Report #12645

Binary
DLL
True
Size
80.00KB
trid
60.5% Windows ActiveX control
16.2% Win32 Executable MS Visual C++
14.3% Win64 Executable
3.4% Win32 Dynamic Link Library
2.3% Win32 Executable
type
PE
wordsize
32
Subsystem
Windows GUI
Hashes
md5
b2091bcdeefcfce9e933160652b9cccb
sha1
6015537ff583005297b47cd2bb7108a23cc5e354
crc32
0x5c801d01
sha224
b79c043473b3cce07886f7f51d7b25260b91301a4170185083cc073a
sha256
b7370a1659372d440282515ac1b9d1608f02ec197bc45287d694c4f446b1a747
sha384
52b66b8a0f796452287a9485d7114237a16012567ed3a5fc470f7428f7c6119dd8768c310f5b1b928f8e729159dd940f
sha512
8df963811700aeb897f7f19d9621de1a088262c9fc744fe93b18359bf42c01277bfc02c6423e4f68bb5a24749ea7238d4618fa55da4fd0e6225428e6f918601e
ssdeep
768:8nFndU59qKl6sLiix0XJTr3kGzOGiVhAhYDkqzk3v2ntkB1:8FndU59VLi00hsGYhAhYoqzk+tA
Community
Google
False
HashLib
False
YARA
Matches
maldoc_getEIP_method_1, domain, network_tcp_socket, IsDLL, HasRichSignature, contentis_base64, android_meterpreter, Microsoft_Visual_Basic_v60_DLL, IsPE32, SEH__vba, IsWindowsGUI

Suspicious
True

Strings
List
c:\\windows\\system32\\msvbvm60.dll
wsock32.dll
storport.sys
mswsock.dll
tape.sys
ndis.sys
winspool.drv
msacm32.dll
msvbvm60.dll
msimg32.dll
wtsapi32.dll
comctl32.dll
version.dll
clusapi.dll
certcli.dll
nddeapi.dll
InstCheck.dll
InstCheck.dll
authz.dll
vdmdbg.dll
hal.dll
urlmon.dll
ntdll.dll
rsaenh.dll
shfolder.dll
framedyn.dll
mcisendcommandw
ntoskrnl.exe
mpr.dll
mprapi.dll
api-ms-win-core-sysinfo-l1-2-1.dll
getoverlappedresult
insertmenua
api-ms-win-core-libraryloader-l1-2-0.dll
api-ms-win-core-errorhandling-l1-1-1.dll
api-ms-win-core-profile-l1-1-0.dll
api-ms-win-core-synch-l1-2-0.dll
api-ms-win-core-handle-l1-1-0.dll
indycore100.bpl
mscoree.dll
_mbsnbicmp
imagelist_dragenter
imagelist_destroy
shell_notifyiconw
httpsendrequestexw
httpendrequestw
httpsendrequestw
getconsoleoutputcp
setclasslonga
getclasslongw
__vbaOnError
__vbaOnError
__vbaOnError
getcpinfo
getprocessheap
getcommandlinea
shellexecutea
findexecutablea
zwunloaddriver
_acmdln
isdebuggerpresent
setfilesecuritya
setfilesecurityw
outputdebugstringa
getshellwindow
setthreadexecutionstate
destroycursor
registerwindowmessagea
flushfilebuffers
HasChrome
heapdestroy
regflushkey
coinitializesecurity
internetattemptconnect
urldownloadtofilew
lookupprivilegevaluea
regconnectregistrya
destroymenu
getsecurityinfo
setsecurityinfo
hidecaret
destroyicon
registerdragdrop
OLESelfRegister
iowmiregistrationcontrol
mprconfigserverdisconnect
initializesecuritydescriptor
callnamedpipew
checktokenmembership
internetcrackurla
internetcrackurlw
registerclassa
registerclassexw
internetquerydataavailable
setvolumelabela
internetopenurla
auxgetvolume
registerclassexa
mcisetdriverdata
rtldeleteregistryvalue

