(cache) Free Automated Malware Analysis Service

malicious

Threat Score: 100/100 AV Multiscan: 47% Gen:Variant.Barys

web refle.exe

Analyzed on August 29th 2016 11:36:47 (CEST) running the Kernelmode monitor and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by VxStream Sandbox v5.00 © Payload Security

Sample not shared VirusTotal Report Re-analyze

Incident Response

Risk Assessment

Persistence: Spawns a lot of processes
Fingerprint: Reads the active computer name

Indicators

Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

Malicious Indicators 7
External Systems
- Sample was identified as malicious by a large number of Antivirus engines
  
  details
  
  27/57 Antivirus vendors marked sample as malicious (47% detection rate)
  
  source
  
  External System
  
  relevance
  
  10/10
- Sample was identified as malicious by at least one Antivirus engine
  
  details
  
  27/57 Antivirus vendors marked sample as malicious (47% detection rate)
  
  source
  
  External System
  
  relevance
  
  8/10
Unusual Characteristics
- Spawns a lot of processes
  
  details
  
  Spawned process "<Input Sample>" (UID: 00026014-00002536)
  Spawned process "cmd.exe" with commandline "/c "%TEMP%\EF4.tmp\EFF.bat C:\19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe"" (UID: 00026731-00003056)
  Spawned process "taskkill.exe" with commandline "taskkill /f /t /im mshta.exe" (UID: 00027050-00003496)
  Spawned process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v webrefle" (UID: 00028384-00002668)
  Spawned process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Webrefle /f" (UID: 00028645-00002656)
  
  source
  
  Monitored Target
  
  relevance
  
  8/10
Hiding 4 Malicious Indicators
- All indicators are available only in the private webservice or standalone version

Suspicious Indicators 16
Anti-Detection/Stealthyness
- Sets the process error mode to suppress error box
  
  details
  
  "<Input Sample>" set its error mode to SEM_NOOPENFILEERRORBOX
  
  source
  
  API Call
  
  relevance
  
  8/10
General
- Contains ability to find and load resources of a specific module
  
  details
  
  FindResourceA@KERNEL32.DLL at PID 00002536 (Show Stream)
  FindResourceA@KERNEL32.DLL at PID 00002536 (Show Stream)
  FindResourceA@KERNEL32.DLL at PID 00002536 (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  1/10
- Reads configuration files
  
  details
  
  "<Input Sample>" read file "%USERPROFILE%\Desktop\desktop.ini"
  
  source
  
  API Call
  
  relevance
  
  4/10
Installation/Persistance
- Touches files in the Windows directory
  
  details
  
  "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
  "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
  "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
  "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
  "<Input Sample>" touched file "C:\Windows\system32\cmd.exe"
  
  source
  
  API Call
  
  relevance
  
  7/10
System Destruction
- Marks file for deletion
  
  details
  
  "C:\19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe" marked "%TEMP%\EF4.tmp" for deletion
  "C:\19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe" marked "%TEMP%\EF4.tmp\EFF.tmp" for deletion
  
  source
  
  API Call
  
  relevance
  
  10/10
- Opens file with deletion access rights
  
  details
  
  "<Input Sample>" opened "%TEMP%\EF4.tmp" with delete access
  "<Input Sample>" opened "%TEMP%\EF4.tmp\EFF.tmp" with delete access
  
  source
  
  API Call
  
  relevance
  
  7/10
System Security
- Modifies proxy settings
  
  details
  
  "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
- Queries sensitive IE security settings
  
  details
  
  "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
  
  source
  
  Registry Access
  
  relevance
  
  8/10
- Queries the display settings of system associated file extensions
  
  details
  
  "<Input Sample>" (Access type: "QUERYVAL"; Path: "HKCR\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.EXE"; Key: "ALWAYSSHOWEXT")
  "<Input Sample>" (Access type: "QUERYVAL"; Path: "HKCR\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.EXE"; Key: "NEVERSHOWEXT")
  
  source
  
  Registry Access
  
  relevance
  
  7/10
- Tries to obtain the highest possible privilege level without UAC dialog
  
  details
  
  "<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> <v3:trustInfo xmlns:v3="urn:schemas-microsoft-com:asm.v3"> <v3:security> <v3:requestedPrivileges> ... level can be "asInvoker", "highestAvailable", or "requireAdministrator" --> <v3:requestedExecutionLevel level="highestAvailable" /> </v3:requestedPrivileges> </v3:security> </v3:trustInfo> </assembly> PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD" (Indicator: "requestedExecutionLevel level="highestAvailable"")
  
