Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

• Malicious Indicators 2

• External Systems
  • Sample was identified as malicious by a trusted Antivirus engine

    details

    No specific details available

    source

    External System

    relevance

    5/10

  • Sample was identified as malicious by at least one Antivirus engine

    details

    2/37 Antivirus vendors marked sample as malicious (5% detection rate)
    3/71 Antivirus vendors marked sample as malicious (4% detection rate)

    source

    External System

    relevance

    8/10

• Suspicious Indicators 13

• Anti-Reverse Engineering
  • Possibly checks for known debuggers/analysis tools

    details

    "http://live.sysinternals.com/procdump.exe" (Indicator: "sysinternals")
    "http://live.sysinternals.com/procdump64.exe" (Indicator: "sysinternals")
    "Software\Sysinternals\ProcDump" (Indicator: "sysinternals")
    "Please download it manually from the SysInternals website" (Indicator: "sysinternals")
    "ProcDumpUrl = http://live.sysinternals.com/procdump.exe" (Indicator: "sysinternals")
    "ProcDump64Url = http://live.sysinternals.com/procdump64.exe" (Indicator: "sysinternals")

    source

    File/Memory

    relevance

    2/10

• Environment Awareness
  • Possibly tries to implement anti-virtualization techniques

    details

    "QEMU Drive detected - accept it as 'blu-ray' drive - Vendor >" (Indicator: "qemu")
    "VMware drive detected - assume bluray compatibility" (Indicator: "vmware")
    "Oracle Virtualbox 'VBOX CD-ROM' detected, continue with enumeration" (Indicator: "vbox")
    "Oracle Virtualbox 'VBOX CD-ROM' detected, continue with enumeration" (Indicator: "virtualbox")
    "VBOX CD-ROM" (Indicator: "vbox")
    "Oracle Virtualbox 'VBOX CD-ROM' detected - accept it as 'blu-ray' drive" (Indicator: "vbox")
    "Oracle Virtualbox 'VBOX CD-ROM' detected - accept it as 'blu-ray' drive" (Indicator: "virtualbox")
    "VBOX drive in 'passthrough' mode detected - assume it's a 'virtual' drive" (Indicator: "vbox")

    source

    File/Memory

    relevance

    4/10

    ATT&CK ID

    T1497 (Show technique in the MITRE ATT&CK™ matrix)

• External Systems
  • Found an IP/URL artifact that was identified as malicious by at least one reputation engine

    details

    2/88 reputation engines marked "http://example.com" as malicious (2% detection rate)

    source

    External System

    relevance

    10/10

• General
  • Reads configuration files

    details

    "FindVUK.exe" read file "C:\config\FindVUK.ini"

    source

    API Call

    relevance

    4/10

• Network Related
  • Found potential IP address in binary/memory

    details

    Potential IP "127.0.0.1" found in string "127.0.0.1/"
    "2.5.29.18"
    "2.5.29.19"
    "2.5.29.17"
    Potential IP "10.0.4.9" found in string "ERROR! Starting with DVDfab 10.0.4.9 the VUK is not available in memory any longer!"
    Potential IP "9.2.1.2" found in string "ERROR! Starting with Passkey 9.2.1.2 the VUK is not available im memory any longer!"

    source

    File/Memory

    relevance

    3/10

  • Sends traffic on typical HTTP outbound port, but without HTTP header

    details

    TCP traffic to 162.55.0.134 on port 80 is sent without HTTP header

    source

    Network Traffic

    relevance

    5/10

    ATT&CK ID

    T1043 (Show technique in the MITRE ATT&CK™ matrix)

  • Uses a User Agent typical for browsers, although no browser was ever launched

    details

    Found user agent(s): Mozilla/5.0 Gecko/41.0 Firefox/41.0

    source

    Network Traffic

    relevance

    10/10

• Remote Access Related
  • Reads terminal service related keys (often RDP related)

    details

    "FindVUK.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")

    source

    Registry Access

    relevance

    10/10

    ATT&CK ID

    T1076 (Show technique in the MITRE ATT&CK™ matrix)

