Sample viewer

vx.netlux.org/Virus.DOS.FaxFree.Sultan.2766

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:39:17.5070656Z	44	PC: 12c34 \| Get time 0x12c34: inc ax 0x12c35: add al, byte ptr [bx + si] 0x12c37: add al, byte ptr [bx + si] 0x12c39: add al, byte ptr [bx + si] 0x12c3b: inc ax 0x12c3c: add al, byte ptr [bx + si] 0x12c3e: add al, byte ptr [bx + si] 0x12c40: add al, byte ptr [bx + si] 0x12c42: xchg dx, cx 0x12c44: mov ax, cx 0x12c46: xchg ax, dx 0x12c47: mov cx, ax 0x12c49: push dx 0x12c4a: pop ax 0x12c4b: xor ax, ax 0x12c4d: mov ah, 0x2c 0x12c4f: int 0x21 0x12c51: add al, byte ptr [bx + si] 0x12c53: add al, byte ptr [bx + si] 0x12c55: add al, byte ptr [bx + si]
2018-12-17T22:39:17.509595802Z	44	PC: 12c51 \| Get time 0x12c51: add al, byte ptr [bx + si] 0x12c53: add al, byte ptr [bx + si] 0x12c55: add al, byte ptr [bx + si] 0x12c57: inc ax 0x12c58: xor ax, ax 0x12c5a: add al, byte ptr [bx + si] 0x12c5c: add al, byte ptr [bx + si] 0x12c5e: add al, byte ptr [bx + si] 0x12c60: add al, byte ptr [bx + si] 0x12c62: add al, byte ptr [bx + si] 0x12c64: add al, byte ptr [bx + si] 0x12c66: add al, byte ptr [bx + si] 0x12c68: add al, byte ptr [bx + si] 0x12c6a: add al, byte ptr [bx + si] 0x12c6c: add al, byte ptr [bx + si] 0x12c6e: add al, byte ptr [bx + si] 0x12c70: add al, byte ptr [bx + si] 0x12c72: add al, byte ptr [bx + si] 0x12c74: add al, byte ptr [bx + si] 0x12c76: add al, byte ptr [bx + si]
2018-12-17T22:39:17.512343144Z	42	PC: 130c9 \| Get date 0x130c9: cmp dl, 0x19 0x130cc: jae 0x130d9 0x130ce: xor ax, ax 0x130d0: mov es, ax 0x130d2: mov ax, 0x19 0x130d5: mov word ptr es:[0x3f9], ax 0x130d9: xor ax, ax 0x130db: mov es, ax 0x130dd: ret 0x130de: push ax 0x130df: mov ax, 0xf3fc 0x130e2: mov word ptr cs:[0x1000], ax 0x130e6: mov ax, 0xcba5 0x130e9: mov word ptr cs:[0x1002], ax 0x130ed: pop ax 0x130ee: jmp 0x13c30 0x130f1: pop di 0x130f2: add word ptr [bx + di + 4], di 0x130f6: xor dx, dx 0x130f8: mov bx, 0x7e0
2018-12-17T22:39:17.514457755Z	76	PC: 12aa4 \| Terminate with return code (Return code = '0')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":6749,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:00:16.97970142Z	44	PC: 12c34 \| Get time 0x12c34: inc ax 0x12c35: add al, byte ptr [bx + si] 0x12c37: add al, byte ptr [bx + si] 0x12c39: add al, byte ptr [bx + si] 0x12c3b: inc ax 0x12c3c: add al, byte ptr [bx + si] 0x12c3e: add al, byte ptr [bx + si] 0x12c40: add al, byte ptr [bx + si] 0x12c42: xchg dx, cx 0x12c44: mov ax, cx 0x12c46: xchg ax, dx 0x12c47: mov cx, ax 0x12c49: push dx 0x12c4a: pop ax 0x12c4b: xor ax, ax 0x12c4d: mov ah, 0x2c 0x12c4f: int 0x21 0x12c51: add al, byte ptr [bx + si] 0x12c53: add al, byte ptr [bx + si] 0x12c55: add al, byte ptr [bx + si]
2018-12-25T12:00:16.982540517Z	44	PC: 12c51 \| Get time 0x12c51: add al, byte ptr [bx + si] 0x12c53: add al, byte ptr [bx + si] 0x12c55: add al, byte ptr [bx + si] 0x12c57: inc ax 0x12c58: xor ax, ax 0x12c5a: add al, byte ptr [bx + si] 0x12c5c: add al, byte ptr [bx + si] 0x12c5e: add al, byte ptr [bx + si] 0x12c60: add al, byte ptr [bx + si] 0x12c62: add al, byte ptr [bx + si] 0x12c64: add al, byte ptr [bx + si] 0x12c66: add al, byte ptr [bx + si] 0x12c68: add al, byte ptr [bx + si] 0x12c6a: add al, byte ptr [bx + si] 0x12c6c: add al, byte ptr [bx + si] 0x12c6e: add al, byte ptr [bx + si] 0x12c70: add al, byte ptr [bx + si] 0x12c72: add al, byte ptr [bx + si] 0x12c74: add al, byte ptr [bx + si] 0x12c76: add al, byte ptr [bx + si]
2018-12-25T12:00:16.984602136Z	42	PC: 130c9 \| Get date 0x130c9: cmp dl, 0x19 0x130cc: jae 0x130d9 0x130ce: xor ax, ax 0x130d0: mov es, ax 0x130d2: mov ax, 0x19 0x130d5: mov word ptr es:[0x3f9], ax 0x130d9: xor ax, ax 0x130db: mov es, ax 0x130dd: ret 0x130de: push ax 0x130df: mov ax, 0xf3fc 0x130e2: mov word ptr cs:[0x1000], ax 0x130e6: mov ax, 0xcba5 0x130e9: mov word ptr cs:[0x1002], ax 0x130ed: pop ax 0x130ee: jmp 0x13c30 0x130f1: pop di 0x130f2: add word ptr [bx + di + 4], di 0x130f6: xor dx, dx 0x130f8: mov bx, 0x7e0
2018-12-25T12:00:16.986271739Z	76	PC: 12aa4 \| Terminate with return code (Return code = '0')

