Report #13616

  • Creation Date: Aug. 21, 2021, 6:11 p.m.
  • Last Update: Aug. 21, 2021, 6:16 p.m.
  • File: Dropper.dll
  • Results:
Binary
DLL
True
Size
91.00KB
trid
41.0% Win32 Executable MS Visual C++
36.3% Win64 Executable
8.6% Win32 Dynamic Link Library
5.9% Win32 Executable
2.6% OS/2 Executable
type
PE
wordsize
32
Subsystem
Windows CLI
Hashes
md5
2c5b440c1ba2d1158bfa0c50ce004c76
sha1
61452ad68f794d3ef318670bf13579e22469ba25
crc32
0x2b8aa6eb
sha224
75b10d8622d91dc5d4a2bc5bc4a0d7b0b18ba043202e962f9ac7430a
sha256
96c4d1221be54d1b60c727f5031e64f23f115450c2650db54e369ca6fb79ab2d
sha384
d60551367063b1c4f2facae248c9da4fe80171061af3af5daf11171bf41acb2a1119428e4a384007e870876bcd5dc126
sha512
54cd58933c0bf480f982aed54e77056957d4b398d84ec5ad3f8223f522c4c7b1bb802c809277d0566cfa1d8a88af7da7ec2aae2bb5e13cf25d9c212f11056424
ssdeep
1536:g1QbbUWJpRzTGPHSnWxVpJQS9c0UjiBuQZO12PAlJOFHA:+Qb46R5iBuU8J6A
Community
Google
False
HashLib
False
YARA
Matches
domain, ThreadControl__Context, Borland_Delphi_30_, HasDebugData, HasRichSignature, Microsoft_Visual_Cpp_v50v60_MFC, win_files_operation, IsPE32, disable_dep, SEH__vectored, Borland_Delphi_v40_v50, contentis_base64, DebuggerCheck__GlobalFlags, DebuggerHiding__Thread, IsDLL, anti_dbg, Borland_Delphi_DLL, DebuggerHiding__Active, DebuggerCheck__QueryInfo, url, IsConsole, Borland_Delphi_30_additional, Borland_Delphi_v30

Suspicious
True

Imports
KERNEL32.dll
GetProcAddress, LoadLibraryA, GetSystemTimeAsFileTime, GetCurrentThreadId, QueryPerformanceCounter, IsProcessorFeaturePresent, IsDebuggerPresent, DecodePointer, EncodePointer, GetTickCount64
MSVCR110.dll
_crt_debugger_hook, __crtUnhandledException, __crtTerminateProcess, _unlock, _calloc_crt, __dllonexit, _onexit, __clean_type_info_names_internal, _except_handler4_common, _initterm_e, _initterm, _malloc_crt, free, _amsg_exit, __CppXcptFilter, ??3@YAXPAX@Z, _lock, memset
Strings
List
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
C:\Users\Win\Documents\Visual Studio 2012\Projects\Dropper\Release\Dropper.pdb
MSVCR110.dll
Dropper.dll
hello.exe
hello.exe
RtlWnfDllUnloadCallback
NtDeleteWnfStateData
NtDeleteWnfStateName
ZwDeleteWnfStateData
Delete
NoRemove
_crt_debugger_hook
IsProcessorFeaturePresent
GetProcAddress
SECURITY
NtCreateLowBoxToken
ZwCreateTokenEx
ZwCreateLowBoxToken
NtCreateTokenEx
Hardware
NtFilterTokenEx
NtFilterBootOption
ZwFilterBootOption
RtlFlushHeaps
IsDebuggerPresent
Interface
NtCreateProcessEx
RtlExtractBitMap
NtWriteVirtualMemory
ZwReadFile
NtCreateThreadEx
ZwOpenFile
ZwDeleteFile
NtCreateThread
RtlCreateRegistryKey
ZwCreateFile
NtQueryDirectoryFile
LoadLibraryA
NtSetSystemInformation
RtlWriteRegistryValue
ZwWriteFile
QueryPerformanceCounter
RtlCreateUserThread
RtlCreateHeap
LdrLoadDll
TypeLib
RtlWaitOnAddress
RtlCreateHashTableEx
EtwpGetCpuSpeed
NtAdjustTokenClaimsAndDeviceGroups
ZwAdjustTokenClaimsAndDeviceGroups
RtlDecompressBufferEx
RtlGetProcessHeaps
NtWow64CsrClientConnectToServer
NtWow64CsrFreeCaptureBuffer
ZwWow64CsrClientConnectToServer
NtWow64CsrCaptureMessageBuffer
NtWow64CsrAllocateCaptureBuffer
ZwWow64CsrFreeCaptureBuffer
NtWow64CsrCaptureMessageString
RtlpConvertRelativeToAbsoluteSecurityAttribute
RtlpConvertAbsoluteToRelativeSecurityAttribute
ZwWow64CsrCaptureMessageBuffer
ZwWow64CsrAllocateCaptureBuffer
NtWow64DebuggerCall
RtlpMergeSecurityAttributeInformation
ZwWow64CsrCaptureMessageString
ZwFlushBuffersFileEx
NtWow64CsrClientCallServer
ZwWow64DebuggerCall
RtlQueryRegistryValuesEx
ZwWow64CsrClientCallServer
RtlCaptureStackContext
RtlRegisterForWnfMetaNotification
NtCreateWaitCompletionPacket
ZwCreateWaitCompletionPacket
NtFlushBuffersFileEx

