Report #12248
- Creation Date: Nov. 6, 2020, 8:12 p.m.
- Last Update: Nov. 6, 2020, 8:17 p.m.
- File: notepad.bin
- Results:
Binary
DLL: False
Size: 2.44MB
trid: 61.7% Win64 Executable, 14.7% Win32 Dynamic Link Library, 10.0% Win32 Executable, 4.5% OS/2 Executable, 4.4% Generic Win/DOS Executable
type: PE
wordsize: 32
Subsystem: Windows GUI
Community
Google: False
HashLib: False
YARA
Matches: maldoc_getEIP_method_1, domain, IP, HasDebugData, HasRichSignature, VC8_Microsoft_Corporation, win_files_operation, IsPE32, RSharedStrings, screenshot, keylogger, win_mutex, win_hook, maldoc_find_kernel32_base_method_1, IsWindowsGUI, antisb_threatExpert, anti_dbg, contentis_base64, url, Microsoft_Visual_Cpp_8, win_registry, Browsers, Misc_Suspicious_Strings, MD5_Constants, Big_Numbers3, spyeye_plugins
Suspicious: True
Foremost
Matches: 0.exe (2 MB), 3550.png (77 KB)
Suspicious: True
Heuristics
IPs
hasIPs: True
Allowed: 127.0.0.1, 1, localhost.
Suspicious:
hasAllowed: True
hasSuspicious: False
URLs
Allowed: http://schemas.microsoft.com/smi/2005/windowssettings
hasURLs: True
Suspicious: https://search.yahoo.com/search?q=$(current_word), http://www.msftncsi.com/ncsi.txt, http://, https://duckduckgo.com/?q=$(current_word), https://github.com/notepad-plus-plus/notepad-plus-plus/, https://notepad-plus-plus.org/downloads/, https://www.google.com/search?q=$(current_word), https://ivan-radic.github.io/udl-documentation/, https://stackoverflow.com/search?q=$(current_word), https://community.notepad-plus-plus.org/, https://, https://www.bing.com/search?q=$(current_word), https://gitter.im/notepad-plus-plus/notepad-plus-plus, https://npp-user-manual.org/, https://notepad-plus-plus.org/
hasAllowed: True
hasSuspicious: True
Files
Allowed: http://www.msftncsi.com/ncsi.txt, combase.dll, Auser32.dll, uxtheme.dll, IND)ind)mscoree.dll, ntdll.dll, SciLexer.dll, nppPluginList.dll, api-ms-win-core-synch-l1-2-0.dll, DBGHELP.DLL, advapi32.dll, okernel32.dll, SHLWAPI.dll, VERSION.dll, SHELL32.dll, COMCTL32.dll, ole32.dll, CRYPT32.dll, SensApi.dll, USER32.dll, GDI32.dll, KERNEL32.dll, WINMM.dll, COMDLG32.dll, WINTRUST.dll
hasFiles: True
Suspicious: slovenian.xml, serbianCyrillic.xml, nepali.xml, corsican.xml, georgian.xml, nativeLang.xml, portuguese.xml, danish.xml, punjabi.xml, uzbekCyrillic.xml, spanish.xml, spanish_ar.xml, langs.xml, bulgarian.xml, english.xml, bosnian.xml, friulian.xml, urdu.xml, finnish.xml, aranese.xml, userDefineLang.xml, vietnamese.xml, stylers.model.xml, piglatin.xml, mongolian.xml, luxembourgish.xml, italian.xml, turkish.xml, hebrew.xml, telugu.xml, samogitian.xml, aragonese.xml, nynorsk.xml, shortcuts.xml, greek.xml, polish.xml, hindi.xml, swedish.xml, kyrgyz.xml, latvian.xml, kurdish.xml, croatian.xml, functionList.xml, korean.xml, brazilian_portuguese.xml, esperanto.xml, sinhala.xml, estonian.xml, marathi.xml, dutch.xml, config.xml, belarusian.xml, german.xml, uyghur.xml, macedonian.xml, stylers.xml, french.xml, hungarian.xml, welsh.xml, czech.xml, slovak.xml, doLocalConf.xml, japanese.xml, arabic.xml, tatar.xml, tajikCyrillic.xml, serbian.xml, galician.xml, indonesian.xml, azerbaijani.xml, norwegian.xml, venetian.xml, ukrainian.xml, afrikaans.xml, dlangs.model.xml, kannada.xml, blacklist.xml, bengali.xml, kazakh.xml, malay.xml, catalan.xml, farsi.xml, breton.xml, lithuanian.xml, ligurian.xml, asNotepad.xml, \noEasterEggs.xml, russian.xml, tamil.xml, toolbarIcons.xml, romanian.xml, gujarati.xml, sardinian.xml, english_customizable.xml, extremaduran.xml, contextMenu.xml, chineseSimplified.xml, taiwaneseMandarin.xml, uzbek.xml, tagalog.xml, *.xml, albanian.xml, config.model.xml, occitan.xml, basque.xml, zulu.xml, session.xml, thai.xml, kabyle.xml, CmakeLists.txt, c:\windows\INF\config.dat, *.* !*.exe !*.obj !*.log
