Report #11247

  • Creation Date: Sept. 10, 2020, 1:38 p.m.
  • Last Update: Sept. 10, 2020, 5:28 p.m.
  • File: Dropper_005.exe
  • Results:
Binary
DLL: False
Size: 186.00KB
trid:
  • 61.7% Win64 Executable
  • 14.7% Win32 Dynamic Link Library
  • 10.0% Win32 Executable
  • 4.5% OS/2 Executable
  • 4.4% Generic Win/DOS Executable
type: PE
wordsize: 64
Subsystem: Windows CLI
Hashes
md5: 4c5fe5afa0ae9ceabb92a69901a07d03
sha1: 304cd2963cff6d7b7ed9a58ca3a0cf1882b80a81
crc32: 0x8287b80d
sha224: 9dbac8d1cdc613e45eee0feaa8f9775c6e3da1cc7e12ffe287610acc
sha256: 3b2f1a0eaaa3e49dfad6153c9ed07c792a568c17b6582e4036ae86c2f1948204
sha384: 9b10816b35faa4fee1199a6d3385e487426f539262ccdc9e907fd85a15d48bf94cd903ec55b1c27bcc546dabc0079ad4
sha512: 8d4406cf5d69726f4e8578a749146b6d636e51b8c15f4f61f07453c71c4ae29e7cc614f2ff87b3d74a61a216356de7aae77a1b484e5cd5ebee58f3595b6cb2a6
ssdeep: 1536:ZvYPG+/lLWqbPoATxKPTPCl+X8KY9/JOed/ohT6NxAMQ854URociX4Q2jw/mb3rK:ZvYPL/lLW2PoAp/xZdd/vsXQ4URoQM/
Community
Google: False
HashLib: False
YARA
Matches: domain, anti_dbg, HasDebugData, IP, contentis_base64, win_registry, IsPE64, IsConsole, Microsoft_Visual_Cpp_80_DLL, HasRichSignature
Suspicious: True

Strings
List
C:\Users\Win\Documents\Visual Studio 2012\Projects\Dropper\x64\Release\Dropper.pdb
C:\lihedoyeyusun\pezigekoyipu\herubodojog.pdb
94773\bin\dutisulek.pdb
1.3.3.4
xjelishu.izi
COMCTL32.dll
MSVCR110.dll
WINMM.dll
UxTheme.dll
proc.exe
proc.exe
<=UOLPKA=VECCA
57-3$&)&&&%%&)6&3:"$.,
%%')!
jThH%A
mscoree.dll
<requestedPrivileges>
__crt_debugger_hook
IsProcessorFeaturePresent
GetProcAddress
ExitProcess
CreateEventW
IsDebuggerPresent
IsDebuggerPresent
TerminateProcess
CreateProcessW
VirtualAlloc
CoCreateInstance
RegEnumKeyExW
RegOpenKeyExW
RegSetValueExW
RegQueryValueExW
RegGetValueW
RegDeleteKeyW
RemoveDirectoryA
LoadLibraryA
RegCreateKeyW
FindFirstFileExA
GetModuleFileNameA
GetModuleHandleW
HeapCreate
WriteFile
CreateFileW
GetModuleFileNameW
LoadResource
GetModuleHandleW
QueryPerformanceCounter
QueryPerformanceCounter
GetTickCount
SleepEx
fprintf
Sleep
fopen
__crtCapturePreviousContext
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
GetCPInfo
A=CACANCA;4M=
-v|34ea&
ZMUUAO@<:E
__crtTerminateProcess
B;L>OADC<4MM
GCEEISHFD\
=VP=KABB9=;W=?LS
_commode
_initterm
4/A|ladk
&.*?cgfu_ZSE
VWEJJLGER_
EqduRAC_
wsoirzGT`
__setusermatherr
9:<bqmntyWO[
__C_specific_handler
_initterm_e
DD[IRNl|{z~
_calloc_crt
__set_app_type
__dllonexit
_amsg_exit
__getmainargs
_XcptFilter
IICEERP2
__initenv
?terminate@@YAXXZ
92-99.72,..+,429
.39/<,5,2;+22.
(-+/293<1.
:543,--95#54/4)(&&5.
D$(9D$$s.HcD$$H
BOKM=CRCPP]%
</assembly>
C===D=NL
_unlock
et_VOl)
`.rdata
`.rdata
InterlockedIncrement
InterlockedDecrement
_onexit
LcA<E3

Foremost
Matches: 24.exe, 172 KB
Suspicious: True
Note: Foremost carved a second PE (24.exe, 172 KB) out of the 186 KB file, i.e. an embedded executable. This is consistent with the Dropper.pdb project name and with the CreateFileW, WriteFile and CreateProcessW imports in the strings list: the outer binary is the container, the carved file is the payload to analyse next.
Heuristics

IPs
hasIPs: True
Allowed: (none)
Suspicious: 1.3.3.4, 0, Unknown
hasAllowed: False
hasSuspicious: True
Note: the hit is a bare dotted quad in the strings dump. On its own that does not prove network use (a version number has the same shape); it needs corroboration from a URL, a socket import or observed traffic.
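How a heuristic like the one above is put together, as an added example (this is not the report tool's own code): it scans a strings dump for dotted quads, validates them with the standard-library ipaddress module so that out-of-range octets and version-like strings are rejected, and splits the survivors into the report's Allowed / Suspicious buckets. The rule that only globally routable addresses count as suspicious is this example's assumption, not necessarily the tool's. The strings list is constructed: a few entries are copied from the Strings section of this report, the rest are made up to exercise the filter and are labelled as such.

```python
import ipaddress
import re

# A dotted quad not glued to other word characters or dots, so that five-part
# strings such as 1.1.1.1.1 and version-like 2020.9.10.1 do not match.
_DOTTED_QUAD = re.compile(r"(?<![\w.])\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?![\w.])")


def classify(ip: ipaddress.IPv4Address) -> str:
    """Coarse label for an address; only 'global' is worth chasing as a possible C2/download host."""
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:
        return "private"
    if ip.is_reserved or not ip.is_global:
        return "reserved"
    return "global"


def triage_ip_strings(strings):
    """
    Reproduce the report's hasIPs / Allowed / Suspicious split over a strings dump.
    Assumption (this example's, not necessarily the report tool's): globally
    routable literals are 'suspicious', every other kind is 'allowed'.
    """
    allowed, suspicious, seen = [], [], set()
    for s in strings:
        for text in _DOTTED_QUAD.findall(s):
            try:
                ip = ipaddress.IPv4Address(text)   # rejects octets > 255
            except ValueError:
                continue
            if text in seen:                       # report each literal once
                continue
            seen.add(text)
            kind = classify(ip)
            (suspicious if kind == "global" else allowed).append((text, kind))
    return {
        "hasIPs": bool(seen),
        "allowed": allowed,
        "suspicious": suspicious,
        "hasAllowed": bool(allowed),
        "hasSuspicious": bool(suspicious),
    }


# Constructed strings list: the first four entries are copied from the report's
# Strings section, the rest are made up to exercise the filter.
SAMPLE_STRINGS = [
    r"C:\Users\Win\Documents\Visual Studio 2012\Projects\Dropper\x64\Release\Dropper.pdb",
    "1.3.3.4",
    "xjelishu.izi",
    "MSVCR110.dll",
    "2020.9.10.1",                  # constructed: version-like, not an address
    "6.0",                          # constructed: two-part version
    "256.1.1.1",                    # constructed: octet out of range
    "http://10.0.0.5/stage2.bin",   # constructed: private-range host inside a URL
    "127.0.0.1",                    # constructed
    "224.0.0.252",                  # constructed: LLMNR multicast group
    "1.3.3.4",                      # constructed duplicate occurrence
]

if __name__ == "__main__":
    for key, value in triage_ip_strings(SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

Run against SAMPLE_STRINGS the only suspicious entry is 1.3.3.4 (global); the private, loopback and multicast literals land in Allowed, and the version-like and out-of-range strings are dropped before classification.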

URLs
hasURLs: False
Allowed: (none)
Suspicious: (none)
hasAllowed: False
hasSuspicious: False

Files
hasFiles: True
Allowed: kernel32.dll, mscoree.dll, ADVAPI32.dll, MSVCR110.dll, ole32.dll, SHLWAPI.dll, USER32.dll, SHELL32.dll, COMCTL32.dll, RPCRT4.dll, UxTheme.dll, WINMM.dll, GDI32.dll, OLEAUT32.dll
Suspicious: (none)
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA: 16, Suspicious: False
Code: 185856, Suspicious: False
Image Address: 5368709120 (0x140000000), Suspicious: False
Stack: 4096, Suspicious: False
Headers: 1024, Suspicious: False
Suspicious: False

Symbols
Number: 0, Suspicious: True
Pointer: 0, Suspicious: True
Directories
Number: 16, Suspicious: False

Checksum
Value: 0
Suspicious: True

Sections
hasSections: True
Allowed: .text, .rdata, .data, .pdata, .rsrc, .reloc
Suspicious: (none)
hasAllowed: True
hasSuspicious: False

Versions
OS: 6, Suspicious: False
Image: 6, Suspicious: True
Linker: 11.0, Suspicious: False
Subsystem: 6.0, Suspicious: False
Suspicious: False

EntryPoint
Address: 6772
Suspicious: False

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True
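The checksum anomaly above is worth reproducing rather than taking on trust: the Checksum section shows a header value of 0, and the MSVC linker only fills IMAGE_OPTIONAL_HEADER.CheckSum when it is run with /RELEASE, so a zero checksum is common in user-mode binaries and a weak signal by itself (a non-zero value that does not match is the stronger anomaly). The block below is an added example, not code from the report tool. It implements the same algorithm as imagehlp's CheckSumMappedFile (a one's-complement sum of 16-bit words, skipping the CheckSum field, plus the file length), compares it with the header value the way the Anomalies check does, and shows the field being patched. The input is a constructed, header-only PE32+ image whose field values loosely follow this sample's headers (x64, linker 11.0, image base 0x140000000, CUI subsystem); it is not the sample itself.

```python
import struct

OPT_HDR_CHECKSUM_OFF = 0x40   # CheckSum sits at offset 64 of the optional header (PE32 and PE32+)


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # PE signature (4) + IMAGE_FILE_HEADER (20) + offset inside the optional header
    return e_lfanew + 4 + 20 + OPT_HDR_CHECKSUM_OFF


def pe_checksum(data: bytes) -> int:
    """
    Same algorithm as imagehlp!CheckSumMappedFile: one's-complement sum of all
    16-bit words with the CheckSum field itself left out, folded to 16 bits,
    plus the file length.
    """
    skip = checksum_field_offset(data)
    padded = data + b"\x00" * (len(data) % 2)     # odd-length files are zero-padded
    total = 0
    for off in range(0, len(padded), 2):
        if off in (skip, skip + 2):                # the two words of the CheckSum field
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def verify_checksum(data: bytes):
    """Return (header value, computed value, match) like the report's Anomalies check."""
    header = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    computed = pe_checksum(data)
    return header, computed, header == computed


def patch_checksum(data: bytes) -> bytes:
    """Write the correct checksum into the header (what link.exe /RELEASE does)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), pe_checksum(data))
    return bytes(buf)


def build_minimal_pe64(checksum: int = 0) -> bytes:
    """Constructed header-only PE32+ image for the demo; values loosely follow this sample's headers."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)  # x64, no sections, no symbols
    opt = bytearray(240)
    struct.pack_into("<HBB", opt, 0, 0x20B, 11, 0)                  # PE32+, linker 11.0
    struct.pack_into("<Q", opt, 24, 0x140000000)                    # ImageBase (5368709120)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                 # section / file alignment
    struct.pack_into("<HH", opt, 40, 6, 0)                          # OS version 6.0
    struct.pack_into("<HH", opt, 48, 6, 0)                          # subsystem version 6.0
    struct.pack_into("<II", opt, 56, 0x1000, 0x200)                 # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                       # CheckSum
    struct.pack_into("<HH", opt, 68, 3, 0x8160)                     # Windows CUI subsystem, DllCharacteristics
    struct.pack_into("<Q", opt, 72, 0x100000)                       # SizeOfStackReserve
    struct.pack_into("<I", opt, 108, 16)                            # NumberOfRvaAndSizes
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_minimal_pe64(checksum=0)                          # zero checksum, as in this report
    print("unpatched:", verify_checksum(sample))                    # (0, 4163, False)
    print("patched:  ", verify_checksum(patch_checksum(sample)))    # (4163, 4163, True)
```

Because the CheckSum field is excluded from the sum, the computed value is the same whatever the header currently holds, which is what makes the header-versus-computed comparison meaningful; running this over the real file with the same functions gives the mismatch the report lists.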

Libraries
hasLibs: True
Allowed: kernel32.dll, mscoree.dll, advapi32.dll, ole32.dll, shlwapi.dll, user32.dll, shell32.dll, comctl32.dll, rpcrt4.dll, uxtheme.dll, winmm.dll, gdi32.dll, oleaut32.dll
Suspicious: msvcr110.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Value: 2020-09-03 17:08:06
Valid: True
Past: False
Future: False

Compilation
Packed: False
Missing: False
Packers: (none)
Compiled: True
Compilers: Microsoft Visual C++ 8.0 (DLL)
Note: the compiler signature match says Visual C++ 8.0, but the linker version 11.0, the MSVCR110.dll import and the "Visual Studio 2012" PDB path in the strings all point to Visual C++ 11.0 (Visual Studio 2012). Treat the signature match as approximate; the linker version and runtime import are the better evidence.

Obfuscation
XOR: True
Fuzzing: False

PEDetector
Matches: 12448
Suspicious: True

Disassembly
hasTricks: False
Tricks: (none)

AVclass
Family: rack (1)
VirusTotal
md5: 4c5fe5afa0ae9ceabb92a69901a07d03
sha1: 304cd2963cff6d7b7ed9a58ca3a0cf1882b80a81
SCANS (DETECTION RATE = 60.00%, 42 of 70 engines)

Engine | Detected | Result | Update | Version
AVG | yes | Win32:DropperX-gen [Drp] | 20200910 | 18.4.3895.0
CMC | no | - | 20200909 | 2.7.2019.1
MAX | yes | malware (ai score=88) | 20200910 | 2019.9.16.1
APEX | no | - | 20200910 | 6.69
Bkav | no | - | 20200909 | 1.3.0.9899
K7GW | yes | Trojan ( 0056684e1 ) | 20200910 | 11.135.35218
ALYac | yes | Gen:Variant.Ulise.121579 | 20200910 | 1.1.1.5
Avast | yes | Win32:DropperX-gen [Drp] | 20200910 | 18.4.3895.0
Avira | yes | TR/Crypt.ZPACK.etnjk | 20200909 | 8.3.3.8
Baidu | no | - | 20190318 | 1.0.0.2
Cynet | no | - | 20200905 | 4.0.0.24
Cyren | no | - | 20200910 | 6.3.0.2
DrWeb | yes | Trojan.Encoder.31792 | 20200910 | 7.0.49.9080
GData | yes | Gen:Variant.Johnnie.273676 | 20200910 | A:25.26951B:27.20114
Panda | yes | Trj/CI.A | 20200909 | 4.6.4.2
VBA32 | yes | Trojan.Encoder | 20200909 | 4.4.1
VIPRE | yes | Trojan.Win32.Generic!BT | 20200910 | 86570
Zoner | no | - | 20200909 | 0.0.0.0
ClamAV | no | - | 20200909 | 0.102.4.0
Comodo | yes | .UnclassifiedMalware@0 | 20200728 | 32668
Ikarus | yes | Trojan.Win32.Crypt | 20200909 | 0.1.5.2
McAfee | yes | Artemis!4C5FE5AFA0AE | 20200910 | 6.0.6.653
Rising | yes | Trojan.Kryptik!1.C673 (CLASSIC) | 20200909 | 25.0.0.26
Sophos | yes | Mal/Generic-S | 20200910 | 4.98.0
Yandex | no | - | 20200907 | 5.5.2.24
Zillya | no | - | 20200909 | 2.0.0.4173
Acronis | no | - | 20200806 | 1.1.1.77
Alibaba | yes | Trojan:Win32/Kryptik.8818f9a3 | 20190527 | 0.3.0.5
Arcabit | yes | Trojan.Johnnie.D42D0C | 20200910 | 1.0.0.881
Cylance | yes | Unsafe | 20200910 | 2.3.1.101
Elastic | no | - | 20200831 | 4.0.8
FireEye | yes | Trojan.GenericKD.33820058 | 20200909 | 32.36.1.0
Sangfor | no | - | 20200814 | 1.0
TACHYON | no | - | 20200910 | 2020-09-10.01
Tencent | yes | Win32.Trojan.Rack.Pegl | 20200910 | 1.0.0.1
ViRobot | no | - | 20200909 | 2014.3.20.0
Webroot | no | - | 20200910 | 1.0.0.403
eGambit | no | - | 20200910 | -
Ad-Aware | yes | Gen:Variant.Johnnie.273676 | 20200910 | 3.0.16.117
AegisLab | yes | Trojan.Win32.Generic.4!c | 20200910 | 4.2
Emsisoft | yes | Gen:Variant.Johnnie.273676 (B) | 20200910 | 2018.12.0.1641
F-Secure | yes | Trojan.TR/Crypt.ZPACK.etnjk | 20200910 | 12.0.86.52
Fortinet | yes | W32/Generic.HDGO!tr | 20200910 | 6.2.142.0
Invincea | yes | Mal/Generic-S | 20200910 | 1.0.1.0
Jiangmin | yes | Trojan.MSIL.qkml | 20200909 | 16.0.100
Kingsoft | no | - | 20200910 | 2013.8.14.323
Paloalto | no | - | 20200910 | 1.0
Symantec | yes | Trojan.Gen.MBT | 20200909 | 1.12.0.0
AhnLab-V3 | no | - | 20200909 | 3.18.1.10026
Antiy-AVL | yes | Trojan[Ransom]/Win32.Rack | 20200910 | 3.0.0.1
Kaspersky | yes | HEUR:Trojan.Win32.Generic | 20200910 | 15.0.1.13
MaxSecure | no | - | 20200910 | 1.0.0.1
Microsoft | yes | Trojan:Win32/Ymacco.AA3B | 20200910 | 1.1.17400.5
Qihoo-360 | yes | Win32/Trojan.Dropper.028 | 20200910 | 1.0.0.1120
ZoneAlarm | yes | HEUR:Trojan.Win32.Generic | 20200910 | 1.0
Cybereason | no | - | 20190616 | 1.2.449
ESET-NOD32 | yes | a variant of Win64/Kryptik.CAA | 20200910 | 21964
TrendMicro | yes | Ransom_Rack.R011C0GI520 | 20200910 | 11.0.0.1006
BitDefender | yes | Gen:Variant.Johnnie.273676 | 20200910 | 7.2
CrowdStrike | yes | win/malicious_confidence_60% (W) | 20190702 | 1.0
K7AntiVirus | yes | Trojan ( 0056684e1 ) | 20200909 | 11.135.35216
SentinelOne | no | - | 20200724 | 4.4.0.0
Malwarebytes | yes | Trojan.MalPack | 20200910 | 3.6.4.335
TotalDefense | no | - | 20200909 | 37.1.62.1
CAT-QuickHeal | no | - | 20200910 | 14.00
NANO-Antivirus | no | - | 20200910 | 1.0.134.25140
BitDefenderTheta | yes | Gen:NN.ZexaF.34216.kq0@aeV20bpG | 20200902 | 7.2.37796.0
MicroWorld-eScan | yes | Gen:Variant.Johnnie.273676 | 20200910 | 14.0.409.0
SUPERAntiSpyware | no | - | 20200904 | 5.6.0.1032
TrendMicro-HouseCall | no | - | 20200910 | 10.0.0.1040

total: 70
positives: 42
sha256: 3b2f1a0eaaa3e49dfad6153c9ed07c792a568c17b6582e4036ae86c2f1948204
scan_id: 3b2f1a0eaaa3e49dfad6153c9ed07c792a568c17b6582e4036ae86c2f1948204-1599710740
resource: 4c5fe5afa0ae9ceabb92a69901a07d03
scan_date: 2020-09-10 04:05:40
verbose_msg: Scan finished, information embedded
response_code: 1
File
Trace: (none recorded)

Process
Trace: (none recorded)

Analysis
Reason: Blue Screen
Status: Machine Crashed
Results: 0
Note: the analysis machine crashed with a Blue Screen, so the run produced no file, process, registry or behavioural results. The empty summaries below describe a failed run, not a sample that does nothing; the sample needs a second run before any behavioural conclusion is drawn.

Registry
Trace: (none recorded)

File Summary
Created identified: False
Deleted identified: False

Process Summary
Created identified: False
Deleted identified: False

Registry Summary
Proxy identified: False
AutoRun identified: False
Created identified: False
Deleted identified: False
Browsers identified: False
Internet identified: False

DNS
Query
localhost -> gateway:54170  time.windows.com.
localhost -> gateway:DNS    ctldl.windowsupdate.com.
localhost -> gateway:DNS    time.windows.com.
localhost -> gateway:DNS    www.msftncsi.com.
localhost -> gateway:DNS    teredo.ipv6.microsoft.com.
localhost -> gateway:57592  ipv6.msftncsi.com.
localhost -> gateway:55890  ctldl.windowsupdate.com.
localhost -> gateway:59631  teredo.ipv6.microsoft.com.
localhost -> gateway:65124  www.msftncsi.com.
localhost -> gateway:DNS    ipv6.msftncsi.com.
localhost -> gateway:51986  teredo.ipv6.microsoft.com.

Response
gateway:DNS -> localhost  time.windows.com. => 40.119.6.228
gateway:DNS -> localhost  ipv6.msftncsi.com. => a978.i6g1.akamai.net.
gateway:DNS -> localhost  ctldl.windowsupdate.com. => 200.143.247.10
gateway:DNS -> localhost  www.msftncsi.com. => 200.143.247.9

TCP
Info
localhost:49159 -> 200.143.247.8:80
200.143.247.8:80 -> localhost:49159
200.143.247.8:80 -> localhost:49157
localhost:49157 -> 200.143.247.8:80

UDP
Info
40.119.6.228:123 -> localhost:123
localhost:64618 -> 224.0.0.252:5355
localhost:53 -> localhost:59631
localhost:58687 -> 224.0.0.252:5355
localhost:61636 -> 224.0.0.252:5355
localhost:64165 -> 224.0.0.252:5355
localhost:55106 -> 224.0.0.252:5355
localhost:58340 -> 224.0.0.252:5355
localhost:51336 -> 224.0.0.252:5355
localhost:57828 -> 239.255.255.250:3702
localhost:53 -> localhost:55890
localhost:53 -> localhost:65124
localhost:62669 -> 224.0.0.252:5355
localhost:53 -> localhost:57592
localhost:54170 -> localhost:53
localhost:123 -> 40.119.6.228:123
localhost:67 -> localhost:68
localhost:58399 -> 224.0.0.252:5355
localhost:51986 -> localhost:53
localhost:55890 -> localhost:53
localhost:53 -> localhost:54170
localhost:59631 -> localhost:53
localhost:65124 -> localhost:53
localhost:57592 -> localhost:53
localhost:53 -> localhost:51986
localhost:68 -> 255.255.255.255:67
(224.0.0.252:5355 is the LLMNR multicast group, 239.255.255.250:3702 is WS-Discovery, 255.255.255.255:67 is the DHCP broadcast; these destinations have no resolved host.)

HTTP
Info
localhost: GET ctldl.windowsupdate.com /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?02b9760648b4c051
localhost: GET www.msftncsi.com /ncsi.txt

Note: everything captured here (NTP to time.windows.com, the disallowed-certificate CTL download from ctldl.windowsupdate.com, the NCSI connectivity probe to www.msftncsi.com, Teredo name resolution, LLMNR and WS-Discovery multicast, DHCP) is standard Windows background activity that a freshly booted VM generates on its own. Given that the sample crashed the machine and left no file, process or registry trace, none of this traffic can be attributed to it.

Summary
DNS: True
TCP: True
UDP: True
HTTP: True

Results
BINARY
NFS 2.0 (Threshold = 0.8)
confidence: 77.50%
suspicious: False

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 99.34%
suspicious: True

Random Forest (100 estimators, NFS-BRMalware)
confidence: 63.00%
suspicious: False

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 47.98%
suspicious: True

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 89.83%
suspicious: False
