Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'VueScan x32 v9.7.50+ Patcher v1.2.exe'

malicious

Threat Score: 100/100 AV Detection: 73% Labeled as: HackTool.Patcher

VueScan x32 v9.7.50+ Patcher v1.2.exe

This report is generated from a file or URL submitted to this webservice on June 10th 2021 13:18:17 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.48.8 © Hybrid Analysis

Overview Sample unavailable Re-analyze Hash Seen Before Show Similar Samples Report False-Positive Request Report Deletion

Incident Response

Risk Assessment

Evasive: Marks file for deletion

MITRE ATT&CK™ Techniques Detection

This report has 5 indicators that were mapped to 7 attack techniques and 5 tactics. View all details

Persistence
ATT&CK ID	Name	Tactics	Description	Malicious Indicators	Suspicious Indicators	Informative Indicators
T1179	Hooking	Persistence Privilege Escalation Credential Access	Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Learn more		Installs hooks/patches the running process
T1215	Kernel Modules and Extensions	Persistence	Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Learn more			Opens the Kernel Security Device Driver (KsecDD) of Windows
Privilege Escalation
ATT&CK ID	Name	Tactics	Description	Malicious Indicators	Suspicious Indicators	Informative Indicators
T1179	Hooking	Persistence Privilege Escalation Credential Access	Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Learn more		Installs hooks/patches the running process
Defense Evasion
ATT&CK ID	Name	Tactics	Description	Malicious Indicators	Suspicious Indicators	Informative Indicators
T1107	File Deletion	Defense Evasion	Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Learn more		Marks file for deletion
T1045	Software Packing	Defense Evasion	Software packing is a method of compressing or encrypting an executable. Learn more			Matched Compiler/Packer signature
Credential Access
ATT&CK ID	Name	Tactics	Description	Malicious Indicators	Suspicious Indicators	Informative Indicators
T1179	Hooking	Persistence Privilege Escalation Credential Access	Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Learn more		Installs hooks/patches the running process
Discovery
ATT&CK ID	Name	Tactics	Description	Malicious Indicators	Suspicious Indicators	Informative Indicators
T1012	Query Registry	Discovery	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. Learn more		Reads information about supported languages

Indicators

Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

Malicious Indicators 5
External Systems
- Sample was identified as malicious by a large number of Antivirus engines
  
  details
  
  44/67 Antivirus vendors marked sample as malicious (65% detection rate)
  
  source
  
  External System
  
  relevance
  
  10/10
- Sample was identified as malicious by at least one Antivirus engine
  
  details
  
  44/67 Antivirus vendors marked sample as malicious (65% detection rate)
  
  source
  
  External System
  
  relevance
  
  8/10
General
- The analysis extracted a file that was identified as malicious
  
  details
  
  37/67 Antivirus vendors marked dropped file "dup2patcher.dll" as malicious (classified as "HackTool.Patcher" with 55% detection rate)
  
  source
  
  Binary File
  
  relevance
  
  10/10
Pattern Matching
- YARA signature match
  
  details
  
  YARA signature "CN_Honker_Acunetix_Web_Vulnerability_Scanner_8_x_Enterprise_Edition_KeyGen" matched file "1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin" as "Sample from CN Honker Pentest Toolset - file Acunetix_Web_Vulnerability_Scanner_8.x_Enterprise_Edition_KeyGen.exe" based on indicators: "<description>Patch</description>,\dup2patcher.dll,load_patcher" (Reference: Disclosed CN Honker Pentest Toolset, Author: Florian Roth)
  YARA signature "CN_Honker_Acunetix_Web_Vulnerability_Scanner_8_x_Enterprise_Edition_KeyGen" matched file "all.bstring" as "Sample from CN Honker Pentest Toolset - file Acunetix_Web_Vulnerability_Scanner_8.x_Enterprise_Edition_KeyGen.exe" based on indicators: "<description>Patch</description>,\dup2patcher.dll,load_patcher" (Reference: Disclosed CN Honker Pentest Toolset, Author: Florian Roth)
  
  source
  
  YARA Signature
  
  relevance
  
  10/10
Hiding 1 Malicious Indicators
- All indicators are available only in the private webservice or standalone version