hasAllowed: True
hasSuspicious: True
Binary
Sizes
RVA: 16 (Suspicious: False)
CodeSize: 1337344 (Suspicious: False)
ImageAddress: 4194304 (Suspicious: False)
Stack: 4096 (Suspicious: False)
Headers: 1024 (Suspicious: False)
Suspicious: False
Symbols
Number: 0 (Suspicious: True)
Pointer: 0 (Suspicious: True)
Directories: Number: 16 (Suspicious: False)
Checksum
Value: 0 (Suspicious: True)
Sections
Allowed: .text, .rdata, .data, .rsrc, .reloc
Suspicious:
hasAllowed: True
hasSections: True
hasSuspicious: False
Versions
OSVersion: 6 (Suspicious: False)
ImageVersion: 6 (Suspicious: False)
LinkerVersion: 14.27 (Suspicious: False)
SubsystemVersion: 6.0 (Suspicious: False)
Suspicious: False
EntryPoint
Address: 944820 (Suspicious: False)
Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True
Libraries
Allowed: combase.dll, uxtheme.dll, ntdll.dll, api-ms-win-core-synch-l1-2-0.dll, dbghelp.dll, advapi32.dll, shlwapi.dll, version.dll, shell32.dll, comctl32.dll, ole32.dll, crypt32.dll, sensapi.dll, user32.dll, gdi32.dll, kernel32.dll, winmm.dll, comdlg32.dll, wintrust.dll
hasLibs: True
Suspicious: auser32.dll, ind)ind)mscoree.dll, scilexer.dll, npppluginlist.dll, okernel32.dll
hasAllowed: True
hasSuspicious: True
Timestamp
Past: False
Valid: True
Value: 2020-11-03 12:02:34
Future: False
Compilation
Packed: False
Missing: False
Packers:
Compiled: True
Compilers: Microsoft Visual C++ 8, VC8 -> Microsoft Corporation
Obfuscation
XOR: False
Fuzzing: True
PEDetector
Matches: None
Suspicious: False
Disassembly
hasTricks: True
Tricks
ldr: .text: 2
pushret: .rsrc: 82, .rdata: 56
nopsequence: .rsrc: 2
pushpopmath: .data: 4, .rsrc: 43, .text: 13, .rdata: 49, .reloc: 59
sizeofimage: .text: 2
garbagebytes: .rsrc: 22, .rdata: 17
hookdetection: .rsrc: 5, .rdata: 3, .reloc: 2
stealthimport: .text: 2
peb ntglobalflag: .text: 1
isdebuggerpresent: .text: 2
software breakpoint: .data: 1, .rsrc: 1, .text: 10, .rdata: 1, .reloc: 24
fakeconditionaljumps: .rsrc: 1
programcontrolflowchange: .rsrc: 22, .rdata: 17
cpuinstructionsresultscomparison: .data: 2, .rsrc: 51, .rdata: 10, .reloc: 7
AVclass
vatet: 1
VirusTotal
md5: 80cfb7904e934182d512daa4fe0abbfb
sha1: 9df15f471083698b818575c381e49c914dee69de
SCANS (DETECTION RATE = 47.89%)
AVG | result: Win32:TrojanX-gen [Trj] | update: 20201106 | version: 20.10.5736.0 | detected: True
CMC | update: 20201106 | version: 2.7.2019.1 | detected: False
MAX | result: malware (ai score=99) | update: 20201106 | version: 2019.9.16.1 | detected: True
APEX | result: Malicious | update: 20201104 | version: 6.94 | detected: True
Bkav | update: 20201106 | version: 1.3.0.9899 | detected: False
K7GW | result: Riskware ( 0040eff71 ) | update: 20201106 | version: 11.149.35663 | detected: True
ALYac | result: Gen:Variant.Zusy.317023 | update: 20201106 | version: 1.1.1.5 | detected: True
Avast | result: Win32:TrojanX-gen [Trj] | update: 20201106 | version: 20.10.5736.0 | detected: True
Avira | update: 20201106 | version: 8.3.3.8 | detected: False
Baidu | update: 20190318 | version: 1.0.0.2 | detected: False
Cynet | update: 20201106 | version: 4.0.0.24 | detected: False
Cyren | result: W32/Trojan.BBGJ-5118 | update: 20201106 | version: 6.3.0.2 | detected: True