Foremost
Matches
0.dll, 80 KB
Suspicious
True
Heuristics
IPs
hasIPs: False
Allowed
Suspicious
hasAllowed: False
hasSuspicious: False

URLs
Allowed
hasURLs: False
Suspicious
hasAllowed: False
hasSuspicious: False

Files
Allowed: InstCheck.dll, imagehlp.dll, wtsapi32.dll, api-ms-win-core-profile-l1-1-0.dll, ntdll.dll, api-ms-win-core-synch-l1-2-0.dll, hal.dll, nddeapi.dll, user32.dll, MSVBVM60.DLL, rsaenh.dll, authz.dll, api-ms-win-core-handle-l1-1-0.dll, framedyn.dll, clusapi.dll, msacm32.dll, mscoree.dll, vdmdbg.dll, msvcrt.dll, c:\\windows\\system32\\msvbvm60.dll, api-ms-win-core-errorhandling-l1-1-1.dll, certcli.dll, shfolder.dll, kernel32.dll, oleaut32.dll, mprapi.dll, mpr.dll, ole32.dll, api-ms-win-core-libraryloader-l1-2-0.dll, msimg32.dll, version.dll, gdi32.dll, api-ms-win-core-sysinfo-l1-2-1.dll, VBA6.DLL, mswsock.dll, rpcrt4.dll, urlmon.dll, comctl32.dll, shell32.dll, wsock32.dll
hasFiles: True
Suspicious
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA
RVA: 16
Suspicious: False
Code
Size: 12288
Suspicious: False
Image
Address: 285212672
Suspicious: False
Stack
Stack: 4096
Suspicious: False
Headers
Headers: 4096
Suspicious: False
Suspicious: False

Symbols
Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 42585
Suspicious: False

Sections
Allowed: .text, .data, .rsrc, .reloc, .l1
Suspicious
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS
Version: 4
Suspicious: False
Image
Version: 4
Suspicious: False
Linker
Version: 6.0
Suspicious: False
Subsystem
Version: 4.0
Suspicious: False
Suspicious: False

EntryPoint
Address: 4780
Suspicious: False

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True

Libraries
Allowed: imagehlp.dll, wtsapi32.dll, api-ms-win-core-profile-l1-1-0.dll, ntdll.dll, api-ms-win-core-synch-l1-2-0.dll, hal.dll, nddeapi.dll, user32.dll, msvbvm60.dll, rsaenh.dll, authz.dll, api-ms-win-core-handle-l1-1-0.dll, framedyn.dll, clusapi.dll, msacm32.dll, mscoree.dll, vdmdbg.dll, msvcrt.dll, api-ms-win-core-errorhandling-l1-1-1.dll, certcli.dll, shfolder.dll, kernel32.dll, oleaut32.dll, mprapi.dll, mpr.dll, ole32.dll, msimg32.dll, version.dll, gdi32.dll, mswsock.dll, rpcrt4.dll, urlmon.dll, comctl32.dll, shell32.dll, wsock32.dll
hasLibs: True
Suspicious: instcheck.dll, c:\\windows\\system32\\msvbvm60.dll, api-ms-win-core-libraryloader-l1-2-0.dll, api-ms-win-core-sysinfo-l1-2-1.dll, vba6.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Past: False
Valid: True
Value: 2014-09-17 16:34:06
Future: False

Compilation
Packed: False
Missing: False
Packers
Compiled: True
Compilers: Microsoft Visual Basic v6.0 DLL

