Report #12850

  • Creation Date: Aug. 12, 2021, 12:05 p.m.
  • Last Update: Aug. 12, 2021, 12:16 p.m.
  • File: Dropper.exe
  • Results:

Binary
DLL: False
Size: 83.00KB
trid: 82.0% Win64 Executable, 6.0% OS/2 Executable, 5.9% Generic Win/DOS Executable, 5.9% DOS Executable Generic
type: PE
wordsize: 64
Subsystem: Windows CLI
Hashes
md5
4b7b76b58a946e30c71b89bf354eff90
sha1
78c5e506f88045cff0279f9e5c8462e9f61c9e15
crc32
0x563a9f92
sha224
3b927aaa9f0325c3fa9bc207192aa5b9e4db405000bd3181e3a76169
sha256
18359581eec8c4c26bb98a84bf09612463305868344d04f79856ba494efbd0a8
sha384
caed0c9c240611091ddf539f3a96f5e08a75a714a72ccc2be0049f2884302c9dd219977ea0541f72dd6f388999900821
sha512
6ec2fcd25414b4676f262f3d0eaaabe86121d02866991119c0c23cccd2fe77b372d929958e0d3a1bbca41ae82ca9e5ae41b5433dc3fb8ec0622b866ae132c40e
ssdeep
1536:P/TOINPy3ZcJurtUtHIQEozQAjU6/09g2aoy+ejX:P/THWthgDQAjUkYFT0
Community
Google: False
HashLib: False

YARA
Matches: domain, anti_dbg, HasDebugData, contentis_base64, IsPE64, IsConsole, Microsoft_Visual_Cpp_80_DLL, HasRichSignature
Suspicious: True

Imports
KERNEL32.dll: GetSystemTimeAsFileTime, GetTickCount64, GetCurrentThreadId, QueryPerformanceCounter, IsProcessorFeaturePresent, IsDebuggerPresent, EncodePointer, DecodePointer
MSVCR110.dll: __getmainargs, _lock, __crtSetUnhandledExceptionFilter, ?terminate@@YAXXZ, __crtCapturePreviousContext, __crtTerminateProcess, __crtUnhandledException, __crt_debugger_hook, _commode, _onexit, __dllonexit, _calloc_crt, ??3@YAXPEAX@Z, _XcptFilter, _amsg_exit, _fmode, __set_app_type, exit, _exit, _cexit, _configthreadlocale, __setusermatherr, _initterm_e, _initterm, __C_specific_handler, __initenv, _unlock

Strings
List
C:\Users\Win\Documents\Visual Studio 2012\Projects\Dropper\x64\Release\Dropper.pdb
MSVCR110.dll
Delete
NoRemove
<requestedPrivileges>
__crt_debugger_hook
IsProcessorFeaturePresent
SECURITY
Hardware
IsDebuggerPresent
Interface
QueryPerformanceCounter
TypeLib
__crtCapturePreviousContext
<requestedExecutionLevel level='asInvoker' uiAccess='false' />

Foremost
Matches: None
Suspicious: False

Heuristics
IPs
hasIPs: False
Allowed
Suspicious
hasAllowed: False
hasSuspicious: False

URLs
Allowed
hasURLs: False
Suspicious
hasAllowed: False
hasSuspicious: False

Files
Allowed: MSVCR110.dll, KERNEL32.dll
hasFiles: True
Suspicious
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA: 16 (Suspicious: False)
Code Size: 82944 (Suspicious: False)
Image Address: 5368709120 (Suspicious: False)
Stack: 4096 (Suspicious: False)
Headers: 1024 (Suspicious: False)
Suspicious: False

Symbols
Number: 0 (Suspicious: True)
Pointer: 0 (Suspicious: True)
Directories
Number: 16 (Suspicious: False)

Checksum
Value: 0
Suspicious: True

Sections
Allowed: .text, .rdata, .data, .pdata, .rsrc, .reloc
Suspicious
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS Version: 6 (Suspicious: False)
Image Version: 6 (Suspicious: True)
Linker Version: 11.0 (Suspicious: False)
Subsystem Version: 6.0 (Suspicious: False)
Suspicious: False

EntryPoint
Address: 4836
Suspicious: False

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True

Libraries
Allowed: kernel32.dll
hasLibs: True
Suspicious: msvcr110.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Past: False
Valid: True
Value: 2021-08-12 12:05:07
Future: False

Compilation
Packed: False
Missing: False
Packers
Compiled: True
Compilers: Microsoft Visual C++ 8.0 (DLL)