• Unusual Characteristics
  • Imports suspicious APIs

    details

    RegCloseKey
    RegOpenKeyExW
    GetDriveTypeW
    GetFileAttributesA
    GetFileAttributesW
    UnhandledExceptionFilter
    GetTempPathW
    DeviceIoControl
    CopyFileW
    GetModuleFileNameW
    CreateThread
    TerminateProcess
    SleepEx
    CreateToolhelp32Snapshot
    LoadLibraryW
    GetVersionExW
    GetTickCount
    VirtualProtect
    LoadLibraryA
    GetFileSize
    OpenProcess
    CreateDirectoryW
    DeleteFileW
    GetProcAddress
    GetFileSizeEx
    FindNextFileW
    FindFirstFileW
    CreateFileW
    CreateFileA
    Process32NextW
    GetCommandLineW
    Process32FirstW
    GetModuleHandleA
    GetModuleHandleW
    WriteFile
    CreateProcessW
    Sleep
    VirtualAlloc
    ShellExecuteExW
    GetWindowThreadProcessId
    FindWindowExW
    FindWindowW
    accept
    WSAStartup
    connect
    closesocket
    send
    listen
    recv
    socket
    bind

    source

    Static Parser

    relevance

    1/10

  • Installs hooks/patches the running process

    details

    "FindVUK.exe" wrote bytes "c0df87771cf98677ccf886770d64887700000000c011037600000000fc3e037600000000e0130376000000009457f87525e08777c6e0877700000000bc6af77500000000cf310376000000009319f875000000002c32037600000000" to virtual address "0x77821000" (part of module "NSI.DLL")
    "FindVUK.exe" wrote bytes "711167007a3b6600ab8b02007f950200fc8c0200729602006cc805001ecd63007d266300" to virtual address "0x772607E4" (part of module "USER32.DLL")
    "FindVUK.exe" wrote bytes "7d078b7781ed8977ae868877c6e08777effd8a772d16897760148b77478d8877a8e287776089887700000000ad37fd758b2dfd75b641fd7500000000" to virtual address "0x73A81000" (part of module "WSHTCPIP.DLL")
    "FindVUK.exe" wrote bytes "0efc8a7781ed8977ae868877c6e08777effd8a772d168977c0fc8677da8f917760148b77478d8877a8e287776089887700000000ad37fd758b2dfd75b641fd7500000000" to virtual address "0x73A91000" (part of module "WSHIP6.DLL")

    source

    Hook Detection

    relevance

    10/10

    ATT&CK ID

    T1179 (Show technique in the MITRE ATT&CK™ matrix)

• Hiding 3 Suspicious Indicators
  • All indicators are available only in the private webservice or standalone version

• Informative 9

• General
  • Contacts domains

    details

    "fvonline-db.bplaced.net"

    source

    Network Traffic

    relevance

    1/10

  • Contacts server

    details

    "162.55.0.134:80"

    source

    Network Traffic

    relevance

    1/10

  • GETs files from a webserver

    details

    "GET /findvuk/release.ini HTTP/1.1
    Host: fvonline-db.bplaced.net
    User-Agent: Mozilla/5.0 Gecko/41.0 Firefox/41.0
    Accept: */*"

    source

    Network Traffic

    relevance

    5/10

• Installation/Persistence
  • Connects to LPC ports

    details

    "FindVUK.exe" connecting to "\ThemeApiPort"

    source

    API Call

    relevance

    1/10

  • Dropped files

    details

    "FindVUK.ini" has type "UTF-8 Unicode (with BOM) text with CRLF line terminators"
    "mod.update_Release.ini" has type "UTF-8 Unicode (with BOM) text with CRLF line terminators"
    "2021-06-26_FindVUK.txt" has type "ASCII text with CRLF line terminators"

