Report #12643 check_circle

Binary
DLL
True check_circle
Size
921.50KB
trid
34.7% Win 9x/ME Control Panel applet
22.3% DOS Borland compiled Executable
14.7% Win32 Dynamic Link Library
10.0% Win32 Executable
4.6% Win16/32 Executable Delphi generic
type
PE
wordsize
32
Subsystem
Windows GUI
Hashes
md5
6b261ca7629336185399116f53e8e214
sha1
db15a733862100e6ef63888fe1e01714a8feaf6d
crc32
0x2946d873
sha224
55cde6bcc228703d5ef53b43985e09220e088859e1f341cd3ec92b4b
sha256
4ca0f2d12ee298c8afb439bdfdec49171f3633996b5a6fa0829a61a0ddd5a475
sha384
65e0453b678de70dfd66445def0b794d1bc4178963125780029236702d798d0568ff64d30116a54e6baf4eca24b5488a
sha512
ce81878c47ec48f6ff54d3e9dd111ce506d0702b375c3d9e5e9ed27997585968ed1827218df24656af57492de8ab36a3d39ba3c231098b4ee776b8e9e0317346
ssdeep
24576:y5mV/QlxPr2uuXx2ABtNWmQk99ZQ1Eezb2A:yZm9ezb2A
Community
Google
False cancel
HashLib
False cancel
YARA
Matches
maldoc_getEIP_method_1, domain, Borland, IP, Borland_Delphi_30_, escalate_priv, Delphi_FormShow, network_dns, screenshot, network_tcp_listen, Antivirus, Microsoft_Visual_Cpp_v50v60_MFC, network_irc, win_token, IsPE32, win_hook, contentis_base64, network_tcp_socket, borland_delphi_dll, network_udp_sock, Borland_Delphi_v40_v50, keylogger, win_files_operation, Borland_Delphi_40_additional, Borland_Delphi_40, Delphi_Random, IsWindowsGUI, IsDLL, Delphi_Copy, Borland_Delphi_Setup_Module, Borland_Delphi_DLL, url, android_meterpreter, win_registry, Delphi_StrToInt, Borland_Delphi_30_additional, Borland_Delphi_v30, Big_Numbers1, Big_Numbers0

Suspicious
True check_circle

Strings
List
http://besinciyildiz.av.tr/images/resimler/Sertijsh876i.rar
http://www.ibase.ind.br/classes/index.php
http://ipxcess.com/images/unwabbked.rar
http://ipxcess.com/images/uncheckeds.rar
t.Ht
C:\builds\TpAddons\IndyNet\System\IdStack.pas
C:\builds\TpAddons\IndyNet\System\IdStack.pas
C:\Builds\TpAddons\IndyNet\System\IdGlobal.pas
C:\Builds\TpAddons\IndyNet\System\IdGlobal.pas
C:\Builds\TpAddons\IndyNet\System\IdGlobal.pas
C:\Builds\TpAddons\IndyNet\System\IdGlobal.pas
C:\Builds\TpAddons\IndyNet\System\IdGlobal.pas
C:\Builds\TpAddons\IndyNet\System\IdGlobal.pas
C:\Builds\TpAddons\IndyNet\System\IdGlobal.pas
C:\Builds\TpAddons\IndyNet\System\IdGlobal.pas
C:\Builds\TpAddons\IndyNet\System\IdStreamVCL.pas
C:\Builds\TpAddons\IndyNet\System\IdStreamVCL.pas
GlassFrame.Top
h.GI
C:\builds\TpAddons\IndyNet\Core\IdCommandHandlers.pas
avastUI.exe
AvastSvc.exe
\AvastSecureLine\SecureLine.exe
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
\AvastSecureLine\avBugReport.exe
127.0.0.1
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
C:\builds\TpAddons\IndyNet\Core\IdIOHandler.pas
C:\builds\TpAddons\IndyNet\Core\IdIOHandler.pas
c:\\windows\\system32\\msvbvm60.dll
C:\builds\TpAddons\IndyNet\Core\IdThread.pas
\bpresivsajery66.zlib
\bpresivsajery66.zlib
\bpresivsajery66.zlib
OnAdminInfoReceivedL
OnServerUsersListReceivedP
OnServerStatsReceived
OnServerListReceived
wsock32.dll
storport.sys
mswsock.dll
B.rsrc
SOFTWARE\Borland\Delphi\RTL
Delphi%.8X
Software\Borland\Locales
ISO_646.irv:1991
tape.sys
ndis.sys
Software\Borland\Delphi\Locales
winspool.drv
\SystemRoot
comctl32.dll
comctl32.dll
comctl32.dll
wtsapi32.dll
comctl32.dll
msacm32.dll
comctl32.dll
comctl32.dll
comctl32.dll
comctl32.dll
msvbvm60.dll
msimg32.dll
Wship6.dll
version.dll
version.dll
version.dll
wininet.dll
wininet.dll
uxtheme.dll
certcli.dll
clusapi.dll
nddeapi.dll
PONG %s %s
0.0.0.1
0.0.0.0
oleacc.dll
rsaenh.dll
ntdll.dll
oleacc.dll
winmm.dll
urlmon.dll
winmm.dll
vdmdbg.dll
authz.dll
hal.dll
PONG %s
shfolder.dll
Network is down.
framedyn.dll
Host is down.
mcisendcommandw
ntoskrnl.exe
\wcncsvcs.exe
mprapi.dll
mpr.dll
amReceiveServerNotices
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
Username
Username