  source
  
  String
  
  relevance
  
  7/10
Unusual Characteristics
- Imports suspicious APIs
  
  details
  
  CreateDirectoryA
  CreateFileA
  DeleteFileA
  FindResourceA
  GetCommandLineA
  GetFileSize
  GetModuleFileNameA
  GetModuleHandleA
  GetProcAddress
  GetTempFileNameA
  GetTempPathA
  GetVersionExA
  LoadLibraryA
  Sleep
  TerminateProcess
  WriteFile
  ShellExecuteExA
  GetWindowThreadProcessId
  
  source
  
  Static Parser
  
  relevance
  
  1/10
- Installs hooks/patches the running process
  
  details
  
  "taskkill.exe" wrote bytes "4053c5775858c677186ac677653cc7770000000000bf32760000000056cc3276000000007cca3276000000003768e2756a2cc777d62dc777000000002069e2750000000029a6327600000000a48de27500000000f70e327600000000" to virtual address "0x77DA1000" (part of module "NSI.DLL")
  "reg.exe" wrote bytes "4053c5775858c677186ac677653cc7770000000000bf32760000000056cc3276000000007cca3276000000003768e2756a2cc777d62dc777000000002069e2750000000029a6327600000000a48de27500000000f70e327600000000" to virtual address "0x77DA1000" (part of module "NSI.DLL")
  
  source
  
  Hook Detection
  
  relevance
  
  10/10
- Reads information about supported languages
  
  details
  
  "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EN-US")
  "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "EN-US")
  
  source
  
  Registry Access
  
  relevance
  
  3/10
Hiding 3 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version

Informative 9
Anti-Reverse Engineering
- Contains ability to register a top-level exception handler (often used as anti-debugging trick)
  
  details
  
  SetUnhandledExceptionFilter@KERNEL32.DLL at PID 00002536 (Show Stream)
  SetUnhandledExceptionFilter@KERNEL32.DLL at PID 00002536 (Show Stream)
  SetUnhandledExceptionFilter@KERNEL32.DLL at PID 00002536 (Show Stream)
  SetUnhandledExceptionFilter@KERNEL32.DLL at PID 00002536 (Show Stream)
  SetUnhandledExceptionFilter@KERNEL32.DLL at PID 00002536 (Show Stream)
  SetUnhandledExceptionFilter@KERNEL32.DLL at PID 00002536 (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  1/10
Environment Awareness
- Contains ability to query the machine version
  
  details
  
  GetVersionExA@KERNEL32.DLL at PID 00002536 (Show Stream)
  GetVersionExA@KERNEL32.DLL at PID 00002536 (Show Stream)
  GetVersionExA@KERNEL32.DLL at PID 00002536 (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  1/10
General
- Creates a writable file in a temporary directory
  
  details
  
  "<Input Sample>" created file "%TEMP%\EF4.tmp\EFF.bat"
  
  source
  
  API Call
  
  relevance
  
  1/10
- Creates mutants
  
  details
  
  "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
  
  source
  
  Created Mutant
  
  relevance
  
  3/10
- Runs shell commands
  
  details
  
  "/c "%TEMP%\EF4.tmp\EFF.bat C:\19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe"" on 2016-8-29.02:50:00.660
  
  source
  
  Monitored Target
  
  relevance
  
  5/10
- Spawns new processes
  
  details
  
  Spawned process "cmd.exe" with commandline "/c "%TEMP%\EF4.tmp\EFF.bat C:\19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe"" (UID: 00026731-00003056)
  Spawned process "taskkill.exe" with commandline "taskkill /f /t /im mshta.exe" (UID: 00027050-00003496)
  Spawned process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v webrefle" (UID: 00028384-00002668)
  Spawned process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Webrefle /f" (UID: 00028645-00002656)
  
  source
  
  Monitored Target
  
  relevance
  
  3/10
Installation/Persistance
- Connects to LPC ports
  
  details
  
  "<Input Sample>" connecting to "\ThemeApiPort"
  
  source
  
  API Call
  
  relevance
  
  1/10
- Dropped files
  
  details
  
  "EFF.bat" has type "ASCII text with CRLF line terminators"
  
  source
  
  Extracted File
  
  relevance
  
  3/10
System Security
- Opens the Kernel Security Device Driver (KsecDD) of Windows
  
  details
  
  "<Input Sample>" opened "\Device\KsecDD"
  