    source

    Binary File

    relevance

    3/10

  • Touches files in the Windows directory

    details

    "FindVUK.exe" touched file "%WINDIR%\SysWOW64\tzres.dll"

    source

    API Call

    relevance

    7/10

• Network Related
  • Found potential URL in binary/memory

    details

    Heuristic match: "ftp@example.com"
    Pattern match: "https://curl.haxx.se/docs/http-cookies.html"
    Pattern match: "http://www.w3.org/XML/1998/namespace"
    Pattern match: "http://www.w3.org/2000/xmlns/"
    Pattern match: "http://fvonline-db.bplaced.net/fv_download.php"
    Pattern match: "http://live.sysinternals.com/procdump.exe"
    Pattern match: "http://forum.doom9.org/showthread.php?t=171298"
    Pattern match: "http://forum.doom9.org/showthread.php?t=172914"
    Pattern match: "http://fvonline-db.bplaced.net/fv_upload.php"
    Pattern match: "http://live.sysinternals.com/procdump64.exe"
    Pattern match: "http://fvonline-db.bplaced.net/findvuk/release.ini"
    Pattern match: "http://www.labdv.com/aacs/keydb-upload.php"
    Heuristic match: "fvonline-db.bplaced.net"

    source

    File/Memory

    relevance

    10/10

• System Security
  • Opens the Kernel Security Device Driver (KsecDD) of Windows

    details

    "FindVUK.exe" opened "\Device\KsecDD"

    source

    API Call

    relevance

    10/10

    ATT&CK ID

    T1215 (Show technique in the MITRE ATT&CK™ matrix)

• Unusual Characteristics
  • Matched Compiler/Packer signature

    details

    "310c3cb46b99d3e745b9e612f6a31480822efc0220e3cbc59322e4d35f493328.bin" was detected as "PureBasic 4.x -> Neil Hodgson"

    source

    Static Parser

    relevance

    10/10

    ATT&CK ID

    T1045 (Show technique in the MITRE ATT&CK™ matrix)

File Sections

File Resources

File Imports

• ADVAPI32.dll
• COMCTL32.DLL
• CRYPT32.DLL
• GDI32.DLL
• KERNEL32.dll
• MSVCRT.dll
• OLE32.DLL
• RPCRT4.DLL
• SHELL32.DLL
• USER32.DLL
• VERSION.DLL
• WINMM.DLL
• WS2_32.DLL
• WSOCK32.DLL

DNS Requests

Domain	Address	Registrar	Country
fvonline-db.bplaced.net OSINT Associated Artifacts for fvonline-db.bplaced.net Whois Field Value Address Erdbergstr. 81 - 27 City Wien Country AT Creation Date 2007-09-05T00:00:00 Creation Date 2007-11-05T09:02:12 DNSSEC unsigned Domain Name BPLACED.NET Domain Name bplaced.net EMail en.complaint@cps-datensysteme.de EMail xrmb2@hotmail.com Expiration Date 2017-09-05T00:00:00 Expiration Date 2017-09-04T23:00:00 name Miroslav Bozic Name Server NS1.BPLACED.NET Name Server ns3.bplaced.net Organization - Referral URL http://www.cps-datensysteme.de Reigstrar CPS-Datensysteme GmbH State - Status clientTransferProhibited https://icann.org/epp#clientTransferProhibited Status local_query Last Update 2017-03-25T00:00:00 Last Update 2017-03-25T16:09:25 Whois Server whois.cps-datensysteme.de Zip Code 1030	162.55.0.134 TTL: 599	CPS-Datensysteme GmbH Organization: - Name Server: NS1.BPLACED.NET Creation Date: 2007-09-05T00:00:00	United States