Suspicious Indicators 8
Anti-Reverse Engineering
- PE file has unusual entropy sections
  
  details
  
  .rsrc with unusual entropies 7.74497265598
  
  source
  
  Static Parser
  
  relevance
  
  10/10
Installation/Persistence
- Drops executable files
  
  details
  
  "dup2patcher.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  
  source
  
  Binary File
  
  relevance
  
  10/10
System Destruction
- Marks file for deletion
  
  details
  
  "C:\VueScanx32v9.7.50_Patcherv1.2.exe" marked "%TEMP%\dup2patcher.dll" for deletion
  
  source
  
  API Call
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1107 (Show technique in the MITRE ATT&CK™ matrix)
- Opens file with deletion access rights
  
  details
  
  "VueScanx32v9.7.50_Patcherv1.2.exe" opened "%TEMP%\dup2patcher.dll" with delete access
  
  source
  
  API Call
  
  relevance
  
  7/10
Unusual Characteristics
- CRC value set in PE header does not match actual value
  
  details
  
  "1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin" claimed CRC 60637 while the actual is CRC 132893
  "dup2patcher.dll" claimed CRC 104727 while the actual is CRC 74355
  
  source
  
  Static Parser
  
  relevance
  
  10/10
- Imports suspicious APIs
  
  details
  
  GetTempPathA
  GetModuleHandleA
  DeleteFileA
  WriteFile
  CreateFileA
  GetProcAddress
  FindResourceA
  VirtualAlloc
  LoadLibraryA
  RegCloseKey
  RegDeleteValueA
  RegCreateKeyExA
  RegOpenKeyExA
  GetFileAttributesA
  CopyFileA
  GetVersionExA
  GetModuleFileNameA
  GetFileSize
  CreateDirectoryA
  GetCommandLineA
  CreateThread
  MapViewOfFile
  FindFirstFileA
  CreateFileMappingA
  CreateProcessA
  Sleep
  ShellExecuteExA
  ShellExecuteA
  GetCursorPos
  
  source
  
  Static Parser
  
  relevance
  
  1/10
- Installs hooks/patches the running process
  
  details
  
  "VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "c04ed0772054d177e065d177b538d2770000000000d0bc7600000000c5eabc760000000088eabc7600000000e968c2758228d277ee29d27700000000d269c275000000007dbbbc760000000009bec27500000000ba18bc7600000000" to virtual address "0x77E31000" (part of module "NSI.DLL")
  "VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "f811a675" to virtual address "0x75A783C4" (part of module "SSPICLI.DLL")
  "VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "4812a675" to virtual address "0x75A78364" (part of module "SSPICLI.DLL")
  "VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "4812a675" to virtual address "0x75A783C0" (part of module "SSPICLI.DLL")
  "VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "f811a675" to virtual address "0x75A783E0" (part of module "SSPICLI.DLL")
  "VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "f8110000" to virtual address "0x75A612CC" (part of module "SSPICLI.DLL")
  "VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "da45bc7652bebd76cda6bc7687f1bc7613dbbc76bccebc76c483be7685debc76ca9ebc766058d0774557bc765ac6bc7681a8bc7688eabc7681ecbc763f87bb761656bd7600000000" to virtual address "0x00EB2000" (part of module "VUESCANX32V9.7.50_PATCHERV1.2.EXE")
  "VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "f811a675" to virtual address "0x75A7834C" (part of module "SSPICLI.DLL")
  "VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "f8110000" to virtual address "0x75A61408" (part of module "SSPICLI.DLL")
  "VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "b890121170ffe0" to virtual address "0x75A61248" (part of module "SSPICLI.DLL")
  "VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "4812a675" to virtual address "0x75A78348" (part of module "SSPICLI.DLL")
  "VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "f811a675" to virtual address "0x75A78368" (part of module "SSPICLI.DLL")
  "VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "b880111170ffe0" to virtual address "0x76F91368" (part of module "WS2_32.DLL")
  "VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "68130000" to virtual address "0x76F91680" (part of module "WS2_32.DLL")
  "VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "48120000" to virtual address "0x75A6139C" (part of module "SSPICLI.DLL")
  "VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "48120000" to virtual address "0x75A612DC" (part of module "SSPICLI.DLL")
  "VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "4812a675" to virtual address "0x75A783DC" (part of module "SSPICLI.DLL")
  "VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "b810151170ffe0" to virtual address "0x75A611F8" (part of module "SSPICLI.DLL")
  
  source
  
  Hook Detection
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1179 (Show technique in the MITRE ATT&CK™ matrix)
- Reads information about supported languages
  
  details
  
  "VueScanx32v9.7.50_Patcherv1.2.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  
  source
  
