Report #13588

  • Creation Date: Aug. 20, 2021, 10:21 p.m.
  • Last Update: Aug. 21, 2021, 1:43 p.m.
  • File: evader.exe
  • Results:
Binary
DLL: False
Size: 45.50KB
trid
61.7% Win64 Executable
14.7% Win32 Dynamic Link Library
10.0% Win32 Executable
4.5% OS/2 Executable
4.4% Generic Win/DOS Executable
type: PE
wordsize: 64
Subsystem: Windows CLI
Hashes
Community
Google: False
HashLib: False
YARA
Matches: domain, anti_dbg, HasDebugData, contentis_base64, win_registry, IsPE64, IsConsole, Microsoft_Visual_Cpp_80_DLL, HasRichSignature

Suspicious: True

Imports
GDI32.dll
ExtCreatePen, MoveToEx, GetTextExtentPoint32W, GetTextMetricsW, LineTo, SetTextColor, DeleteDC, CreateDIBSection, CreateFontIndirectW, GetDeviceCaps, SetBkColor, GetRgnBox, SetBkMode, SelectObject, SetRectRgn, CreateCompatibleDC, CreateRectRgnIndirect, CombineRgn, CreateSolidBrush, EqualRgn, GetStockObject, CreatePatternBrush, CreateRectRgn, GetObjectW, GetTextExtentPointW, CreateCompatibleBitmap
WINMM.dll
timeGetTime
ole32.dll
CoInitialize, CoUninitialize, CoCreateInstance
RPCRT4.dll
UuidToStringW, RpcStringFreeW, UuidCreate
SHELL32.dll
SHGetSpecialFolderPathW, ShellAboutW
UxTheme.dll
IsThemeActive, BufferedPaintClear
ADVAPI32.dll
RegEnumKeyExW, RegQueryValueExW, RegQueryInfoKeyW, RegDeleteKeyW, RegSetValueExW, RegCloseKey, RegCreateKeyW, RegOpenKeyExW, RegEnumValueW, RegGetValueW
COMCTL32.dll
ImageList_Create, ImageList_Add, ImageList_Destroy
KERNEL32.dll
GetSystemTimeAsFileTime, GetTickCount64, CreateThread, GetSystemTime, CloseHandle, DeleteCriticalSection, GlobalFindAtomW, CreateEventW, LockResource, ResetEvent, EnterCriticalSection, HeapSize, GetLastError, GlobalUnlock, GetStartupInfoW, lstrlenW, lstrcmpW, CompareStringW, MulDiv, LeaveCriticalSection, HeapDestroy, SizeofResource, WideCharToMultiByte, GlobalAlloc, GetModuleHandleW, SetEvent, GlobalLock, GlobalSize, CreateProcessW, GetCurrentThreadId, DecodePointer, QueryPerformanceCounter, IsProcessorFeaturePresent, IsDebuggerPresent, EncodePointer, LoadResource, FindResourceW, lstrlenA, HeapReAlloc
OLEAUT32.dll
BSTR_UserFree
Strings
List
c:\users\win\documents\visual studio 2012\Projects\ExecShell\Debug\ExecShell.pdb
c:\Users\Win\Documents\Visual Studio 2012\Projects\Dropper\x64\Release\Dropper.pdb
SOFTWARE\Microsoft\VisualStudio\11.0\Setup\VS
COMCTL32.dll
MSVCR110.dll
MSVCR110D.dll
WINMM.dll
UxTheme.dll
proc.exe
%s%s%p%s%ld%s%d%s
_crt_debugger_hook
<requestedPrivileges>
__crt_debugger_hook
IsProcessorFeaturePresent
GetProcAddress
Stack area around _alloca memory reserved by this function is corrupted
CreateEventW
IsDebuggerPresent
CreateProcessW
WriteProcessMemory
VirtualAllocEx
VirtualAlloc
CoCreateInstance
LoadLibraryW
QueryPerformanceCounter
FreeLibrary
LoadLibraryExW
CreateFileA
RegQueryValueExW
RegOpenKeyExW
GetModuleFileNameW
GetModuleHandleW
RegCreateKeyW
LoadLibraryA
RegDeleteKeyW
RegGetValueW
RegEnumKeyExW
RegSetValueExW
LoadResource
ReadFile
A variable is being used without being initialized.
fprintf
f:\dd\vctools\crt_bld\self_x86\crt\src\intel\fp8.c
fopen
f:\dd\vctools\crt_bld\self_x86\crt\src\atonexit.c
system
f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c
__crtCapturePreviousContext
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
GetProcessHeap
_wsplitpath_s
MSPDB110.DLL
__crtTerminateProcess
_commode
_initterm
__setusermatherr
__C_specific_handler
_CrtDbgReportW
_initterm_e
_CRT_RTC_INITW
_calloc_dbg
_calloc_crt
__set_app_type
__dllonexit
_amsg_exit
__getmainargs
_invoke_watson
_CrtSetCheckCount
_XcptFilter
_wmakepath_s
__initenv
?terminate@@YAXXZ
.textbss
_controlfp_s

