Report #5532

Binary
DLL: False
Size
93.50KB
trid
41.0% Win32 Executable MS Visual C++
36.3% Win64 Executable
8.6% Win32 Dynamic Link Library
5.9% Win32 Executable
2.6% OS/2 Executable
type
PE
wordsize
32
Subsystem
Windows CLI
Hashes
md5
5872056d20ebb14ea85235244053bc58
sha1
11d2f15d86fce20046d643545489d83fab711a38
crc32
0xa3f0530a
sha224
981eadf40ed361da2ac629ba07aeb7b6250761dae0c82009bc1f31fd
sha256
b0f164c113a117f1abc8904f2a847ec4ee05fb4c3960be05d5c8dc1598a9a72d
sha384
be2235f65c5ea33fc516e8694c0c6ed4516c4c0056a07ad8b5754704012913cf112c859b72d6ebb4e4c487098a03d951
sha512
9d8e00776cb9d5ea815316f996f9f385f561b027afb73c43afd4e2804c99b31c2deb2209bde1ef4b8a32cef1da7a57cbbc1bb946193b4887b3ba70f3608909e7
ssdeep
768:JZnRRLMXITA+x7SVrPuxG4veB/0A24Er1owz4I9hJn8krbbYQDtE5+QeGkYDJ+lM:/SQ1x8ab6o441t8I5daXs+rfmFiKsz
Community
Google: False
HashLib: False
YARA
Matches
VC8_Microsoft_Corporation, domain, anti_dbg, url, contentis_base64, Microsoft_Visual_Cpp_8, HasDebugData, IsConsole, win_files_operation, IsPE32, HasRichSignature

Suspicious: True

Strings
List
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
C:\P\monst3r\Release\gth4rgsdgf.pdb
dkernel32.dll
Amscoree.dll
no space on device
no such process
resource deadlock would occur
no such device or address
operation in progress
too many files open
file too large
device or resource busy
too many files open in system
too many links
value too large
no such device
operation canceled
operation not permitted
network_down
network_reset
host_unreachable
permission_denied
not_a_socket
- abort() has been called
IsProcessorFeaturePresent
GetProcAddress
ExitProcess
operation_would_block
identifier removed
operation would block
IsDebuggerPresent
executable format error
TerminateProcess
too many symbolic link levels
CoCreateInstance
permission denied
QueryPerformanceCounter
GetModuleFileNameW
GetModuleHandleW
CreateFileW
WriteFile
LoadLibraryExW
LoadLibraryW
GetModuleFileNameA
host unreachable
network reset
network down
broken pipe
not a socket
> >@>L>h>t>
Sleep
VFLFKCHFBFOFOFLFOCHFOFBFPFRFJFBCHFKFBFUFQDIFMFLEXFPFFEYFEFUFMEYFEFFFFFNFPFGFODLCJDRDUDPDUECDUECDUDXDSDTDREIDREIDSDPDSDRDREHDREKDSDRDREMDREHDRELDRELDREMDREHDREKDRENDREIDUDXDUEADTEMDUECDUDWDREKDRELDREMDREHDUECDUEGDUECCJDIFCFRFKEYFQFFFLFKCHFJEXEWFCFTFHFTEXFQEWFLCPFFEXEXFUFFFFFAFNFUFQFVCQDIFAFFFJCHFQFPFVEWFBFVFSFMEWFVEWFCFHDIFGFEFOEXFVFRFLEWFIFJEYDLCYDHDIEWFIFLFLFIEXFTFOFBEXFSFMFUFJEYFVFVDLEWFPEYCPECFFFACPFFEXEXFUFFFFFAFNFUFQFVCTCYCTCYCQCQCUDEDDDIFAFFFJCHFAFDEXFSFRFHFTFFFAFHFIDIFFEXEXFUFFFFFAFNFUFQFVDLECFFFACPFFEXEXFUFFFFFAFNFUFQFVCTDACTEBFBFKCPFFEXEXFUFFFFFAFNFUFQFVCQCUCYCQDIFAFFFJCHFJFSFHFVFCFQFQEWFQFLFHFQDIFVFPFOFOFQFDFMEWEXFMFDFTFPFMFCFQFVDGDLCJCJDIFTFEFFFIFBCPEBFBFKCPFFEXEXFUFFFFFAFNFUFQFVCQDMCXCQDIFVFPFOFOFQFDFMEWEXFMFDFTFPDLFVFPFOFOFQFDFMEWEXFMFDFTFPCNCPDRFEFOCPCPCPCPEWFPEYCPECFFFACPFFEXEXFUFFFFFAFNFUFQFVCTCYCTCYCQCQCUDEDDCQCQCRDADDCSCPEWFPEYCPECFFFACPFFEXEXFUFFFFFAFNFUFQFVCTDACTCYCQCQCUDEDDCQCUEWFIFLFLFIEXFTFOFBEXFSFMFUFJEYFVFVCUFGFEFOEXFVFRFLEWFIFJEYCQCQCQDIFFEXEXFUFFFFFAFNFUFQFVDLECFFFACPFFEXEXFUFFFFFAFNFUFQFVCTDBCTEBFBFKCPFFEXEXFUFFFFFAFNFUFQFVCQCUDACQDIFTDTFKFADIFJEXEWFCFTFHFTEXFQEWFLDLFVFPFOFOFQFDFMEWEXFMFDFTFPDIFBFKFACHFCFRFKEYFQFFFLFKDIFPFBFQCHFSFAFIFJFFFTFUFCEXEXFUFAFSFCFMDLDRFOFBEWFQFBEEEXFGFBEYFQCPFJEXEWFCFTFHFTEXFQEWFLCPCJDTDTDPDTDVDTEBDTDPDSEODRENDREJDTDVDTEODUECDUEGDTEODUECDTEBDTDPDSEODSEKDTDWDTDWDTDSDREJDSDRDREJDRELCJCQCQDIFSFAFIFJFFFTFUFCEXEXFUFAFSFCFMCVFLFMFBFKCHFJEXEWFCFTFHFTEXFQEWFLCPCJEJDTDYDTDWDTEMCJCQCTFJEXEWFCFTFHFTEXFQEWFLCPFMFLEXFPFFEYFEFUFMEYFEFFFFFNFPFGFOCQCTFCEWFIFPFBDIFSFAFIFJFFFTFUFCEXEXFUFAFSFCFMCVFPFBFKFADIFCFRFKEYFQFFFLFKCHFUFQFEFUFIEXFKEWEXFTFTFADIDSFFFJCHFHFHFHFBFAFUEXFSFTFCEXFLFDFPEXFDFUDICHCHFHFHFHFBFAFUEXFSFTFCEXFLFDFPEXFDFUCHDLCHDSEWFQFBDPFAFACPCJFPCJCTCHDBCXCTCHEDFLFTCPCQCQCHDICHDSFLCHEKFKFQFFFICHCPEDFLFTCPCQCHDMCHFHFHFHFBFAFUEXFSFTFCEXFLFDFPEXFDFUCQCHDICHEBFLFLFMDIFBFUFBEYFRFQFBCPFJEXEWFCFTFHFTEXFQEWFLCPFSFAFIFJFFFTFUFCEXEXFUFAFSFCFMCVFOFBFPFMFLFKFPFBEJFBFUFQCQCQDIFBFKFACHFCFRFKEYFQFFFLFK
system
network_unreachable
GetCPInfo
GetProcessHeap
network unreachable
7!717A7R7V7b7f7r7v7
6&626A6R6/797=8@9S:]:g:
.?AV_com_error@@
no_protocol_option
wrong_protocol_type
0'04090G0$1.141H1T1
protocol_not_supported
operation_in_progress
no_buffer_space
0 0$0(0,0004080<0@0D0H0L0P0T0X0\0`0d0h0l0p0t0x0|0
destination_address_required
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1
invalid_argument
bad_address
timed_out
filename_too_long
address_not_available
message_size
restrict(
not_connected
2$2,242<2D2L2T2\2d2l2t2|2
3$3,343<3D3L3T3\3d3l3t3|3
operation_not_supported
connection_reset
address_in_use
connection_refused
already_connected
connection_aborted
too_many_files_open
3 303@3d3l3t3|3
CONOUT$
=0=8=L=T=\=d=h=l=t=
VELDQEIEYFOFFFMFQ
: :,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
delete[]
;5TDA
1#IND
1#INF
`.rdata
InterlockedIncrement
InterlockedDecrement
`string'
+t"HHt

Foremost
Matches
0.exe, 93 KB
Suspicious: True
Heuristics
IPs
Allowed:
Suspicious:
hasIPs: False
hasAllowed: False
hasSuspicious: False

URLs
Allowed: http://schemas.microsoft.com/smi/2005/windowssettings
Suspicious:
hasURLs: True
hasAllowed: True
hasSuspicious: False

Files
Allowed: Amscoree.dll, USER32.DLL, dkernel32.dll, ole32.dll, KERNEL32.dll, OLEAUT32.dll
Suspicious:
hasFiles: True
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA
RVA: 16
Suspicious: False
Code
Size: 47104
Suspicious: False
Image
Address: 4194304 (0x400000)
Suspicious: False
Stack
Stack: 4096
Suspicious: False
Headers
Headers: 1024
Suspicious: False
Suspicious: False

Symbols
Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 0
Suspicious: True

Sections
Allowed: .text, .rdata, .data, .rsrc, .reloc
Suspicious:
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS
Version: 6
Suspicious: False
Image
Version: 6
Suspicious: True
Linker
Version: 11.0
Suspicious: False
Subsystem
Version: 6.0
Suspicious: False
Suspicious: False

EntryPoint
Address: 16108 (0x3EEC)
Suspicious: False

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True
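The anomaly refers to the CheckSum dword of the optional header: the Checksum entry above shows a stored value of 0, so the linker never wrote one. The Python below is an added example written for this page, not code from the report or from the analysis platform. It recomputes the field with the CheckSumMappedFile algorithm (dword sum with end-around carry over the whole file, skipping the CheckSum dword itself, folded to 16 bits, plus the file length), compares it with the stored value, and can write a correct value back. It runs on a constructed minimal PE32 header, not on the analysed sample; the header's field values are arbitrary.

```python
"""PE/COFF CheckSum verification.

Added example for this page (not the report's or the platform's code):
recomputes the optional-header CheckSum the way Windows' CheckSumMappedFile
does and compares it with the stored value.  build_sample_pe() constructs a
minimal PE32 header for demonstration; it is not the analysed binary.
"""
import struct

E_LFANEW_OFFSET = 0x3C          # DOS header field pointing at "PE\0\0"
FILE_HEADER_SIZE = 20           # IMAGE_FILE_HEADER
CHECKSUM_IN_OPTIONAL = 0x40     # CheckSum offset inside IMAGE_OPTIONAL_HEADER (PE32 and PE32+)


def checksum_field_offset(data: bytes) -> int:
    """File offset of the CheckSum dword, after validating the MZ/PE signatures."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    offset = e_lfanew + 4 + FILE_HEADER_SIZE + CHECKSUM_IN_OPTIONAL
    if offset % 4:
        raise ValueError("unaligned PE header")
    return offset


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """CheckSumMappedFile algorithm: dword sum with end-around carry over the
    whole file (the CheckSum dword itself skipped), folded to 16 bits, plus
    the file length."""
    padded = data + b"\0" * (-len(data) % 4)   # last partial dword is zero-extended
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def verify_pe_checksum(data: bytes) -> dict:
    """Compare the stored CheckSum with the recomputed one."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    return {"stored": stored, "computed": computed,
            "unset": stored == 0, "matches": stored == computed}


def set_pe_checksum(data: bytes) -> bytes:
    """Copy of data with a correct CheckSum written in (what link.exe /RELEASE does)."""
    off = checksum_field_offset(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, off, pe_checksum(data, off))
    return bytes(buf)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header: DOS header, PE signature, file header,
    optional header with CheckSum = 0, and three trailing bytes so the length
    is not dword-aligned.  Field values are arbitrary."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    file_header = struct.pack("<HHIIIHH",
                              0x14C,        # IMAGE_FILE_MACHINE_I386
                              1,            # NumberOfSections
                              0x5CB0771D,   # TimeDateStamp (arbitrary)
                              0, 0,         # symbol table pointer / count
                              0xE0,         # SizeOfOptionalHeader (PE32)
                              0x0102)       # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 0x1C, 0x400000)    # ImageBase
    struct.pack_into("<I", opt, 0x40, 0)           # CheckSum left unset
    return bytes(dos) + b"PE\0\0" + file_header + bytes(opt) + b"\xAB\xCD\xEF"


if __name__ == "__main__":
    sample = build_sample_pe()
    print(verify_pe_checksum(sample))                     # unset, no match
    print(verify_pe_checksum(set_pe_checksum(sample)))    # matches
```

A stored value of 0 means unset rather than tampered: link.exe only fills CheckSum in with /RELEASE, and Windows only verifies it when loading kernel-mode drivers and a few system DLLs, so most user-mode binaries ship with 0. The stronger signal is a non-zero stored value that does not recompute, which means the file was changed after linking (patched, infected, or packed).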

Libraries
Allowed: user32.dll, ole32.dll, kernel32.dll, oleaut32.dll
hasLibs: True
Suspicious: amscoree.dll, dkernel32.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Past: False
Valid: True
Value: 2019-04-12 11:31:41
Future: False

Compilation
Packed: False
Missing: False
Packers:
Compiled: True
Compilers: Microsoft Visual C++ 8, VC8 -> Microsoft Corporation

Obfuscation
XOR: False
Fuzzing: True

PEDetector
Matches: None
Suspicious: False
Disassembly
hasTricks: True
Tricks
pushret
.data: 1
.text: 1

pushpopmath
.text: 6
.rdata: 7
.reloc: 3

garbagebytes
.data: 1
.text: 1

programcontrolflowchange
.data: 1
.text: 1

AVclass
occamy: 1
VirusTotal
md5
5872056d20ebb14ea85235244053bc58
sha1
11d2f15d86fce20046d643545489d83fab711a38
SCANS (DETECTION RATE = 61.76%)
engine: verdict, label (signature update, engine version)

AVG: detected, Win32:MalwareX-gen [Trj] (update 20190503, version 18.4.3895.0)
CMC: not detected (update 20190321, version 1.1.0.977)
MAX: not detected (update 20190503, version 2018.9.12.1)
Bkav: not detected (update 20190503, version 1.3.0.9899)
K7GW: detected, Trojan-Downloader ( 0054a91c1 ) (update 20190503, version 11.41.30804)
ALYac: detected, Trojan.GenericKD.41199952 (update 20190503, version 1.1.1.5)
Avast: detected, Win32:MalwareX-gen [Trj] (update 20190503, version 18.4.3895.0)
Avira: detected, HEUR/AGEN.1038176 (update 20190503, version 8.3.3.8)
Baidu: not detected (update 20190318, version 1.0.0.2)
Cyren: detected, W32/Agent.AYE.gen!Eldorado (update 20190503, version 6.2.0.1)
DrWeb: not detected (update 20190503, version 7.0.34.11020)
GData: detected, Trojan.GenericKD.41199952 (update 20190503, version A:25.21775B:25.14995)
Panda: detected, Trj/GdSda.A (update 20190503, version 4.6.4.2)
VBA32: not detected (update 20190503, version 4.0.0)
Zoner: not detected (update 20190503, version 1.0)
ClamAV: not detected (update 20190503, version 0.101.2.0)
Comodo: not detected (update 20190503, version 30811)
F-Prot: detected, W32/Agent.AYE.gen!Eldorado (update 20190503, version 4.7.1.166)
McAfee: detected, RDN/Generic Downloader.x (update 20190503, version 6.0.6.653)
Rising: detected, Downloader.Agent!8.B23 (CLOUD) (update 20190503, version 25.0.0.24)
Sophos: detected, Mal/Generic-S (update 20190503, version 4.98.0)
Yandex: detected, Trojan.DL.Agent!cyE4G2a2g1k (update 20190501, version 5.5.1.3)
Zillya: detected, Downloader.Agent.Win32.378722 (update 20190503, version 2.0.0.3807)
Acronis: not detected (update 20190501, version 1.0.1.48)
Alibaba: detected, TrojanDownloader:Win32/MalwareX.bc096bc7 (update 20190426, version 0.4.0.6)
Arcabit: detected, Trojan.Generic.D274A950 (update 20190503, version 1.0.0.845)
Cylance: detected, Unsafe (update 20190503, version 2.3.1.101)
Endgame: not detected (update 20190403, version 3.0.9)
FireEye: detected, Trojan.GenericKD.41199952 (update 20190503, version 29.7.0.0)
TACHYON: not detected (update 20190503, version 2019-05-03.03)
Tencent: detected, Win32.Trojan-downloader.Agent.Swkw (update 20190503, version 1.0.0.1)
ViRobot: detected, Trojan.Win32.Z.Agent.95744.UH (update 20190503, version 2014.3.20.0)
eGambit: not detected (update 20190503, version v4.3.6)
Ad-Aware: detected, Trojan.GenericKD.41199952 (update 20190503, version 3.0.5.370)
AegisLab: detected, Trojan.Win32.Generic.4!c (update 20190503, version 4.2)
Emsisoft: detected, Trojan.GenericKD.41199952 (B) (update 20190503, version 2018.4.0.1029)
F-Secure: detected, Heuristic.HEUR/AGEN.1038176 (update 20190503, version 12.0.86.52)
Fortinet: detected, W32/Agent.EML!tr.dldr (update 20190503, version 5.4.247.0)
Invincea: not detected (update 20190313, version 6.3.6.26157)
Jiangmin: not detected (update 20190503, version 16.0.100)
Kingsoft: not detected (update 20190503, version 2013.8.14.323)
Paloalto: not detected (update 20190503, version 1.0)
Symantec: detected, Trojan.Gen.MBT (update 20190503, version 1.9.0.0)
Trapmine: detected, suspicious.low.ml.score (update 20190325, version 3.1.52.760)
AhnLab-V3: detected, Trojan/Win32.Agent.C3159682 (update 20190503, version 3.15.1.23978)
Antiy-AVL: detected, Trojan/Win32.Occamy (update 20190503, version 3.0.0.1)
Kaspersky: detected, HEUR:Trojan.Win32.NovaLoader.gen (update 20190503, version 15.0.1.13)
Microsoft: detected, Trojan:Win32/Occamy.C (update 20190503, version 1.1.15900.4)
Qihoo-360: detected, Win32/Trojan.2ff (update 20190503, version 1.0.0.1120)
TheHacker: not detected (update 20190503, version 6.8.0.5.4203)
Trustlook: not detected (update 20190503, version 1.0)
ZoneAlarm: detected, HEUR:Trojan.Win32.NovaLoader.gen (update 20190503, version 1.0)
Cybereason: detected, malicious.d20ebb (update 20190417, version 1.2.449)
ESET-NOD32: detected, a variant of Win32/TrojanDownloader.Agent.ENR (update 20190503, version 19297)
TrendMicro: detected, Trojan.Win32.BOILOD.USXVPDD19 (update 20190503, version 10.0.0.1040)
BitDefender: detected, Trojan.GenericKD.41199952 (update 20190503, version 7.2)
CrowdStrike: not detected (update 20190212, version 1.0)
K7AntiVirus: detected, Trojan-Downloader ( 0054a91c1 ) (update 20190503, version 11.41.30805)
SentinelOne: not detected (update 20190420, version 1.0.25.316)
Avast-Mobile: not detected (update 20190503, version 190503-00)
Malwarebytes: not detected (update 20190503, version 2.1.1.1115)
TotalDefense: not detected (update 20190503, version 37.1.62.1)
CAT-QuickHeal: detected, Trojan.Tiggre (update 20190503, version 14.00)
NANO-Antivirus: not detected (update 20190503, version 1.0.134.24788)
MicroWorld-eScan: detected, Trojan.GenericKD.41199952 (update 20190503, version 14.0.297.0)
SUPERAntiSpyware: not detected (update 20190430, version 5.6.0.1032)
McAfee-GW-Edition: detected, RDN/Generic Downloader.x (update 20190502, version v2017.3010)
TrendMicro-HouseCall: detected, Trojan.Win32.BOILOD.USXVPDD19 (update 20190503, version 10.0.0.1040)

total: 68
sha256: b0f164c113a117f1abc8904f2a847ec4ee05fb4c3960be05d5c8dc1598a9a72d
scan_id: b0f164c113a117f1abc8904f2a847ec4ee05fb4c3960be05d5c8dc1598a9a72d-1556908795
resource: 5872056d20ebb14ea85235244053bc58
positives: 42
scan_date: 2019-05-03 18:39:55
verbose_msg: Scan finished, information embedded
response_code: 1
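The detection rate in the SCANS heading (42 of 68 engines, 61.76%) and the AVclass entry are both derived from the labels above. The Python below is an added example written for this page, not VirusTotal's or AVclass's code: it computes the detection rate, strips vendor-generic tokens from each label, gives each engine one vote per remaining family token, and reports a family only when one token leads outright. SCAN_RESULTS is a transcribed subset of the engines listed above; GENERIC_TOKENS and CLASS_TOKENS are the example's own assumptions.

```python
"""Detection rate and family consensus from AV labels.

Added example for this page (not VirusTotal's or AVclass's code).
SCAN_RESULTS is a subset of the engines in the report, transcribed from it;
GENERIC_TOKENS and CLASS_TOKENS are assumptions of the example.
"""
import re
from collections import Counter

# Engine -> label, or None when the engine returned no detection.
SCAN_RESULTS = {
    "AVG": "Win32:MalwareX-gen [Trj]",
    "CMC": None,
    "K7GW": "Trojan-Downloader ( 0054a91c1 )",
    "ALYac": "Trojan.GenericKD.41199952",
    "Avira": "HEUR/AGEN.1038176",
    "Cyren": "W32/Agent.AYE.gen!Eldorado",
    "DrWeb": None,
    "McAfee": "RDN/Generic Downloader.x",
    "Rising": "Downloader.Agent!8.B23 (CLOUD)",
    "Fortinet": "W32/Agent.EML!tr.dldr",
    "Antiy-AVL": "Trojan/Win32.Occamy",
    "Kaspersky": "HEUR:Trojan.Win32.NovaLoader.gen",
    "Microsoft": "Trojan:Win32/Occamy.C",
    "ZoneAlarm": "HEUR:Trojan.Win32.NovaLoader.gen",
    "ESET-NOD32": "a variant of Win32/TrojanDownloader.Agent.ENR",
    "TrendMicro": "Trojan.Win32.BOILOD.USXVPDD19",
    "CAT-QuickHeal": "Trojan.Tiggre",
    "ClamAV": None,
    "Malwarebytes": None,
    "CrowdStrike": None,
}

# Tokens that name a vendor's generic or heuristic bucket, not a family (assumed list).
GENERIC_TOKENS = {
    "trojan", "trj", "win32", "w32", "gen", "generic", "generickd", "heur",
    "heuristic", "agent", "agen", "downloader", "trojandownloader", "dldr",
    "variant", "malware", "malwarex", "eldorado", "cloud", "rdn", "unsafe",
    "malicious", "suspicious",
}
# Tokens that describe behaviour rather than a family; counted separately (assumed).
CLASS_TOKENS = {"downloader": "downloader", "trojandownloader": "downloader",
                "dldr": "downloader", "dl": "downloader"}


def tokens(label: str) -> list:
    """Lowercase alphanumeric tokens of a vendor label."""
    return [t for t in re.split(r"[^a-z0-9]+", label.lower()) if t]


def detection_rate(results: dict) -> tuple:
    """(detected, total, percent) over every engine that returned a verdict."""
    detected = sum(1 for label in results.values() if label)
    total = len(results)
    return detected, total, round(100.0 * detected / total, 2)


def family_votes(results: dict) -> Counter:
    """One vote per engine for each label token that could be a family name:
    not generic, at least four characters, and free of digits (hex-like ids)."""
    votes = Counter()
    for label in results.values():
        if not label:
            continue
        candidates = {
            t for t in tokens(label)
            if t not in GENERIC_TOKENS and len(t) >= 4 and not any(c.isdigit() for c in t)
        }
        votes.update(candidates)
    return votes


def family_consensus(results: dict, min_votes: int = 2):
    """(leading family or None, ranked votes); None when no family leads outright."""
    ranked = [(f, n) for f, n in family_votes(results).items() if n >= min_votes]
    ranked.sort(key=lambda fn: (-fn[1], fn[0]))
    if not ranked or (len(ranked) > 1 and ranked[0][1] == ranked[1][1]):
        return None, ranked
    return ranked[0][0], ranked


def behaviour_votes(results: dict) -> Counter:
    """Engine votes for the behaviour classes named in labels."""
    votes = Counter()
    for label in results.values():
        if label:
            votes.update({CLASS_TOKENS[t] for t in tokens(label) if t in CLASS_TOKENS})
    return votes


if __name__ == "__main__":
    print(detection_rate(SCAN_RESULTS))
    print(family_consensus(SCAN_RESULTS))
    print(behaviour_votes(SCAN_RESULTS))
```

On this subset the family vote ties at two each between Occamy (Antiy-AVL, Microsoft) and NovaLoader (Kaspersky and ZoneAlarm, whose identical strings may be one engine counted twice), so family_consensus() returns None, while the behaviour vote gives "downloader" five engines. That is the usual shape of a result like this report's: the class is well supported, the family name is a two-vendor opinion. Run over all 68 entries above, detection_rate() reproduces 42/68 = 61.76%.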
File
Trace
timestamp | operation | pid | process | path
11/2/2020 - 11:46:25.981 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rpcss.dll
11/2/2020 - 11:46:25.981 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rpcss.dll
11/2/2020 - 11:46:25.981 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\uxtheme.dll
11/2/2020 - 11:46:25.981 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\uxtheme.dll
11/2/2020 - 11:46:26.028 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\msscript.ocx
11/2/2020 - 11:46:26.028 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\msscript.ocx
11/2/2020 - 11:46:26.075 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\vbscript.dll
11/2/2020 - 11:46:26.075 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\vbscript.dll
11/2/2020 - 11:46:26.075 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\msxml6.dll
11/2/2020 - 11:46:26.075 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\msxml6.dll
11/2/2020 - 11:46:26.075 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\bcrypt.dll
11/2/2020 - 11:46:26.075 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\bcrypt.dll
11/2/2020 - 11:46:26.075 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\pt-BR\KernelBase.dll.mui
11/2/2020 - 11:46:26.090 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\msxml6r.dll
11/2/2020 - 11:46:26.090 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\msxml6r.dll
11/2/2020 - 11:46:26.090 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\winhttp.dll
11/2/2020 - 11:46:26.090 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\winhttp.dll
11/2/2020 - 11:46:26.090 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\webio.dll
11/2/2020 - 11:46:26.090 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\webio.dll
11/2/2020 - 11:46:26.090 | Open | 1480 | C:\malware.exe | C:\Windows\Globalization\Sorting\SortDefault.nls
11/2/2020 - 11:46:26.090 | Unknown | 1480 | C:\malware.exe | C:\Windows\Globalization\Sorting\SortDefault.nls | SortDefault.nls
11/2/2020 - 11:46:26.247 | Open | 1480 | C:\malware.exe | C:\CRYPTSP.dll
11/2/2020 - 11:46:26.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\cryptsp.dll
11/2/2020 - 11:46:26.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\cryptsp.dll
11/2/2020 - 11:46:26.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
11/2/2020 - 11:46:26.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
11/2/2020 - 11:46:26.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
11/2/2020 - 11:46:26.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
11/2/2020 - 11:46:26.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
11/2/2020 - 11:46:26.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
11/2/2020 - 11:46:26.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
11/2/2020 - 11:46:26.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
11/2/2020 - 11:46:26.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
11/2/2020 - 11:46:26.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
11/2/2020 - 11:46:26.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
11/2/2020 - 11:46:26.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
11/2/2020 - 11:46:26.247 | Open | 1480 | C:\malware.exe | C:\RpcRtRemote.dll
11/2/2020 - 11:46:26.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll
11/2/2020 - 11:46:26.247 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll | RpcRtRemote.dll
11/2/2020 - 11:46:26.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll
11/2/2020 - 11:46:26.247 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll | RpcRtRemote.dll
11/2/2020 - 11:46:26.293 | Open | 1480 | C:\malware.exe | C:\credssp.dll
11/2/2020 - 11:46:26.293 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\credssp.dll
11/2/2020 - 11:46:26.293 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\credssp.dll
11/2/2020 - 11:46:26.293 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\mswsock.dll
11/2/2020 - 11:46:26.293 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\mswsock.dll
11/2/2020 - 11:46:26.293 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
11/2/2020 - 11:46:26.293 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
11/2/2020 - 11:46:26.293 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\mlang.dll
11/2/2020 - 11:46:26.293 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\mlang.dll
11/2/2020 - 11:46:26.293 | Open | 1480 | C:\malware.exe | C:\DNSAPI.dll
11/2/2020 - 11:46:26.293 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dnsapi.dll
11/2/2020 - 11:46:26.293 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dnsapi.dll
11/2/2020 - 11:46:26.793 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
11/2/2020 - 11:46:26.793 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
11/2/2020 - 11:46:26.793 | Open | 1480 | C:\malware.exe | C:\IPHLPAPI.DLL
11/2/2020 - 11:46:26.793 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\IPHLPAPI.DLL
11/2/2020 - 11:46:26.793 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\IPHLPAPI.DLL
11/2/2020 - 11:46:26.793 | Open | 1480 | C:\malware.exe | C:\WINNSI.DLL
11/2/2020 - 11:46:26.793 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\winnsi.dll
11/2/2020 - 11:46:26.793 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\winnsi.dll
11/2/2020 - 11:46:26.840 | Open | 1480 | C:\malware.exe | C:\rasadhlp.dll
11/2/2020 - 11:46:26.840 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rasadhlp.dll
11/2/2020 - 11:46:26.840 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rasadhlp.dll
11/2/2020 - 11:46:27.809 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\FWPUCLNT.DLL
11/2/2020 - 11:46:27.809 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\FWPUCLNT.DLL
11/2/2020 - 11:46:28.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\schannel.dll
11/2/2020 - 11:46:28.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\schannel.dll
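The trace shows the sample, running as C:\malware.exe, opening CRYPTSP.dll, RpcRtRemote.dll, credssp.dll, DNSAPI.dll, IPHLPAPI.DLL, WINNSI.DLL and rasadhlp.dll in C:\ immediately before the copies under C:\Windows\SysWOW64. That is the loader's default search order for modules not in KnownDLLs (application directory first, then the system directory), so a file with one of those names in the sample's directory would be loaded in preference to the real one. The Python below is an added example written for this page, not the platform's code: it parses a constructed, pipe-separated rendering of a subset of the trace, lists the modules first probed outside the system directories together with where they finally resolved, and maps loaded modules to the capabilities they imply. FILE_TRACE, SYSTEM_DIRS and CAPABILITY_HINTS are assumptions of the example.

```python
"""Search-order probes and capability hints from a sandbox file trace.

Added example for this page (not the platform's own code).  FILE_TRACE is a
constructed, pipe-separated rendering of a subset of the report's file trace;
SYSTEM_DIRS and CAPABILITY_HINTS are assumptions of the example.
"""

FILE_TRACE = r"""
11/2/2020 - 11:46:25.981 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rpcss.dll
11/2/2020 - 11:46:26.028 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\msscript.ocx
11/2/2020 - 11:46:26.075 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\vbscript.dll
11/2/2020 - 11:46:26.090 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\winhttp.dll
11/2/2020 - 11:46:26.247 | Open | 1480 | C:\malware.exe | C:\CRYPTSP.dll
11/2/2020 - 11:46:26.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\cryptsp.dll
11/2/2020 - 11:46:26.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
11/2/2020 - 11:46:26.247 | Open | 1480 | C:\malware.exe | C:\RpcRtRemote.dll
11/2/2020 - 11:46:26.247 | Unknown | 1480 | C:\malware.exe | C:\Windows\S ysWOW64\RpcRtRemote.dll
11/2/2020 - 11:46:26.293 | Open | 1480 | C:\malware.exe | C:\credssp.dll
11/2/2020 - 11:46:26.293 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\credssp.dll
11/2/2020 - 11:46:26.293 | Open | 1480 | C:\malware.exe | C:\DNSAPI.dll
11/2/2020 - 11:46:26.293 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dnsapi.dll
11/2/2020 - 11:46:28.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\schannel.dll
""".replace("S ysWOW64", "SysWOW64")

# Directories where the loader's own copy of a system DLL lives (assumed).
SYSTEM_DIRS = (r"c:\windows\syswow64", r"c:\windows\system32")

# What loading a module usually implies about the sample's capabilities
# (assumed mapping, based on each module's documented purpose).
CAPABILITY_HINTS = {
    "winhttp.dll": "HTTP client (WinHTTP)",
    "schannel.dll": "TLS (Schannel)",
    "dnsapi.dll": "DNS resolution",
    "vbscript.dll": "VBScript engine",
    "msscript.ocx": "MS Script Control (COM script host)",
    "msxml6.dll": "MSXML 6 (XML parsing, XMLHTTP)",
    "bcrypt.dll": "CNG cryptography",
    "rsaenh.dll": "CryptoAPI RSA/AES provider",
    "cryptsp.dll": "CryptoAPI provider dispatch",
    "credssp.dll": "CredSSP security provider",
}


def parse_trace(text: str) -> list:
    """Parse 'timestamp | op | pid | process | path' lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, op, pid, proc, path = (f.strip() for f in line.split(" | "))
        events.append({"ts": ts, "op": op, "pid": int(pid), "process": proc, "path": path})
    return events


def split_path(path: str) -> tuple:
    """(directory with trailing backslash, lowercase file name)."""
    cut = path.rfind("\\") + 1
    return path[:cut], path[cut:].lower()


def search_order_probes(events: list) -> dict:
    """Modules whose first open happened outside SYSTEM_DIRS, with the system
    directory they were later opened from.  With the default search order the
    application directory is consulted before the system directory, so these
    names are the sideloading candidates for the directory the sample ran from."""
    first_seen = set()
    probes = {}
    for ev in events:
        directory, name = split_path(ev["path"])
        if not name.endswith((".dll", ".ocx")):
            continue
        in_system = directory.lower().rstrip("\\") in SYSTEM_DIRS
        if name not in first_seen:
            first_seen.add(name)
            if not in_system:
                probes[name] = {"probed_in": directory, "resolved_in": None}
        elif in_system and name in probes and probes[name]["resolved_in"] is None:
            probes[name]["resolved_in"] = directory
    return probes


def capability_hints(events: list) -> dict:
    """Loaded modules that imply a capability, with the implied capability."""
    loaded = {split_path(ev["path"])[1] for ev in events}
    return {m: why for m, why in CAPABILITY_HINTS.items() if m in loaded}


if __name__ == "__main__":
    evs = parse_trace(FILE_TRACE)
    for name, info in search_order_probes(evs).items():
        print(f"{name}: probed in {info['probed_in']}, resolved in {info['resolved_in']}")
    for module, why in capability_hints(evs).items():
        print(f"{module}: {why}")
```

The probes are not a finding against the sample; any process loading those modules from C:\ generates the same opens. The list is worth keeping because it is exactly the set of file names a detection for DLL sideloading in that directory should watch. The capability hints line up with the rest of the report: winhttp.dll and schannel.dll for the connections to 68.183.223.14 on 80 and 443, dnsapi.dll for the api.staging.blusalt.io lookup, and vbscript.dll with msscript.ocx for the script host whose JITDebug setting appears in the registry trace.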

Process
Trace

Analysis
Reason: Timeout
Status: Successfully Executed
Results: 1

Registry
Trace
timestamp | operation | pid | process | key | value
11/2/2020 - 11:46:26.075 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows Script\Settings | JITDebug

File Summary
Created
Identified: False

Deleted
Identified: False

Process Summary
Created
Identified: False

Deleted
Identified: False

Registry Summary
Proxy
Identified: False

AutoRun
Identified: False

Created
Identified: True

Deleted
Identified: False

Browsers
Identified: False

Internet
Identified: False

DNS
Query
localhost -> gateway:DNS: api.staging.blusalt.io.
localhost -> gateway:50273: api.staging.blusalt.io.

Response
gateway:DNS -> localhost: api.staging.blusalt.io. = 68.183.223.14

TCP
Info
localhost:65193 -> 68.183.223.14:443
68.183.223.14:443 -> localhost:65192
localhost:65192 -> 68.183.223.14:443
localhost:65191 -> 68.183.223.14:80
68.183.223.14:443 -> localhost:65193
68.183.223.14:80 -> localhost:65191

UDP
Info
localhost:50273 -> localhost:53
localhost:53 -> localhost:50273

HTTP
Info
localhost -> 68.183.223.14: GET /preto123.txt

Summary
DNS: True
TCP: True
UDP: True
HTTP: True

Results
BINARY
KNN (K=3, NFS-BRMalware)
confidence: 100.00%
suspicious: True

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True

SVC (Kernel=Linear, NFS-BRMalware)
confidence: 52.75%
suspicious: False

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 98.34%
suspicious: True

Random Forest (100 estimators, NFS-BRMalware)
confidence: 61.86%
suspicious: True

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 84.19%
suspicious: False

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 99.33%
suspicious: False
