Report #13647

  • Creation Date: Sept. 11, 2021, 9:52 p.m.
  • Last Update: Sept. 11, 2021, 10:02 p.m.
  • File: 013.exe
  • Results:
Binary
DLL: False
Size: 20.94 KB
trid: 52.9% Win32 Executable, 23.5% Generic Win/DOS Executable, 23.5% DOS Executable Generic
type: PE
wordsize: 32
Subsystem: Windows GUI
Hashes
md5
ddc560c442c617d7c91d14bcbcc9dc46
sha1
78b8e643e1f46e457ce7a9897bac1d0c3efccf8a
crc32
0xfc8bbb34
sha224
3b86c7025c09deb7d9b95f70e1f763539763a62081c50ab724dad8ed
sha256
f51c5d274b1da0f6fe2724e41d0c0dab2348d118db80f81cf58bc3f041572020
sha384
49bd67d9933cf974fce0f522abb3f54a7b721e27a06fcc160ebd5afaa97a74858d39f2ff8453d2502a071b73adfe69f8
sha512
688acb19348f566c3b07ff1e24d1ff9df1228082afc7cfbc3dd5e47c16de4f0507429860eee25c99a26edf20cd6db003134ce6e4724379f982a72bea6b8654e1
ssdeep
384:dv3wIQdChGxJvOtZ9NTvuzJkeO53M5Jj1/f/zP4/vDIS2:dvgldCIxEtZ9NTvuzJkeO53Ij1zPOw
Community
Google: False
HashLib: False
YARA
Matches: HasModified_DOS_Message, NET_executable, contentis_base64, Microsoft_Visual_C_v70_Basic_NET, Microsoft_Visual_Studio_NET_additional, IP, IsNET_EXE, NETexecutableMicrosoft, Microsoft_Visual_C_Basic_NET, Microsoft_Visual_Studio_NET, IsPacked, HasOverlay, mpress_2_xx_net, NET_executable_, domain, IsPE32, Microsoft_Visual_C_v70_Basic_NET_additional, IsWindowsGUI
Suspicious: True

Imports
mscoree.dll: _CorExeMain
Strings

Foremost
Matches: 0.exe, 5 KB
Suspicious: True
Heuristics
IPs
hasIPs: False
Allowed
Suspicious
hasAllowed: False
hasSuspicious: False

URLs
hasURLs: False
Allowed
Suspicious
hasAllowed: False
hasSuspicious: False

Files
Allowed: mscoree.dll
hasFiles: True
Suspicious
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA
RVA: 16
Suspicious: False
Code
Size: 2048
Suspicious: False
Image
Address: 4194304
Suspicious: False
Stack
Stack: 4096
Suspicious: False
Headers
Headers: 512
Suspicious: False
Suspicious: False

Symbols
Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 0
Suspicious: True

Sections
Allowed: .text, .rsrc, .reloc
Suspicious
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS
Version: 4
Suspicious: False
Image
Version: 4
Suspicious: True
Linker
Version: 8.0
Suspicious: False
Subsystem
Version: 4.0
Suspicious: False
Suspicious: False

EntryPoint
Address: 11870
Suspicious: False

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True

Libraries
Allowed: mscoree.dll
hasLibs: True
Suspicious
hasAllowed: True
hasSuspicious: False

Timestamp
Past: False
Valid: True
Value: 2010-12-09 16:58:13
Future: False

Compilation
Packed: False
Missing: False
Packers
Compiled: True
Compilers: Microsoft Visual C# / Basic .NET, Microsoft Visual Studio .NET, .NET executable, Microsoft Visual C# v7.0 / Basic .NET

Obfuscation
XOR: False
Fuzzing: False

PEDetector
Matches: None
Suspicious: False

Disassembly
hasTricks: True
Tricks
pushpopmath: .text: 3
cpuinstructionsresultscomparison: .text: 1

