Sample viewer

vx.netlux.org/Virus.DOS.I13.Pombero.2069

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:51:32.076339885Z	205	PC: 142d4 \| UNKNOWN!
2018-12-17T22:51:32.078062281Z	53	PC: 142e1 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:51:32.087575782Z	74	PC: 14340 \| Reallocate memory
2018-12-17T22:51:32.089494026Z	72	PC: 14347 \| Allocate memory
2018-12-17T22:51:32.091565127Z	37	PC: 1436c \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:51:32.094223261Z	42	PC: 14370 \| Get date 0x14370: cmp dh, 9 0x14373: jne 0x1438a 0x14375: mov ax, 0x3508 0x14378: int 0x21 0x1437a: mov word ptr [0x236], bx 0x1437e: mov word ptr [0x238], es 0x14382: mov ax, 0x2508 0x14385: mov dx, 0x1fa 0x14388: int 0x21 0x1438a: push cs 0x1438b: push cs 0x1438c: push cs 0x1438d: pop ds 0x1438e: pop es 0x1438f: pop ss 0x14390: lea si, word ptr [bp + 0x449] 0x14394: mov di, 0x100 0x14397: push di 0x14398: cld 0x14399: movsb byte ptr es:[di], byte ptr [si]
2018-12-17T22:51:32.097008413Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/k...). Size=00001770h/0000006000d bytes. ')
2018-12-17T22:51:32.103048028Z	48	PC: 12a8f \| Get DOS version
2018-12-17T22:51:32.105895237Z	53	PC: 9ef73 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:51:32.107835001Z	37	PC: 9ef8a \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:51:32.109758434Z	61	PC: 9efbd \| Open file (Filename = 'A:\TEST.COM')
2018-12-17T22:51:32.12203704Z	87	PC: 9efcb \| Get or set file date and time
2018-12-17T22:51:32.12401159Z	63	PC: 9eff1 \| Read file or device (Read 3 bytes on handle 5)
2018-12-17T22:51:32.127814925Z	66	PC: 9f2b5 \| Move file pointer
2018-12-17T22:51:32.152791334Z	64	PC: 9f256 \| Write file or device (Write 2069 bytes on handle 5)
2018-12-17T22:51:32.434078141Z	66	PC: 9f2b5 \| Move file pointer
2018-12-17T22:51:32.436215106Z	64	PC: 9f266 \| Write file or device (Write 3 bytes on handle 5)
2018-12-17T22:51:32.440743723Z	87	PC: 9f27e \| Get or set file date and time
2018-12-17T22:51:32.443177806Z	62	PC: 9f285 \| Close file
2018-12-17T22:51:32.454075989Z	37	PC: 9f297 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:51:32.457353977Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-17T22:51:32.465130606Z	93	PC: 12afe \| File sharing functions
2018-12-17T22:51:32.467728496Z	9	PC: 12a86 \| Display string (String= 'Size change=102Ah/04138d. ')
2018-12-17T22:51:32.472376227Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":10576,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:28:26.898479269Z	205	PC: 142d4 \| UNKNOWN!
