Corvus_ - Report #5549

Report #5549

Creation Date: Feb. 11, 2020, 12:02 p.m.
Last Update: Feb. 11, 2020, 2:09 p.m.
File: A.tmp.exe
Results:

General
Static
Detection
Dynamic
Graph
Network
Classification

Binary

DLL

False

Size

148.00KB

trid

61.7% Win64 Executable
14.7% Win32 Dynamic Link Library
10.0% Win32 Executable
4.5% OS/2 Executable
4.4% Generic Win/DOS Executable

type

wordsize

Subsystem

Windows GUI

Hashes

md5

9dc487176719fc91813b56badd0eca2f

sha1

58acb487b5e3e2118150c16b2927712deda13753

crc32

0xad5aeafd

sha224

6069fdba1131f7e13bfc27606b26067a075fd71825cc6e2c8528de80

sha256

97fdd9719283a3853f517a2dcd3c1858ad2bfac0b1b5362f2c846018c6462181

sha384

dfac6f4a4b702d6938d58699cd5a1d8b238dd62195bb62b633c083574d01c6ca086e406eac975b9b6e9f6aa1283a22c6

sha512

2b9c18e3e23b10ae48e1868d5f7c4e193d0f2735c2e229a66f374c64deb1730156456cefa5624e3915d9ce533b96862f7cc62f9354a1ae15e1999e690160241d

ssdeep

3072:nAFBisCZUFi6bh0jQSOqW8NYWuAg0FujU1rJ1GnCcMf:nAFB/Fvbh0krAOmrJwCcMf

Community

Google

False

HashLib

False

YARA

Matches

VC8_Microsoft_Corporation, domain, anti_dbg, url, HasRichSignature, contentis_base64, Microsoft_Visual_Cpp_8, HasDebugData, maldoc_find_kernel32_base_method_1, network_dropper, network_http, win_files_operation, IsPE32, IsWindowsGUI

Suspicious

True

Strings

List

http://install.portmdfmoon.com/download/APSFPango
http://www.safefinder.com/faq/SafeFinder/FAQ_ENG.html
http://www.safefinder.com/privacy.html
http://www.safefinder.com/terms.html
http://www.safefinder.com/eula.html
C:\Work\installer\Release\safefinder.pdb
google-analytics.com
WININET.dll
urlmon.dll
Didn't download
fish.exe
Software\Rtp
Software\Smartbar
v=1&tid=%s&cid=%s&t=event&ec=case&ea=%s&el=%s
fr-ca
fr-ch
fr-be
fr-be
fr-ca
fr-ch
operator ""
no space on device
no such process
This product is compatible with Windows and installs on IE, Firefox and/or Chrome.
resource deadlock would occur
no such device or address
operation in progress
too many files open in system
file too large
too many links
too many files open
value too large
device or resource busy
no such device
operation canceled
Are you sure? Do you want to continue installation?
operation not permitted
set SafeFinder as my home page and new tab in my browsers.
Software\Pservice
Software\RGMservice
For uninstall instructions click here.
HttpOpenRequestW
HttpSendRequestW
mscoree.dll
<requestedPrivileges>
IsProcessorFeaturePresent
GetProcAddress
ExitProcess
SShU
identifier removed
In age of too much information, SafeFinder presents the perfect tool.
operation would block
StartProcess failed
IsDebuggerPresent
executable format error
Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.
Simplify the web, SafeFinder gives you the optimal way to share, search, work & play.
CreateProcessW
TerminateProcess
Downloaded
ShellExecuteW
too many symbolic link levels
InternetConnectW
permission denied
RegOpenKeyExW
InternetOpenW
LoadLibraryExW
FreeLibrary
QueryPerformanceCounter
GetModuleFileNameW
FindNextFileW
FindFirstFileExW
CreateFileW
GetModuleHandleW
RegQueryValueExW
InternetReadFile
RegOpenKeyW
WriteFile
Click 'Accept' now to continue and set SafeFinder as my default search provider and
host unreachable
network reset
AFX_DIALOG_LAYOUT
network down
broken pipe
not a socket
MS Shell Dlg
Sleep
system
{"packer":{"DistributerName":"APSFPango","ChannelId":"3"},"Agent":{"SetAll":"true"}}
api-ms-win-security-systemfunctions-l1-1-0
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
POST
0"0(0.04090?0E0K0P0V0\0b0g0m0s0y0~0
GetCPInfo
fr-CH
fr-CA
fr-LU
fr-LU
fr-CH
fr-CA

