Report #10960

  • Creation Date: Sept. 3, 2020, 12:18 p.m.
  • Last Update: Sept. 3, 2020, 12:24 p.m.
  • File: Dropper_brk.exe
  • Results:
Binary
DLL
False
Size
233.00KB
trid
41.0% Win32 Executable MS Visual C++
36.3% Win64 Executable
8.6% Win32 Dynamic Link Library
5.9% Win32 Executable
2.6% OS/2 Executable
type
PE
wordsize
32
Subsystem
Windows CLI
Hashes
md5
96b1116a20cb88a214d74186a8451258
sha1
518a8f1110cd56ae028d0b15e2fd9b08c5bb9266
crc32
0x94785d11
sha224
dca20feadc64eb81217ffba93f0b90f9ecc54f08d35ec54780da8b0e
sha256
6fd1f6da208203ea52a95a11fbf9592c45819da90f2322da982592e07fd49f90
sha384
b4c1c96b3b1e18d7f8d81c4aa515daed3a2ef8c279a17e2cfbfb4c49841983e011d953a53adaa030f9a9ba8eea4a25b2
sha512
2e50000c7eb0c5de5ca4bbc609148c4c9c8b40f65aa711a05717b4a483b7d51cdd1284ddaf6be14a7280044957ec97847985096075f958471761c075f479d4e6
ssdeep
6144:caIOvcVqlH+8oRDcf75tqB0ujlhfaR8sm:cpAoq1WdwFEdjLaR8H
Community
Google
False
HashLib
False
YARA
Matches
VC8_Microsoft_Corporation, domain, anti_dbg, IP, contentis_base64, Microsoft_Visual_Cpp_8, HasDebugData, IsConsole, IsPE32, HasRichSignature

Suspicious
True

Strings
List
C:\Users\Win\Documents\Visual Studio 2012\Projects\Dropper\Release\Dropper.pdb
System.IO
System.Security.Cryptography
98d30.png
98d30.png
MSVCR110.dll
@proc.exe
proc.exe
tFex256HtbePPBP.exe
tFex256HtbePPBP.exe
tFex256HtbePPBP.exe
2.0.0.0
}a%+o
milkTea
%elEP
System.Windows.Forms
mscoree.dll
get_Magenta
_crt_debugger_hook
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
hSystem.Drawing.Bitmap, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPAD4m[
<requestedPrivileges>
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
IsProcessorFeaturePresent
857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857AB1B65E80C75F28857ABB9C2880C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F2885
7ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28F906
ResourceManager
IsDebuggerPresent
CreateProcessW
txtKillburnChoco
txtKillburnChoco
password
GetModuleHandleW
QueryPerformanceCounter
Binder
ComputeHash
%/#=
fprintf
HashAlgorithm
fopen
$9189263f-fcbd-42cb-929e-6a490a7d766e
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
add_PrintPage
txtKillburnChoco_Click
ComponentResourceManager
set_StartPosition
MD5CryptoServiceProvider
E>7;H'X+POS
_CorExeMain
\\,WuTc80
%T*[pO6d!
+EhTP
Form1_Load
ec719.resources
ec719.resources
__crtTerminateProcess
button3_Click
button2_Click
button1_Click
set_Document
37S&G?I
timer1_Tick
set_AutoScaleMode
_commode
_initterm
get_Controls
set_ClientSize
get_ControlLightLight
get_ButtonFace
get_ControlDark
set_DisplayStyle
add_Load
add_Tick
get_Items
get_ASCII
set_Image
set_Location
txtLatte_Click
add_Click
txtCoffeCake_Click
set_TabIndex
set_AutoSize
get_FileName
get_NewLine
set_FileName
set_Name
qinkL;tU
set_Text
get_Text
set_Icon
set_Size
set_Font
set_ForeColor
set_BackColor
txtMocha_Click
set_Filter
txtValeCoffee_Click
get_Black
set_TextAlign
set_ImageAlign
be0%U?H

Foremost
Matches
0.exe, 233 KB, 61.png, 130 KB
Suspicious
True
Heuristics
IPs
hasIPs: False
Allowed
Suspicious
hasAllowed: False
hasSuspicious: False