AVclass
File
Trace
Time | Operation | PID | Process | Path | Name
11/9/2021 21:45:42.481 | Open | 2476 | C:\malware.exe | C:\Windows\System32\MUI\0416\mscorees.dll |
11/9/2021 21:45:42.653 | Open | 2476 | C:\malware.exe | C:\Windows\System32\mscorrc.dll |
11/9/2021 21:45:42.653 | Open | 2476 | C:\malware.exe | C:\Windows\System32\mscorrc.dll.DLL |
11/9/2021 21:45:42.653 | Open | 2476 | C:\malware.exe | C:\mscorrc.dll |
11/9/2021 21:45:42.653 | Open | 2476 | C:\malware.exe | C:\Windows\System32\mscorrc.dll |
11/9/2021 21:45:42.653 | Open | 2476 | C:\malware.exe | C:\Windows\system\mscorrc.dll |
11/9/2021 21:45:42.653 | Open | 2476 | C:\malware.exe | C:\Windows\mscorrc.dll |
11/9/2021 21:45:42.653 | Open | 2476 | C:\malware.exe | C:\Monitor\mscorrc.dll |
11/9/2021 21:45:42.653 | Open | 2476 | C:\malware.exe | C:\Windows\System32\mscorrc.dll |
11/9/2021 21:45:42.653 | Open | 2476 | C:\malware.exe | C:\Windows\mscorrc.dll |
11/9/2021 21:45:42.653 | Open | 2476 | C:\malware.exe | C:\Windows\System32\wbem\mscorrc.dll |
11/9/2021 21:45:42.653 | Open | 2476 | C:\malware.exe | C:\Windows\System32\WindowsPowerShell\v1.0\mscorrc.dll |
11/9/2021 21:45:42.653 | Open | 2476 | C:\malware.exe | C:\malware.exe.config |
11/9/2021 21:45:42.653 | Open | 2476 | C:\malware.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.40305 |
11/9/2021 21:45:42.653 | Open | 2476 | C:\malware.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.40305 |
11/9/2021 21:45:42.653 | Open | 2476 | C:\malware.exe | C:\Windows\Fonts\StaticCache.dat |
11/9/2021 21:45:42.653 | Read | 2476 | C:\malware.exe | C:\Windows\Fonts\StaticCache.dat | StaticCache.dat
11/9/2021 21:45:42.653 | Open | 2476 | C:\malware.exe | C:\Windows\System32\uxtheme.dll |
11/9/2021 21:45:42.653 | Open | 2476 | C:\malware.exe | C:\Windows\System32\uxtheme.dll |
11/9/2021 21:45:42.715 | Open | 2476 | C:\malware.exe | C:\dwmapi.dll |
11/9/2021 21:45:42.715 | Open | 2476 | C:\malware.exe | C:\Windows\System32\dwmapi.dll |
11/9/2021 21:45:42.715 | Open | 2476 | C:\malware.exe | C:\Windows\System32\dwmapi.dll |
11/9/2021 21:45:42.715 | Open | 2476 | C:\malware.exe | C:\Windows\System32\ole32.dll |
11/9/2021 21:45:42.715 | Open | 2476 | C:\malware.exe | C:\Windows\System32\ole32.dll |
11/9/2021 21:45:42.715 | Open | 2476 | C:\malware.exe | C:\Windows\System32\rpcss.dll |
11/9/2021 21:45:42.715 | Open | 2476 | C:\malware.exe | C:\Windows\System32\rpcss.dll |
11/9/2021 21:45:42.715 | Open | 2476 | C:\malware.exe | C:\Windows\System32\rpcss.dll |
11/9/2021 21:45:42.715 | Open | 2476 | C:\malware.exe | C:\Windows\System32\rpcss.dll |
11/9/2021 21:45:42.715 | Open | 2476 | C:\malware.exe | C:\CRYPTBASE.dll |
11/9/2021 21:45:42.715 | Open | 2476 | C:\malware.exe | C:\Windows\System32\cryptbase.dll |
11/9/2021 21:45:42.715 | Unknown | 2476 | C:\malware.exe | C:\Windows\System32\cryptbase.dll | cryptbase.dll
11/9/2021 21:45:42.715 | Open | 2476 | C:\malware.exe | C:\Windows\System32\cryptbase.dll |
11/9/2021 21:45:42.715 | Unknown | 2476 | C:\malware.exe | C:\Windows\System32\cryptbase.dll | cryptbase.dll
11/9/2021 21:45:42.715 | Open | 2476 | C:\malware.exe | C:\Windows\Globalization\Sorting\SortDefault.nls |
11/9/2021 21:45:42.715 | Unknown | 2476 | C:\malware.exe | C:\Windows\Globalization\Sorting\SortDefault.nls | SortDefault.nls

Process
Trace

Analysis
Reason
Timeout

Status
Successfully Executed

Results
1

Registry
Trace

File Summary
Created
Identified: False

Deleted
Identified: False

Process Summary
Created
Identified: False

Deleted
Identified: False

Registry Summary
Proxy
Identified: False

AutoRun
Identified: False

Created
Identified: False

Deleted
Identified: False

Browsers
Identified: False

Internet
Identified: False

DNS
Query

Response

TCP
Info

UDP
Info

HTTP
Info

Summary
DNS: False
TCP: False
UDP: False
HTTP: False

Results
BINARY
NFS 2.0 (Threshold = 0.8)
confidence: 53.75%
suspicious: True

NFS 3.0 (Threshold = 0.75)
confidence: 66.00%
suspicious: True

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: False

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 98.99%
suspicious: True

Random Forest (100 estimators, NFS-BRMalware)
confidence: 54.00%
suspicious: False

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 65.18%
suspicious: True

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 100.00%
suspicious: True