Foremost

Matches

0.exe, 148 KB

Suspicious

True

Heuristics

IPs

hasIPs: False
Allowed
Suspicious
hasAllowed: False
hasSuspicious: False

URLs

Allowed
hasURLs: True
Suspicious: http://www.safefinder.com/eula.html, http://install.portmdfmoon.com/download/apsfpango, http://www.safefinder.com/terms.html, http://www.safefinder.com/privacy.html, http://www.safefinder.com/faq/safefinder/faq_eng.html
hasAllowed: False
hasSuspicious: True

Files

Allowed: mscoree.dll, kernel32.dll, WININET.dll, ADVAPI32.dll, USER32.dll, SHELL32.dll, RPCRT4.dll, GDI32.dll, urlmon.dll
hasFiles: True
Suspicious
hasAllowed: True
hasSuspicious: False

Binary

Sizes

RVA
RVA: 16
Suspicious: False
Code
Size: 74240
Suspicious: False
Image
Address: 4194304
Suspicious: False
Stack
Stack: 4096
Suspicious: False
Headers
Headers: 1024
Suspicious: False
Suspicious: False

Symbols

Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum

Value: 0
Suspicous: True

Sections

Allowed: .text, .rdata, .data, .rsrc, .reloc
Suspicious
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions

OS
Version: 5
Suspicious: False
Image
Version: True
Suspicious: 5
Linker
Version: 14.16
Suspicious: False
Subsystem
Version: 5.1
Suspicious: False
Suspicious: False

EntryPoint

Address: 31810
Suspicious: False

Anomalies

Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True

Libraries

Allowed: mscoree.dll, kernel32.dll, wininet.dll, advapi32.dll, user32.dll, shell32.dll, rpcrt4.dll, gdi32.dll, urlmon.dll
hasLibs: True
Suspicious
hasAllowed: True
hasSuspicious: False

Timestamp

Past: False
Valid: True
Value: 2019-04-02 12:59:01
Future: False

Compilation

Packed: False
Missing: False
Packers
Compiled: True
Compilers: Microsoft Visual C++ 8, VC8 -> Microsoft Corporation

Obfuscation

XOR: False
Fuzzing: False

PEDetector

Matches

None

Suspicious

False

Disassembly

hasTricks

True

Tricks

ldr

.text: 1

pushret

.rdata: 2

pushpopmath

.rdata: 8
.reloc: 6

sizeofimage

.text: 1

garbagebytes

.rdata: 2

hookdetection

.rdata: 1

stealthimport

.rdata: 1

peb ntglobalflag

.text: 1

software breakpoint

.rdata: 1
.reloc: 1

programcontrolflowchange

.rdata: 2

AVclass

oxypumper

VirusTotal

md5

9dc487176719fc91813b56badd0eca2f

sha1

58acb487b5e3e2118150c16b2927712deda13753

SCANS (DETECTION RATE = 79.17%)

AVG

result: Win32:Adware-gen [Adw]
update: 20191207
version: 18.4.3895.0
detected: True

CMC

update: 20190321
version: 1.1.0.977
detected: False

MAX

result: malware (ai score=99)
update: 20191207
version: 2019.9.16.1
detected: True

APEX

result: Malicious
update: 20191207
version: 5.93
detected: True

Bkav

update: 20191207
version: 1.3.0.9899
detected: False

K7GW

result: Adware ( 005524301 )
update: 20191207
version: 11.81.32762
detected: True

ALYac

result: Trojan.GenericKD.41172374
update: 20191207
version: 1.1.1.5
detected: True

Avast

result: Win32:Adware-gen [Adw]
update: 20191207
version: 18.4.3895.0
detected: True

Avira

result: ADWARE/OxyPumper.mwfxv
update: 20191207
version: 8.3.3.8
detected: True

Baidu

update: 20190318
version: 1.0.0.2
detected: False

Cyren

result: W32/Adware.ZRME-0226
update: 20191207
version: 6.2.2.2
detected: True

DrWeb

result: Adware.OxyPumper.3
update: 20191207
version: 7.0.42.9300
detected: True

GData

result: Trojan.GenericKD.41172374
update: 20191207
version: A:25.24195B:26.16911
detected: True