  source
  
  API Call
  
  relevance
  
  10/10

File Details

All Details:

web refle.exe

Filename: web refle.exe
Size: 136KiB (138752 bytes)
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Architecture
: 32 Bit
SHA256
: 19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79
MD5
: 38920fd74d94cca4ba7e49a592ef731e
SHA1
: ad65a4d9bf296e286c04fc54bbc853b4b4d9b4c1
SHA512
: 8f91a8243dc069409fb3f196ce4d53e236f03402824fe0d6511af521b5b6e2b6dd213e5962da1c19e6724c342cce17bb7b5a0c0f19ca8b7e7b05a5bc6a379681
ssdeep
: 1536:evosBknP2Uo+GjDZwue3jzFfc5hghUdyWv1RmxLLZVoGyAV:evVMCcHVc5hghUvDmxLLfp
imphash
: db509f0d296d268770c3b20bf5581bd7
authentihash
: b9b4aeb5f21f497bc8323361744bb3c1d9bcd9a82f9201772b3e1ce77aa365c9
Compiler/Packer
: PureBasic 4.x -> Neil Hodgson

Resources

Language
: NEUTRAL
Icon

Visualization

Input File (PortEx)

Version Info

LegalCopyright: copyright(C) 2016 crara06 all rights reserved
ProductVersion: 1.0.0.0
ProductName: remover web refle
FileVersion: 1,0,0,0
CompanyName: crara06
Translation: 0x0000 0x04e4

Classification (TrID)

64.4% (.EXE) Win32 Executable MS Visual C++ (generic)
13.5% (.DLL) Win32 Dynamic Link Library (generic)
9.3% (.EXE) Win32 Executable (generic)
4.2% (.EXE) Win16/32 Executable Delphi generic
4.1% (.EXE) Generic Win/DOS Executable

File Sections

Details	Name	Entropy	Virtual Address	Virtual Size	Raw Size	MD5
Name .code Entropy 5.06729654764 Virtual Address 0x1000 Virtual Size 0x320f Raw Size 0x3400 MD5 8a9d401399465ef07aea0d20db4e3e5b	.code	5.06729654764	0x1000	0x320f	0x3400	8a9d401399465ef07aea0d20db4e3e5b
Name .text Entropy 6.57622898175 Virtual Address 0x5000 Virtual Size 0xb30b Raw Size 0xb400 MD5 3ed6f95c321ef7b728d7b775017b8ae5	.text	6.57622898175	0x5000	0xb30b	0xb400	3ed6f95c321ef7b728d7b775017b8ae5
Name .rdata Entropy 6.61505592377 Virtual Address 0x11000 Virtual Size 0x986 Raw Size 0xa00 MD5 4770f66539d1d3273544f30fbf101075	.rdata	6.61505592377	0x11000	0x986	0xa00	4770f66539d1d3273544f30fbf101075
Name .data Entropy 5.39562751103 Virtual Address 0x12000 Virtual Size 0x1c18 Raw Size 0x1600 MD5 c079140ea117227153b1fe58351e1dbc	.data	5.39562751103	0x12000	0x1c18	0x1600	c079140ea117227153b1fe58351e1dbc
Name .rsrc Entropy 4.4177995446 Virtual Address 0x14000 Virtual Size 0x110cc Raw Size 0x11200 MD5 a7ee5bfd093fd335b73e0dbf156305bf	.rsrc	4.4177995446	0x14000	0x110cc	0x11200	a7ee5bfd093fd335b73e0dbf156305bf