DrWeb | update: 20201106 | version: 7.0.49.9080 | detected: False
GData | result: Gen:Variant.Zusy.317023 | update: 20201106 | version: A:25.27607B:27.20787 | detected: True
Panda | update: 20201106 | version: 4.6.4.2 | detected: False
VBA32 | update: 20201106 | version: 4.4.1 | detected: False
VIPRE | result: Trojan.Win32.Generic!BT | update: 20201106 | version: 88012 | detected: True
Zoner | update: 20201106 | version: 0.0.0.0 | detected: False
ClamAV | update: 20201106 | version: 0.102.3.0 | detected: False
Comodo | update: 20201106 | version: 32966 | detected: False
Ikarus | result: Trojan.Win32.Vatet | update: 20201106 | version: 0.1.5.2 | detected: True
McAfee | result: Artemis!80CFB7904E93 | update: 20201106 | version: 6.0.6.653 | detected: True
Rising | result: Backdoor.Vatet!8.11AD1 (TFE:5:AUe6Y3mTaAL) | update: 20201106 | version: 25.0.0.26 | detected: True
Sophos | result: Mal/Generic-S | update: 20201106 | version: 4.98.0 | detected: True
Yandex | update: 20201102 | version: 5.5.2.24 | detected: False
Zillya | update: 20201106 | version: 2.0.0.4216 | detected: False
Acronis | update: 20201023 | version: 1.1.1.80 | detected: False
Alibaba | result: Backdoor:Win32/Vatet.6ef2a9aa | update: 20190527 | version: 0.3.0.5 | detected: True
Arcabit | result: Trojan.Zusy.D4D65F | update: 20201106 | version: 1.0.0.881 | detected: True
Cylance | result: Unsafe | update: 20201106 | version: 2.3.1.101 | detected: True
Elastic | update: 20201030 | version: 4.0.12 | detected: False
FireEye | result: Gen:Variant.Zusy.317023 | update: 20201106 | version: 32.36.1.0 | detected: True
Sangfor | update: 20201104 | version: 1.0 | detected: False
TACHYON | update: 20201106 | version: 2020-11-06.02 | detected: False
Tencent | update: 20201106 | version: 1.0.0.1 | detected: False
ViRobot | update: 20201106 | version: 2014.3.20.0 | detected: False
Webroot | update: 20201106 | version: 1.0.0.403 | detected: False
eGambit | update: 20201106 | detected: False
Ad-Aware | result: Gen:Variant.Zusy.317023 | update: 20201106 | version: 3.0.16.117 | detected: True
AegisLab | result: Trojan.Win32.Zusy.4!c | update: 20201106 | version: 4.2 | detected: True
Emsisoft | result: Gen:Variant.Zusy.317023 (B) | update: 20201106 | version: 2018.12.0.1641 | detected: True
F-Secure | update: 20201106 | version: 12.0.86.52 | detected: False
Fortinet | result: W32/Agent.BBFB!tr | update: 20201106 | version: 6.2.142.0 | detected: True
Invincea | result: Mal/Generic-S | update: 20201106 | version: 1.0.1.0 | detected: True
Jiangmin | update: 20201106 | version: 16.0.100 | detected: False
Kingsoft | update: 20201106 | version: 2013.8.14.323 | detected: False
Paloalto | update: 20201106 | version: 1.0 | detected: False
Symantec | result: Trojan.Gen.2 | update: 20201106 | version: 1.13.0.0 | detected: True
AhnLab-V3 | update: 20201106 | version: 3.19.1.10100 | detected: False
Antiy-AVL | update: 20201106 | version: 3.0.0.1 | detected: False
Kaspersky | result: HEUR:Trojan.Win32.Agentb.gen | update: 20201106 | version: 15.0.1.13 | detected: True
MaxSecure | update: 20201106 | version: 1.0.0.1 | detected: False
Microsoft | result: Backdoor:Win32/Vatet.G!dha | update: 20201106 | version: 1.1.17600.5 | detected: True
Qihoo-360 | result: Win32/Trojan.a8a | update: 20201106 | version: 1.0.0.1120 | detected: True
ZoneAlarm | result: HEUR:Trojan.Win32.Agentb.gen | update: 20201106 | version: 1.0 | detected: True
ESET-NOD32 | update: 20201106 | version: 22277 | detected: False
