-01-31 19:20:53 187

5 Behaviors detected by system signatures


5 Summary items with data

Files

C:\Users\Seven01\AppData\Local\Temp\fn58ds.pdf.dll
C:\Users\Seven01\AppData\Local\Temp\fn58ds.pdf.dll.123.Manifest
C:\Users\Seven01\AppData\Local\Temp\fn58ds.pdf.dll.124.Manifest
C:\Users\Seven01\AppData\Local\Temp\fn58ds.pdf.dll.2.Manifest
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\456456856785678567856778
C:\Users\Seven01\AppData\Local\Temp\456456856785678567856778
C:\Windows\System32\456456856785678567856778
C:\Windows\system\456456856785678567856778
C:\Windows\456456856785678567856778
C:\ProgramData\Oracle\Java\javapath\456456856785678567856778
C:\Windows\System32\wbem\456456856785678567856778
C:\Windows\System32\WindowsPowerShell\v1.0\456456856785678567856778
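The Files list above has a distinctive shape: one name, 456456856785678567856778, looked up in eight directories in turn (SysWOW64, the Temp directory the DLL was loaded from, System32, system, the Windows directory, then the PATH entries javapath, wbem and WindowsPowerShell\v1.0). That is what a LoadLibrary/SearchPath-style lookup for a file that is not where the caller expects looks like in a file-access trace; the name appears under Files but not under Read Files, consistent with every probe missing. The following is an added example (not part of the report or its sandbox) of a detection rule that catches this pattern in file-access events: a single name probed across several search-path directories by one process. The paths are copied from the report; the (process, path) event format, the attribution of the events to rundll32.exe and the PATH entries are assumptions for illustration.

```python
"""Detect a process probing one file name across the Windows search path.

Added example, not part of the sandbox report.  Paths come from the report's
'Files' list; the event format and the process column are assumptions.
"""
from collections import defaultdict
import ntpath

# Constructed sample events: (process, path) as a sandbox or Sysmon-style
# file-access trace would record them.
SAMPLE_EVENTS = [
    ("rundll32.exe", r"C:\Users\Seven01\AppData\Local\Temp\fn58ds.pdf.dll"),
    ("rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe"),
    ("rundll32.exe", r"C:\Windows\SysWOW64\456456856785678567856778"),
    ("rundll32.exe", r"C:\Users\Seven01\AppData\Local\Temp\456456856785678567856778"),
    ("rundll32.exe", r"C:\Windows\System32\456456856785678567856778"),
    ("rundll32.exe", r"C:\Windows\system\456456856785678567856778"),
    ("rundll32.exe", r"C:\Windows\456456856785678567856778"),
    ("rundll32.exe", r"C:\ProgramData\Oracle\Java\javapath\456456856785678567856778"),
    ("rundll32.exe", r"C:\Windows\System32\wbem\456456856785678567856778"),
    ("rundll32.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\456456856785678567856778"),
]

# Directories on the default search path.  The system and Windows directories
# are fixed; the rest stand in for PATH, which differs per machine and is
# taken here from the report's own paths (assumption).
SEARCH_PATH_DIRS = {
    r"c:\windows\syswow64",
    r"c:\windows\system32",
    r"c:\windows\system",
    r"c:\windows",
    r"c:\programdata\oracle\java\javapath",
    r"c:\windows\system32\wbem",
    r"c:\windows\system32\windowspowershell\v1.0",
}


def group_probes(events):
    """Map (process, base name) -> set of directories the name was looked up in.

    Everything is lower-cased because NTFS path lookups are case-insensitive.
    """
    groups = defaultdict(set)
    for process, path in events:
        directory, name = ntpath.split(path)
        groups[(process.lower(), name.lower())].add(directory.lower())
    return groups


def find_search_path_probes(events, min_dirs=4):
    """Return (process, name, sorted dirs) for each name probed in at least
    min_dirs distinct directories, at least one of them on the search path.

    A process normally opens a given file name in one place.  The same name
    showing up across the system directories and the PATH entries within one
    trace is the footprint of a search-order walk for a file that was not
    found where the caller first looked.
    """
    hits = []
    for (process, name), dirs in group_probes(events).items():
        if len(dirs) >= min_dirs and dirs & SEARCH_PATH_DIRS:
            hits.append((process, name, sorted(dirs)))
    return hits


if __name__ == "__main__":
    for process, name, dirs in find_search_path_probes(SAMPLE_EVENTS):
        print(f"{process}: '{name}' probed in {len(dirs)} directories")
        for directory in dirs:
            print("   ", directory)
```

On the report's data the rule fires once, for 456456856785678567856778 in eight directories, and stays quiet for fn58ds.pdf.dll and rundll32.exe, which are each opened in exactly one place. The threshold of four keeps ordinary DLL loads (typically one or two probes) below the line; tune it against your own baseline before deploying.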

Read Files

C:\Users\Seven01\AppData\Local\Temp\fn58ds.pdf.dll
C:\Users\Seven01\AppData\Local\Temp\fn58ds.pdf.dll.123.Manifest
C:\Users\Seven01\AppData\Local\Temp\fn58ds.pdf.dll.124.Manifest
C:\Users\Seven01\AppData\Local\Temp\fn58ds.pdf.dll.2.Manifest
C:\Windows\SysWOW64\rundll32.exe

Write Files

Nothing to display

Delete Files

Nothing to display

Keys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\fn58ds.pdf.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_CLASSES_ROOT\iNTerface\{b196b287-bab4-101a-b69c-00aa00341d07}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B196B287-BAB4-101A-B69C-00AA00341D07}\(Default)

Read Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\fn58ds.pdf.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B196B287-BAB4-101A-B69C-00AA00341D07}\(Default)

Write Keys

Nothing to display

Delete Keys

Nothing to display

Mutexes

Resolved APIs

kernel32.dll.VirtualAllocEx
kernelbase.dll.LoadLibraryExA
kernel32.dll.GetProcAddress
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualFree
kernel32.dll.UnmapViewOfFile
kernel32.dll.VirtualProtect
kernel32.dll.LoadLibraryExA
kernel32.dll.GetModuleHandleA
kernel32.dll.CreateFileA
kernel32.dll.SetFilePointer
kernel32.dll.WriteFile
kernel32.dll.CloseHandle
kernel32.dll.GetTempPathA
kernel32.dll.lstrlenA
kernel32.dll.lstrcatA
kernel32.dll.GetModuleFileNameA
kernel32.dll.GetModuleFileNameW
kernelbase.dll.VirtualAlloc
kernel32.dll.Sleep
kernel32.dll.OutputDebugStringA
ntdll.dll.NtSetInformationProcess

Execute Commands

Nothing to display

Started Services

Nothing to display

Created Services

Nothing to display

1 HTTP Request(s) detected

The single request below carries the User-Agent Microsoft-CryptoAPI/6.1 and fetches the USERTrust intermediate CA certificate whose URL is embedded in the file's certificate chain (see URL(s) above): it is the Windows CryptoAPI chain engine completing the Authenticode chain for the signed DLL, not traffic originated by the sample's own code. Do not lift crt.usertrust.com or 91.199.212.52 as an indicator from this run.

http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
  • Hostname: crt.usertrust.com
  • IP Address: 91.199.212.52
  • Port: 80
  • Count: 1

GET /USERTrustRSAAddTrustCA.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crt.usertrust.com

#infosec #automation

TheSystem Itself @ 2022-01-31 19:27:08

Detected family: #Cridex

TheSystem Itself @ 2022-01-31 19:33:02