Report #13648

  • Creation Date: Sept. 11, 2021, 9:52 p.m.
  • Last Update: Sept. 11, 2021, 10:07 p.m.
  • File: 016.exe
  • Results:
Binary
DLL: False
Size: 499.02KB
trid
52.9% Win32 Executable
23.5% Generic Win/DOS Executable
23.5% DOS Executable Generic
type: PE
wordsize: 32
Subsystem: Windows GUI
Hashes
Community
Google: False
HashLib: False
YARA
Matches
HasModified_DOS_Message, NET_executable, contentis_base64, Microsoft_Visual_C_v70_Basic_NET, Microsoft_Visual_Studio_NET_additional, IP, IsNET_EXE, NETexecutableMicrosoft, Microsoft_Visual_C_Basic_NET, Microsoft_Visual_Studio_NET, IsPE32, HasOverlay, mpress_2_xx_net, NET_executable_, domain, RijnDael_AES_LONG, Microsoft_Visual_C_v70_Basic_NET_additional, IsWindowsGUI, RijnDael_AES_CHAR, IsPacked

Suspicious: True

Imports
mscoree.dll
_CorExeMain
Strings
List
System.Security
System.Security
System.IO
System.IO
System.Management
3.LY
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Net.Sockets
System.Security.Cryptography
c.Aq
System.IO.Compression.FileSystem
System.Security.Permissions
System.IO.Compression
1.0.0.0
1.0.0.0
1.0.0.0
mfplat.dll
ntdll.dll
mfreadwrite.dll
""fD**~T
lR61num6MK35VG11
nT67YM8p
:1%ur=DIsi
V0tuFT
E`%5%
bSNK1a2JCY
U%e!E
nJDtBWRJ5r
File is invalid.
ApartmentState
SetApartmentState
E`I%owA
-YaF%ekTr
Count
Next
Delete
DeleteValue
LoadLibrary
fvXRcnqnNI
tDelegat
MulticastDelegate
et%ct
System.Windows.Forms
System.Windows.Forms
VE%GcP
DataProtectionScope
mscoree.dll
get_ExecutablePath
get_ExecutablePath
set_SecurityProtocol
get_IsInterface
khvbssL arVW~
reF5sSHs9Q
TcpClient
TwHGRdpnWS
PsN8Cb2afPj920KeRed
Gfg4tuFcE0oxn4H6Q42
L3KPpC5X1a84WXlBsC0
Q37GvTU12M4EWy58
2zuk733L1aF8AKay
zA1Ka2xiYg94MUH2Yss
GetProcAddress
GtSshm
xLySK8VuR9xTFFuTdwb
ZipArchiveEntry
SecurityProtocolType
oJBrKg1DyGxLRVnWME2
tLjSQ1aWUWVA9nGCrX1
wcpUj4z2ONeyySRKuy
IdJ1acn0XSMFkdfZOVR
wfMGdxXaP64via8uVDw
fDRKeXYBPSaOpl49JOb
CompressionLevel
SecurityAction
D0E
Host [
ExtractToDirectory
RegistryView
RegistryHive
ZipArchiveMode
ZipArchive
ServicePointManager
E9FC1
SocketType
SocketFlags
iHIBPCDXN4Mb2SJvtt1
nPRfDZYpYUIdiotBh3i
A12dc
rOTbuXFORIkQrvLvobI
FreeLibrary
Ad5E
E9Ef
Capture
Ldtoken
ANYO_LD
Socket
GetHashCode
&oT3
<PrivateImplementationDetails>{0A51F496-C9B0-4543-9ABE-A85A61AEAA7C}
LINK_V

Foremost
Matches: 0.exe, 6 KB
Suspicious: True
Heuristics
IPs
hasIPs: False
Allowed
Suspicious
hasAllowed: False
hasSuspicious: False

URLs
Allowed
hasURLs: False
Suspicious
hasAllowed: False
hasSuspicious: False

Files
Allowed: ntdll.dll, mscoree.dll, mfreadwrite.dll, ole32.dll, oleaut32.dll, kernel32.dll, mfplat.dll
hasFiles: True
Suspicious
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA
RVA: 16
Suspicious: False
Code
Size: 2048
Suspicious: False
Image
Address: 4194304
Suspicious: False
Stack
Stack: 4096
Suspicious: False
Headers
Headers: 512
Suspicious: False
Suspicious: False

Symbols
Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 0
Suspicious: True

Sections
Allowed: .text, .rsrc, .reloc
Suspicious
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS
Version: 4
Suspicious: False
Image
Version: 4
Suspicious: True
Linker
Version: 8.0
Suspicious: False
Subsystem
Version: 4.0
Suspicious: False
Suspicious: False

EntryPoint
Address: 11870
Suspicious: False

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True

Libraries
Allowed: ntdll.dll, mscoree.dll, mfreadwrite.dll, ole32.dll, oleaut32.dll, kernel32.dll, mfplat.dll
hasLibs: True
Suspicious
hasAllowed: True
hasSuspicious: False

Timestamp
Past: False
Valid: True
Value: 2010-12-09 16:58:13
Future: False

Compilation
Packed: False
Missing: False
Packers
Compiled: True
Compilers: Microsoft Visual C# / Basic .NET, Microsoft Visual Studio .NET, .NET executable, Microsoft Visual C# v7.0 / Basic .NET