Foremost
Matches: 24.exe, 32 KB
Suspicious: True
Heuristics
IPs
hasIPs: False
hasAllowed: False
hasSuspicious: False

URLs
hasURLs: False
hasAllowed: False
hasSuspicious: False

Files
Allowed: MSVCR110D.dll, ADVAPI32.DLL, MSPDB110.DLL, user32.dll, ole32.dll, SHLWAPI.dll, SHELL32.dll, WINMM.dll, UxTheme.dll, COMCTL32.dll, GDI32.dll, KERNEL32.dll, OLEAUT32.dll, MSVCR110.dll, RPCRT4.dll
hasFiles: True
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA
RVA: 16
Suspicious: False
Code
Size: 41984
Suspicious: False
Image
Address: 5368709120
Suspicious: False
Stack
Stack: 4096
Suspicious: False
Headers
Headers: 1024
Suspicious: False
Suspicious: False

Symbols
Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 0
Suspicious: True

Sections
Allowed: .text, .rdata, .data, .pdata, .rsrc, .reloc
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS
Version: 6
Suspicious: False
Image
Version: 6
Suspicious: True
Linker
Version: 11.0
Suspicious: False
Subsystem
Version: 6.0
Suspicious: False
Suspicious: False

EntryPoint
Address: 6772
Suspicious: False

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True

Libraries
Allowed: advapi32.dll, user32.dll, ole32.dll, shlwapi.dll, shell32.dll, winmm.dll, uxtheme.dll, comctl32.dll, gdi32.dll, kernel32.dll, oleaut32.dll, rpcrt4.dll
hasLibs: True
Suspicious: msvcr110d.dll, mspdb110.dll, msvcr110.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Past: False
Valid: True
Value: 2021-08-20 22:21:04
Future: False

Compilation
Packed: False
Missing: False
Packers
Compiled: True
Compilers: Microsoft Visual C++ 8.0 (DLL)

