Report #5352

  • Creation Date: Nov. 21, 2019, 5:43 p.m.
  • Last Update: Nov. 21, 2019, 6:02 p.m.
  • File: 043
  • Results:
Binary
DLL: False
Size: 1.05MB
trid:
42.7% Win32 Executable
19.2% OS/2 Executable
18.9% Generic Win/DOS Executable
18.9% DOS Executable Generic
type: PE
wordsize: 32
Subsystem: Windows GUI
Hashes
Community
Google: True
HashLib: False
YARA
Matches: VC8_Microsoft_Corporation, domain, DebuggerException__SetConsoleCtrl, Check_OutputDebugStringA_iat, HasDigitalSignature, url, HasRichSignature, contentis_base64, Microsoft_Visual_Cpp_8, Armadillo_v4x, HasOverlay, win_files_operation, IsPE32, anti_dbg, IsWindowsGUI
Suspicious: True

Strings
List

Foremost
Matches: 0.exe, 1 MB
Suspicious: True

Heuristics
IPs
hasIPs: False
Allowed
Suspicious
hasAllowed: False
hasSuspicious: False

URLs
Allowed
hasURLs: True
Suspicious: http://ocsp.comodoca.com0, https://secure.comodo.net/cps0c, http://crl.comodoca.com/comodorsacertificationauthority.crl0q, http://crl.comodoca.com/comodorsacodesigningca.crl0t, http://crt.comodoca.com/comodorsaaddtrustca.crt0$, http://repository.certum.pl/ctnca.cer0@, http://www.certum.pl/cps0, http://subca.ocsp-certum.com01, http://crt.comodoca.com/comodorsacodesigningca.crt0$, http://crl.certum.pl/ctnca.crl0k
hasAllowed: False
hasSuspicious: True

Files
Allowed: kernelbase.dll, kernel32.dll, pfpick.dll, ADVAPI32.dll, OLEAUT32.dll, mscoree.dll, GDI32.dll, USER32.DLL
hasFiles: True
Suspicious
hasAllowed: True
hasSuspicious: False
Binary
Sizes
RVA: 16 (Suspicious: False)
Code Size: 450560 (Suspicious: False)
Image Address: 4194304 (Suspicious: False)
Stack: 4096 (Suspicious: False)
Headers: 4096 (Suspicious: False)
Suspicious: False

Symbols
Number: 0 (Suspicious: True)
Pointer: 0 (Suspicious: True)
Directories
Number: 16 (Suspicious: False)

Checksum
Value: 1110443
Suspicious: False

Sections
Allowed: .text, .rdata, .data, .idata, .rsrc, .reloc
Suspicious
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS Version: 5 (Suspicious: False)
Image Version: 5 (Suspicious: True)
Linker Version: 12.0 (Suspicious: False)
Subsystem Version: 5.0 (Suspicious: False)
Suspicious: False

EntryPoint
Address: 485203
Suspicious: False

Anomalies
hasAnomalies: False

Libraries
Allowed: kernelbase.dll, kernel32.dll, advapi32.dll, oleaut32.dll, mscoree.dll, gdi32.dll, user32.dll
hasLibs: True
Suspicious: pfpick.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Past: False
Valid: True
Value: 2018-12-01 18:02:06
Future: False

Compilation
Packed: False
Missing: False
Packers
Compiled: True
Compilers: Microsoft Visual C++ 8, VC8 -> Microsoft Corporation

Obfuscation
XOR: False
Fuzzing: False

PEDetector
Matches: None
Suspicious: False
Disassembly
hasTricks: True
Tricks
pushret
.data: 8
.text: 117
.rdata: 106

pushpopmath
.data: 8
.text: 93
.rdata: 77
.reloc: 3

ss register
.data: 1
.text: 2
.rdata: 1

garbagebytes
.data: 4
.text: 50
.rdata: 35

hookdetection
.text: 6
.rdata: 6
.reloc: 1

software breakpoint
.text: 8
.rdata: 2
.reloc: 1

fakeconditionaljumps
.data: 1
.text: 7
.rdata: 1

programcontrolflowchange
.data: 3
.text: 43
.rdata: 34

cpuinstructionsresultscomparison
.text: 2

AVclass: qbot (1)
VirusTotal
md5: af285a3f91f3f9aac89875942c03771b
sha1: 3b1d28087fdb201c6b2191631c60f352c46c630f
SCANS (DETECTION RATE = 76.06%)
Format: engine: result (update: YYYYMMDD, version: engine version, detected: True/False)