  Registry Access
  
  relevance
  
  3/10
  
  ATT&CK ID
  
  T1012 (Show technique in the MITRE ATT&CK™ matrix)

Informative 6
General
- Creates a writable file in a temporary directory
  
  details
  
  "VueScanx32v9.7.50_Patcherv1.2.exe" created file "%TEMP%\dup2patcher.dll"
  
  source
  
  API Call
  
  relevance
  
  1/10
Installation/Persistence
- Connects to LPC ports
  
  details
  
  "VueScanx32v9.7.50_Patcherv1.2.exe" connecting to "\ThemeApiPort"
  
  source
  
  API Call
  
  relevance
  
  1/10
- Dropped files
  
  details
  
  "dup2patcher.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  
  source
  
  Binary File
  
  relevance
  
  3/10
- Touches files in the Windows directory
  
  details
  
  "VueScanx32v9.7.50_Patcherv1.2.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
  "VueScanx32v9.7.50_Patcherv1.2.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
  "VueScanx32v9.7.50_Patcherv1.2.exe" touched file "%WINDIR%\System32\en-US\msctf.dll.mui"
  "VueScanx32v9.7.50_Patcherv1.2.exe" touched file "%WINDIR%\System32\en-US\user32.dll.mui"
  
  source
  
  API Call
  
  relevance
  
  7/10
System Security
- Opens the Kernel Security Device Driver (KsecDD) of Windows
  
  details
  
  "VueScanx32v9.7.50_Patcherv1.2.exe" opened "\Device\KsecDD"
  
  source
  
  API Call
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1215 (Show technique in the MITRE ATT&CK™ matrix)
Unusual Characteristics
- Matched Compiler/Packer signature
  
  details
  
  "1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin" was detected as "Safeguard v1.03 -> Simonzh"
  
  source
  
  Static Parser
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1045 (Show technique in the MITRE ATT&CK™ matrix)

File Details

All Details:

VueScan x32 v9.7.50+ Patcher v1.2.exe

Filename: VueScan x32 v9.7.50+ Patcher v1.2.exe
Size: 78KiB (79872 bytes)
Type: peexe executable
Description: PE32 executable (GUI) Intel 80386, for MS Windows
Architecture
: WINDOWS
SHA256
: 1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc
MD5
: 82d9249cf0a8216c4dd1dff20321e26f
SHA1
: 13124c9c7601883476fd63358db213585900a0cd
ssdeep
: 1536:GhN0rbd6+w4dqlDC0jg5+VEaUMxd95U+ZObe5ySdvP1k:Gho6gqlDXsMVuMn95U+QSAQvP1
imphash
: dc73a9bd8de0fd640549c85ac4089b87
authentihash
: fdfdd2b9dae4d30d84c0ac6ca0865cb2a8090a9d79d750d5b347f9ee82428a12
Compiler/Packer
: Safeguard v1.03 -> Simonzh

Resources

Language
: NEUTRAL
Icon

Visualization

Input File (PortEx)

Classification (TrID)

61.7% (.EXE) Win64 Executable (generic)
14.7% (.DLL) Win32 Dynamic Link Library (generic)
10.0% (.EXE) Win32 Executable (generic)
4.5% (.EXE) OS/2 Executable (generic)
4.4% (.EXE) Generic Win/DOS Executable

File Metadata

1 .OBJ Files (COFF) linked with LINK.EXE 10.10 (Visual Studio 2010) (build: 30319)
1 .RES Files linked with CVTRES.EXE 10.00 (Visual Studio 2010) (build: 30319)
1 .ASM Files assembled with MASM 10.00 (Visual Studio 2010) (build: 30319)

3 .LIB Files generated with LIB.EXE 10.00 (Visual Studio 2010) (build: 30319)
1 .ASM Files assembled with MASM 6.14 (Visual Studio 6 SP2) (build: 8444)

File contains assembly code
File appears to contain raw COFF/OMF content
File is the product of a small codebase (1 files)