URLs
Allowed
hasURLs: False
Suspicious
hasAllowed: False
hasSuspicious: False

Files
Allowed: MSVCR110.dll, mscoree.dll, KERNEL32.dll
hasFiles: True
Suspicious
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA
RVA: 16
Suspicious: False
Code
Size: 235520
Suspicious: False
Image
Address: 4194304
Suspicious: False
Stack
Stack: 4096
Suspicious: False
Headers
Headers: 1024
Suspicious: False
Suspicious: False

Symbols
Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 0
Suspicious: True

Sections
Allowed: .text, .rdata, .data, .rsrc, .reloc
Suspicious
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS
Version: 6
Suspicious: False
Image
Version: 6
Suspicious: True
Linker
Version: 11.0
Suspicious: False
Subsystem
Version: 6.0
Suspicious: False
Suspicious: False

EntryPoint
Address: 4911
Suspicious: False

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True

Libraries
Allowed: mscoree.dll, kernel32.dll
hasLibs: True
Suspicious: msvcr110.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Past: False
Valid: True
Value: 2020-09-03 12:17:19
Future: False

Compilation
Packed: False
Missing: False
Packers
Compiled: True
Compilers: Microsoft Visual C++ 8, VC8 -> Microsoft Corporation

Obfuscation
XOR: False
Fuzzing: True

PEDetector
Matches
6304
Suspicious
True
Disassembly
hasTricks
True
Tricks
pushret
.rsrc: 71
.text: 1

pushpopmath
.rsrc: 40
.reloc: 3

garbagebytes
.rsrc: 24
.text: 1

software breakpoint
.rsrc: 1

fakeconditionaljumps
.rsrc: 2

programcontrolflowchange
.rsrc: 22
.text: 1

cpuinstructionsresultscomparison
.rsrc: 2
.rdata: 2

AVclass
remcos
1
VirusTotal
md5
96b1116a20cb88a214d74186a8451258
sha1
518a8f1110cd56ae028d0b15e2fd9b08c5bb9266
SCANS (DETECTION RATE = 45.45%)