AVG: Win32:DangerousSig [Trj] (update: 20191020, version: 18.4.3895.0, detected: True)
CMC: (no result; update: 20190321, version: 1.1.0.977, detected: False)
MAX: malware (ai score=100) (update: 20191020, version: 2019.9.16.1, detected: True)
APEX: Malicious (update: 20191019, version: 5.75, detected: True)
Bkav: (no result; update: 20191018, version: 1.3.0.10239, detected: False)
K7GW: Trojan ( 0054330d1 ) (update: 20191010, version: 11.72.32236, detected: True)
ALYac: DeepScan:Generic.Exploit.Shellcode.2.A5F0515D (update: 20191020, version: 1.1.1.5, detected: True)
Avast: Win32:DangerousSig [Trj] (update: 20191020, version: 18.4.3895.0, detected: True)
Avira: TR/AD.Qbot.qybva (update: 20191020, version: 8.3.3.8, detected: True)
Baidu: (no result; update: 20190318, version: 1.0.0.2, detected: False)
Cyren: (no result; update: 20191020, version: 6.2.2.2, detected: False)
DrWeb: BackDoor.Qbot.417 (update: 20191020, version: 7.0.41.7240, detected: True)
GData: DeepScan:Generic.Exploit.Shellcode.2.A5F0515D (update: 20191020, version: A:25.23728B:26.16357, detected: True)
Panda: Trj/CI.A (update: 20191020, version: 4.6.4.2, detected: True)
VBA32: BScope.Backdoor.Qbot (update: 20191018, version: 4.2.0, detected: True)
VIPRE: Trojan.Win32.Generic!BT (update: 20191020, version: 78722, detected: True)
Zoner: (no result; update: 20191020, version: 1.0.0.1, detected: False)
ClamAV: (no result; update: 20191020, version: 0.102.0.0, detected: False)
Comodo: Malware@#29vhynumtz0bc (update: 20191020, version: 31625, detected: True)
F-Prot: (no result; update: 20191020, version: 4.7.1.166, detected: False)
Ikarus: Trojan.Crypt.Agent (update: 20191020, version: 0.1.5.2, detected: True)
McAfee: GenericR-QOB!AF285A3F91F3 (update: 20191020, version: 6.0.6.653, detected: True)
Rising: Backdoor.Qbot!8.3147 (TFE:5:1P58gnsZWpQ) (update: 20191020, version: 25.0.0.24, detected: True)
Sophos: Mal/Qbot-R (update: 20191020, version: 4.98.0, detected: True)
Yandex: Trojan.PWS.Qbot!i3Xy93/9lRA (update: 20191018, version: 5.5.2.24, detected: True)
Zillya: Backdoor.Qbot.Win32.2 (update: 20191018, version: 2.0.0.3929, detected: True)
Acronis: suspicious (update: 20191018, version: 1.1.1.58, detected: True)
Alibaba: Backdoor:Win32/Qbot.ded462f0 (update: 20190527, version: 0.3.0.5, detected: True)
Arcabit: DeepScan:Generic.Exploit.Shellcode.2.A5F0515D (update: 20191020, version: 1.0.0.859, detected: True)
Cylance: Unsafe (update: 20191020, version: 2.3.1.101, detected: True)
Endgame: malicious (high confidence) (update: 20190918, version: 3.0.15, detected: True)
FireEye: Generic.mg.af285a3f91f3f9aa (update: 20191020, version: 29.7.0.0, detected: True)
TACHYON: (no result; update: 20191020, version: 2019-10-20.02, detected: False)
Tencent: (no result; update: 20191020, version: 1.0.0.1, detected: False)
ViRobot: Trojan.Win32.Z.Qbot.1099192 (update: 20191020, version: 2014.3.20.0, detected: True)
Webroot: W32.Trojan.Emotet (update: 20191020, version: 1.0.0.403, detected: True)
eGambit: (no result; update: 20191020, version: v5.0.6, detected: False)
Ad-Aware: DeepScan:Generic.Exploit.Shellcode.2.A5F0515D (update: 20191020, version: 3.0.5.370, detected: True)
AegisLab: (no result; update: 20191020, version: 4.2, detected: False)
Emsisoft: DeepScan:Generic.Exploit.Shellcode.2.A5F0515D (B) (update: 20191020, version: 2018.12.0.1641, detected: True)
F-Secure: Trojan.TR/AD.Qbot.qybva (update: 20191020, version: 12.0.86.52, detected: True)