Obfuscation
XOR: False
Fuzzing: False

PEDetector
Matches
None
Suspicious
False
Disassembly
hasTricks
False
Tricks
AVclass
None
1
VirusTotal
md5
b2091bcdeefcfce9e933160652b9cccb
sha1
6015537ff583005297b47cd2bb7108a23cc5e354
SCANS (DETECTION RATE = 11.76%)
Engine | Update | Version | Detected | Result
CMC | 20210506 | 2.10.2019.1 | False | -
MAX | 20210512 | 2019.9.16.1 | False | -
APEX | 20210510 | 6.162 | False | -
Bkav | 20210511 | 1.3.0.9899 | False | -
K7GW | 20210511 | 11.181.37150 | False | -
ALYac | 20210511 | 1.1.3.1 | False | -
Avast | 20210511 | 21.1.5827.0 | False | -
Avira | 20210512 | 8.3.3.12 | True | TR/VB.Downloader.Gen2
Baidu | 20190318 | 1.0.0.2 | False | -
Cynet | 20210511 | 4.0.0.27 | True | Malicious (score: 100)
Cyren | 20210511 | 6.3.0.2 | False | -
DrWeb | 20210511 | 7.0.49.9080 | False | -
GData | 20210511 | A:25.29616B:27.22972 | False | -
Panda | 20210511 | 4.6.4.2 | False | -
VBA32 | 20210507 | 5.0.0 | False | -
VIPRE | 20210511 | 92484 | False | -
Zoner | 20210511 | 0.0.0.0 | False | -
ClamAV | 20210511 | 0.103.2.0 | True | Win.Dropper.Bancos-7586364-0
Comodo | 20210511 | 33520 | False | -
Ikarus | 20210511 | 0.1.5.2 | False | -
McAfee | 20210504 | 6.0.6.653 | False | -
Rising | 20210511 | 25.0.0.26 | False | -
Sophos | 20210511 | 1.0.2.0 | False | -
Yandex | 20210510 | 5.5.2.24 | False | -
Zillya | 20210511 | 2.0.0.4360 | False | -
Acronis | 20210211 | 1.1.1.81 | False | -
Alibaba | 20190527 | 0.3.0.5 | False | -
Arcabit | 20210511 | 1.0.0.886 | False | -
Cylance | 20210512 | 2.3.1.101 | True | Unsafe
Elastic | 20210420 | 4.0.21 | True | malicious (high confidence)
FireEye | 20210511 | 32.44.1.0 | False | -
Sangfor | 20210416 | 2.9.0.0 | False | -
TACHYON | 20210512 | 2021-05-12.01 | False | -
Tencent | 20210512 | 1.0.0.1 | False | -
ViRobot | 20210511 | 2014.3.20.0 | False | -
Webroot | 20210512 | 1.0.0.403 | False | -
eGambit | 20210512 | - | False | -
Ad-Aware | 20210512 | 3.0.21.179 | False | -
AegisLab | 20210512 | 4.2 | False | -
Emsisoft | 20210511 | 2018.12.0.1641 | False | -
F-Secure | 20210331 | 12.0.86.52 | False | -
Fortinet | 20210511 | 6.2.142.0 | True | W32/CoinMiner.3E08!tr
Jiangmin | 20210511 | 16.0.100 | False | -
Kingsoft | 20210512 | 2017.9.26.565 | False | -
Paloalto | 20210512 | 1.0 | False | -
Symantec | 20210511 | 1.14.0.0 | False | -
AhnLab-V3 | 20210512 | 3.20.0.10177 | False | -
Antiy-AVL | 20210511 | 3.0.0.1 | False | -
Kaspersky | 20210512 | 21.0.1.45 | False | -
MaxSecure | 20210511 | 1.0.0.1 | False | -
Microsoft | 20210511 | 1.1.18100.6 | False | -
Qihoo-360 | 20210512 | 1.0.0.1120 | False | -
ZoneAlarm | 20210512 | 1.0 | False | -
ESET-NOD32 | 20210511 | 23280 | False | -
Gridinsoft | 20210511 | 1.0.39.131 | True | Malware.Win32.Pack.49786!se
TrendMicro | 20210511 | 11.0.0.1006 | False | -
BitDefender | 20210511 | 7.2 | False | -
CrowdStrike | 20210203 | 1.0 | False | -
K7AntiVirus | 20210511 | 11.181.37149 | False | -
SentinelOne | 20210215 | 5.0.0.20 | True | Static AI - Malicious PE
Malwarebytes | 20210511 | 4.2.2.27 | False | -
CAT-QuickHeal | 20210511 | 14.00 | False | -
NANO-Antivirus | 20210511 | 1.0.146.25279 | False | -
BitDefenderTheta | 20210504 | 7.2.37796.0 | False | -
MicroWorld-eScan | 20210511 | 14.0.409.0 | False | -
SUPERAntiSpyware | 20210507 | 5.6.0.1032 | False | -
McAfee-GW-Edition | 20210511 | v2019.1.2+3728 | False | -
TrendMicro-HouseCall | 20210511 | 10.0.0.1040 | False | -

