Report #235

  • Creation Date: Sept. 16, 2019, 4:40 p.m.
  • Last Update: Sept. 16, 2019, 4:46 p.m.
  • File: mal.exe
  • Results:
Binary
DLL: False
Size: 1.59MB
trid:
36.1% InstallShield setup
26.2% Win32 Executable MS Visual C++
23.2% Win64 Executable
5.5% Win32 Dynamic Link Library
3.7% Win32 Executable
type: PE
wordsize: 32
Subsystem: Windows GUI
Hashes
md5: 650a1063c775568b74ca04560fcc4310
sha1: 449fc9dfc3596fe3287bb02e6497d96b5d457275
crc32: 0x56799389
sha224: 4308ce25b4c1d9a2377b44d373f42bb3ad0bcb822e0dc3d82b80d002
sha256: 7db23af566cafc9d57f1517fe926a682531576b427154dab9993088b645ae82f
sha384: 36110af4e518adb957b841fca67154a2db32431b5332f2fdb6f8310a54d240d2f02a3c26a883c30a2c7ba24229e76858
sha512: a1749d8723d3b6a331a573fd98548d762bf78e4d457fb01f828f1022b5018a6ac414fc65e52235d6dab1b3353a16950ee56cf931b8bf97725c2cf5ca55f4950f
ssdeep: 49152:kswku84W4FZDFhiBnoh+iMsPsffVkqxFJ:1wkuljDFhYAc
Community
Google: False
HashLib: False
YARA
Matches: win_files_operation, domain, contentis_base64, anti_dbg, HasDigitalSignature, screenshot, HasDebugData, url, HasRichSignature, win_mutex, keylogger, create_service, win_registry, IsPacked, HasOverlay, Advapi_Hash_API, win_token, IsPE32, escalate_priv, IsWindowsGUI, IP

Suspicious: True

Strings
List
<dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
http://www.microsoft.com/applets/calc/templates/v1
http://sf.symcb.com/sf.crt0
http://sf.symcb.com/sf.crl0f
xmlns:calcTemplate='http://www.microsoft.com/applets/calc/templates/v1'
https://d.symcb.com/rpa0
https://d.symcb.com/cps0%
F:\buildagent\workspace\root\GbPlugin\RB\GbpSv\src\main\GbpSv\GbpSv.pdb
name="Microsoft.Windows.Shell.calc"
m.nA
calc.pdb
+http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
.http://crl.thawte.com/ThawteTimestampingCA.crl0
+http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
2Terms of use at https://www.verisign.com/rpa (c)101.0,
2Terms of use at https://www.verisign.com/rpa (c)101.0,
2Terms of use at https://www.verisign.com/rpa (c)101.0,
#http://logo.verisign.com/vslogo.gif04
#http://crl.verisign.com/pca3-g5.crl04
https://www.verisign.com/cps0*
https://www.verisign.com/rpa0
U.Ci
http://sf.symcd.com0&
n.IQ
w.Nr!
WindowsCodecs.dll
mshelp://windows/?id=f15f7d3e-ee9c-465a-a7e8-4e6af5cfee5d
COMCTL32.dll
WINMM.dll
UxTheme.dll
imageres.dll
ntdll.dll
ntdll.dll
3.9.3.0
3.9.3.0
GbpSv.exe
http://ts-ocsp.ws.symantec.com07
*.\0
fD9$Hu
fD9$Ou
&o"rD
#=%/
AfD;
P,TR
http://ocsp.verisign.com0
"RidP
71aeM
fD90t
fD90t
fD98t
name="Microsoft.Windows.Common-Controls"
ESL9o%%
%8n`&h
?'%%%%%%&:
p2%AT
|%sOg%
Programmer_radix
Software\Microsoft\Windows\CurrentVersion\Applets\
GdipDeletePen
u%haE
GdiplusShutdown
GdipDeleteBrush
%ivRgI
Software\Microsoft\Calc
T 45%e
r%n {(#
_wcsnicmp
_wcsicmp
cuberoot()
<requestedPrivileges>
<requestedPrivileges>
^{[\+\-]?}{\d*\%c?\d*}({e}[\+\-]?{\d*})?$
^[\+\-]?{\d*}\%c?{\d*}(e[\+\-]?{\d*})?\b*$
publicKeyToken="6595b64144ccf1df"
CalcCommand
_acmdln
GetProcAddress
GetProcAddress
ExitProcess
ErrorCode: %d, Line: %d Column: %d; Error: %s
CreateEventW
CreateEventW
LaunchingApp
Module32Next
IsDebuggerPresent
SuspendThread
CreateEventA
OpenProcessToken
CreateProcessW
CreateProcessA
OpenProcess
ReadProcessMemory
TerminateProcess
TerminateProcess
WriteProcessMemory
volumeformulas
CreateProcessAsUserW
DeviceIoControl
VirtualAlloc
CoCreateInstance

