Report #13633

  • Creation Date: Sept. 2, 2021, 6:53 p.m.
  • Last Update: Sept. 2, 2021, 6:57 p.m.
  • File: evader.exe
  • Results:
Binary
DLL: False
Size: 30.50KB
trid:
61.7% Win64 Executable
14.7% Win32 Dynamic Link Library
10.0% Win32 Executable
4.5% OS/2 Executable
4.4% Generic Win/DOS Executable
type: PE
wordsize: 64
Subsystem: Windows CLI
Hashes
Community
Google: False
HashLib: False
YARA
Matches
domain, anti_dbg, HasDebugData, IP, contentis_base64, cred_local, win_registry, IsPE64, IsConsole, Microsoft_Visual_Cpp_80_DLL, HasRichSignature

Suspicious: True

Imports
GDI32.dll
ExtCreatePen, MoveToEx, GetTextExtentPoint32W, GetTextMetricsW, LineTo, SetTextColor, DeleteDC, CreateDIBSection, CreateFontIndirectW, GetDeviceCaps, SetBkColor, GetRgnBox, SetBkMode, SelectObject, SetRectRgn, CreateCompatibleDC, CreateRectRgnIndirect, CombineRgn, CreateSolidBrush, EqualRgn, GetStockObject, CreatePatternBrush, CreateRectRgn, GetObjectW, GetTextExtentPointW, CreateCompatibleBitmap
WINMM.dll
timeGetTime
ole32.dll
CoInitialize, CoUninitialize, CoCreateInstance
RPCRT4.dll
UuidToStringW, RpcStringFreeW, UuidCreate
SHELL32.dll
SHGetSpecialFolderPathW, ShellAboutW
UxTheme.dll
IsThemeActive, BufferedPaintClear
ADVAPI32.dll
RegEnumKeyExW, RegQueryValueExW, RegQueryInfoKeyW, RegDeleteKeyW, RegSetValueExW, RegCloseKey, RegCreateKeyW, RegOpenKeyExW, RegEnumValueW, RegGetValueW
COMCTL32.dll
ImageList_Create, ImageList_Add, ImageList_Destroy
KERNEL32.dll
GetSystemTimeAsFileTime, GetTickCount64, CreateThread, GetSystemTime, CloseHandle, DeleteCriticalSection, GlobalFindAtomW, CreateEventW, LockResource, ResetEvent, EnterCriticalSection, HeapSize, GetLastError, GlobalUnlock, GetStartupInfoW, lstrlenW, lstrcmpW, CompareStringW, MulDiv, LeaveCriticalSection, HeapDestroy, SizeofResource, WideCharToMultiByte, GlobalAlloc, GetModuleHandleW, SetEvent, GlobalLock, GlobalSize, CreateProcessW, GetCurrentThreadId, DecodePointer, QueryPerformanceCounter, IsProcessorFeaturePresent, IsDebuggerPresent, EncodePointer, LoadResource, FindResourceW, lstrlenA, HeapReAlloc
OLEAUT32.dll
BSTR_UserFree
Strings

Foremost
Matches: 24.exe, 17 KB
Suspicious: True
Heuristics
IPs
hasIPs: False
hasAllowed: False
hasSuspicious: False

URLs
hasURLs: False
hasAllowed: False
hasSuspicious: False

Files
Allowed: api-ms-win-core-string-l1-1-0.dll, api-ms-win-core-console-l1-1-0.dll, api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core-localization-l1-2-0.dll, api-ms-win-core-file-l1-1-0.dll, ADVAPI32.dll, MSVCR110.dll, ole32.dll, SHLWAPI.dll, USER32.dll, SHELL32.dll, api-ms-win-core-apiquery-l1-1-0.dll, api-ms-win-core-registry-l1-1-0.dll, api-ms-win-core-delayload-l1-1-0.dll, api-ms-win-core-processthreads-l1-1-0.dll, COMCTL32.dll, api-ms-win-core-profile-l1-1-0.dll, api-ms-win-core-sysinfo-l1-1-0.dll, api-ms-win-core-delayload-l1-1-1.dll, RPCRT4.dll, UxTheme.dll, api-ms-win-security-credentials-l1-1-0.dll, WINMM.dll, api-ms-win-core-processenvironment-l1-1-0.dll, GDI32.dll, msvcrt.dll, api-ms-win-core-libraryloader-l1-2-0.dll, api-ms-win-core-heap-l1-1-0.dll, OLEAUT32.dll, KERNEL32.dll, api-ms-win-core-heap-l2-1-0.dll, ext-ms-win-security-credui-l1-1-0.dll, api-ms-win-core-errorhandling-l1-1-0.dll
hasFiles: True
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA: 16
Suspicious: False
Code Size: 26624
Suspicious: False
Image Address: 5368709120
Suspicious: False
Stack: 4096
Suspicious: False
Headers: 1024
Suspicious: False
Suspicious: False

