File details | |
---|---|
File type: | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
File size: | 725.34 KB (742744 bytes) |
Compile time: | 2020-10-01 08:44:12 |
MD5: | aa7ad8fdea021577637b6e0520046686 |
SHA1: | f847d66c48d910ec01127d5e188ceaf4919d418f |
SHA256: | 7a77b516c563c8bbe904af3b90cfb89148b879b807aa34d93be3b1a2eb93a016 |
Import hash: | 59b4d90ccd42d8a41fe8c5f5161ddef8 |
Sections 9 | .text .rdata .data51 .data .datx .dat .data5 .rsrc .reloc |
Directories 4 | import resource relocation security |
First submission: | 2022-01-31 19:27:06 |
Last submission: | 2022-02-14 14:45:08 |
Filename detected: | fn58ds.pdf (1), fxses076.jpg (1) |
URL file hosting |
---|
hXXps://count.mail.163.com.impactmedfoundation.com/fn58ds.pdf |
hXXps://krisbadminton.com/fxses076.jpg |
Antivirus Report | |||
---|---|---|---|
Report Date | Detection Ratio | Permalink | Update |
No report available |
PE Sections 1 suspicious | |||||
---|---|---|---|---|---|
Name | VAddress | VSize | Size | MD5 | SHA1 |
.text | 0x1000 | 0x8ba88 | 572416 | b8289b40868fa61474ba4cd33b9668bd | 794479f87054106ca3aefd77d1b31c5d1a629c3f |
.rdata | 0x8d000 | 0x5146 | 20992 | 61cd7c929f58ffce15a4c363ae698a7c | fc5811765828af6611537a4dc3c7cfcff14158ad |
.data51 | 0x93000 | 0x3e8 | 1024 | 52d7f5264a1804b35b46379a2934ffc6 | 4523ed5dcc5873ac6211ce44c51dc2430f7d77c5 |
.data | 0x94000 | 0x1018 | 4096 | d103bdd61783b36df290bfbc51c66af2 | 39ff21e964da7128687769c65ef06b8737f98d8a |
.datx | 0x96000 | 0x3e8 | 1024 | 52d7f5264a1804b35b46379a2934ffc6 | 4523ed5dcc5873ac6211ce44c51dc2430f7d77c5 |
.dat | 0x97000 | 0x3e8 | 1024 | 52d7f5264a1804b35b46379a2934ffc6 | 4523ed5dcc5873ac6211ce44c51dc2430f7d77c5 |
.data5 | 0x98000 | 0x3e8 | 1024 | 52d7f5264a1804b35b46379a2934ffc6 | 4523ed5dcc5873ac6211ce44c51dc2430f7d77c5 |
.rsrc | 0x99000 | 0x12c04 | 77312 | ab94f0740aca8a0bea8ccfd65d4dbe54 | 660c3aa2e0cfaf10ca402273a572d3c5674da795 |
.reloc | 0xac000 | 0xdee0 | 57344 | 585d8643bc257c00cb72ab33e9e87f8b | 1c301c046f9a2ffae87ab732d4dfcb1e3709854a |
Meta Info | |
---|---|
No Meta found in this file |
XOR | |
---|---|
No XOR information found in this file. |
Signature | |
---|---|
MD5: | cea1af3e010d37421873ad7e9f66d5f4 |
SHA1: | d1c63090f164f72310ab6119040d94d686744543 |
Block Size: | 5464 |
Virtual Address: | 737280 |
Packer(s) | |
---|---|
Borland Delphi 3.0 (???) |
File found | |
---|---|
File type: XML | |
Overview.Style.StartOpt.xml | |
File type: Library | |
ADVAPI32.dll | |
USER32.dll | |
KERNEL32.dll | |
GDI32.dll |
IP Found | |
---|---|
No IP detected |
URL(s) | |
---|---|
http://ocsp.sectigo.com0 | |
http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0% | |
http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v | |
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | |
http://ocsp.usertrust.com0 | |
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | |
http://schemas.microsoft.com/SMI/2005/WindowsSettings | |
https://sectigo.com/CPS0D |
Behavior analysis details | |||||
---|---|---|---|---|---|
Machine name | Machine label | Machine manager | Started | Ended | Duration |
Seven06_64 | Seven06_64 | VirtualBox | 2022-01-31 19:17:46 | 2022-01-31 19:20:53 | 187 |
5 Behaviors detected by system signatures
Creates RWX memory
Severity: Medium
Confidence: Medium
Dynamic (imported) function loading detected
Severity: Medium
Confidence: Very High
- DynamicLoader: kernel32.dll/VirtualAllocEx
- DynamicLoader: KERNELBASE.dll/LoadLibraryExA
- DynamicLoader: kernel32.dll/GetProcAddress
- DynamicLoader: kernel32.dll/VirtualAlloc
- DynamicLoader: kernel32.dll/VirtualFree
- DynamicLoader: kernel32.dll/UnmapViewOfFile
- DynamicLoader: kernel32.dll/VirtualProtect
- DynamicLoader: kernel32.dll/LoadLibraryExA
- DynamicLoader: kernel32.dll/GetModuleHandleA
- DynamicLoader: kernel32.dll/CreateFileA
- DynamicLoader: kernel32.dll/SetFilePointer