Foremost
Matches
0.dll, 921 KB
Suspicious
True check_circle
Heuristics
IPs
hasIPs: True check_circle
Allowed: 127.0.0.1, 1, localhost.
Suspicious: 0.0.0.1, 0, Unknown
hasAllowed: True check_circle
hasSuspicious: True check_circle

URLs
Allowed
hasURLs: True check_circle
Suspicious: http://ipxcess.com/images/uncheckeds.rar, http://www.ibase.ind.br/classes/index.php, http://ipxcess.com/images/unwabbked.rar, http://besinciyildiz.av.tr/images/resimler/sertijsh876i.rar
hasAllowed: False cancel
hasSuspicious: True check_circle

Files
Allowed: http://www.ibase.ind.br/classes/index.php, authz.dll, vdmdbg.dll, shfolder.dll, MAPI32.DLL, api-ms-win-core-synch-l1-2-0.dll, hal.dll, api-ms-win-core-sysinfo-l1-2-1.dll, wininet.dll, mscoree.dll, api-ms-win-core-handle-l1-1-0.dll, c:\\windows\\system32\\msvbvm60.dll, uxtheme.dll, certcli.dll, oleaut32.dll, WS2_32.DLL, nddeapi.dll, api-ms-win-core-errorhandling-l1-1-1.dll, comctl32.dll, ole32.dll, advapi32.dll, oleacc.dll, clusapi.dll, USER32.DLL, framedyn.dll, api-ms-win-core-profile-l1-1-0.dll, gdi32.dll, msvbvm60.dll, urlmon.dll, Wship6.dll, DWMAPI.DLL, wsock32.dll, kernel32.dll, imm32.dll, rpcrt4.dll, winmm.dll, mprapi.dll, mswsock.dll, ntdll.dll, msacm32.dll, wtsapi32.dll, shell32.dll, imagehlp.dll, msimg32.dll, rsaenh.dll, api-ms-win-core-libraryloader-l1-2-0.dll, msvcrt.dll, version.dll, mpr.dll
hasFiles: True check_circle
Suspicious
hasAllowed: True check_circle
hasSuspicious: False cancel

Binary
Sizes
RVA
RVA: 16
Suspicious: False cancel
Code
Size: 119296
Suspicious: False cancel
Image
Address: 4194304
Suspicious: False cancel
Stack
Stack: 0
Suspicious: True check_circle
Headers
Headers: 1024
Suspicious: False cancel
Suspicious: True check_circle

Symbols
Number
Number: 0
Suspicious: True check_circle
Pointer
Pointer: 0
Suspicious: True check_circle
Directories
Number: 16
Suspicious: False cancel

Checksum
Value: 0
Suspicious: True check_circle

Sections
Allowed: .text, .itext, .data, .bss, .idata, .edata, .reloc, .rsrc, .l1
Suspicious
hasAllowed: True check_circle
hasSections: True check_circle
hasSuspicious: False cancel