Obfuscation
XOR: False
Fuzzing: True

PEDetector
Matches: None
Suspicious: False
Disassembly
hasTricks: False
Tricks
AVclass
johnnie: 1
VirusTotal
md5
4b7b76b58a946e30c71b89bf354eff90
sha1
78c5e506f88045cff0279f9e5c8462e9f61c9e15
SCANS (DETECTION RATE = 13.43%)
CMC: not detected; version 2.10.2019.1, update 20210812
MAX: detected, result: malware (ai score=80); version 2019.9.16.1, update 20210812
APEX: not detected; version 6.196, update 20210810
Bkav: not detected; version 1.3.0.9899, update 20210812
K7GW: not detected; version 11.203.37971, update 20210812
ALYac: detected, result: Gen:Variant.Johnnie.273676; version 1.1.3.1, update 20210812
Avast: not detected; version 21.1.5827.0, update 20210812
Avira: not detected; version 8.3.3.12, update 20210812
Baidu: not detected; version 1.0.0.2, update 20190318
Cynet: not detected; version 4.0.0.27, update 20210812
Cyren: not detected; version 6.3.0.2, update 20210812
DrWeb: not detected; version 7.0.49.9080, update 20210812
GData: detected, result: Gen:Variant.Johnnie.273676; version A:25.30561B:27.24063, update 20210812
Panda: not detected; version 4.6.4.2, update 20210812
VBA32: not detected; version 5.0.0, update 20210812
VIPRE: not detected; version 94692, update 20210812
Zoner: not detected; version 0.0.0.0, update 20210811
ClamAV: not detected; version 0.103.3.0, update 20210812
Comodo: not detected; version 33796, update 20210812
Ikarus: not detected; version 0.1.5.2, update 20210812
Lionic: not detected; version 4.2, update 20210812
McAfee: not detected; version 6.0.6.653, update 20210812
Rising: not detected; version 25.0.0.26, update 20210812
Sophos: not detected; version 1.3.0.0, update 20210812
Yandex: not detected; version 5.5.2.24, update 20210811
Zillya: not detected; version 2.0.0.4428, update 20210812
Acronis: not detected; version 1.1.1.82, update 20210512
Alibaba: not detected; version 0.3.0.5, update 20190527
Arcabit: detected, result: Trojan.Johnnie.D42D0C; version 1.0.0.886, update 20210812
Cylance: not detected; version 2.3.1.101, update 20210812
FireEye: detected, result: Gen:Variant.Johnnie.273676; version 32.44.1.0, update 20210812
Sangfor: not detected; version 2.9.0.0, update 20210625
TACHYON: not detected; version 2021-08-12.02, update 20210812
Tencent: not detected; version 1.0.0.1, update 20210812
ViRobot: not detected; version 2014.3.20.0, update 20210812
Webroot: not detected; version 1.0.0.403, update 20210812
eGambit: not detected; update 20210812
Ad-Aware: detected, result: Gen:Variant.Johnnie.273676; version 3.0.21.179, update 20210812
Emsisoft: detected, result: Gen:Variant.Johnnie.273676 (B); version 2021.4.0.5819, update 20210812
F-Secure: not detected; version 12.0.86.52, update 20210812
Fortinet: not detected; version 6.2.142.0, update 20210812
Jiangmin: not detected; version 16.0.100, update 20210811
Kingsoft: not detected; version 2017.9.26.565, update 20210812
Paloalto: not detected; version 1.0, update 20210812
Symantec: not detected; version 1.15.0.0, update 20210812
AhnLab-V3: not detected; version 3.20.4.10148, update 20210812
Antiy-AVL: not detected; version 3.0.0.1, update 20210812
Kaspersky: not detected; version 21.0.1.45, update 20210812
MaxSecure: not detected; version 1.0.0.1, update 20210811
Microsoft: not detected; version 1.1.18400.5, update 20210812
Qihoo-360: not detected; version 1.0.0.1300, update 20210812
ZoneAlarm: not detected; version 1.0, update 20210812
ESET-NOD32: not detected; version 23782, update 20210812
Gridinsoft: not detected; version 1.0.51.144, update 20210812
TrendMicro: not detected; version 11.0.0.1006, update 20210812
BitDefender: detected, result: Gen:Variant.Johnnie.273676; version 7.2, update 20210812
CrowdStrike: not detected; version 1.0, update 20210203
K7AntiVirus: not detected; version 11.203.37972, update 20210812
SentinelOne: not detected; version 6.1.0.4, update 20210805
Malwarebytes: not detected; version 4.2.2.27, update 20210812
CAT-QuickHeal: not detected; version 14.00, update 20210812
NANO-Antivirus: not detected; version 1.0.146.25311, update 20210812
BitDefenderTheta: not detected; version 7.2.37796.0, update 20210803
MicroWorld-eScan: detected, result: Gen:Variant.Johnnie.273676; version 14.0.409.0, update 20210812
SUPERAntiSpyware: not detected; version 5.6.0.1032, update 20210807
McAfee-GW-Edition: not detected; version v2019.1.2+3728, update 20210812
TrendMicro-HouseCall: not detected; version 10.0.0.1040, update 20210812

total
67
sha256
18359581eec8c4c26bb98a84bf09612463305868344d04f79856ba494efbd0a8
scan_id
18359581eec8c4c26bb98a84bf09612463305868344d04f79856ba494efbd0a8-1628780753
resource
4b7b76b58a946e30c71b89bf354eff90
positives
9
scan_date
2021-08-12 15:05:53
verbose_msg
Scan finished, information embedded
response_code
1
File
Trace

Process
Trace

Analysis
Reason
Blue Screen

Status
Execution Failed

Results
0

Registry
Trace

File Summary
Created - Identified: False
Deleted - Identified: False

Process Summary
Created - Identified: False
Deleted - Identified: False

Registry Summary
Proxy - Identified: False
AutoRun - Identified: False
Created - Identified: False
Deleted - Identified: False
Browsers - Identified: False
Internet - Identified: False

DNS
Query

Response

TCP
Info

UDP
Info

HTTP
Info

Summary
DNS: False
TCP: False
UDP: False
HTTP: False

Results
BINARY
NFS 2.0 (Threshold = 0.8): confidence 85.00%, suspicious: False
NFS 3.0 (Threshold = 0.75): confidence 66.00%, suspicious: True
Decision Tree (NFS-BRMalware): confidence 100.00%, suspicious: True
MalConv (Ember: Raw Bytes, Threshold=0.5): confidence 100.00%, suspicious: True
Random Forest (100 estimators, NFS-BRMalware): confidence 60.50%, suspicious: False
Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35): confidence 66.84%, suspicious: True
LightGBM (Ember: File Characteristics, Threshold=0.8336): confidence 99.78%, suspicious: False