{"DateBased":true,"Day":26,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":6749,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:00:16.911491028Z	64	PC: 0 \| Write file or device (Write 2 bytes on handle 1)
2018-12-25T12:00:16.930075669Z	41	PC: 94fae \| Parse filename
2018-12-25T12:00:16.933704517Z	41	PC: 9502f \| Parse filename
2018-12-25T12:00:16.935159804Z	41	PC: 9504c \| Parse filename
2018-12-25T12:00:16.937144314Z	26	PC: 984f7 \| Set disk transfer address
2018-12-25T12:00:16.938813086Z	71	PC: 986f3 \| Get current directory
2018-12-25T12:00:16.94098516Z	78	PC: 986fe \| Find first file
2018-12-25T12:00:16.946979584Z	71	PC: 986f3 \| Get current directory (See above)
2018-12-25T12:00:16.949042069Z	78	PC: 986fe \| Find first file (See above)
2018-12-25T12:00:16.955465022Z	64	PC: 9a848 \| Write file or device (Write 26 bytes on handle 2)
2018-12-25T12:00:16.959008458Z	37	PC: 123c4 \| Set interrupt vector (Interrupt = '34' AKA 'Random write')
2018-12-25T12:00:16.960369097Z	37	PC: 123cb \| Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-25T12:00:16.961245743Z	37	PC: 123d2 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:00:16.962080184Z	62	PC: 122ab \| Close file
2018-12-25T12:00:16.96328555Z	62	PC: 122ab \| Close file (See above)
2018-12-25T12:00:16.964457154Z	62	PC: 122ab \| Close file (See above)
2018-12-25T12:00:16.965548949Z	62	PC: 122ab \| Close file (See above)
2018-12-25T12:00:16.966662048Z	62	PC: 122ab \| Close file (See above)
2018-12-25T12:00:16.96784412Z	62	PC: 122ab \| Close file (See above)
2018-12-25T12:00:16.968896685Z	62	PC: 122ab \| Close file (See above)
2018-12-25T12:00:16.969950967Z	62	PC: 122ab \| Close file (See above)
2018-12-25T12:00:16.971402967Z	62	PC: 122ab \| Close file (See above)
2018-12-25T12:00:16.972508862Z	62	PC: 122ab \| Close file (See above)
2018-12-25T12:00:16.973549087Z	62	PC: 122ab \| Close file (See above)
2018-12-25T12:00:16.974939042Z	62	PC: 122ab \| Close file (See above)
2018-12-25T12:00:16.976400672Z	62	PC: 122ab \| Close file (See above)
2018-12-25T12:00:16.977471395Z	62	PC: 122ab \| Close file (See above)
2018-12-25T12:00:16.979412921Z	62	PC: 122ab \| Close file (See above)
2018-12-25T12:00:16.980876779Z	99	PC: 9a5d7 \| Get DBCS lead byte table pointer
2018-12-25T12:00:16.981845997Z	56	PC: 94df9 \| Get or set country info
2018-12-25T12:00:16.983557961Z	64	PC: 9a848 \| Write file or device (See above)
2018-12-25T12:00:16.986385179Z	25	PC: 94e62 \| Get default drive
2018-12-25T12:00:16.988809012Z	71	PC: 970dd \| Get current directory
2018-12-25T12:00:16.992637458Z	64	PC: 9a848 \| Write file or device (See above)
2018-12-25T12:00:16.994792755Z	2	PC: 970b2 \| Character output (Char = '3e')
2018-12-25T12:00:16.996299243Z	93	PC: 94f20 \| File sharing functions
2018-12-25T12:00:16.998248074Z	93	PC: 94f27 \| File sharing functions
2018-12-25T12:00:17.000196057Z	10	PC: 94f39 \| Buffered keyboard input
2018-12-25T12:00:31.958147341Z	0	PC: 0 \| Program terminate (See above)
2018-12-25T12:00:33.312632786Z	0	PC: 0 \| Program terminate (See above)
2018-12-25T12:00:33.415571174Z	64	PC: 9a848 \| Write file or device (See above)
2018-12-25T12:00:33.423527519Z	41	PC: 94fae \| Parse filename (See above)
2018-12-25T12:00:33.426309724Z	41	PC: 9502f \| Parse filename (See above)
2018-12-25T12:00:33.429447269Z	41	PC: 9504c \| Parse filename (See above)
2018-12-25T12:00:33.432200733Z	26	PC: 984f7 \| Set disk transfer address (See above)
2018-12-25T12:00:33.43511055Z	71	PC: 986f3 \| Get current directory (See above)
2018-12-25T12:00:33.445005163Z	78	PC: 986fe \| Find first file (See above)
2018-12-25T12:00:33.455834837Z	71	PC: 9856c \| Get current directory
2018-12-25T12:00:33.460957821Z	73	PC: 97c09 \| Release memory
2018-12-25T12:00:33.463706891Z	75	PC: 11821 \| Execute program
2018-12-25T12:00:33.479467192Z	9	PC: 12a47 \| Display string (String= 'Hello, World! ')
2018-12-25T12:00:33.484759612Z	76	PC: 12a4b \| Terminate with return code (Return code = '36')