Versions
OS
Version: 4
Suspicious: False cancel
Image
Version: 4
Suspicious: True check_circle
Linker
Version: 2.25
Suspicious: False cancel
Subsystem
Version: 4.0
Suspicious: False cancel
Suspicious: False cancel

EntryPoint
Address: 756656
Suspicious: False cancel

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True check_circle

Libraries
Allowed: authz.dll, vdmdbg.dll, shfolder.dll, mapi32.dll, api-ms-win-core-synch-l1-2-0.dll, hal.dll, wininet.dll, mscoree.dll, api-ms-win-core-handle-l1-1-0.dll, uxtheme.dll, certcli.dll, oleaut32.dll, ws2_32.dll, nddeapi.dll, api-ms-win-core-errorhandling-l1-1-1.dll, comctl32.dll, ole32.dll, advapi32.dll, oleacc.dll, clusapi.dll, user32.dll, framedyn.dll, api-ms-win-core-profile-l1-1-0.dll, gdi32.dll, msvbvm60.dll, urlmon.dll, wship6.dll, dwmapi.dll, wsock32.dll, kernel32.dll, imm32.dll, rpcrt4.dll, winmm.dll, mprapi.dll, mswsock.dll, ntdll.dll, msacm32.dll, wtsapi32.dll, shell32.dll, imagehlp.dll, msimg32.dll, rsaenh.dll, msvcrt.dll, version.dll, mpr.dll
hasLibs: True check_circle
Suspicious: api-ms-win-core-sysinfo-l1-2-1.dll, c:\\windows\\system32\\msvbvm60.dll, api-ms-win-core-libraryloader-l1-2-0.dll
hasAllowed: True check_circle
hasSuspicious: True check_circle

Timestamp
Past: False cancel
Valid: True check_circle
Value: 2014-09-23 10:10:04
Future: False cancel

Compilation
Packed: False cancel
Missing: False cancel
Packers
Compiled: True check_circle
Compilers: Borland Delphi 3.0 (???), Borland Delphi 4.0, Borland Delphi v3.0

Obfuscation
XOR: False cancel
Fuzzing: False cancel

PEDetector
Matches
None
Suspicious
False cancel
Disassembly
hasTricks
True check_circle
Tricks
pushret
.rsrc: 2
.text: 62
.itext: 6
.reloc: 1

nopsequence
.data: 1
.text: 12

pushpopmath
.rsrc: 1
.text: 16
.idata: 9
.reloc: 43

garbagebytes
.rsrc: 2
.text: 59
.itext: 6

hookdetection
.text: 2
.reloc: 1

software breakpoint
.text: 4
.reloc: 14

programcontrolflowchange
.rsrc: 2
.text: 59
.itext: 6

cpuinstructionsresultscomparison
.rsrc: 3
.text: 14

AVclass
chepro
1
VirusTotal
md5
6b261ca7629336185399116f53e8e214
sha1
db15a733862100e6ef63888fe1e01714a8feaf6d
SCANS (DETECTION RATE = 54.41%)
AVG
result: Win32:Malware-gen
update: 20210511
version: 21.1.5827.0
detected: True check_circle

CMC
update: 20210506
version: 2.10.2019.1
detected: False cancel

MAX
result: malware (ai score=81)
update: 20210512
version: 2019.9.16.1
detected: True check_circle

APEX
result: Malicious
update: 20210510
version: 6.162
detected: True check_circle

Bkav
result: W32.AIDetect.malware2
update: 20210511
version: 1.3.0.9899
detected: True check_circle

K7GW
result: Trojan ( 7000000f1 )
update: 20210511
version: 11.181.37150
detected: True check_circle

ALYac
result: Gen:Variant.Symmi.39738
update: 20210511
version: 1.1.3.1
detected: True check_circle

Avast
result: Win32:Malware-gen
update: 20210511
version: 21.1.5827.0
detected: True check_circle

Avira
update: 20210512
version: 8.3.3.12
detected: False cancel

Baidu
update: 20190318
version: 1.0.0.2
detected: False cancel

Cynet
result: Malicious (score: 100)
update: 20210511
version: 4.0.0.27
detected: True check_circle