File Sections

Details	Name	Entropy	Virtual Address	Virtual Size	Raw Size	MD5	Characteristics
Name .text Entropy 5.06407990051 Virtual Address 0x1000 Virtual Size 0x1f6 Raw Size 0x200 MD5 4c584307e5aa70f515ee8c3d942e5f6c	.text	5.06407990051	0x1000	0x1f6	0x200	4c584307e5aa70f515ee8c3d942e5f6c	-
Name .rdata Entropy 4.27063873433 Virtual Address 0x2000 Virtual Size 0x1d8 Raw Size 0x200 MD5 e5aa65265e17d8a1b524adbc10c0a1ad	.rdata	4.27063873433	0x2000	0x1d8	0x200	e5aa65265e17d8a1b524adbc10c0a1ad	-
Name .data Entropy 0.568988040426 Virtual Address 0x3000 Virtual Size 0x34 Raw Size 0x200 MD5 f8fedf1be1122ff5cd0e5b4716311cc5	.data	0.568988040426	0x3000	0x34	0x200	f8fedf1be1122ff5cd0e5b4716311cc5	-
Name .rsrc Entropy 7.74497265598 Virtual Address 0x4000 Virtual Size 0x12a04 Raw Size 0x12c00 MD5 d3aab901673e23f16e42dc02d45edd1c	.rsrc	7.74497265598	0x4000	0x12a04	0x12c00	d3aab901673e23f16e42dc02d45edd1c	-
Name .reloc Entropy 0.736046433021 Virtual Address 0x17000 Virtual Size 0x52 Raw Size 0x200 MD5 2e6554ffc943448b686d85ad68f9ec9a	.reloc	0.736046433021	0x17000	0x52	0x200	2e6554ffc943448b686d85ad68f9ec9a	-

File Resources

Details	Name	RVA	Size	Type	Language
Name RT_ICON RVA 0x4198 Size 0x468 Type GLS_BINARY_LSB_FIRST Language Neutral	RT_ICON	0x4198	0x468	GLS_BINARY_LSB_FIRST	Neutral
Name RT_ICON RVA 0x4600 Size 0x10a8 Type data Language Neutral	RT_ICON	0x4600	0x10a8	data	Neutral
Name RT_ICON RVA 0x56a8 Size 0x25a8 Type data Language Neutral	RT_ICON	0x56a8	0x25a8	data	Neutral
Name RT_RCDATA RVA 0x7c50 Size 0xea00 Type data Language Neutral	RT_RCDATA	0x7c50	0xea00	data	Neutral
Name RT_GROUP_ICON RVA 0x16650 Size 0x30 Type MS Windows icon resource - 3 icons, 16x16 Language Neutral	RT_GROUP_ICON	0x16650	0x30	MS Windows icon resource - 3 icons, 16x16	Neutral
Name RT_MANIFEST RVA 0x16680 Size 0x382 Type XML 1.0 document, ASCII text, with CRLF line terminators Language Neutral	RT_MANIFEST	0x16680	0x382	XML 1.0 document, ASCII text, with CRLF line terminators	Neutral

File Imports

kernel32.dll

CloseHandle

CreateFileA

DeleteFileA

ExitProcess

FindResourceA

FlushFileBuffers

FreeLibrary

GetModuleHandleA

GetProcAddress

GetTempPathA

LoadLibraryA

LoadResource

lstrcatA

RtlMoveMemory

SizeofResource

VirtualAlloc

WriteFile

Screenshots

Loading content, please wait...

Hybrid Analysis

Tip: Click an analysed process below to view more details.

Analysed 1 process in total (System Resource Monitor).

VueScanx32v9.7.50_Patcherv1.2.exe (PID: 2408) 44/67

Logged Script Calls	Logged Stdout	Extracted Streams	Memory Dumps
Reduced Monitoring	Network Activityy	Network Error	Multiscan Match

Network Analysis

DNS Requests

No relevant DNS requests were made.

Contacted Hosts

No relevant hosts were contacted.

HTTP Traffic

No relevant HTTP requests were made.

Extracted Strings

Download All Memory Strings (612B)

!This program cannot be run in DOS mode.$

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

&F9n;(<=t

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

/>&9(>"3)

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

/help : show help menu

Ansi based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

00060101.00060101

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

0______D9

Ansi based on Image Processing (screen_2.png)

0hI8keB8ckup,

Ansi based on Image Processing (screen_2.png)

181>1D1J1P1V1\1b1h1n1t1z1

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

3m&OpHhcT

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="2.0.0.0" processorArchitecture="X86" name="Patch" type="win32" /> <description>Patch</description> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo></assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

?__;?,___gq_,9,

Ansi based on Image Processing (screen_0.png)

\dup2patcher.dll

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

\Sessions\1\Windows\ApiPort

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

\ThemeApiPort

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

_?__?_?v?______

Ansi based on Image Processing (screen_0.png)