Obfuscation
XOR: False
Fuzzing: False

PEDetector
Matches: None
Suspicious: False
Disassembly
hasTricks: True
Tricks
pushpopmath
.text: 3

cpuinstructionsresultscomparison
.text: 1

AVclass
File
Trace
Time | Op | PID | Process | Path | Name
11/9/2021 - 21:45:42.590 | Open | 2088 | C:\malware.exe | C:\Windows\System32\MUI\0416\mscorees.dll
11/9/2021 - 21:45:42.747 | Open | 2088 | C:\malware.exe | C:\Windows\System32\mscorrc.dll
11/9/2021 - 21:45:42.747 | Open | 2088 | C:\malware.exe | C:\Windows\System32\mscorrc.dll.DLL
11/9/2021 - 21:45:42.747 | Open | 2088 | C:\malware.exe | C:\mscorrc.dll
11/9/2021 - 21:45:42.747 | Open | 2088 | C:\malware.exe | C:\Windows\System32\mscorrc.dll
11/9/2021 - 21:45:42.747 | Open | 2088 | C:\malware.exe | C:\Windows\system\mscorrc.dll
11/9/2021 - 21:45:42.747 | Open | 2088 | C:\malware.exe | C:\Windows\mscorrc.dll
11/9/2021 - 21:45:42.747 | Open | 2088 | C:\malware.exe | C:\Monitor\mscorrc.dll
11/9/2021 - 21:45:42.747 | Open | 2088 | C:\malware.exe | C:\Windows\System32\mscorrc.dll
11/9/2021 - 21:45:42.747 | Open | 2088 | C:\malware.exe | C:\Windows\mscorrc.dll
11/9/2021 - 21:45:42.747 | Open | 2088 | C:\malware.exe | C:\Windows\System32\wbem\mscorrc.dll
11/9/2021 - 21:45:42.747 | Open | 2088 | C:\malware.exe | C:\Windows\System32\WindowsPowerShell\v1.0\mscorrc.dll
11/9/2021 - 21:45:42.747 | Open | 2088 | C:\malware.exe | C:\malware.exe.config
11/9/2021 - 21:45:42.747 | Open | 2088 | C:\malware.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.40305
11/9/2021 - 21:45:42.747 | Open | 2088 | C:\malware.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.40305
11/9/2021 - 21:45:42.747 | Open | 2088 | C:\malware.exe | C:\Windows\Fonts\StaticCache.dat
11/9/2021 - 21:45:42.747 | Read | 2088 | C:\malware.exe | C:\Windows\Fonts\StaticCache.dat | StaticCache.dat
11/9/2021 - 21:45:42.747 | Open | 2088 | C:\malware.exe | C:\Windows\System32\uxtheme.dll
11/9/2021 - 21:45:42.747 | Open | 2088 | C:\malware.exe | C:\Windows\System32\uxtheme.dll
11/9/2021 - 21:45:42.809 | Open | 2088 | C:\malware.exe | C:\dwmapi.dll
11/9/2021 - 21:45:42.809 | Open | 2088 | C:\malware.exe | C:\Windows\System32\dwmapi.dll
11/9/2021 - 21:45:42.809 | Open | 2088 | C:\malware.exe | C:\Windows\System32\dwmapi.dll
11/9/2021 - 21:45:42.809 | Open | 2088 | C:\malware.exe | C:\Windows\System32\ole32.dll
11/9/2021 - 21:45:42.809 | Open | 2088 | C:\malware.exe | C:\Windows\System32\ole32.dll
11/9/2021 - 21:45:42.809 | Open | 2088 | C:\malware.exe | C:\Windows\System32\rpcss.dll
11/9/2021 - 21:45:42.809 | Open | 2088 | C:\malware.exe | C:\Windows\System32\rpcss.dll
11/9/2021 - 21:45:42.809 | Open | 2088 | C:\malware.exe | C:\Windows\System32\rpcss.dll
11/9/2021 - 21:45:42.809 | Open | 2088 | C:\malware.exe | C:\Windows\System32\rpcss.dll
11/9/2021 - 21:45:42.809 | Open | 2088 | C:\malware.exe | C:\CRYPTBASE.dll
11/9/2021 - 21:45:42.809 | Open | 2088 | C:\malware.exe | C:\Windows\System32\cryptbase.dll
11/9/2021 - 21:45:42.809 | Unknown | 2088 | C:\malware.exe | C:\Windows\System32\cryptbase.dll | cryptbase.dll
11/9/2021 - 21:45:42.809 | Open | 2088 | C:\malware.exe | C:\Windows\System32\cryptbase.dll
11/9/2021 - 21:45:42.809 | Unknown | 2088 | C:\malware.exe | C:\Windows\System32\cryptbase.dll | cryptbase.dll
11/9/2021 - 21:45:42.825 | Open | 2088 | C:\malware.exe | C:\Windows\Globalization\Sorting\SortDefault.nls
11/9/2021 - 21:45:42.825 | Unknown | 2088 | C:\malware.exe | C:\Windows\Globalization\Sorting\SortDefault.nls | SortDefault.nls

Process
Trace

Analysis
Reason
Timeout

Status
Successfully Executed

Results
1

Registry
Trace

File Summary
Created
Identified: False

Deleted
Identified: False

Process Summary
Created
Identified: False

Deleted
Identified: False

Registry Summary
Proxy
Identified: False

AutoRun
Identified: False

Created
Identified: False

Deleted
Identified: False

Browsers
Identified: False

Internet
Identified: False


DNS
Query

Response

TCP
Info

UDP
Info

HTTP
Info

Summary
DNS: False

TCP: False

UDP: False

HTTP: False

Results
BINARY
NFS 2.0 (Threshold = 0.8)
confidence: 60.00%
suspicious: True

NFS 3.0 (Threshold = 0.75)
confidence: 63.33%
suspicious: True

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: False

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 90.18%
suspicious: True

Random Forest (100 estimators, NFS-BRMalware)
confidence: 50.00%
suspicious: False

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 49.41%
suspicious: True

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 100.00%
suspicious: True