Cyren
update: 20210511
version: 6.3.0.2
detected: False cancel

DrWeb
update: 20210511
version: 7.0.49.9080
detected: False cancel

GData
result: Gen:Variant.Symmi.39738
update: 20210511
version: A:25.29616B:27.22972
detected: True check_circle

Panda
update: 20210511
version: 4.6.4.2
detected: False cancel

VBA32
update: 20210507
version: 5.0.0
detected: False cancel

VIPRE
update: 20210511
version: 92484
detected: False cancel

Zoner
update: 20210511
version: 0.0.0.0
detected: False cancel

ClamAV
update: 20210511
version: 0.103.2.0
detected: False cancel

Comodo
update: 20210511
version: 33520
detected: False cancel

Ikarus
result: Trojan.Win32.BHO
update: 20210511
version: 0.1.5.2
detected: True check_circle

McAfee
result: GenericR-DZI!6B261CA76293
update: 20210504
version: 6.0.6.653
detected: True check_circle

Rising
result: Malware.Heuristic!ET#85% (RDMK:cmRtazpwaSbjCqbIONPXOATUQWJY)
update: 20210511
version: 25.0.0.26
detected: True check_circle

Sophos
update: 20210511
version: 1.0.2.0
detected: False cancel

Yandex
update: 20210510
version: 5.5.2.24
detected: False cancel

Zillya
result: Trojan.ChePro.Win32.6060
update: 20210511
version: 2.0.0.4360
detected: True check_circle

Acronis
update: 20210211
version: 1.1.1.81
detected: False cancel

Alibaba
update: 20190527
version: 0.3.0.5
detected: False cancel

Arcabit
update: 20210511
version: 1.0.0.886
detected: False cancel

Cylance
result: Unsafe
update: 20210512
version: 2.3.1.101
detected: True check_circle

Elastic
result: malicious (high confidence)
update: 20210420
version: 4.0.21
detected: True check_circle

FireEye
result: Generic.mg.6b261ca762933618
update: 20210511
version: 32.44.1.0
detected: True check_circle

Sangfor
result: Trojan.Win32.Save.a
update: 20210416
version: 2.9.0.0
detected: True check_circle

TACHYON
update: 20210512
version: 2021-05-12.01
detected: False cancel

Tencent
update: 20210512
version: 1.0.0.1
detected: False cancel

ViRobot
update: 20210511
version: 2014.3.20.0
detected: False cancel

Webroot
update: 20210512
version: 1.0.0.403
detected: False cancel

Ad-Aware
result: Gen:Variant.Symmi.39738
update: 20210512
version: 3.0.21.179
detected: True check_circle

AegisLab
update: 20210512
version: 4.2
detected: False cancel

Emsisoft
result: Gen:Variant.Symmi.39738 (B)
update: 20210511
version: 2018.12.0.1641
detected: True check_circle

F-Secure
update: 20210331
version: 12.0.86.52
detected: False cancel

Fortinet
result: W32/CoinMiner.3E08!tr
update: 20210511
version: 6.2.142.0
detected: True check_circle

Jiangmin
result: Trojan/Banker.ChePro.bfl
update: 20210511
version: 16.0.100
detected: True check_circle

Kingsoft
update: 20210512
version: 2017.9.26.565
detected: False cancel

Paloalto
update: 20210512
version: 1.0
detected: False cancel

Symantec
update: 20210511
version: 1.14.0.0
detected: False cancel

AhnLab-V3
result: Trojan/Win32.Banload.R120818
update: 20210512
version: 3.20.0.10177
detected: True check_circle

Antiy-AVL
result: Trojan/Generic.ASMalwS.F9D2CD
update: 20210511
version: 3.0.0.1
detected: True check_circle

Kaspersky
result: Trojan-Banker.Win32.ChePro.qej
update: 20210512
version: 21.0.1.45
detected: True check_circle

MaxSecure
update: 20210511
version: 1.0.0.1
detected: False cancel

Microsoft
result: TrojanSpy:Win32/Banker
update: 20210511
version: 1.1.18100.6
detected: True check_circle