__0____q__

Ansi based on Image Processing (screen_2.png)

___________

Ansi based on Image Processing (screen_2.png)

______q0_____

Ansi based on Image Processing (screen_2.png)

_A_n8teVueSc8n

Ansi based on Image Processing (screen_2.png)

_F_len8me_

Ansi based on Image Processing (screen_2.png)

`hv&9(5kJ

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

C@=5ZVRWYUSkDA>xkea

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

Cl0seVueSc8n

Ansi based on Image Processing (screen_2.png)

CloseHandle

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

Com+Enabled

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

CompatDll

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

CreateFileA

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

CWDIllegalInDLLSearch

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

DataFilePath

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

DeleteFileA

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

DINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

DisableMetaFiles

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

DisableUserModeCallbackFilter

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

EnableAnchorContext

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

ExitProcess

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

FindResourceA

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

FlushFileBuffers

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

FreeLibrary

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

GetModuleHandleA

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

GetProcAddress

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

GetTempPathA

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

h_8__y1___0_1

Ansi based on Image Processing (screen_2.png)

Inst8lIVueSc8n

Ansi based on Image Processing (screen_2.png)

kernel32.dll

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

Language Hotkey

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

Layout Hotkey

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

load_patcher

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

LoadAppInit_DLLs

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

LoadLibraryA

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

LoadResource

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

MachinePreferredUILanguages

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

MaxSxSHashCount

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

PageAllocatorSystemHeapIsPrivate

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

PageAllocatorUseSystemHeap

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

PreferExternalManifest

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

PreferredUILanguages

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

RtlMoveMemory

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

SafeDllSearchMode

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

SizeofResource

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

ThemeApiConnectionRequest

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

TransparentEnabled

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

TurnOffSPIAnimations

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

VirtualAlloc

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

vuescan_av9.7S0+_atcherv1_

Ansi based on Image Processing (screen_2.png)

WriteFile

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

\Sessions\1\Windows\ApiPort

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

\ThemeApiPort

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

Com+Enabled

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

CompatDll

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

ExitProcess

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

GetModuleHandleA

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

GetProcAddress

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

GetTempPathA

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

Inst8lIVueSc8n

Ansi based on Image Processing (screen_2.png)

Language Hotkey

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

Layout Hotkey

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

ThemeApiConnectionRequest

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

vuescan_av9.7S0+_atcherv1_

Ansi based on Image Processing (screen_2.png)

!This program cannot be run in DOS mode.$

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

&F9n;(<=t

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

/>&9(>"3)

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

181>1D1J1P1V1\1b1h1n1t1z1

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

3m&OpHhcT

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

\dup2patcher.dll

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

`hv&9(5kJ

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

C@=5ZVRWYUSkDA>xkea

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

CloseHandle

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

CreateFileA

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

DeleteFileA

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

ExitProcess

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

FindResourceA

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

FlushFileBuffers

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

FreeLibrary

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

GetModuleHandleA

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

GetProcAddress

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

GetTempPathA

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

kernel32.dll

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

load_patcher

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

LoadLibraryA

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

LoadResource

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

RtlMoveMemory

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

SizeofResource

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

VirtualAlloc

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

WriteFile

Ansi based on Memory/File Scan (1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin)

/help : show help menu

Ansi based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

00060101.00060101

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

\Sessions\1\Windows\ApiPort

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

\ThemeApiPort

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

Com+Enabled

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

CompatDll

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

CWDIllegalInDLLSearch

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

DataFilePath

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

DisableMetaFiles

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

DisableUserModeCallbackFilter

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

EnableAnchorContext

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

Language Hotkey

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

Layout Hotkey

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

LoadAppInit_DLLs

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

MachinePreferredUILanguages

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

MaxSxSHashCount

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

PageAllocatorSystemHeapIsPrivate

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

PageAllocatorUseSystemHeap

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

PreferExternalManifest

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

PreferredUILanguages

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

SafeDllSearchMode

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

ThemeApiConnectionRequest

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

TransparentEnabled

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

TurnOffSPIAnimations

Unicode based on Runtime Data (VueScanx32v9.7.50_Patcherv1.2.exe )

0______D9

Ansi based on Image Processing (screen_2.png)

0hI8keB8ckup,

Ansi based on Image Processing (screen_2.png)

__0____q__

Ansi based on Image Processing (screen_2.png)