| Engine | Version | Update | Detected | Result |
|---|---|---|---|---|
| AVG | 18.4.3895.0 | 20200903 | True | Win32:PWSX-gen [Trj] |
| CMC | 2.7.2019.1 | 20200903 | False | |
| MAX | 2019.9.16.1 | 20200903 | True | malware (ai score=89) |
| APEX | 6.66 | 20200901 | True | Malicious |
| Bkav | 1.3.0.9899 | 20200903 | False | |
| K7GW | 11.133.35153 | 20200903 | False | |
| ALYac | 1.1.1.5 | 20200903 | False | |
| Avast | 18.4.3895.0 | 20200903 | True | Win32:PWSX-gen [Trj] |
| Avira | 8.3.3.8 | 20200903 | True | TR/Kryptik.hvdkh |
| Baidu | 1.0.0.2 | 20190318 | False | |
| Cynet | 4.0.0.24 | 20200903 | False | |
| Cyren | 6.3.0.2 | 20200903 | True | W32/MSIL_Kryptik.AQG.gen!Eldorado |
| DrWeb | 7.0.48.8080 | 20200903 | True | Trojan.Siggen9.44167 |
| GData | A:25.26871B:27.20039 | 20200903 | True | Gen:Variant.Johnnie.272735 |
| Panda | 4.6.4.2 | 20200903 | False | |
| VBA32 | 4.4.1 | 20200903 | True | TScope.Trojan.MSIL |
| VIPRE | 86412 | 20200903 | False | |
| Zoner | 0.0.0.0 | 20200903 | False | |
| ClamAV | 0.102.4.0 | 20200903 | True | Win.Packed.Remcos-8070789-0 |
| Comodo | 32668 | 20200728 | False | |
| Ikarus | 0.1.5.2 | 20200903 | False | |
| McAfee | 6.0.6.653 | 20200903 | True | GenericRXLE-RD!F5EFA81034D6 |
| Rising | 25.0.0.26 | 20200903 | False | |
| Sophos | 4.98.0 | 20200903 | False | |
| Yandex | 5.5.2.24 | 20200901 | False | |
| Zillya | 2.0.0.4168 | 20200903 | False | |
| Acronis | 1.1.1.77 | 20200806 | False | |
| Alibaba | 0.3.0.5 | 20190527 | False | |
| Arcabit | 1.0.0.881 | 20200903 | True | Trojan.Johnnie.D4295F |
| Elastic | 4.0.8 | 20200831 | True | malicious (high confidence) |
| FireEye | 32.36.1.0 | 20200903 | True | Generic.mg.96b1116a20cb88a2 |
| Sangfor | 1.0 | 20200814 | True | Malware |
| TACHYON | 2020-09-03.02 | 20200903 | False | |
| Tencent | 1.0.0.1 | 20200903 | False | |
| ViRobot | 2014.3.20.0 | 20200903 | False | |
| Webroot | 1.0.0.403 | 20200903 | False | |
| eGambit | | 20200903 | False | |
| Ad-Aware | 3.0.16.117 | 20200903 | True | Gen:Variant.Johnnie.272735 |
| F-Secure | 12.0.86.52 | 20200903 | True | Trojan.TR/Kryptik.hvdkh |
| Fortinet | 6.2.142.0 | 20200903 | False | |
| Invincea | 1.0.1.0 | 20200903 | False | |
| Jiangmin | 16.0.100 | 20200903 | False | |
| Kingsoft | 2013.8.14.323 | 20200903 | False | |
| Paloalto | 1.0 | 20200903 | False | |
| Symantec | 1.12.0.0 | 20200903 | False | |
| AhnLab-V3 | 3.18.1.10026 | 20200903 | False | |
| Antiy-AVL | 3.0.0.1 | 20200903 | True | Trojan/Win32.Sonbokli |
| Kaspersky | 15.0.1.13 | 20200903 | True | HEUR:Backdoor.MSIL.Remcos.gen |
| MaxSecure | 1.0.0.1 | 20200902 | True | Win.MxResIcn.Heur.Gen |
| Qihoo-360 | 1.0.0.1120 | 20200903 | True | QVM41.1.Malware.Gen |
| ZoneAlarm | 1.0 | 20200903 | True | HEUR:Backdoor.MSIL.Remcos.gen |
| Cybereason | 1.2.449 | 20190616 | False | |
| ESET-NOD32 | 21929 | 20200903 | True | a variant of MSIL/Kryptik.VSI |
| TrendMicro | 11.0.0.1006 | 20200903 | True | TROJ_GEN.R002C0DG220 |
| BitDefender | 7.2 | 20200903 | True | Gen:Variant.Johnnie.272735 |
| CrowdStrike | 1.0 | 20190702 | False | |
| K7AntiVirus | 11.133.35150 | 20200903 | False | |
| SentinelOne | 4.4.0.0 | 20200724 | False | |
| Malwarebytes | 3.6.4.335 | 20200903 | True | Backdoor.Remcos |
| TotalDefense | 37.1.62.1 | 20200902 | False | |
| CAT-QuickHeal | 14.00 | 20200903 | False | |
| NANO-Antivirus | 1.0.134.25140 | 20200903 | True | Trojan.Win32.Remcos.hnkppj |
| BitDefenderTheta | 7.2.37796.0 | 20200902 | True | Gen:NN.ZexaE.34216.ouW@aClT!opO |
| MicroWorld-eScan | 14.0.409.0 | 20200903 | True | Gen:Variant.Johnnie.272735 |
| SUPERAntiSpyware | 5.6.0.1032 | 20200828 | False | |
| TrendMicro-HouseCall | 10.0.0.1040 | 20200903 | True | TROJ_GEN.R002C0DG220 |