Foremost
Matches
0.exe, 570 KB, 2565.png, 26 KB, 2686.png, 4 KB, 2695.png, 5 KB, 2706.png, 6 KB, 2719.png, 3 KB, 2727.png, 4 KB, 2736.png, 4 KB, 2745.png, 2 KB, 2751.png, 3 KB, 2757.png, 3 KB, 2763.png, 4 KB, 2771.png, 4 KB, 2780.png, 4 KB, 2789.png, 2 KB, 2795.png, 3 KB, 2801.png, 3 KB, 2807.png, 4 KB, 2817.png, 4 KB, 2826.png, 5 KB, 2836.png, 3 KB, 2842.png, 3 KB, 2849.png, 3 KB, 2856.png, 4 KB, 2866.png, 5 KB, 2876.png, 5 KB, 2887.png, 3 KB, 2893.png, 3 KB, 2901.png, 3 KB, 2908.png, 3 KB, 2916.png, 3 KB, 2923.png, 4 KB, 2932.png, 3 KB, 2939.png, 3 KB, 2947.png, 4 KB, 2955.png, 4 KB, 2964.png, 4 KB, 2973.png, 5 KB, 2983.png, 4 KB, 2993.png, 5 KB, 3004.png, 6 KB, 3016.png, 4 KB, 3024.png, 4 KB, 3033.png, 4 KB, 3043.png, 4 KB, 3052.png, 5 KB, 3063.png, 6 KB, 3076.png, 4 KB, 3084.png, 4 KB, 3093.png, 4 KB, 3102.png, 3 KB, 3108.png, 3 KB, 3115.png, 3 KB, 3121.png, 2 KB, 3127.png, 2 KB, 3133.png, 3 KB, 3139.png, 2 KB, 3145.png, 2 KB, 3151.png, 2 KB, 3157.png, 3 KB, 3164.png, 3 KB, 3171.png, 4 KB, 3180.png, 3 KB, 3187.png, 4 KB, 3195.png, 4 KB, 3204.png, 3 KB, 3211.png, 4 KB, 3220.png, 4 KB, 3229.png, 2 KB, 3235.png, 2 KB, 3240.png, 2 KB
Suspicious: True
Heuristics
IPs
hasIPs: False
Allowed
Suspicious
hasAllowed: False
hasSuspicious: False

URLs
Allowed: http://www.microsoft.com/applets/calc/templates/v1, http://schemas.microsoft.com/smi/2005/windowssettings
hasURLs: True
Suspicious: https://www.verisign.com/cps0, http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(, https://d.symcb.com/cps0%, http://sf.symcb.com/sf.crt0, http://crl.thawte.com/thawtetimestampingca.crl0, http://ocsp.verisign.com0, https://www.verisign.com/rpa, http://ocsp.thawte.com0, http://sf.symcb.com/sf.crl0f, http://crl.verisign.com/pca3-g5.crl04, https://www.verisign.com/rpa0, http://logo.verisign.com/vslogo.gif04, http://sf.symcd.com0&, http://ts-ocsp.ws.symantec.com07, https://d.symcb.com/rpa0, http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
hasAllowed: True
hasSuspicious: True

Files
Allowed: kernel32.dll, imageres.dll, ntdll.dll, USER32.DLL, ADVAPI32.dll, SHLWAPI.dll, RPCRT4.dll, OLEAUT32.dll, FLTLIB.DLL, SHELL32.dll, UxTheme.dll, msvcrt.dll, COMCTL32.dll, ole32.dll, gdiplus.dll, WindowsCodecs.dll, GDI32.dll, WINMM.dll
hasFiles: True
Suspicious
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA
RVA: 16
Suspicious: False
Code
Size: 321024
Suspicious: False
Image
Address: 4194304
Suspicious: False
Stack
Stack: 4096
Suspicious: False
Headers
Headers: 1024
Suspicious: False
Suspicious: False