Gridinsoft | update: 20201106 | version: 1.0.15.103 | detected: False
TrendMicro | result: Trojan.Win32.VATET.SM | update: 20201106 | version: 11.0.0.1006 | detected: True
BitDefender | result: Gen:Variant.Zusy.317023 | update: 20201106 | version: 7.2 | detected: True
CrowdStrike | result: win/malicious_confidence_100% (W) | update: 20190702 | version: 1.0 | detected: True
K7AntiVirus | result: Riskware ( 0040eff71 ) | update: 20201106 | version: 11.149.35663 | detected: True
SentinelOne | update: 20201105 | version: 4.7.0.18 | detected: False
Malwarebytes | update: 20201106 | version: 3.6.4.335 | detected: False
TotalDefense | update: 20201106 | version: 37.1.62.1 | detected: False
CAT-QuickHeal | update: 20201106 | version: 14.00 | detected: False
NANO-Antivirus | update: 20201106 | version: 1.0.146.25233 | detected: False
BitDefenderTheta | update: 20201023 | version: 7.2.37796.0 | detected: False
MicroWorld-eScan | result: Gen:Variant.Zusy.317023 | update: 20201106 | version: 14.0.409.0 | detected: True
SUPERAntiSpyware | update: 20201106 | version: 5.6.0.1032 | detected: False
McAfee-GW-Edition | result: Artemis!Trojan | update: 20201106 | version: v2019.1.2+3728 | detected: True
TrendMicro-HouseCall | result: Trojan.Win32.VATET.SM | update: 20201106 | version: 10.0.0.1040 | detected: True
total: 71
sha256: ea6c3b993d830319b08871945cf2726dd6d8e62e8fed8fc42bcb053c38c78748
scan_id: ea6c3b993d830319b08871945cf2726dd6d8e62e8fed8fc42bcb053c38c78748-1604700253
resource: 80cfb7904e934182d512daa4fe0abbfb
positives: 34
scan_date: 2020-11-06 22:04:13
verbose_msg: Scan finished, information embedded
response_code: 1
File
Trace
6/11/2020 - 19:45:43.262 | Open | 2088 | C:\malware.exe | C:\Windows\Fonts\StaticCache.dat | |
6/11/2020 - 19:45:43.262 | Read | 2088 | C:\malware.exe | C:\Windows\Fonts\StaticCache.dat | StaticCache.dat |
6/11/2020 - 19:45:43.356 | Open | 2088 | C:\malware.exe | C:\dwmapi.dll | |
6/11/2020 - 19:45:43.356 | Open | 2088 | C:\malware.exe | C:\Windows\SysWOW64\dwmapi.dll | |
6/11/2020 - 19:45:43.356 | Open | 2088 | C:\malware.exe | C:\Windows\SysWOW64\dwmapi.dll | |
6/11/2020 - 19:45:43.356 | Open | 2088 | C:\malware.exe | C:\Windows\SysWOW64\ole32.dll | |
6/11/2020 - 19:45:43.356 | Open | 2088 | C:\malware.exe | C:\Windows\SysWOW64\ole32.dll | |
6/11/2020 - 19:45:43.356 | Open | 2088 | C:\malware.exe | C:\Windows\SysWOW64\rpcss.dll | |
6/11/2020 - 19:45:43.356 | Open | 2088 | C:\malware.exe | C:\Windows\SysWOW64\rpcss.dll |
Process
Trace
Analysis
Reason: Timeout
Status: Successfully Executed
Results: 1
Registry
Trace
File Summary
Created (Identified: False)
Deleted (Identified: False)
Process Summary
Created (Identified: False)
Deleted (Identified: False)
Registry Summary
Proxy (Identified: False)
AutoRun (Identified: False)
Created (Identified: False)
Deleted (Identified: False)
Browsers (Identified: False)
Internet (Identified: False)
DNS
Query
Response
TCP
Info
UDP
Info
HTTP
Info
Summary
DNS: False
TCP: False
UDP: False
HTTP: False
Results
BINARY
NFS 2.0 (Threshold = 0.8) | confidence: 70.00% | suspicious: False
Decision Tree (NFS-BRMalware) | confidence: 100.00% | suspicious: True
MalConv (Ember: Raw Bytes, Threshold=0.5) | confidence: 90.37% | suspicious: True
Random Forest (100 estimators, NFS-BRMalware) | confidence: 77.00% | suspicious: False
Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35) | confidence: 93.45% | suspicious: False
LightGBM (Ember: File Characteristics, Threshold=0.8336) | confidence: 100.00% | suspicious: False