___________

Ansi based on Image Processing (screen_2.png)

______q0_____

Ansi based on Image Processing (screen_2.png)

_A_n8teVueSc8n

Ansi based on Image Processing (screen_2.png)

_F_len8me_

Ansi based on Image Processing (screen_2.png)

Cl0seVueSc8n

Ansi based on Image Processing (screen_2.png)

h_8__y1___0_1

Ansi based on Image Processing (screen_2.png)

Inst8lIVueSc8n

Ansi based on Image Processing (screen_2.png)

vuescan_av9.7S0+_atcherv1_

Ansi based on Image Processing (screen_2.png)

?__;?,___gq_,9,

Ansi based on Image Processing (screen_0.png)

_?__?_?v?______

Ansi based on Image Processing (screen_0.png)

Extracted Files

Malicious 1

dup2patcher.dll

Overview Download Disabled Extended File Details VirusTotal Report Hash Seen Before

Size
59KiB (59904 bytes)

Type
pedll executable

Description
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

AV Scan Result
Labeled as "HackTool.Patcher" (37/67)

Runtime Process
VueScanx32v9.7.50_Patcherv1.2.exe (PID: 2408)

MD5

032dca65f80a1c12979837a27e5fed35

SHA1

a385d8f1700e9d2b32d60b3d96d8d6d2db5144a8

SHA256

a6e44ca9e89a094bbd6bea6c9062d86ad4491ff020973ca85ab12aa2d398ae57

Extended File Details

dup2patcher.dll

Filename: dup2patcher.dll
Size: 59KiB (59904 bytes)
Type: pedll executable
Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Architecture
: 32 Bit
MD5
: 032dca65f80a1c12979837a27e5fed35
SHA1
: a385d8f1700e9d2b32d60b3d96d8d6d2db5144a8
SHA256
: a6e44ca9e89a094bbd6bea6c9062d86ad4491ff020973ca85ab12aa2d398ae57
SHA512
: 01811bf56c29559bf9043fc3edf3b3a9d46dbff04d5018a81f19f2d769aea6bc5782e43a129df270a59309ed2ca6e2dc08bb9134f52e9f1ffd2f2eb8b364aee5
ssdeep
: 1536:i/Tilc2ldltF9j6RW8HC/1lxC+oU0ODbEI:wTYc2ldltF9jWW8HC/1lxC+oU0ODb
imphash
: 83020f15ee2bf91778ac579a3da17a47
authentihash
: cbcd890d6ab95170e6d4a01a8204beadd6b50160966abc2778b4c9cfac36a376

File Sections

Details	Name	Entropy	Virtual Address	Virtual Size	Raw Size	MD5
Name .text Entropy 6.46967941375 Virtual Address 0x1000 Virtual Size 0x984a Raw Size 0x9a00 MD5 630036cb54e7f57d038ff4e758d19300	.text	6.46967941375	0x1000	0x984a	0x9a00	630036cb54e7f57d038ff4e758d19300
Name .rdata Entropy 4.8942902605 Virtual Address 0xb000 Virtual Size 0x1012 Raw Size 0x1200 MD5 9d9e0caf081d12bd2054b1f9f8747760	.rdata	4.8942902605	0xb000	0x1012	0x1200	9d9e0caf081d12bd2054b1f9f8747760
Name .data Entropy 4.92852180606 Virtual Address 0xd000 Virtual Size 0x157b8 Raw Size 0xa00 MD5 80e4d51bc569aa91cd637e3c92bafcc8	.data	4.92852180606	0xd000	0x157b8	0xa00	80e4d51bc569aa91cd637e3c92bafcc8
Name .rsrc Entropy 3.88736089899 Virtual Address 0x23000 Virtual Size 0x24b4 Raw Size 0x2600 MD5 a2ea5317106cdacf889f7badcad387f7	.rsrc	3.88736089899	0x23000	0x24b4	0x2600	a2ea5317106cdacf889f7badcad387f7
Name .reloc Entropy 6.12481938752 Virtual Address 0x26000 Virtual Size 0x95a Raw Size 0xa00 MD5 229327a048e1470575c5f96c41498a2a	.reloc	6.12481938752	0x26000	0x95a	0xa00	229327a048e1470575c5f96c41498a2a