Obfuscation
XOR: True
Fuzzing: False

PEDetector
Matches: 12448
Suspicious: True
Disassembly
hasTricks: False
Tricks
AVclass
File
Trace
Time | Operation | PID | Process | Path
21/8/2021 - 12:45:42.590 | Unknown | 2476 | C:\malware.exe | C:\Monitor\proc.exe
21/8/2021 - 12:45:42.590 | Open | 2476 | C:\malware.exe | C:\Windows\System32\apphelp.dll
21/8/2021 - 12:45:42.590 | Open | 2476 | C:\malware.exe | C:\Windows\System32\apphelp.dll
21/8/2021 - 12:45:42.590 | Open | 2476 | C:\malware.exe | C:\Windows\AppPatch\sysmain.sdb
21/8/2021 - 12:45:42.590 | Open | 2476 | C:\malware.exe | C:\Monitor
21/8/2021 - 12:45:42.590 | Unknown | 2476 | C:\malware.exe | C:\Monitor
21/8/2021 - 12:45:42.590 | Open | 2476 | C:\malware.exe | C:\Monitor\proc.exe
21/8/2021 - 12:45:42.590 | Unknown | 2476 | C:\malware.exe | C:\Monitor\proc.exe
21/8/2021 - 12:45:42.590 | Open | 2476 | C:\malware.exe | C:\
21/8/2021 - 12:45:42.590 | Unknown | 2476 | C:\malware.exe | C:\
21/8/2021 - 12:45:42.590 | Open | 2476 | C:\malware.exe | C:\Monitor
21/8/2021 - 12:45:42.590 | Unknown | 2476 | C:\malware.exe | C:\Monitor
21/8/2021 - 12:45:42.590 | Open | 2476 | C:\malware.exe | C:\Monitor
21/8/2021 - 12:45:42.590 | Unknown | 2476 | C:\malware.exe | C:\Monitor
21/8/2021 - 12:45:42.590 | Open | 2476 | C:\malware.exe | C:\Monitor\proc.exe
21/8/2021 - 12:45:42.590 | Read | 2476 | C:\malware.exe | C:\Monitor\proc.exe
21/8/2021 - 12:45:42.590 | Open | 2476 | C:\malware.exe | C:\Monitor\ui\SwDRM.dll
21/8/2021 - 12:45:42.590 | Unknown | 2476 | C:\malware.exe | C:\Monitor
21/8/2021 - 12:45:42.590 | Unknown | 2476 | C:\malware.exe | C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6
21/8/2021 - 12:45:42.653 | Open | 752 | C:\Monitor\proc.exe | C:\Windows\Prefetch\PROC.EXE-5509F567.pf
21/8/2021 - 12:45:42.653 | Open | 752 | C:\Monitor\proc.exe | C:\Windows
21/8/2021 - 12:45:42.653 | Open | 752 | C:\Monitor\proc.exe | C:\Windows\System32\wow64.dll
21/8/2021 - 12:45:42.653 | Open | 752 | C:\Monitor\proc.exe | C:\Windows\System32\wow64.dll
21/8/2021 - 12:45:42.653 | Open | 752 | C:\Monitor\proc.exe | C:\Windows\System32\wow64win.dll
21/8/2021 - 12:45:42.653 | Open | 752 | C:\Monitor\proc.exe | C:\Windows\System32\wow64win.dll
21/8/2021 - 12:45:42.653 | Open | 752 | C:\Monitor\proc.exe | C:\Windows\System32\wow64cpu.dll
21/8/2021 - 12:45:42.653 | Open | 752 | C:\Monitor\proc.exe | C:\Windows\System32\wow64cpu.dll
21/8/2021 - 12:45:42.653 | Open | 752 | C:\Monitor\proc.exe | C:\Windows\System32\wow64log.dll
21/8/2021 - 12:45:42.653 | Open | 752 | C:\Monitor\proc.exe | C:\Windows
21/8/2021 - 12:45:42.653 | Unknown | 752 | C:\Monitor\proc.exe | C:\Windows
21/8/2021 - 12:45:42.653 | Open | 752 | C:\Monitor\proc.exe | C:\Monitor
21/8/2021 - 12:45:42.653 | Open | 752 | C:\Monitor\proc.exe | C:\Monitor\MSVCR110D.dll
21/8/2021 - 12:45:42.653 | Open | 752 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\MSVCR110D.dll
21/8/2021 - 12:45:42.653 | Open | 752 | C:\Monitor\proc.exe | C:\Windows\system\MSVCR110D.dll
21/8/2021 - 12:45:42.653 | Open | 752 | C:\Monitor\proc.exe | C:\Windows\MSVCR110D.dll
21/8/2021 - 12:45:42.653 | Open | 752 | C:\Monitor\proc.exe | C:\Monitor\MSVCR110D.dll
21/8/2021 - 12:45:42.653 | Open | 752 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\MSVCR110D.dll
21/8/2021 - 12:45:42.653 | Open | 752 | C:\Monitor\proc.exe | C:\Windows\MSVCR110D.dll
21/8/2021 - 12:45:42.653 | Open | 752 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\wbem\MSVCR110D.dll
21/8/2021 - 12:45:42.653 | Open | 752 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\MSVCR110D.dll

Process
Trace
Time | Operation | Parent PID | Parent Process | Child PID | Child Process
21/8/2021 - 12:45:42.590 | Create | 2476 | C:\malware.exe | 752 | C:\Monitor\proc.exe

Analysis
Reason: Timeout
Status: Successfully Executed
Results: 1

Registry
Trace

File Summary
Created
Identified: False

Deleted
Identified: False

Process Summary
Created
Identified: True

Deleted
Identified: False

Registry Summary
Proxy
Identified: False

AutoRun
Identified: False

Created
Identified: False

Deleted
Identified: False

Browsers
Identified: False

Internet
Identified: False


DNS
Query

Response

TCP
Info

UDP
Info

HTTP
Info

Summary
DNS: False
TCP: False
UDP: False
HTTP: False

Results
BINARY
NFS 2.0 (Threshold = 0.8)
confidence: 77.50%
suspicious: False

NFS 3.0 (Threshold = 0.75)
confidence: 78.67%
suspicious: True

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 99.32%
suspicious: True

Random Forest (100 estimators, NFS-BRMalware)
confidence: 64.00%
suspicious: False

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 63.97%
suspicious: True

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 100.00%
suspicious: False