File Imports

InitCommonControlsEx

BitBlt

CreateBitmap

CreateCompatibleDC

CreateDIBSection

CreateSolidBrush

DeleteDC

DeleteObject

GetDIBits

GetObjectA

GetObjectType

GetStockObject

GetTextExtentPoint32A

SelectObject

SetBkColor

SetPixel

SetTextColor

CloseHandle

CreateDirectoryA

CreateFileA

DeleteCriticalSection

DeleteFileA

EnterCriticalSection

ExitProcess

FindResourceA

FreeLibrary

GetCommandLineA

GetCurrentDirectoryA

GetCurrentProcess

GetCurrentProcessId

GetCurrentThreadId

GetEnvironmentVariableA

GetExitCodeProcess

GetFileSize

GetModuleFileNameA

GetModuleHandleA

GetNativeSystemInfo

GetProcAddress

GetShortPathNameA

GetSystemDirectoryA

GetTempFileNameA

GetTempPathA

GetVersionExA

GetWindowsDirectoryA

HeapAlloc

HeapCreate

HeapDestroy

HeapFree

HeapReAlloc

HeapSize

InitializeCriticalSection

LeaveCriticalSection

LoadLibraryA

LoadResource

MultiByteToWideChar

ReadFile

RemoveDirectoryA

SetCurrentDirectoryA

SetEnvironmentVariableA

SetFileAttributesA

SetFilePointer

SetLastError

SetUnhandledExceptionFilter

SizeofResource

Sleep

TerminateProcess

TlsAlloc

WideCharToMultiByte

WriteFile

_stricmp

_strnicmp

ceil

fabs

fclose

floor

free

malloc

memcpy

memmove

memset

sprintf

strcmp

strcpy

strlen

strncmp

strncpy

strstr

tolower

CoInitialize

CoTaskMemFree

RevokeDragDrop

ShellExecuteExA

PathAddBackslashA

PathGetArgsA

PathQuoteSpacesA

PathRenameExtensionA

PathUnquoteSpacesA

AdjustWindowRectEx

CallWindowProcA

CharLowerA

CharUpperA

CreateAcceleratorTableA

CreateWindowExA

DefFrameProcA

DefWindowProcA

DestroyAcceleratorTable

DestroyIcon

DestroyWindow

DispatchMessageA

DrawTextA

EnableWindow

EnumChildWindows

EnumWindows

FillRect

GetActiveWindow

GetClassNameA

GetClientRect

GetDC

GetFocus

GetForegroundWindow

GetKeyState

GetMessageA

GetParent

GetPropA

GetSysColor

GetSysColorBrush

GetSystemMetrics

GetWindow

GetWindowLongA

GetWindowRect

GetWindowTextA

GetWindowTextLengthA

GetWindowThreadProcessId

IsChild

IsWindowEnabled

IsWindowVisible

LoadCursorA

LoadIconA

MessageBoxA

MsgWaitForMultipleObjects

PeekMessageA

PostMessageA

RedrawWindow

RegisterClassA

RegisterWindowMessageA

ReleaseDC

RemovePropA

SendMessageA

SetActiveWindow

SetFocus

SetPropA

SetRect

SetWindowLongA

SetWindowPos

ShowWindow

TranslateAcceleratorA

TranslateMessage

UnregisterClassA

timeBeginPeriod

Screenshots

Loading content, please wait...

Hybrid Analysis

Loading content, please wait...

Network Analysis

DNS Requests

No relevant DNS requests were made.

Contacted Hosts

No relevant hosts were contacted.

HTTP Traffic

No relevant HTTP requests were made.

Extracted Strings

All Details: Download All Memory Strings (3.6KiB)

!This program cannot be run in DOS mode.$

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

%d:%d:%d:%d

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

/c "%TEMP%\EF4.tmp\EFF.bat C:\19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe"

Ansi based on Process Commandline (cmd.exe)

19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe)

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> <v3:trustInfo xmlns:v3="urn:schemas-microsoft-com:asm.v3"> <v3:security> <v3:requestedPrivileges> ... level can be "asInvoker", "highestAvailable", or "requireAdministrator" --> <v3:requestedExecutionLevel level="highestAvailable" /> </v3:requestedPrivileges> </v3:security> </v3:trustInfo> </assembly> PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe, 00026014-00002536.00000002.32509.00414000.00000002.mdmp)

@.data

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

@shift /0

Ansi based on Dropped File (EFF.bat)

@shift /0echo ontaskkill /f /t /im mshta.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v webreflereg delete HKEY_CURRENT_USER\Software\Webrefle /frmdir "%ALLUSERSPROFILE%\refle" /s /qpauseexit

Ansi based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe)

\Sessions\1\Windows\ApiPort

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe)

\ThemeApiPort

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe)

`\??\Volume{8177f4e4-b53f-11e4-a9c2-806e6f6e6963}

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe)

`\??\Volume{8177f4e5-b53f-11e4-a9c2-806e6f6e6963}

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe)

`\??\Volume{8177f4e8-b53f-11e4-a9c2-806e6f6e6963}

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe)

cmd.exe

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe)

COMCTL32.DLL

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

command

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe)

Unicode based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

DisableLocalOverride

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe)

Division by zero (floating-point)

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

DllGetVersion

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

Floating-point overflow (exponent to great)

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

Floating-point underflow (exponent too small)