Foremost
Matches
0.dll, 91 KB
Suspicious
True
Heuristics
IPs
hasIPs: False
Allowed
Suspicious
hasAllowed: False
hasSuspicious: False

URLs
Allowed: http://schemas.microsoft.com/smi/2005/windowssettings
hasURLs: True
Suspicious
hasAllowed: True
hasSuspicious: False

Files
Allowed: Dropper.dll, MSVCR110.dll, KERNEL32.dll
hasFiles: True
Suspicious
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA
RVA: 16
Suspicious: False
Code
Size: 89088
Suspicious: False
Image
Address: 268435456
Suspicious: False
Stack
Stack: 4096
Suspicious: False
Headers
Headers: 1024
Suspicious: False
Suspicious: False

Symbols
Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 0
Suspicious: True

Sections
Allowed: .text, .rdata, .data, .rsrc, .reloc
Suspicious
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS
Version: 6
Suspicious: False
Image
Version: 6
Suspicious: True
Linker
Version: 11.0
Suspicious: False
Subsystem
Version: 6.0
Suspicious: False
Suspicious: False

EntryPoint
Address: 7360
Suspicious: False

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True

Libraries
Allowed: kernel32.dll
hasLibs: True
Suspicious: dropper.dll, msvcr110.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Past: False
Valid: True
Value: 2021-08-21 18:08:48
Future: False

Compilation
Packed: False
Missing: False
Packers
Compiled: True
Compilers: Borland Delphi 3.0 (???)

Obfuscation
XOR: False
Fuzzing: True

PEDetector
Matches
None
Suspicious
False
Disassembly
hasTricks
False
Tricks
AVclass
File
Trace
Time | Operation | PID | Process | File
21/8/2021 - 17:45:44.106 | Open | 2124 | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\shell32.dll
21/8/2021 - 17:45:44.106 | Open | 2124 | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe.Local
21/8/2021 - 17:45:44.106 | Open | 2124 | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
21/8/2021 - 17:45:44.106 | Unknown | 2124 | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
21/8/2021 - 17:45:44.106 | Open | 2124 | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
21/8/2021 - 17:45:44.106 | Open | 2124 | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
21/8/2021 - 17:45:44.106 | Open | 2124 | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
21/8/2021 - 17:45:44.106 | Open | 2124 | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\WindowsShell.Manifest
21/8/2021 - 17:45:44.106 | Unknown | 2124 | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\WindowsShell.ManifestWindowsShell.Manifest
21/8/2021 - 17:45:44.122 | Unknown | 2124 | C:\Windows\SysWOW64\rundll32.exe | C:\Windows
21/8/2021 - 17:45:44.122 | Unknown | 2124 | C:\Windows\SysWOW64\rundll32.exe | C:\Monitor
21/8/2021 - 17:45:44.122 | Unknown | 2124 | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
21/8/2021 - 17:45:44.278 | Unknown | 2172 | C:\Windows\System32\rundll32.exe | C:\Monitor

Process
Trace
Time | Operation | PID | Process | Target PID | Target Process
21/8/2021 - 17:45:44.122 | Terminate | 2172 | C:\Windows\System32\rundll32.exe | 2124 | C:\Windows\SysWOW64\rundll32.exe
21/8/2021 - 17:45:47.200 | Terminate | 2124 | C:\Windows\SysWOW64\rundll32.exe | 2424 | C:\Monitor\hello.exe

Analysis
Reason
Finished

Status
Successfully Executed

Results
1

Registry
Trace

File Summary
Created
Identified: False

Deleted
Identified: False

Process Summary
Created
Identified: False

Deleted
Identified: True

Registry Summary
Proxy
Identified: False

AutoRun
Identified: False

Created
Identified: False

Deleted
Identified: False

Browsers
Identified: False

Internet
Identified: False


DNS
Query

Response

TCP
Info

UDP
Info

HTTP
Info

Summary
DNS
False

TCP
False

UDP
False

HTTP
False

Results
BINARY
NFS 2.0 (Threshold = 0.8)
confidence: 72.50%
suspicious: False

NFS 3.0 (Threshold = 0.75)
confidence: 56.67%
suspicious: True

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 76.25%
suspicious: True

Random Forest (100 estimators, NFS-BRMalware)
confidence: 52.00%
suspicious: True

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 66.11%
suspicious: False

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 99.99%
suspicious: False
