Report #13655

  • Creation Date: Sept. 14, 2021, 3:14 p.m.
  • Last Update: Sept. 14, 2021, 3:18 p.m.
  • File: 004
  • Results:
Binary
DLL: False
Size: 45.00KB
trid:
  55.8% Generic CIL Executable
  21.0% Win64 Executable
  9.9% Windows screen saver
  5.0% Win32 Dynamic Link Library
  3.4% Win32 Executable
type: PE
wordsize: 32
Subsystem: Windows GUI
Hashes
md5: 4e28ae9224a2c9765351b387dda9fbee
sha1: 0d06db6338a22f9c3c21688c57d213a395b6e91a
crc32: 0x6709216d
sha224: 031609c76c16f4638d3009e7b9bf390bc87916558185e8311941984b
sha256: e1ff405eb4bd0d3b159bc9d97006b59630425b21bf95eb48c5491d15ff35cac7
sha384: 117ac5a2fd80272bcf336133b9ac7f48a93763b5028570f86a20d40e488b5abda0a5b1764785468c43fa5df6f3fb955d
sha512: d6988feb1c2c3dee43b59e97ce79720a12f5e9bb93225d72e9d3dd9023282e0db4f3a5ca969d145c164bb97e147c5341b18a6ec8f96f2aa361971829180de1dd
ssdeep: 768:XuScq5TAYGTqWU8j+zmo2qLy36tEaOPIWzjbngX3iymkGBDZPx:XuScq5TA5c2qEa3W3bgXSymhdPx
Community
Google: False
HashLib: False
YARA
Matches:
Sandboxie_Detection, domain, Njrat, Microsoft_Visual_C_v70_Basic_NET, Microsoft_Visual_Studio_NET, NET_executable_, IsPE32, Microsoft_Visual_C_v70_Basic_NET_additional, WMI_strings, NET_executable, contentis_base64, Microsoft_Visual_Studio_NET_additional, IP, win_mutex, NETexecutableMicrosoft, DebuggerCheck__RemoteAPI, VMWare_Detection, IsWindowsGUI, anti_dbg, url, IsNET_EXE, Microsoft_Visual_C_Basic_NET, Big_Numbers3

Suspicious: True

Imports
mscoree.dll: _CorExeMain
Strings
List
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
System.Net.Security
System.IO
System.Net
System.Management
%AppData%
System.Net.Sockets
System.Security.Cryptography.X509Certificates
System.Security.Cryptography
System.Security.Principal
System.Security.Authentication
System.IO.Compression
SbieDll.dll
1.0.0.0
1.0.0.0
1.0.0.0
1.0.0.0
ntdll.dll
SHA256Managed
Stub.exe
Stub.exe
Software\
Antivirus
Antivirus
set_ReceiveBufferSize
Select * from AntivirusProduct
get_Connected
Delete
DeleteValue
DeleteSubKeyTree
Received
Received
DeleteSubKey
System.Windows.Forms
EXECUTION_STATE
get_ActivatePong
set_ActivatePong
mscoree.dll
set_TcpClient
set_SslClient
\root\SecurityCenter2
owner
get_TcpClient
get_SslClient
set_UseShellExecute
set_Credentials
get_ExecutablePath
Client.Install
get_UserName
Plugin.Plugin
get_MachineName
<requestedPrivileges>
SslPolicyErrors
sslPolicyErrors
SslStream
Decompress
GetHostAddresses
Compress
SslProtocols
GetPathRoot
NetworkCredential
PreventSleep
isDebuggerPresent
NetworkStream
EnterDebugMode
Pong
AuthenticateAsClient
ICredentials
pong
InstallFile
CompressionMode
DebuggableAttribute
ClientSocket
DebuggingModes
DetectDebugger
CallSiteBinder
DownloadString
RegistryKey
SetRegistry
CheckHostName
GetForegroundWindow
DetectSandboxie
KeepAlivePacket
ReadServertData
masterKey
sendPlugin
SocketType
savePlugin
Serversignature
FlushFinalBlock
InstallFolder
Installed
get_PublicKey
ValidateServerCertificate
ES_DISPLAY_REQUIRED
ClientOnExit
HMACSHA256
ES_SYSTEM_REQUIRED
IsAdmin
GetTempPath

Foremost
Matches: 0.exe, 45 KB
Suspicious: True
Heuristics
IPs
  hasIPs: False
  hasAllowed: False
  hasSuspicious: False

URLs
  hasURLs: True
  Allowed: http://schemas.microsoft.com/smi/2005/windowssettings
  hasAllowed: True
  hasSuspicious: False

Files
  hasFiles: True
  Allowed: SbieDll.dll, mscoree.dll, ntdll.dll, kernel32.dll, user32.dll
  hasAllowed: True
  hasSuspicious: False

Binary
Sizes
  RVA: 16 (Suspicious: False)
  Code size: 2560 (Suspicious: False)
  Image address: 4194304 (Suspicious: False)
  Stack: 4096 (Suspicious: False)
  Headers: 512 (Suspicious: False)
  Suspicious: False

Symbols
  Number: 0 (Suspicious: True)
  Pointer: 0 (Suspicious: True)
Directories
  Number: 16 (Suspicious: False)

Checksum
  Value: 0
  Suspicious: True

Sections
  Allowed: .text, .rsrc, .reloc
  hasSections: True
  hasAllowed: True
  hasSuspicious: False

Versions
  OS version: 4 (Suspicious: False)
  Image version: 4 (Suspicious: True)
  Linker version: 8.0 (Suspicious: False)
  Subsystem version: 4.0 (Suspicious: False)
  Suspicious: False

EntryPoint
  Address: 51038 (Suspicious: False)

Anomalies
  hasAnomalies: True
  Anomalies: The header checksum and the calculated checksum do not match.
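The Checksum entry (Value: 0) and the Anomalies entry above describe one condition: the CheckSum field of the optional header is zero, so it cannot equal the value recomputed over the file. The following Python is an added example, not part of this report or of the analysis platform that produced it. It recomputes the PE checksum with the standard algorithm (the same one pefile implements) and separates the two findings the report makes, an unset field and a mismatch. The header-only PE32 stub it builds is constructed for the test and is not the analysed sample; the loader would not run it. A zero CheckSum is weak evidence by itself: Windows verifies the field only for drivers and boot-loaded images, and many user-mode toolchains leave it at zero.

```python
"""Recompute a PE checksum and classify the mismatch flagged in the report."""
import struct
import sys


def pe_checksum_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (same offset for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # 4-byte signature + 20-byte IMAGE_FILE_HEADER, then CheckSum at +0x40 of the optional header
    return e_lfanew + 4 + 20 + 0x40


def compute_pe_checksum(data: bytes) -> int:
    """Standard PE checksum: sum 32-bit words folding carries, fold to 16 bits, add file size.

    The CheckSum field itself is treated as zero, so the result does not depend on
    what is currently stored there.
    """
    skip = pe_checksum_offset(data)
    buf = bytearray(data) + b"\0" * (-len(data) % 4)  # pad so trailing bytes are counted
    buf[skip:skip + 4] = b"\0\0\0\0"
    total = 0
    for (dword,) in struct.iter_unpack("<I", buf):
        total += dword
        if total > 0xFFFFFFFF:  # fold the carry back in
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def stored_pe_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, pe_checksum_offset(data))[0]


def with_checksum(data: bytes, value: int) -> bytes:
    """Return a copy of the image with the CheckSum field set to `value`."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, pe_checksum_offset(data), value)
    return bytes(buf)


def checksum_anomaly(data: bytes) -> dict:
    """Mirror the report: 'Checksum Value: 0' is `unset`, the Anomalies line is `mismatch`."""
    stored, computed = stored_pe_checksum(data), compute_pe_checksum(data)
    return {"stored": stored, "computed": computed,
            "unset": stored == 0, "mismatch": stored != computed}


def build_minimal_pe(checksum: int = 0) -> bytes:
    """Constructed header-only PE32 stub for offline testing; not the analysed sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE header right after the DOS header
    # Machine=i386, NumberOfSections=0, timestamp/symbols=0, SizeOfOptionalHeader=0xE0, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 0x40, checksum)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe()
    print(checksum_anomaly(image))
```

Run it with a path argument to check a real image; without one it reports on the constructed stub, where `stored` is 0 and `mismatch` is true, exactly the combination this report shows. Writing the computed value back with `with_checksum` and recomputing gives the same number, because the field is excluded from its own sum.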

Libraries
  hasLibs: True
  Allowed: mscoree.dll, ntdll.dll, kernel32.dll, user32.dll
  hasAllowed: True
  Suspicious: sbiedll.dll
  hasSuspicious: True

Timestamp
  Value: 2020-05-10 02:24:51
  Valid: True
  Past: False
  Future: False

Compilation
  Packed: False
  Packers: none
  Missing: False
  Compiled: True
  Compilers: Microsoft Visual C# / Basic .NET, Microsoft Visual Studio .NET, .NET executable, Microsoft Visual C# v7.0 / Basic .NET

Obfuscation
  XOR: False
  Fuzzing: True

PEDetector
  Matches: None
  Suspicious: False
Disassembly
  hasTricks: True
  Tricks:
    pushret: .text: 4
    pushpopmath: .rsrc: 2, .text: 24
    garbagebytes: .text: 3
    programcontrolflowchange: .text: 3
    cpuinstructionsresultscomparison: .text: 16

AVclass
File Trace
Time                     | Op      | PID  | Process        | Path
14/9/2021 - 14:45:42.590 | Open    | 2476 | C:\malware.exe | C:\Windows\SysWOW64\mscorrc.dll
14/9/2021 - 14:45:42.590 | Open    | 2476 | C:\malware.exe | C:\Windows\SysWOW64\mscorrc.dll.DLL
14/9/2021 - 14:45:42.590 | Open    | 2476 | C:\malware.exe | C:\Windows\System32\mscorrc.dll
14/9/2021 - 14:45:42.590 | Open    | 2476 | C:\malware.exe | C:\Windows\System32\mscorrc.dll.DLL
14/9/2021 - 14:45:42.590 | Open    | 2476 | C:\malware.exe | C:\mscorrc.dll
14/9/2021 - 14:45:42.590 | Open    | 2476 | C:\malware.exe | C:\Windows\SysWOW64\mscorrc.dll
14/9/2021 - 14:45:42.590 | Open    | 2476 | C:\malware.exe | C:\Windows\system\mscorrc.dll
14/9/2021 - 14:45:42.590 | Open    | 2476 | C:\malware.exe | C:\Windows\mscorrc.dll
14/9/2021 - 14:45:42.590 | Open    | 2476 | C:\malware.exe | C:\Monitor\mscorrc.dll
14/9/2021 - 14:45:42.590 | Open    | 2476 | C:\malware.exe | C:\Windows\SysWOW64\mscorrc.dll
14/9/2021 - 14:45:42.590 | Open    | 2476 | C:\malware.exe | C:\Windows\mscorrc.dll
14/9/2021 - 14:45:42.590 | Open    | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbem\mscorrc.dll
14/9/2021 - 14:45:42.590 | Open    | 2476 | C:\malware.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\mscorrc.dll
14/9/2021 - 14:45:42.590 | Open    | 2476 | C:\malware.exe | C:\malware.exe.config
14/9/2021 - 14:45:42.590 | Open    | 2476 | C:\malware.exe | C:\Windows\Microsoft.NET\Framework\v4.0.40305
14/9/2021 - 14:45:42.590 | Open    | 2476 | C:\malware.exe | C:\Windows\Microsoft.NET\Framework\v4.0.40305
14/9/2021 - 14:45:42.590 | Open    | 2476 | C:\malware.exe | C:\Windows\Fonts\StaticCache.dat
14/9/2021 - 14:45:42.590 | Read    | 2476 | C:\malware.exe | C:\Windows\Fonts\StaticCache.dat
14/9/2021 - 14:45:42.668 | Open    | 2476 | C:\malware.exe | C:\Windows\SysWOW64\uxtheme.dll
14/9/2021 - 14:45:42.668 | Open    | 2476 | C:\malware.exe | C:\Windows\SysWOW64\uxtheme.dll
14/9/2021 - 14:45:42.731 | Open    | 2476 | C:\malware.exe | C:\dwmapi.dll
14/9/2021 - 14:45:42.731 | Open    | 2476 | C:\malware.exe | C:\Windows\SysWOW64\dwmapi.dll
14/9/2021 - 14:45:42.731 | Open    | 2476 | C:\malware.exe | C:\Windows\SysWOW64\dwmapi.dll
14/9/2021 - 14:45:42.731 | Open    | 2476 | C:\malware.exe | C:\Windows\SysWOW64\ole32.dll
14/9/2021 - 14:45:42.731 | Open    | 2476 | C:\malware.exe | C:\Windows\SysWOW64\ole32.dll
14/9/2021 - 14:45:42.731 | Open    | 2476 | C:\malware.exe | C:\Windows\SysWOW64\rpcss.dll
14/9/2021 - 14:45:42.731 | Open    | 2476 | C:\malware.exe | C:\Windows\SysWOW64\rpcss.dll
14/9/2021 - 14:45:42.731 | Open    | 2476 | C:\malware.exe | C:\Windows\Globalization\Sorting\SortDefault.nls
14/9/2021 - 14:45:42.731 | Unknown | 2476 | C:\malware.exe | C:\Windows\Globalization\Sorting\SortDefault.nls
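The rows of the file trace were run together when the page was extracted (time, operation, PID, process and path with no separator, and in two rows the file name repeated as an extra column). The parser below is an added example, not part of the report or of the sandbox that produced the trace. It splits each row back into its columns, then groups the Open events by file name so the loader's search for mscorrc.dll can be read as a sequence of directories. The `C:\Windows` prefix used to separate system from non-system locations is this example's own assumption, and the rows embedded as input are copied from the trace above.

```python
"""Parse the flattened file-trace rows and summarise where a DLL was probed."""
import re
from typing import List, NamedTuple

# Rows copied from the File Trace above (columns run together by extraction).
TRACE_ROWS = [
    r"14/9/2021 - 14:45:42.590Open2476C:\malware.exeC:\Windows\SysWOW64\mscorrc.dll",
    r"14/9/2021 - 14:45:42.590Open2476C:\malware.exeC:\Windows\SysWOW64\mscorrc.dll.DLL",
    r"14/9/2021 - 14:45:42.590Open2476C:\malware.exeC:\Windows\System32\mscorrc.dll",
    r"14/9/2021 - 14:45:42.590Open2476C:\malware.exeC:\mscorrc.dll",
    r"14/9/2021 - 14:45:42.590Open2476C:\malware.exeC:\Windows\system\mscorrc.dll",
    r"14/9/2021 - 14:45:42.590Open2476C:\malware.exeC:\Windows\mscorrc.dll",
    r"14/9/2021 - 14:45:42.590Open2476C:\malware.exeC:\Monitor\mscorrc.dll",
    r"14/9/2021 - 14:45:42.590Open2476C:\malware.exeC:\Windows\SysWOW64\wbem\mscorrc.dll",
    r"14/9/2021 - 14:45:42.590Open2476C:\malware.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\mscorrc.dll",
    r"14/9/2021 - 14:45:42.590Open2476C:\malware.exeC:\malware.exe.config",
    r"14/9/2021 - 14:45:42.590Read2476C:\malware.exeC:\Windows\Fonts\StaticCache.datStaticCache.dat",
    r"14/9/2021 - 14:45:42.731Unknown2476C:\malware.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls",
]

# time | operation (letters) | pid (digits) | process (drive path ending in .exe) | target path
ROW_RE = re.compile(
    r"^(?P<time>\d{1,2}/\d{1,2}/\d{4} - \d{2}:\d{2}:\d{2}\.\d{3})"
    r"(?P<op>[A-Za-z]+?)(?P<pid>\d+)"
    r"(?P<proc>[A-Za-z]:\\.+?\.exe)"
    r"(?P<path>[A-Za-z]:\\.+)$"
)


class Event(NamedTuple):
    time: str
    op: str
    pid: int
    process: str
    path: str


def _strip_repeated_name(path: str) -> str:
    """Drop the extra 'Name' column some rows carry (file name repeated after the path)."""
    head, _, tail = path.rpartition("\\")
    half = len(tail) // 2
    if len(tail) % 2 == 0 and tail[:half] == tail[half:]:
        return f"{head}\\{tail[:half]}"
    return path


def parse_row(row: str) -> Event:
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised trace row: {row!r}")
    return Event(m["time"], m["op"], int(m["pid"]), m["proc"],
                 _strip_repeated_name(m["path"]))


def parse_trace(rows: List[str]) -> List[Event]:
    return [parse_row(r) for r in rows]


def probe_dirs(events: List[Event], filename: str) -> List[str]:
    """Directories where `filename` was opened, first-seen order, case-insensitive de-dup."""
    seen = {}
    for ev in events:
        head, _, tail = ev.path.rpartition("\\")
        if ev.op == "Open" and tail.lower() == filename.lower():
            directory = head + "\\" if head.endswith(":") else head  # "C:" -> "C:\"
            seen.setdefault(directory.lower(), directory)
    return list(seen.values())


def non_windows_probe_dirs(events: List[Event], filename: str,
                           windir: str = r"C:\Windows") -> List[str]:
    """Probe locations outside the Windows directory; check who can write to these first."""
    prefix = windir.lower().rstrip("\\")
    return [d for d in probe_dirs(events, filename)
            if not (d.lower() == prefix or d.lower().startswith(prefix + "\\"))]


if __name__ == "__main__":
    evs = parse_trace(TRACE_ROWS)
    for d in probe_dirs(evs, "mscorrc.dll"):
        print(d)
    print("outside C:\\Windows:", non_windows_probe_dirs(evs, "mscorrc.dll"))
```

On these rows the probe list for mscorrc.dll runs from SysWOW64 through System32, the directory of the executable (C:\), C:\Windows\system, C:\Windows, C:\Monitor, wbem and WindowsPowerShell\v1.0; the two locations outside C:\Windows are the ones to check for write access when a trace like this comes from a production host rather than a sandbox. The repeated-name heuristic only fires when the last path component is an exact doubled string, which is what the two affected rows show.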

Process Trace

Analysis
  Reason: Timeout
  Status: Successfully Executed
  Results: 1

Registry Trace

File Summary
  Created: not identified
  Deleted: not identified

Process Summary
  Created: not identified
  Deleted: not identified

Registry Summary
  Proxy: not identified
  AutoRun: not identified
  Created: not identified
  Deleted: not identified
  Browsers: not identified
  Internet: not identified


DNS
  Query: none recorded
  Response: none recorded

TCP
  Info: none recorded

UDP
  Info: none recorded

HTTP
  Info: none recorded

Summary
  DNS: False
  TCP: False
  UDP: False
  HTTP: False

Results
BINARY
NFS 2.0 (Threshold = 0.8): confidence 57.50%, suspicious: True
NFS 3.0 (Threshold = 0.75): confidence 74.67%, suspicious: True
Decision Tree (NFS-BRMalware): confidence 100.00%, suspicious: True
MalConv (Ember: Raw Bytes, Threshold = 0.5): confidence 72.51%, suspicious: True
Random Forest (100 estimators, NFS-BRMalware): confidence 62.00%, suspicious: True
Non-Negative MalConv (Ember: Raw Bytes, Threshold = 0.35): confidence 76.45%, suspicious: False
LightGBM (Ember: File Characteristics, Threshold = 0.8336): confidence 99.95%, suspicious: True