Symbols
Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 635367
Suspicious: False

Sections
Allowed: .text, code, .rdata, .data, data, bss, .gas0, .gas1, .rsrc
Suspicious
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS
Version: 5
Suspicious: False
Image
Version: 5
Suspicious: True
Linker
Version: 9.0
Suspicious: False
Subsystem
Version: 5.0
Suspicious: False
Suspicious: False

EntryPoint
Address: 1310378
Suspicious: False

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True

Libraries
Allowed: kernel32.dll, imageres.dll, ntdll.dll, user32.dll, advapi32.dll, shlwapi.dll, rpcrt4.dll, oleaut32.dll, fltlib.dll, shell32.dll, uxtheme.dll, msvcrt.dll, comctl32.dll, ole32.dll, gdiplus.dll, windowscodecs.dll, gdi32.dll, winmm.dll
hasLibs: True
Suspicious
hasAllowed: True
hasSuspicious: False

Timestamp
Past: False
Valid: True
Value: 2015-11-16 08:32:32
Future: False

Compilation
Packed: False
Missing: True
Packers
Compiled: False
Compilers

Obfuscation
XOR: True
Fuzzing: False

PEDetector
Matches: 590048
Suspicious: True
Disassembly
hasTricks: True
Tricks
pushret
none: 286

pushpopmath
none: 183

ss register
none: 13

garbagebytes
none: 114

hookdetection
none: 8

software breakpoint
none: 13

fakeconditionaljumps
none: 3

programcontrolflowchange
none: 111

cpuinstructionsresultscomparison
none: 2
.rsrc: 4

AVclass
None: 1
VirusTotal
md5: 650a1063c775568b74ca04560fcc4310
sha1: 449fc9dfc3596fe3287bb02e6497d96b5d457275
SCANS (DETECTION RATE = 7.25%)
AVG
update: 20190916
version: 18.4.3895.0
detected: False

CMC
update: 20190321
version: 1.1.0.977
detected: False

MAX
update: 20190916
version: 2019.9.16.1
detected: False

APEX
result: Malicious
update: 20190913
version: 5.63
detected: True

Bkav
update: 20190916
version: 1.3.0.10239
detected: False

K7GW
update: 20190912
version: 11.66.31997
detected: False

ALYac
update: 20190916
version: 1.1.1.5
detected: False

Avast
update: 20190916
version: 18.4.3895.0
detected: False

Avira
update: 20190916
version: 8.3.3.8
detected: False

Baidu
update: 20190318
version: 1.0.0.2
detected: False

Cyren
update: 20190916
version: 6.2.0.1
detected: False

DrWeb
update: 20190916
version: 7.0.41.7240
detected: False

GData
update: 20190916
version: A:25.23403B:26.16046
detected: False

Panda
update: 20190916
version: 4.6.4.2
detected: False

VBA32
update: 20190916
version: 4.0.0
detected: False

Zoner
update: 20190916
version: 1.0.0.1
detected: False

ClamAV
update: 20190916
version: 0.101.4.0
detected: False

Comodo
update: 20190916
version: 31485
detected: False

F-Prot
update: 20190916
version: 4.7.1.166
detected: False

Ikarus
update: 20190916
version: 0.1.5.2
detected: False

McAfee
update: 20190916
version: 6.0.6.653
detected: False

Rising
update: 20190916
version: 25.0.0.24
detected: False

Sophos
update: 20190916
version: 4.98.0
detected: False

Yandex
update: 20190916
version: 5.5.2.24
detected: False

Zillya
update: 20190916
version: 2.0.0.3901
detected: False

Acronis
update: 20190904
version: 1.1.1.56
detected: False

Alibaba
update: 20190527
version: 0.3.0.5
detected: False

Arcabit
update: 20190916
version: 1.0.0.856
detected: False

Cylance
update: 20190916
version: 2.3.1.101
detected: False

Endgame
update: 20190819
version: 3.0.14
detected: False

FireEye
update: 20190916
version: 29.7.0.0
detected: False

TACHYON
update: 20190916
version: 2019-09-16.02
detected: False

Tencent
update: 20190916
version: 1.0.0.1
detected: False

ViRobot
result: Trojan.Win32.Agent.590048
update: 20190916
version: 2014.3.20.0
detected: True