Contacted Hosts

IP Address	Port/Protocol	Associated Process	Details
162.55.0.134 OSINT Associated Artifacts for 162.55.0.134 Details Associated URL Threat Level Positives Scan Date Reference Associated URL http://eternitygen.bplaced.net/panel/gate.php Threat Level malicious Positives 2/88 Scan Date 06/25/2021 21:48:08 Reference - http://eternitygen.bplaced.net/panel/gate.php malicious 2/88 06/25/2021 21:48:08 - Associated URL http://www.jentivecode.com/Programs/ Threat Level suspicious Positives 1/88 Scan Date 06/24/2021 19:24:18 Reference - http://www.jentivecode.com/Programs/ suspicious 1/88 06/24/2021 19:24:18 - Associated URL http://phpmyadmin.h2o.bplaced.net/ Threat Level malicious Positives 3/88 Scan Date 06/23/2021 11:49:22 Reference - http://phpmyadmin.h2o.bplaced.net/ malicious 3/88 06/23/2021 11:49:22 - Associated URL http://phpmyadmin.inno.bplaced.net/ Threat Level malicious Positives 2/88 Scan Date 06/23/2021 11:42:08 Reference - http://phpmyadmin.inno.bplaced.net/ malicious 2/88 06/23/2021 11:42:08 - Associated URL http://phpmyadmin.lichtenstein.bplaced.net/ Threat Level malicious Positives 2/88 Scan Date 06/23/2021 11:15:52 Reference - http://phpmyadmin.lichtenstein.bplaced.net/ malicious 2/88 06/23/2021 11:15:52 - Details Domain Threat Level Positives Last Resolved Reference Domain allaboutsec.de Threat Level - Positives - Last Resolved 06/25/2021 20:49:46 VirusTotal Report allaboutsec.de - - 06/25/2021 20:49:46 Report Domain donaldtest.bplaced.net Threat Level - Positives - Last Resolved 06/25/2021 12:01:34 VirusTotal Report donaldtest.bplaced.net - - 06/25/2021 12:01:34 Report Domain exzessiv-andersartig.de Threat Level - Positives - Last Resolved 06/25/2021 11:14:07 VirusTotal Report exzessiv-andersartig.de - - 06/25/2021 11:14:07 Report Domain graldron.bplaced.net Threat Level - Positives - Last Resolved 06/25/2021 14:04:37 VirusTotal Report graldron.bplaced.net - - 06/25/2021 14:04:37 Report Domain humanreflection.square7.ch Threat Level - Positives - Last Resolved 06/25/2021 14:12:44 VirusTotal Report humanreflection.square7.ch - - 06/25/2021 14:12:44 Report	80 TCP	findvuk.exe PID: 4024	United States

HTTP Traffic

     0 : AC 1F 6B 0D DB 84 08 00 27 52 08 9E 08 00 45 00 [..k.....'R....E.]
    10 : 00 AA 00 88 40 00 80 06 A3 CB C0 A8 F2 94 A2 37 [....@..........7]
    20 : 00 86 C0 0C 00 50 2E 2A 58 70 54 DE 11 57 50 18 [.....P.*XpT..WP.]
    30 : 01 00 2F CB 00 00 47 45 54 20 2F 66 69 6E 64 76 [../...GET /findv]
    40 : 75 6B 2F 72 65 6C 65 61 73 65 2E 69 6E 69 20 48 [uk/release.ini H]
    50 : 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 66 [TTP/1.1..Host: f]
    60 : 76 6F 6E 6C 69 6E 65 2D 64 62 2E 62 70 6C 61 63 [vonline-db.bplac]
    70 : 65 64 2E 6E 65 74 0D 0A 55 73 65 72 2D 41 67 65 [ed.net..User-Age]
    80 : 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 [nt: Mozilla/5.0 ]
    90 : 47 65 63 6B 6F 2F 34 31 2E 30 20 46 69 72 65 66 [Gecko/41.0 Firef]
    A0 : 6F 78 2F 34 31 2E 30 0D 0A 41 63 63 65 70 74 3A [ox/41.0..Accept:]
    B0 : 20 2A 2F 2A 0D 0A 0D 0A [ */*....]