Sample viewer

vx.netlux.org/Virus.DOS.BlueNine.1725

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T23:06:56.992760974Z	48	PC: 12e33 \| Get DOS version
2018-12-17T23:06:56.995007137Z	74	PC: 12e50 \| Reallocate memory
2018-12-17T23:06:56.996392509Z	72	PC: 12e57 \| Allocate memory
2018-12-17T23:06:56.998340242Z	53	PC: 9f590 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T23:06:57.000383311Z	37	PC: 9f5a9 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T23:06:57.001587307Z	44	PC: 9f5ca \| Get time 0x9f5ca: cmp dh, 5 0x9f5cd: jne 0x9f5ee 0x9f5cf: mov ax, 3 0x9f5d2: int 0x10 0x9f5d4: mov si, 0x4b2 0x9f5d7: lodsb al, byte ptr [si] 0x9f5d8: or al, al 0x9f5da: je 0x9f5da 0x9f5dc: mov ah, 2 0x9f5de: mov dl, al 0x9f5e0: int 0x21 0x9f5e2: cmp dl, 0x20 0x9f5e5: je 0x9f5d7 0x9f5e7: mov cx, 0xffff 0x9f5ea: loop 0x9f5ea 0x9f5ec: jmp 0x9f5d7 0x9f5ee: xor ax, ax 0x9f5f0: retf 0x9f5f1: cmp cx, 0x29a 0x9f5f5: jne 0x9f586

{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":0,"Min":0,"Second":5,"TimeBased":true,"OriginalID":15690,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:44:10.610260141Z	48	PC: 12e33 \| Get DOS version
2018-12-25T12:44:10.612000605Z	74	PC: 12e50 \| Reallocate memory
2018-12-25T12:44:10.613282002Z	72	PC: 12e57 \| Allocate memory
2018-12-25T12:44:10.614762594Z	53	PC: 9f590 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:44:10.617018758Z	37	PC: 9f5a9 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:44:10.618222767Z	44	PC: 9f5ca \| Get time 0x9f5ca: cmp dh, 5 0x9f5cd: jne 0x9f5ee 0x9f5cf: mov ax, 3 0x9f5d2: int 0x10 0x9f5d4: mov si, 0x4b2 0x9f5d7: lodsb al, byte ptr [si] 0x9f5d8: or al, al 0x9f5da: je 0x9f5da 0x9f5dc: mov ah, 2 0x9f5de: mov dl, al 0x9f5e0: int 0x21 0x9f5e2: cmp dl, 0x20 0x9f5e5: je 0x9f5d7 0x9f5e7: mov cx, 0xffff 0x9f5ea: loop 0x9f5ea 0x9f5ec: jmp 0x9f5d7 0x9f5ee: xor ax, ax 0x9f5f0: retf 0x9f5f1: cmp cx, 0x29a 0x9f5f5: jne 0x9f586

{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":0,"Min":0,"Second":0,"TimeBased":true,"OriginalID":15690,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:44:10.768240382Z	48	PC: 12e33 \| Get DOS version
2018-12-25T12:44:10.770466159Z	74	PC: 12e50 \| Reallocate memory
2018-12-25T12:44:10.771813923Z	72	PC: 12e57 \| Allocate memory
2018-12-25T12:44:10.773752992Z	53	PC: 9f590 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:44:10.775991544Z	37	PC: 9f5a9 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:44:10.778095478Z	44	PC: 9f5ca \| Get time 0x9f5ca: cmp dh, 5 0x9f5cd: jne 0x9f5ee 0x9f5cf: mov ax, 3 0x9f5d2: int 0x10 0x9f5d4: mov si, 0x4b2 0x9f5d7: lodsb al, byte ptr [si] 0x9f5d8: or al, al 0x9f5da: je 0x9f5da 0x9f5dc: mov ah, 2 0x9f5de: mov dl, al 0x9f5e0: int 0x21 0x9f5e2: cmp dl, 0x20 0x9f5e5: je 0x9f5d7 0x9f5e7: mov cx, 0xffff 0x9f5ea: loop 0x9f5ea 0x9f5ec: jmp 0x9f5d7 0x9f5ee: xor ax, ax 0x9f5f0: retf 0x9f5f1: cmp cx, 0x29a 0x9f5f5: jne 0x9f586

{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":0,"Min":0,"Second":0,"TimeBased":true,"OriginalID":15690,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:44:11.765284865Z	48	PC: 12e33 \| Get DOS version
2018-12-25T12:44:11.76681525Z	74	PC: 12e50 \| Reallocate memory
2018-12-25T12:44:11.767783311Z	72	PC: 12e57 \| Allocate memory
2018-12-25T12:44:11.768847323Z	53	PC: 9f590 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:44:11.770697231Z	37	PC: 9f5a9 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:44:11.772855451Z	44	PC: 9f5ca \| Get time 0x9f5ca: cmp dh, 5 0x9f5cd: jne 0x9f5ee 0x9f5cf: mov ax, 3 0x9f5d2: int 0x10 0x9f5d4: mov si, 0x4b2 0x9f5d7: lodsb al, byte ptr [si] 0x9f5d8: or al, al 0x9f5da: je 0x9f5da 0x9f5dc: mov ah, 2 0x9f5de: mov dl, al 0x9f5e0: int 0x21 0x9f5e2: cmp dl, 0x20 0x9f5e5: je 0x9f5d7 0x9f5e7: mov cx, 0xffff 0x9f5ea: loop 0x9f5ea 0x9f5ec: jmp 0x9f5d7 0x9f5ee: xor ax, ax 0x9f5f0: retf 0x9f5f1: cmp cx, 0x29a 0x9f5f5: jne 0x9f586

{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":0,"Min":0,"Second":5,"TimeBased":true,"OriginalID":15690,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:44:12.573239861Z	48	PC: 12e33 \| Get DOS version
2018-12-25T12:44:12.574457695Z	74	PC: 12e50 \| Reallocate memory
2018-12-25T12:44:12.575954938Z	72	PC: 12e57 \| Allocate memory
2018-12-25T12:44:12.577608589Z	53	PC: 9f590 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:44:12.586827526Z	37	PC: 9f5a9 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:44:12.587752681Z	44	PC: 9f5ca \| Get time 0x9f5ca: cmp dh, 5 0x9f5cd: jne 0x9f5ee 0x9f5cf: mov ax, 3 0x9f5d2: int 0x10 0x9f5d4: mov si, 0x4b2 0x9f5d7: lodsb al, byte ptr [si] 0x9f5d8: or al, al 0x9f5da: je 0x9f5da 0x9f5dc: mov ah, 2 0x9f5de: mov dl, al 0x9f5e0: int 0x21 0x9f5e2: cmp dl, 0x20 0x9f5e5: je 0x9f5d7 0x9f5e7: mov cx, 0xffff 0x9f5ea: loop 0x9f5ea 0x9f5ec: jmp 0x9f5d7 0x9f5ee: xor ax, ax 0x9f5f0: retf 0x9f5f1: cmp cx, 0x29a 0x9f5f5: jne 0x9f586