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

GetCommandLineA

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

GetCurrentProcess

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

GetCurrentProcessId

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

GetExitCodeProcess

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

GetForegroundWindow

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

GetKeyState

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

GetNativeSystemInfo

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

GetProcAddress

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

GetVersionExA

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

GetWindowThreadProcessId

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

Local

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe)

LocalizedName

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe)

LocalRedirectOnly

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe)

msimg32.dll

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

PathGetArgsA

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

PB_GadgetStack_%i

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

PB_MDI_Gadget

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v webrefle

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Webrefle /f

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v webrefle

Ansi based on Dropped File (EFF.bat)

reg delete HKEY_CURRENT_USER\Software\Webrefle /f

Ansi based on Dropped File (EFF.bat)

rmdir "%ALLUSERSPROFILE%\refle" /s /q

Ansi based on Dropped File (EFF.bat)

taskkill /f /t /im mshta.exe

Ansi based on Process Commandline (taskkill.exe)

taskkill /f /t /im mshta.exe

Ansi based on Dropped File (EFF.bat)

VS_VERSION_INFO

Unicode based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe)

{20D04FE0-3AEA-1069-A2D8-08002B30309D}

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe)

!This program cannot be run in DOS mode.$

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

%d:%d:%d:%d

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

*?\BFINOPSX

Unicode based on Hybrid Analysis (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

,,?,__,,,,,

Ansi based on Image Processing (screen_0.png)

,,__?,,,,,

Ansi based on Image Processing (screen_0.png)

-InitOnceExecuteOnce

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

.code

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

.rsrc

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

/c "%TEMP%\EF4.tmp\EFF.bat C:\19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe"

Ansi based on Process Commandline (cmd.exe)

0123456789abcdef

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

07D4DAA997062DF8370A38F262CA6E27 A5AFF3CB7F7D1D45782E2C1278281A8F F61520796AC427B514F7FF462596CEA2

Unicode based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe )

Unicode based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe , 00026014-00002536.00000002.32509.00414000.00000002.mdmp)

2147483648

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

3CDBD1C7

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe )

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe , 00026014-00002536.00000002.32509.00414000.00000002.mdmp)

?___?_

Ansi based on Image Processing (screen_0.png)

?GetLongPathNameA

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

@.data

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

@shift /0

Ansi based on Dropped File (EFF.bat)

Ansi based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe )

\Sessions\1\Windows\ApiPort

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe )

\ThemeApiPort

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe )

_,,,,qJ,,

Ansi based on Image Processing (screen_0.png)

_,_J,,,,,

Ansi based on Image Processing (screen_0.png)

_00__

Ansi based on Image Processing (screen_0.png)

__,,,

Ansi based on Image Processing (screen_0.png)

___,q?,?,m__?__q_,q_?_J??vm,,,,,

Ansi based on Image Processing (screen_0.png)

_____

Ansi based on Image Processing (screen_0.png)

_stricmp

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe , 00026014-00002536.00000002.32509.00412000.00000004.mdmp)

_strnicmp

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

`.rdata

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

`.text

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

`\??\Volume{8177f4e4-b53f-11e4-a9c2-806e6f6e6963}

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe )

`\??\Volume{8177f4e5-b53f-11e4-a9c2-806e6f6e6963}

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe )

`\??\Volume{8177f4e8-b53f-11e4-a9c2-806e6f6e6963}

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe )

AdjustWindowRectEx

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

AlphaBlend

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

AlwaysShowExt

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe )

AppData

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe )

Array bounds exceeded

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

Attributes

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe )

AuthenticodeEnabled

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe )

AutoCheckSelect

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe )

AutoDetect

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe )

BitBlt

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe , 00026014-00002536.00000002.32509.00412000.00000004.mdmp)

BrowseInPlace

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe )

Button

Ansi based on Hybrid Analysis (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

Cache

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe )

CallForAttributes

Unicode based on Runtime Data (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe )

CallWindowProcA

Ansi based on Memory/File Scan (19bb5e470504916a6db62b213fe5c9f4d18465b345adad3ad2ef13df36d0db79.exe.bin)

Loading VxStream Sandbox Report for "web refle.exe" ...

web refle.exe

Incident Response

Risk Assessment

Indicators

Malicious Indicators 7

Suspicious Indicators 16

Informative 9

File Details

web refle.exe

Resources

Visualization

Version Info

Classification (TrID)

File Sections

File Imports

Screenshots

Hybrid Analysis

Network Analysis

DNS Requests

Contacted Hosts

HTTP Traffic

Extracted Strings