File Imports

RegCloseKey

RegCreateKeyExA

RegDeleteValueA

RegOpenKeyExA

RegQueryValueExA

RegSetValueExA

GetOpenFileNameA

GetSaveFileNameA

AddFontResourceA

BitBlt

CreateCompatibleBitmap

CreateCompatibleDC

CreateDIBSection

CreateFontIndirectA

CreateSolidBrush

ExtCreateRegion

GetStockObject

GetTextExtentPointA

RemoveFontResourceA

RoundRect

SelectObject

SetBkColor

SetBkMode

SetTextColor

TextOutA

CloseHandle

CompareStringA

CopyFileA

CreateDirectoryA

CreateFileA

CreateFileMappingA

CreateProcessA

CreateThread

DeleteFileA

ExpandEnvironmentStringsA

FindClose

FindFirstFileA

FindResourceA

FlushFileBuffers

FreeLibrary

GetCommandLineA

GetCurrentDirectoryA

GetFileAttributesA

GetFileSize

GetFileTime

GetModuleFileNameA

GetModuleHandleA

GetProcAddress

GetStdHandle

GetSystemInfo

GetTempPathA

GetVersionExA

GlobalAlloc

GlobalLock

GlobalUnlock

LoadLibraryA

LoadResource

lstrcatA

lstrcmpA

lstrcmpiA

lstrcpyA

lstrlenA

lstrlenW

MapViewOfFile

MoveFileA

MultiByteToWideChar

RtlMoveMemory

RtlZeroMemory

SetCurrentDirectoryA

SetEndOfFile

SetEnvironmentVariableA

SetFileAttributesA

SetFilePointer

SetFileTime

SizeofResource

Sleep

UnmapViewOfFile

VirtualAlloc

VirtualFree

WaitForSingleObject

WideCharToMultiByte

WriteFile

ShellExecuteA

ShellExecuteExA

AppendMenuA

CallWindowProcA

CheckDlgButton

CloseClipboard

CreatePopupMenu

CreateWindowExA

DefWindowProcA

DialogBoxParamA

DrawTextA

EmptyClipboard

EnableWindow

EndDialog

GetActiveWindow

GetCapture

GetClientRect

GetCursorPos

GetDC

GetDlgCtrlID

GetDlgItem

GetDlgItemTextA

GetKeyState

GetParent

GetSysColor

GetSystemMetrics

GetWindowLongA

GetWindowRect

IntersectRect

InvalidateRect

IsDlgButtonChecked

LoadBitmapA

LoadCursorA

LoadIconA

LoadStringA

MessageBoxA

MoveWindow

OffsetRect

OpenClipboard

PtInRect

RedrawWindow

RegisterClassExA

ReleaseCapture

SendMessageA

SetCapture

SetClassLongA

SetClipboardData

SetDlgItemTextA

SetFocus

SetTimer

SetWindowLongA

SetWindowPos

SetWindowRgn

SetWindowTextA

ShowWindow

TrackPopupMenu

UpdateWindow

File Exports

Name	Ordinal	Address
AddMsg	#1	0x100022c0
CloseFileMapping	#2	0x100028d8
CloseFileMapping_readonly	#3	0x100029c2
GetPatcherWindowHandle	#4	0x1000210f
GetPluginDataMemory	#5	0x10002120
GetRegDword	#6	0x10006fa0
GetRegString	#7	0x10006f00
LoadFileMapping	#8	0x10002463
Reg_Delete_Value	#9	0x1000a6f0
SearchAndReplace	#10	0x10006740
SetRegDword	#11	0x1000a740
SetRegString	#12	0x1000a7a0
load_patcher	#13	0x10002109
write_disk_file	#14	0x10006d4c

Notifications

Runtime

Enforcing malicious verdict, as a reliable source indicates high confidence

Network whitenoise filtering was applied

Community

There are no community comments.

You must be logged in to submit a comment.

VueScan x32 v9.7.50+ Patcher v1.2.exe

Incident Response

Risk Assessment

MITRE ATT&CK™ Techniques Detection

Indicators

Malicious Indicators 5

Suspicious Indicators 8

Informative 6

File Details

VueScan x32 v9.7.50+ Patcher v1.2.exe

Resources

Visualization

Classification (TrID)

File Metadata

File Sections

File Resources

File Imports

Screenshots

System Resource Monitor

Hybrid Analysis

Network Analysis

DNS Requests

Contacted Hosts

HTTP Traffic

Extracted Strings

Extracted Files

Malicious 1

dup2patcher.dll

Notifications

Runtime

Community

Latest News

Vetting required

Request Report Deletion

Link