Webroot
update: 20190916
version: 1.0.0.403
detected: False

eGambit
update: 20190916
version: v5.0.5
detected: False

Ad-Aware
update: 20190916
version: 3.0.5.370
detected: False

AegisLab
update: 20190916
version: 4.2
detected: False

Emsisoft
update: 20190916
version: 2018.12.0.1641
detected: False

F-Secure
update: 20190916
version: 12.0.86.52
detected: False

Fortinet
update: 20190916
version: 5.4.247.0
detected: False

Invincea
update: 20190904
version: 6.3.6.26157
detected: False

Jiangmin
update: 20190916
version: 16.0.100
detected: False

Kingsoft
update: 20190916
version: 2013.8.14.323
detected: False

Paloalto
update: 20190916
version: 1.0
detected: False

Symantec
update: 20190916
version: 1.10.0.0
detected: False

Trapmine
update: 20190826
version: 3.1.81.800
detected: False

AhnLab-V3
update: 20190916
version: 3.16.1.25089
detected: False

Antiy-AVL
update: 20190916
version: 3.0.0.1
detected: False

Kaspersky
update: 20190916
version: 15.0.1.13
detected: False

Microsoft
result: Trojan:Win32/Fuerboos.E!cl
update: 20190916
version: 1.1.16300.1
detected: True

Qihoo-360
update: 20190916
version: 1.0.0.1120
detected: False

ZoneAlarm
update: 20190916
version: 1.0
detected: False

Cybereason
result: malicious.fc3596
update: 20190616
version: 1.2.449
detected: True

ESET-NOD32
update: 20190916
version: 20028
detected: False

TrendMicro
update: 20190916
version: 11.0.0.1006
detected: False

BitDefender
update: 20190916
version: 7.2
detected: False

CrowdStrike
result: win/malicious_confidence_80% (D)
update: 20190702
version: 1.0
detected: True

K7AntiVirus
update: 20190916
version: 11.67.32027
detected: False

SentinelOne
update: 20190807
version: 1.0.31.22
detected: False

Avast-Mobile
update: 20190916
version: 190916-00
detected: False

Malwarebytes
update: 20190916
version: 2.1.1.1115
detected: False

TotalDefense
update: 20190916
version: 37.1.62.1
detected: False

CAT-QuickHeal
update: 20190916
version: 14.00
detected: False

NANO-Antivirus
update: 20190916
version: 1.0.134.24859
detected: False

MicroWorld-eScan
update: 20190916
version: 14.0.297.0
detected: False

SUPERAntiSpyware
update: 20190913
version: 5.6.0.1032
detected: False

McAfee-GW-Edition
update: 20190916
version: v2017.3010
detected: False

TrendMicro-HouseCall
update: 20190916
version: 10.0.0.1040
detected: False
total: 69
sha256: 7db23af566cafc9d57f1517fe926a682531576b427154dab9993088b645ae82f
scan_id: 7db23af566cafc9d57f1517fe926a682531576b427154dab9993088b645ae82f-1568662811
resource: 650a1063c775568b74ca04560fcc4310
positives: 5
scan_date: 2019-09-16 19:40:11
verbose_msg: Scan finished, information embedded
response_code: 1
File
Trace

Process
Trace

Analysis
Reason: Blue Screen
Status: Execution Failed
Results: 0

Registry
Trace

File Summary
Created
Identified: False

Deleted
Identified: False

Process Summary
Created
Identified: False

Deleted
Identified: False

Registry Summary
Proxy
Identified: False

AutoRun
Identified: False

Created
Identified: False

Deleted
Identified: False

Browsers
Identified: False

Internet
Identified: False

DNS
Query

Response

TCP
Info
localhost:49476 -> localhost:27015
localhost:27015 -> localhost:49476

UDP
Info
localhost:51870 -> 239.255.255.250:1900

HTTP
Info

Summary
DNS: True

TCP: True

UDP: True

HTTP: True

Results
Random Forest
detected: TBD
confidence: TBD