Qihoo-360
update: 20210512
version: 1.0.0.1120
detected: False cancel

ZoneAlarm
update: 20210512
version: 1.0
detected: False cancel

ESET-NOD32
result: Win32/TrojanDownloader.Banload.WCF
update: 20210511
version: 23280
detected: True check_circle

Gridinsoft
update: 20210511
version: 1.0.39.131
detected: False cancel

TrendMicro
result: Mal_Banload1
update: 20210511
version: 11.0.0.1006
detected: True check_circle

BitDefender
result: Gen:Variant.Symmi.39738
update: 20210511
version: 7.2
detected: True check_circle

CrowdStrike
result: win/malicious_confidence_60% (D)
update: 20210203
version: 1.0
detected: True check_circle

K7AntiVirus
result: Trojan ( 7000000f1 )
update: 20210511
version: 11.181.37149
detected: True check_circle

SentinelOne
result: Static AI - Suspicious PE
update: 20210215
version: 5.0.0.20
detected: True check_circle

Malwarebytes
result: Trojan.Nymaim.Generic
update: 20210511
version: 4.2.2.27
detected: True check_circle

CAT-QuickHeal
update: 20210511
version: 14.00
detected: False cancel

NANO-Antivirus
result: Trojan.Win32.ChePro.dgiqqi
update: 20210511
version: 1.0.146.25279
detected: True check_circle

BitDefenderTheta
result: Gen:NN.ZevbaF.34688.5K4@aSBn2Gji
update: 20210504
version: 7.2.37796.0
detected: True check_circle

MicroWorld-eScan
result: Gen:Variant.Symmi.39738
update: 20210511
version: 14.0.409.0
detected: True check_circle

SUPERAntiSpyware
update: 20210507
version: 5.6.0.1032
detected: False cancel

McAfee-GW-Edition
result: BehavesLike.Win32.Infected.dh
update: 20210511
version: v2019.1.2+3728
detected: True check_circle

TrendMicro-HouseCall
result: Mal_Banload1
update: 20210511
version: 10.0.0.1040
detected: True check_circle

total
68
sha256
4ca0f2d12ee298c8afb439bdfdec49171f3633996b5a6fa0829a61a0ddd5a475
scan_id
4ca0f2d12ee298c8afb439bdfdec49171f3633996b5a6fa0829a61a0ddd5a475-1620785274
resource
6b261ca7629336185399116f53e8e214
positives
37
scan_date
2021-05-12 02:07:54
verbose_msg
Scan finished, information embedded
response_code
1
File
Trace
11/5/2021 - 22:45:43.715 | Unknown | 652 | C:\Windows\SysWOW64\rundll32.exe | C:\Windows
11/5/2021 - 22:45:43.715 | Unknown | 652 | C:\Windows\SysWOW64\rundll32.exe | C:\Monitor
11/5/2021 - 22:45:43.715 | Unknown | 652 | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc
11/5/2021 - 22:45:43.856 | Unknown | 2088 | C:\Windows\System32\rundll32.exe | C:\Monitor

Process
Trace
11/5/2021 - 22:45:43.715 | Terminate | 2088 | C:\Windows\System32\rundll32.exe | 652 | C:\Windows\SysWOW64\rundll32.exe

Analysis
Reason
Finished

Status
Successfully Executed

Results
1

Registry
Trace

File Summary
Created
Identified: False cancel

Deleted
Identified: False cancel

Process Summary
Created
Identified: False cancel

Deleted
Identified: True check_circle

Registry Summary
Proxy
Identified: False cancel

AutoRun
Identified: False cancel

Created
Identified: False cancel

Deleted
Identified: False cancel

Browsers
Identified: False cancel

Internet
Identified: False cancel


DNS
Query

Response

TCP
Info

UDP
Info

HTTP
Info

Summary
DNS
False cancel

TCP
False cancel

UDP
False cancel

HTTP
False cancel

Results
BINARY
NFS 2.0 (Threshold = 0.8)
confidence: 80.00%
suspicious: False cancel

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True check_circle

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 91.91%
suspicious: True check_circle

Random Forest (100 estimators, NFS-BRMalware)
confidence: 57.00%
suspicious: True check_circle

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 62.95%
suspicious: True check_circle

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 80.99%
suspicious: False cancel