Panda

result: Trj/CI.A
update: 20191207
version: 4.6.4.2
detected: True

VBA32

result: BScope.Adware.Linkury
update: 20191206
version: 4.2.0
detected: True

VIPRE

result: Trojan.Win32.Generic!BT
update: 20191207
version: 79854
detected: True

Zoner

update: 20191207
version: 1.0.0.1
detected: False

ClamAV

update: 20191207
version: 0.102.1.0
detected: False

Comodo

result: ApplicUnwnt@#1owsxvngh5wl4
update: 20191207
version: 31813
detected: True

F-Prot

update: 20191207
version: 4.7.1.166
detected: False

Ikarus

result: PUA.OxyPumper
update: 20191207
version: 0.1.5.2
detected: True

McAfee

result: RDN/Generic PUP.cjs
update: 20191207
version: 6.0.6.653
detected: True

Rising

result: Adware.SafeFinder!1.BB2E (CLASSIC)
update: 20191207
version: 25.0.0.24
detected: True

Sophos

result: Generic PUA FI (PUA)
update: 20191207
version: 4.98.0
detected: True

Yandex

result: Trojan.Cryptos!K3ReBoIrGhc
update: 20191205
version: 5.5.2.24
detected: True

Zillya

update: 20191206
version: 2.0.0.3968
detected: False

Acronis

update: 20191205
version: 1.1.1.58
detected: False

Alibaba

result: Trojan:MSIL/Cryptos.c925e798
update: 20190527
version: 0.3.0.5
detected: True

Arcabit

result: Trojan.Generic.D2743D96
update: 20191207
version: 1.0.0.865
detected: True

Cylance

result: Unsafe
update: 20191207
version: 2.3.1.101
detected: True

Endgame

result: malicious (high confidence)
update: 20190918
version: 3.0.15
detected: True

FireEye

result: Generic.mg.9dc487176719fc91
update: 20191207
version: 29.7.0.0
detected: True

Sangfor

result: Malware
update: 20191031
version: 1.0
detected: True

TACHYON

update: 20191207
version: 2019-12-07.01
detected: False

Tencent

update: 20191207
version: 1.0.0.1
detected: False

ViRobot

result: Trojan.Win32.Z.Oxypumper.151552.B
update: 20191206
version: 2014.3.20.0
detected: True

Webroot

result: W32.Adware.Gen
update: 20191207
version: 1.0.0.403
detected: True

Ad-Aware

result: Trojan.GenericKD.41172374
update: 20191207
version: 3.0.5.370
detected: True

AegisLab

result: Trojan.MSIL.Cryptos.4!c
update: 20191207
version: 4.2
detected: True

Emsisoft

result: Trojan.GenericKD.41172374 (B)
update: 20191207
version: 2018.12.0.1641
detected: True

F-Secure

result: Adware.ADWARE/OxyPumper.mwfxv
update: 20191207
version: 12.0.86.52
detected: True

Fortinet

result: Riskware/OxyPumper
update: 20191207
version: 6.2.137.0
detected: True

Invincea

result: heuristic
update: 20190904
version: 6.3.6.26157
detected: True

Jiangmin

result: Trojan.MSIL.lepg
update: 20191207
version: 16.0.100
detected: True

Kingsoft

update: 20191207
version: 2013.8.14.323
detected: False

Paloalto

result: generic.ml
update: 20191207
version: 1.0
detected: True

Symantec

result: ML.Attribute.HighConfidence
update: 20191206
version: 1.11.0.0
detected: True

Trapmine

update: 20190826
version: 3.1.81.800
detected: False

AhnLab-V3

result: PUP/Win32.Agent.C3296420
update: 20191207
version: 3.16.5.25880
detected: True

Antiy-AVL

result: Trojan/MSIL.Cryptos
update: 20191207
version: 3.0.0.1
detected: True

Kaspersky

result: Trojan.MSIL.Cryptos.debx
update: 20191207
version: 15.0.1.13
detected: True

MaxSecure

result: Trojan.Malware.74227051.susgen
update: 20191206
version: 1.0.0.1
detected: True

Microsoft

result: Trojan:Win32/Stealer.J!ibt
update: 20191207
version: 1.1.16600.7
detected: True