Symbols
Number: 0
Suspicious: True
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 0
Suspicious: True

Sections
Allowed: .text, .rdata, .data, .pdata, .rsrc, .reloc
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS Version: 6
Suspicious: False
Image Version: 6
Suspicious: True
Linker Version: 11.0
Suspicious: False
Subsystem Version: 6.0
Suspicious: False
Suspicious: False

EntryPoint
Address: 6772
Suspicious: False

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True

Libraries
Allowed: api-ms-win-core-string-l1-1-0.dll, api-ms-win-core-console-l1-1-0.dll, api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core-localization-l1-2-0.dll, api-ms-win-core-file-l1-1-0.dll, advapi32.dll, ole32.dll, shlwapi.dll, user32.dll, shell32.dll, api-ms-win-core-apiquery-l1-1-0.dll, api-ms-win-core-registry-l1-1-0.dll, api-ms-win-core-delayload-l1-1-0.dll, api-ms-win-core-processthreads-l1-1-0.dll, comctl32.dll, api-ms-win-core-profile-l1-1-0.dll, api-ms-win-core-sysinfo-l1-1-0.dll, api-ms-win-core-delayload-l1-1-1.dll, rpcrt4.dll, uxtheme.dll, api-ms-win-security-credentials-l1-1-0.dll, winmm.dll, api-ms-win-core-processenvironment-l1-1-0.dll, gdi32.dll, msvcrt.dll, api-ms-win-core-heap-l1-1-0.dll, oleaut32.dll, kernel32.dll, ext-ms-win-security-credui-l1-1-0.dll, api-ms-win-core-errorhandling-l1-1-0.dll
hasLibs: True
Suspicious: msvcr110.dll, api-ms-win-core-libraryloader-l1-2-0.dll, api-ms-win-core-heap-l2-1-0.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Past: False
Valid: True
Value: 2021-09-02 18:53:16
Future: False

Compilation
Packed: False
Missing: False
Packers
Compiled: True
Compilers: Microsoft Visual C++ 8.0 (DLL)

Obfuscation
XOR: True
Fuzzing: False

PEDetector
Matches: 12448
Suspicious: True
Disassembly
hasTricks: False
Tricks
AVclass
File
Trace
Time | Operation | PID | Process | Path
2/9/2021 - 17:45:43.590 | Unknown | 2476 | C:\malware.exe | C:\Monitor\proc.exe
2/9/2021 - 17:45:43.637 | Open | 752 | C:\Monitor\proc.exe | C:\Windows\Prefetch\PROC.EXE-5509F567.pf
2/9/2021 - 17:45:43.637 | Unknown | 2476 | C:\malware.exe | C:\Monitor
2/9/2021 - 17:45:43.637 | Unknown | 2476 | C:\malware.exe | C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6

Process
Trace
Time | Operation | Parent PID | Parent Process | Child PID | Child Process
2/9/2021 - 17:45:43.590 | Create | 2476 | C:\malware.exe | 752 | C:\Monitor\proc.exe
2/9/2021 - 17:45:43.637 | Terminate | 2476 | C:\malware.exe | 752 | C:\Monitor\proc.exe

Analysis
Reason: Timeout

Status: Successfully Executed

Results: 1

Registry
Trace

File Summary
Created
Identified: False

Deleted
Identified: False

Process Summary
Created
Identified: True

Deleted
Identified: True

Registry Summary
Proxy
Identified: False

AutoRun
Identified: False

Created
Identified: False

Deleted
Identified: False

Browsers
Identified: False

Internet
Identified: False

DNS
Query

Response

TCP
Info

UDP
Info

HTTP
Info

Summary
DNS: False

TCP: False

UDP: False

HTTP: False

Results
BINARY
NFS 2.0 (Threshold = 0.8)
confidence: 80.00%
suspicious: False

NFS 3.0 (Threshold = 0.75)
confidence: 78.67%
suspicious: True

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 94.17%
suspicious: True

Random Forest (100 estimators, NFS-BRMalware)
confidence: 63.00%
suspicious: False

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 54.63%
suspicious: True

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 100.00%
suspicious: False
