Xcitium Cloud Verdict

Information Discovery

Reads data out of its own binary image Show sources

api_process_name	process: b2965a7783b66b66618be73bf8115e92dab29b57.exe, pid: 2576, offset: 0x00000000, length: 0x00010000
api_process_name	process: b2965a7783b66b66618be73bf8115e92dab29b57.exe, pid: 2576, offset: 0x0000ffec, length: 0x00010000
api_process_name	process: b2965a7783b66b66618be73bf8115e92dab29b57.exe, pid: 2576, offset: 0x0001ffd8, length: 0x00010000
api_process_name	process: b2965a7783b66b66618be73bf8115e92dab29b57.exe, pid: 2576, offset: 0x0002ffc4, length: 0x00010000
api_process_name	process: b2965a7783b66b66618be73bf8115e92dab29b57.exe, pid: 2576, offset: 0x0003ffb0, length: 0x00010000
api_process_name	process: b2965a7783b66b66618be73bf8115e92dab29b57.exe, pid: 2576, offset: 0x0004ff9c, length: 0x00010000
api_process_name	process: b2965a7783b66b66618be73bf8115e92dab29b57.exe, pid: 2576, offset: 0x0005ff88, length: 0x00010000
api_process_name	process: b2965a7783b66b66618be73bf8115e92dab29b57.exe, pid: 2576, offset: 0x0006ff74, length: 0x00010000
api_process_name	process: b2965a7783b66b66618be73bf8115e92dab29b57.exe, pid: 2576, offset: 0x0007ff60, length: 0x00010000
api_process_name	process: b2965a7783b66b66618be73bf8115e92dab29b57.exe, pid: 2576, offset: 0x0008ff4c, length: 0x00010000
api_process_name	process: b2965a7783b66b66618be73bf8115e92dab29b57.exe, pid: 2576, offset: 0x0009dc14, length: 0x00001000
api_process_name	process: b2965a7783b66b66618be73bf8115e92dab29b57.exe, pid: 2576, offset: 0x0009dc28, length: 0x00000200
api_process_name	process: b2965a7783b66b66618be73bf8115e92dab29b57.exe, pid: 2576, offset: 0x0009dcbf, length: 0x00000200
api_process_name	process: b2965a7783b66b66618be73bf8115e92dab29b57.exe, pid: 2576, offset: 0x0009dcdb, length: 0x000aab72
api_process_name	process: b2965a7783b66b66618be73bf8115e92dab29b57.exe, pid: 2576, offset: 0x00148845, length: 0x00000008

Static Anomaly

Anomalous binary characteristics Show sources

static_pe_anomaly

Actual checksum does not match that reported in PE header

Malware Analysis System Evasion

Network activity detected but not expressed in API logs

Hooking and other Techniques for Hiding Protection

Creates RWX memory Show sources

injection_rwx_memory

0x00000040, NtAllocateVirtualMemory or VirtualProtectEx

File Name: Odeme_Onay_Kopyas.exe

File Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA1: b2965a7783b66b66618be73bf8115e92dab29b57

MD5: 706aa6e6ec6c73d221f82bd4ab0d12c8