total
68
sha256
b7370a1659372d440282515ac1b9d1608f02ec197bc45287d694c4f446b1a747
scan_id
b7370a1659372d440282515ac1b9d1608f02ec197bc45287d694c4f446b1a747-1620785585
resource
b2091bcdeefcfce9e933160652b9cccb
positives
8
scan_date
2021-05-12 02:13:05
verbose_msg
Scan finished, information embedded
response_code
1
File
Trace
Timestamp | Operation | PID | Process | Path
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rpcss.dll
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rpcss.dll
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Unknown | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\Globalization\Sorting\SortDefault.nls
11/5/2021 - 22:45:42.903 | Unknown | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe.manifest
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Unknown | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe.123.Manifest
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe.124.Manifest
11/5/2021 - 22:45:42.903 | Unknown | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe.2.Manifest
11/5/2021 - 22:45:42.903 | Unknown | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Unknown | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\AppPatch\sysmain.sdb
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\Monitor\Malware
11/5/2021 - 22:45:42.903 | Unknown | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\Monitor\Malware
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Unknown | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\
11/5/2021 - 22:45:42.903 | Unknown | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\Monitor
11/5/2021 - 22:45:42.903 | Unknown | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\Monitor
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\Monitor\Malware
11/5/2021 - 22:45:42.903 | Unknown | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\Monitor\Malware
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\Monitor\Malware
11/5/2021 - 22:45:42.903 | Unknown | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\Monitor\Malware
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Unknown | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Unknown | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Unknown | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Unknown | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Read | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Unknown | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\ui\SwDRM.dll
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Unknown | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Open | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Unknown | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.903 | Unknown | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\malware.exe
11/5/2021 - 22:45:42.918 | Unknown | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\Windows
11/5/2021 - 22:45:42.918 | Unknown | 2196 | C:\Windows\SysWOW64\rundll32.exe | C:\Monitor
11/5/2021 - 22:45:43.106 | Unknown | 2476 | C:\Windows\System32\rundll32.exe | C:\Monitor

Process
Trace
Timestamp | Operation | PID | Process | Target PID | Target Process
11/5/2021 - 22:45:42.918 | Terminate | 2476 | C:\Windows\System32\rundll32.exe | 2196 | C:\Windows\SysWOW64\rundll32.exe

Analysis
Reason
Finished

Status
Successfully Executed

Results
1

Registry
Trace

File Summary
Created
Identified: False

Deleted
Identified: False

Process Summary
Created
Identified: False

Deleted
Identified: True

Registry Summary
Proxy
Identified: False

AutoRun
Identified: False

Created
Identified: False

Deleted
Identified: False

Browsers
Identified: False

Internet
Identified: False

DNS
Query

Response

TCP
Info

UDP
Info

HTTP
Info

Summary
DNS
False

TCP
False

UDP
False

HTTP
False

Results
BINARY
NFS 2.0 (Threshold = 0.8)
confidence: 77.50%
suspicious: False

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: False

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 53.57%
suspicious: False

Random Forest (100 estimators, NFS-BRMalware)
confidence: 55.00%
suspicious: True

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 77.94%
suspicious: False

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 99.94%
suspicious: False
