Category: FILE
Started On: 2016-10-31 17:31:14.361973
Completed On: 2016-10-31 17:32:35.610333
Duration: 81 seconds
Cuckoo Version: 2.0-dev

Machine: win7cuckoo2
Label: win7 Clone 2
Manager: VirtualBox
Started On: 2016-10-31 17:31:15
Shutdown On: 2016-10-31 17:32:35

File Details

File name 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.bin
File size 50861 bytes
File type PE32 executable for MS Windows (GUI) Intel 80386 32-bit
CRC32 F634B5FD
MD5 46bfd4f1d581d7c0121d2b19a005d3df
SHA1 5b063298bbd1670b4d39e1baef67f854b8dcba9d
SHA256 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96
SHA512 b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5
Ssdeep 768:AbFw10RFnAwJM7MiqwecUaX5h4IuCdYa+XLXTGY1idL2WYiwtDj:Apw10vnAOIUaJh4IXdWXLXTWLfuFj
PEiD None matched
Yara None matched
VirusTotal Scan Date: 2016-10-24 16:40:10
VirusTotal Detection Rate: 50/55

MetaFlows Scores

Metaflows Analysis Results (Signatures=125, Anomalies=0, PEiD=0, Yara=0, VT[1477935161]=100): Snort Events=0, AV Events=2
Total Score=125

CLAMAV DETECTED:
Win.Trojan.Agent-1716741 FOUND
Win.Trojan.Satana-3 FOUND

Dropped File/Buffer Yara Signatures:
1062aadc923921102d2589517a9106cc2c8f0693 [BUFFER]: embedded_win_api
1062aadc923921102d2589517a9106cc2c8f0693 [BUFFER]: shellcode

Signatures

has_pdb details
dumped_buffer details
injection_runpe details

Screenshots

No screenshots available.

Static Analysis

Sections

Resources

Imports

Strings

Dropped Files

Nothing to display.

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

Processes


C:\Windows\system32\lsass.exe PID: 460, Parent PID: 364

"C:\Users\Harry Dresden\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.bin" PID: 5516, Parent PID: 4304

"C:\Users\Harry Dresden\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.bin" PID: 3956, Parent PID: 5516

Volatility

Nothing to display.