2018-12-25T12:28:26.900348144Z	53	PC: 142e1 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:28:26.901421475Z	74	PC: 14340 \| Reallocate memory
2018-12-25T12:28:26.902556447Z	72	PC: 14347 \| Allocate memory
2018-12-25T12:28:26.904182959Z	37	PC: 1436c \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:28:26.905405076Z	42	PC: 14370 \| Get date 0x14370: cmp dh, 9 0x14373: jne 0x1438a 0x14375: mov ax, 0x3508 0x14378: int 0x21 0x1437a: mov word ptr [0x236], bx 0x1437e: mov word ptr [0x238], es 0x14382: mov ax, 0x2508 0x14385: mov dx, 0x1fa 0x14388: int 0x21 0x1438a: push cs 0x1438b: push cs 0x1438c: push cs 0x1438d: pop ds 0x1438e: pop es 0x1438f: pop ss 0x14390: lea si, word ptr [bp + 0x449] 0x14394: mov di, 0x100 0x14397: push di 0x14398: cld 0x14399: movsb byte ptr es:[di], byte ptr [si]
2018-12-25T12:28:26.907680926Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/k...). Size=00001770h/0000006000d bytes. ')
2018-12-25T12:28:26.913906187Z	48	PC: 12a8f \| Get DOS version
2018-12-25T12:28:26.915107053Z	53	PC: 9ef73 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:28:26.916206307Z	37	PC: 9ef8a \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:28:26.917805947Z	61	PC: 9efbd \| Open file (Filename = 'A:\TEST.COM')
2018-12-25T12:28:26.92559384Z	87	PC: 9efcb \| Get or set file date and time
2018-12-25T12:28:26.927148444Z	63	PC: 9eff1 \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:28:26.929832407Z	66	PC: 9f2b5 \| Move file pointer
2018-12-25T12:28:26.946095056Z	64	PC: 9f256 \| Write file or device (Write 2069 bytes on handle 5)
2018-12-25T12:28:27.6883738Z	66	PC: 9f2b5 \| Move file pointer (See above)
2018-12-25T12:28:27.689307987Z	64	PC: 9f266 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:28:27.691529733Z	87	PC: 9f27e \| Get or set file date and time
2018-12-25T12:28:27.692893645Z	62	PC: 9f285 \| Close file
2018-12-25T12:28:27.851938498Z	37	PC: 9f297 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:28:27.85382868Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-25T12:28:27.861061578Z	93	PC: 12afe \| File sharing functions
2018-12-25T12:28:27.863268793Z	9	PC: 12a86 \| Display string (See above)
2018-12-25T12:28:27.868942164Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":9,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":10576,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:28:26.922520222Z	205	PC: 142d4 \| UNKNOWN!
2018-12-25T12:28:26.926741603Z	53	PC: 142e1 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:28:26.928230002Z	74	PC: 14340 \| Reallocate memory
2018-12-25T12:28:26.929675809Z	72	PC: 14347 \| Allocate memory
2018-12-25T12:28:26.933133029Z	37	PC: 1436c \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:28:26.934366868Z	42	PC: 14370 \| Get date 0x14370: cmp dh, 9 0x14373: jne 0x1438a 0x14375: mov ax, 0x3508 0x14378: int 0x21 0x1437a: mov word ptr [0x236], bx 0x1437e: mov word ptr [0x238], es 0x14382: mov ax, 0x2508 0x14385: mov dx, 0x1fa 0x14388: int 0x21 0x1438a: push cs 0x1438b: push cs 0x1438c: push cs 0x1438d: pop ds 0x1438e: pop es 0x1438f: pop ss 0x14390: lea si, word ptr [bp + 0x449] 0x14394: mov di, 0x100 0x14397: push di 0x14398: cld 0x14399: movsb byte ptr es:[di], byte ptr [si]
2018-12-25T12:28:26.936657083Z	53	PC: 1437a \| Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-25T12:28:26.938444969Z	37	PC: 1438a \| Set interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-25T12:28:26.939901124Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/k...). Size=00001770h/0000006000d bytes. ')
2018-12-25T12:28:26.945159737Z	48	PC: 12a8f \| Get DOS version
2018-12-25T12:28:26.946454242Z	53	PC: 9ef73 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:28:26.947577137Z	37	PC: 9ef8a \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:28:26.948780765Z	61	PC: 9efbd \| Open file (Filename = 'A:\TEST.COM')
2018-12-25T12:28:26.95488857Z	87	PC: 9efcb \| Get or set file date and time
2018-12-25T12:28:26.957496376Z	63	PC: 9eff1 \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:28:26.959913411Z	66	PC: 9f2b5 \| Move file pointer
2018-12-25T12:28:26.976211831Z	64	PC: 9f256 \| Write file or device (Write 2069 bytes on handle 5)
2018-12-25T12:28:28.248384515Z	66	PC: 9f2b5 \| Move file pointer (See above)
2018-12-25T12:28:28.249770071Z	64	PC: 9f266 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:28:28.252391071Z	87	PC: 9f27e \| Get or set file date and time
2018-12-25T12:28:28.25419443Z	62	PC: 9f285 \| Close file
2018-12-25T12:28:28.262330092Z	37	PC: 9f297 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:28:28.263454908Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-25T12:28:28.271042599Z	93	PC: 12afe \| File sharing functions
2018-12-25T12:28:28.273276216Z	9	PC: 12a86 \| Display string (See above)
2018-12-25T12:28:28.27764765Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')