total
66
sha256
6fd1f6da208203ea52a95a11fbf9592c45819da90f2322da982592e07fd49f90
scan_id
6fd1f6da208203ea52a95a11fbf9592c45819da90f2322da982592e07fd49f90-1599146299
resource
96b1116a20cb88a214d74186a8451258
positives
30
scan_date
2020-09-03 15:18:19
verbose_msg
Scan finished, information embedded
response_code
1
File
Trace
| Time | Operation | PID | Process | Path | Name |
|---|---|---|---|---|---|
| 3/9/2020 - 11:45:42.418 | Open | 1480 | C:\malware.exe | C:\Monitor\proc.exe | |
| 3/9/2020 - 11:45:42.418 | Write | 1480 | C:\malware.exe | C:\Monitor\proc.exe | |
| 3/9/2020 - 11:45:42.418 | Unknown | 1480 | C:\malware.exe | C:\Monitor\proc.exe | |
| 3/9/2020 - 11:45:42.418 | Open | 1480 | C:\malware.exe | C:\ntvdm64.dll | |
| 3/9/2020 - 11:45:42.418 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ntvdm64.dll | |
| 3/9/2020 - 11:45:42.434 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ntvdm64.dll | |
| 3/9/2020 - 11:45:42.450 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\sechost.dll | |
| 3/9/2020 - 11:45:42.450 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\sechost.dll | |
| 3/9/2020 - 11:45:42.450 | Open | 1480 | C:\malware.exe | C:\VERSION.dll | |
| 3/9/2020 - 11:45:42.450 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\version.dll | |
| 3/9/2020 - 11:45:42.450 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\version.dll | |
| 3/9/2020 - 11:45:42.450 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\imm32.dll | |
| 3/9/2020 - 11:45:42.450 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\imm32.dll | |
| 3/9/2020 - 11:45:42.450 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\imm32.dll | |
| 3/9/2020 - 11:45:42.465 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\imm32.dll | |
| 3/9/2020 - 11:45:42.465 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\imm32.dll | |
| 3/9/2020 - 11:45:42.465 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\imm32.dll | |
| 3/9/2020 - 11:45:42.465 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\pt-BR\ntvdm64.dll.mui | |
| 3/9/2020 - 11:45:42.465 | Read | 1480 | C:\malware.exe | C:\Windows\SysWOW64\pt-BR\ntvdm64.dll.mui | ntvdm64.dll.mui |
| 3/9/2020 - 11:45:42.481 | Open | 1480 | C:\malware.exe | C:\Windows\Fonts\StaticCache.dat | |
| 3/9/2020 - 11:45:42.481 | Read | 1480 | C:\malware.exe | C:\Windows\Fonts\StaticCache.dat | StaticCache.dat |
| 3/9/2020 - 11:45:42.481 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\uxtheme.dll | |
| 3/9/2020 - 11:45:42.481 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\uxtheme.dll | |
| 3/9/2020 - 11:45:42.575 | Open | 1480 | C:\malware.exe | C:\dwmapi.dll | |
| 3/9/2020 - 11:45:42.575 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dwmapi.dll | |
| 3/9/2020 - 11:45:42.575 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dwmapi.dll | |
| 3/9/2020 - 11:45:42.575 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ole32.dll | |
| 3/9/2020 - 11:45:42.575 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ole32.dll | |
| 3/9/2020 - 11:45:42.575 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rpcss.dll | |
| 3/9/2020 - 11:45:42.575 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rpcss.dll | |
| 3/9/2020 - 11:45:42.575 | Open | 1480 | C:\malware.exe | C:\Windows\Globalization\Sorting\SortDefault.nls | |
| 3/9/2020 - 11:45:42.575 | Unknown | 1480 | C:\malware.exe | C:\Windows\Globalization\Sorting\SortDefault.nls | SortDefault.nls |

Process
Trace

Analysis
Reason
Timeout

Status
Successfully Executed

Results
1

Registry
Trace

File Summary
Created
Identified: True

Deleted
Identified: False

Process Summary
Created
Identified: False

Deleted
Identified: False

Registry Summary
Proxy
Identified: False

AutoRun
Identified: False

Created
Identified: False

Deleted
Identified: False

Browsers
Identified: False

Internet
Identified: False


DNS
Query

Response

TCP
Info

UDP
Info

HTTP
Info

Summary
DNS
False

TCP
False

UDP
False

HTTP
False

Results
BINARY
NFS 2.0 (Threshold = 0.8)
confidence: 55.62%
suspicious: True

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 95.82%
suspicious: True

Random Forest (100 estimators, NFS-BRMalware)
confidence: 57.00%
suspicious: False

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 47.18%
suspicious: True

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 49.65%
suspicious: False