Fortinet: W32/Kryptik.GNKI!tr (update: 20191020, version: 5.4.247.0, detected: True)
Invincea: heuristic (update: 20190904, version: 6.3.6.26157, detected: True)
Jiangmin: Backdoor.QBot.qt (update: 20191020, version: 16.0.100, detected: True)
Kingsoft: (no result; update: 20191020, version: 2013.8.14.323, detected: False)
Paloalto: generic.ml (update: 20191020, version: 1.0, detected: True)
Symantec: W32.Qakbot!gm (update: 20191019, version: 1.11.0.0, detected: True)
Trapmine: (no result; update: 20190826, version: 3.1.81.800, detected: False)
AhnLab-V3: Trojan/Win32.Kryptik.R248438 (update: 20191020, version: 3.16.3.25410, detected: True)
Antiy-AVL: Trojan[Backdoor]/Win32.Qbot (update: 20191020, version: 3.0.0.1, detected: True)
Kaspersky: Backdoor.Win32.Qbot.aent (update: 20191020, version: 15.0.1.13, detected: True)
MaxSecure: Trojan.Malware.73960695.susgen (update: 20191019, version: 1.0.0.1, detected: True)
Microsoft: Backdoor:Win32/Qbot.B (update: 20191020, version: 1.1.16500.1, detected: True)
Qihoo-360: Win32/Backdoor.BO.4da (update: 20191020, version: 1.0.0.1120, detected: True)
ZoneAlarm: Backdoor.Win32.Qbot.aent (update: 20191020, version: 1.0, detected: True)
Cybereason: malicious.f91f3f (update: 20190616, version: 1.2.449, detected: True)
ESET-NOD32: a variant of Win32/Kryptik.GNKI (update: 20191020, version: 20211, detected: True)
TrendMicro: Backdoor.Win32.QAKBOT.SMER (update: 20191020, version: 11.0.0.1006, detected: True)
BitDefender: DeepScan:Generic.Exploit.Shellcode.2.A5F0515D (update: 20191020, version: 7.2, detected: True)
CrowdStrike: win/malicious_confidence_60% (W) (update: 20190702, version: 1.0, detected: True)
K7AntiVirus: Trojan ( 0054330d1 ) (update: 20191020, version: 11.73.32320, detected: True)
SentinelOne: DFI - Malicious PE (update: 20190807, version: 1.0.31.22, detected: True)
Avast-Mobile: (no result; update: 20191012, version: 191012-04, detected: False)
Malwarebytes: (no result; update: 20191020, version: 2.1.1.1115, detected: False)
TotalDefense: (no result; update: 20191020, version: 37.1.62.1, detected: False)
CAT-QuickHeal: Backdoor.QBot (update: 20191020, version: 14.00, detected: True)
NANO-Antivirus: Trojan.Win32.Qbot.fkujrf (update: 20191020, version: 1.0.134.24859, detected: True)
MicroWorld-eScan: DeepScan:Generic.Exploit.Shellcode.2.A5F0515D (update: 20191020, version: 14.0.297.0, detected: True)
SUPERAntiSpyware: (no result; update: 20191019, version: 5.6.0.1032, detected: False)
McAfee-GW-Edition: GenericR-QOB!AF285A3F91F3 (update: 20191020, version: v2017.3010, detected: True)
TrendMicro-HouseCall: Backdoor.Win32.QAKBOT.SMER (update: 20191020, version: 10.0.0.1040, detected: True)

total: 71
sha256: fb26dc2598e18c8e9b95a4a3aace4f6c19dee93894eaab8d7d9d31f2b963f806
scan_id: fb26dc2598e18c8e9b95a4a3aace4f6c19dee93894eaab8d7d9d31f2b963f806-1571589611
resource: af285a3f91f3f9aac89875942c03771b
positives: 54
scan_date: 2019-10-20 16:40:11
verbose_msg: Scan finished, information embedded
response_code: 1
Results
BINARY
KNN (K=3, NFS-BRMalware)
confidence: 66.67%
suspicious: False

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True

SVC (Kernel=Linear, NFS-BRMalware)
confidence: 98.35%
suspicious: False

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 87.64%
suspicious: True

Random Forest (100 estimators, NFS-BRMalware)
confidence: 64.00%
suspicious: False

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 48.83%
suspicious: True

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 100.00%
suspicious: True