Qihoo-360

result: Win32/Trojan.cdb
update: 20191207
version: 1.0.0.1120
detected: True

ZoneAlarm

result: Trojan.MSIL.Cryptos.debx
update: 20191207
version: 1.0
detected: True

Cybereason

result: malicious.76719f
update: 20190616
version: 1.2.449
detected: True

ESET-NOD32

result: a variant of Win32/Adware.OxyPumper.BT
update: 20191207
version: 20471
detected: True

TrendMicro

result: TROJ_FRS.VSNW11G19
update: 20191207
version: 11.0.0.1006
detected: True

BitDefender

result: Trojan.GenericKD.41172374
update: 20191207
version: 7.2
detected: True

CrowdStrike

result: win/malicious_confidence_60% (W)
update: 20190702
version: 1.0
detected: True

K7AntiVirus

result: Adware ( 005524301 )
update: 20191207
version: 11.81.32762
detected: True

SentinelOne

update: 20191203
version: 1.9.0.2431
detected: False

Avast-Mobile

update: 20191205
version: 191205-00
detected: False

Malwarebytes

result: PUP.Optional.SafeFinder
update: 20191207
version: 2.1.1.1115
detected: True

TotalDefense

update: 20191207
version: 37.1.62.1
detected: False

CAT-QuickHeal

result: Trojan.MSIL
update: 20191207
version: 14.00
detected: True

NANO-Antivirus

result: Trojan.Win32.Cryptos.fovdqg
update: 20191207
version: 1.0.134.24859
detected: True

BitDefenderTheta

result: Gen:NN.ZexaF.32519.juW@aSzLc6di
update: 20191204
version: 7.2.37796.0
detected: True

MicroWorld-eScan

result: Trojan.GenericKD.41172374
update: 20191207
version: 14.0.297.0
detected: True

SUPERAntiSpyware

result: Trojan.Agent/Gen-Kryptik
update: 20191203
version: 5.6.0.1032
detected: True

McAfee-GW-Edition

result: RDN/Generic PUP.cjs
update: 20191207
version: v2017.3010
detected: True

TrendMicro-HouseCall

result: TROJ_FRS.VSNW11G19
update: 20191207
version: 10.0.0.1040
detected: True

total

sha256

97fdd9719283a3853f517a2dcd3c1858ad2bfac0b1b5362f2c846018c6462181

scan_id

97fdd9719283a3853f517a2dcd3c1858ad2bfac0b1b5362f2c846018c6462181-1575719064

resource

9dc487176719fc91813b56badd0eca2f

permalink

https://www.virustotal.com/file/97fdd9719283a3853f517a2dcd3c1858ad2bfac0b1b5362f2c846018c6462181/analysis/1575719064/

positives

scan_date

2019-12-07 11:44:24

verbose_msg

Scan finished, information embedded

response_code

File

Trace

Process

Trace

Analysis

Reason

Blue Screen

Status

Execution Failed

Results

Registry

Trace

File Summary

Created

Identified: False

Deleted

Identified: False

Process Summary

Created

Identified: False

Deleted

Identified: False

Registry Summary

Proxy

Identified: False

AutoRun

Identified: False

Created

Identified: False

Deleted

Identified: False

Browsers

Identified: False

Internet

Identified: False

Loading...

DNS

Query

Response

TCP

Info

UDP

Info

HTTP

Info

Summary

DNS

False

TCP

False

UDP

False

HTTP

False

Results

BINARY

KNN (K=3, NFS-BRMalware)

confidence: 66.67%
suspicious: False

Decision Tree (NFS-BRMalware)

confidence: 100.00%
suspicious: True

SVC (Kernel=Linear, NFS-BRMalware)

confidence: 99.83%
suspicious: False

MalConv (Ember: Raw Bytes, Threshold=0.5)

confidence: 83.43%
suspicious: True

Random Forest (100 estimators, NFS-BRMalware)

confidence: 54.00%
suspicious: True

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)

confidence: 45.39%
suspicious: True

LightGDM (Ember: File Characteristics, Threshold=0.8336)

confidence: 98.70%
suspicious: True

Report #5549 check_circle

Binary

Hashes

Community

YARA

Strings

Foremost

Heuristics

PEDetector

Disassembly

AVclass

VirusTotal

File

Process

Analysis

Registry

File Summary

Process Summary

Registry Summary

Loading...

DNS

TCP

UDP

HTTP

Summary

Results

Report #5549