- DynamicLoader: kernel32.dll/WriteFile
- DynamicLoader: kernel32.dll/CloseHandle
- DynamicLoader: kernel32.dll/GetTempPathA
- DynamicLoader: kernel32.dll/lstrlenA
- DynamicLoader: kernel32.dll/lstrcatA
- DynamicLoader: kernel32.dll/GetModuleFileNameA
- DynamicLoader: kernel32.dll/GetModuleFileNameW
- DynamicLoader: KERNELBASE.dll/VirtualAlloc
- DynamicLoader: kernel32.dll/Sleep
- DynamicLoader: kernel32.dll/OutputDebugStringA
- DynamicLoader: ntdll.dll/NtSetInformationProcess
- DynamicLoader: KERNELBASE.dll/VirtualAlloc
- DynamicLoader: fn58ds.pdf.dll/DllMainW
- DynamicLoader: fn58ds.pdf.dll/DllMainA
- DynamicLoader: fn58ds.pdf.dll/DllMain
Network activity detected but not expressed in API logs
Severity: Medium
Confidence: Very High
Performs some HTTP requests
Severity: Medium
Confidence: Low
- url: http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
Presents an Authenticode digital signature
Severity: Low
Confidence: Low
- md5_fingerprint: 845b43a572b8e2f6861377b6d4299e6e
- sha1_fingerprint: 742a13d6c77e90ff07e5ccf1ddfea8a888e03b50
- cn: INPESRTCVCBHTFAXMU
- sn: 128258497252950363624943541709778056697
5 Summary items with data
Files
- C:\Users\Seven01\AppData\Local\Temp\fn58ds.pdf.dll
- C:\Users\Seven01\AppData\Local\Temp\fn58ds.pdf.dll.123.Manifest
- C:\Users\Seven01\AppData\Local\Temp\fn58ds.pdf.dll.124.Manifest
- C:\Users\Seven01\AppData\Local\Temp\fn58ds.pdf.dll.2.Manifest
- C:\Windows\SysWOW64\rundll32.exe
- C:\Windows\SysWOW64\456456856785678567856778
- C:\Users\Seven01\AppData\Local\Temp\456456856785678567856778
- C:\Windows\System32\456456856785678567856778
- C:\Windows\system\456456856785678567856778
- C:\Windows\456456856785678567856778
- C:\ProgramData\Oracle\Java\javapath\456456856785678567856778
- C:\Windows\System32\wbem\456456856785678567856778
- C:\Windows\System32\WindowsPowerShell\v1.0\456456856785678567856778
Read Files
- C:\Users\Seven01\AppData\Local\Temp\fn58ds.pdf.dll
- C:\Users\Seven01\AppData\Local\Temp\fn58ds.pdf.dll.123.Manifest
- C:\Users\Seven01\AppData\Local\Temp\fn58ds.pdf.dll.124.Manifest
- C:\Users\Seven01\AppData\Local\Temp\fn58ds.pdf.dll.2.Manifest
- C:\Windows\SysWOW64\rundll32.exe
Write Files
Nothing to display
Delete Files
Nothing to display
Keys
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\fn58ds.pdf.dll
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
- HKEY_CLASSES_ROOT\iNTerface\{b196b287-bab4-101a-b69c-00aa00341d07}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B196B287-BAB4-101A-B69C-00AA00341D07}\(Default)
Read Keys
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\fn58ds.pdf.dll
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B196B287-BAB4-101A-B69C-00AA00341D07}\(Default)
Write Keys
Nothing to display
Delete Keys
Nothing to display
Mutexes
Resolved APIs
- kernel32.dll.VirtualAllocEx
- kernelbase.dll.LoadLibraryExA
- kernel32.dll.GetProcAddress
- kernel32.dll.VirtualAlloc
- kernel32.dll.VirtualFree
- kernel32.dll.UnmapViewOfFile
- kernel32.dll.VirtualProtect
- kernel32.dll.LoadLibraryExA
- kernel32.dll.GetModuleHandleA
- kernel32.dll.CreateFileA
- kernel32.dll.SetFilePointer
- kernel32.dll.WriteFile
- kernel32.dll.CloseHandle
- kernel32.dll.GetTempPathA
- kernel32.dll.lstrlenA
- kernel32.dll.lstrcatA
- kernel32.dll.GetModuleFileNameA
- kernel32.dll.GetModuleFileNameW
- kernelbase.dll.VirtualAlloc
- kernel32.dll.Sleep
- kernel32.dll.OutputDebugStringA
- ntdll.dll.NtSetInformationProcess
Execute Commands
Nothing to display
Started Services
Nothing to display
Created Services
Nothing to display
1 HTTP Request(s) detected
http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
- Hostname: crt.usertrust.com
- IP Address: 91.199.212.52
- Port: 80
- Count: 1
GET /USERTrustRSAAddTrustCA.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crt.usertrust.com
Detected family: #Cridex