Report #5615 check_circle

Binary
DLL
False cancel
Size
391.48KB
trid
41.0% Win32 Executable MS Visual C++
36.3% Win64 Executable
8.6% Win32 Dynamic Link Library
5.9% Win32 Executable
2.6% OS/2 Executable
type
PE
wordsize
32
Subsystem
Windows GUI
Hashes
md5
b2218df5c3373a9a1b619e53281e9806
sha1
8b683c897ecc6fa6881d29f6c41c7c159d65fa62
crc32
0x154a1137
sha224
a8d23a98916629c42e374002a29f4885676c94513bc36be0417eb684
sha256
681ccc9e5bab3a23b3ce31fdc1eb8db268e79e1521e748d8f8c951d10a3a096c
sha384
38d299730b1639eae0330c697c72dafe149b5d5cd4d54ece80ac67c924e8ea6fd30c64bd49c53d1e7401676ce506c0d8
sha512
1ea2d938086d3494f477c2e5459e2d5e1b57b7cf37aef792b745b7a261fcff183703696da2a52724331ec15ae82bc0a5dcdfd53d4a5374c38cafe23e15e10023
ssdeep
12288:EiyxWxUPt+K/vtWFnrMtTwaX4OI8537Nf/F6QU6q:EiyHPt+KtWqNwn85LNf/F6x6q
Community
Google
False cancel
HashLib
False cancel
YARA
Matches
domain, Dropper_Strings, HasDebugData, BASE64_table, HasRichSignature, VC8_Microsoft_Corporation, RIPEMD160_Constants, VMWare_Detection, Visual_Cpp_2005_Release_Microsoft, network_dns, win_files_operation, IsPE32, check_patchlevel, network_tcp_socket, IP, contentis_base64, vmdetect, IsWindowsGUI, anti_dbg, HasDigitalSignature, network_tcp_listen, url, SHA1_Constants, Microsoft_Visual_Cpp_8, win_registry, HasOverlay, vmdetect_misc, Misc_Suspicious_Strings, Big_Numbers1

Suspicious
True check_circle

Strings
List
%http://crl.globalsign.net/root-r3.crl0
http://www.vmware.com/0
http://www.vmware.com/0/
<http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
5http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0X
http://sf.symcb.com/sf.crt0
http://sf.symcb.com/sf.crl0a
http://sv.symcb.com/sv.crl0f
http://sv.symcb.com/sv.crt0
https://d.symcb.com/rpa0
https://d.symcb.com/rpa0
https://d.symcb.com/cps0%
https://d.symcb.com/cps0%
http://s1.symcb.com/pca3-g5.crl0
&https://www.globalsign.com/repository/0
&https://www.globalsign.com/repository/06
D:\build\ob\bora-5528349\bora\build\build\vmnat\release\win32\vmnat.pdb
Dhttp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
Dhttp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
#8887 = 192.168.27.128:21
#8888 = 192.168.27.128:80
#8889 = 192.168.27.128:22
#6000 = 192.168.27.128:6001
\\.\Global\%s
+http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
.http://crl.thawte.com/ThawteTimestampingCA.crl0
+http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
http://www.symauth.com/cps0(
http://www.symauth.com/rpa00
2Terms of use at https://www.verisign.com/rpa (c)101.0,
2Terms of use at https://www.verisign.com/rpa (c)101.0,
2Terms of use at https://www.verisign.com/rpa (c)101.0,
#http://logo.verisign.com/vslogo.gif04
# lynx http://localhost:8888
#http://crl.verisign.com/pca3-g5.crl04
https://www.verisign.com/rpa0
https://www.verisign.com/cps0*
DNSAPI.dll
Windows Server%s 2012
http://sf.symcd.com0&
http://sv.symcd.com0&
http://s2.symcb.com0
#nameserver3 = 208.23.14.4
#nameserver1 = 208.23.14.2
#nameserver2 = 63.93.12.3
Netmask must be in range 128.0.0.0 to 255.255.255.252
icudt44l.dat
icudt44l.dat
vmnetnat.conf
MSVCR90.dll
ISO_646.irv:1991
Windows Server 2012%s Datacenter Edition
Windows Server 2012%s Essentials Edition
Windows Server 2012%s Enterprise Edition
WS2_32.dll
vmnetnat-mac.txt
SHFOLDER.dll
Windows Server 2012%s Standard Edition
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
Windows Server 2012%s Storage Server
Windows Server 2012%s Foundation Edition
SYSTEM\CurrentControlSet\Services\VMware NAT Service\Parameters
# rotate: send one DNS request at a time, rotate through the DNS servers
[netbios]
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\GMT
vmnat.exe
Windows 8%s
http://ts-ocsp.ws.symantec.com07
pciplugin
hostMAC = %s
Windows 8%s Pro
Cannot create TCP forwarding entry for %lu => %u.%u.%u.%u:%lu
System\CurrentControlSet\services\Tcpip\Parameters
253-TCP retransmissions: %d
252-TCP segments sent to vmnet: %d
Ignoring host MAC address: %02X:%02X:%02X:%02X:%02X:%02X.
%s is not valid TCP destination address in form a.b.c.d:port
# FTP (both active and passive FTP is always enabled)
[host]
%s is not valid TCP port number
# Automatically detect the DNS servers (not supported in Windows NT)
jp-ocr-b-add
windowsUnknown-64
http://ocsp.verisign.com0
%s does not contain valid TCP port number
5%6E6[6{6
windows-%u
windows-%d
# ftp localhost 8887
%s is not valid TCP destination address
vthread-%u
`%s' is not a VMware network device (cannot get MAC address)
`%s' is not VMware network device (cannot set MAC address)
Cannot open network device `%s': %s
229-%u entries
[incomingtcp]
# Allow PORT/EPRT FTP commands (they need incoming TCP stream...)
231-fd %u, from %u.%u.%u.%u/%u
SOFTWARE\Microsoft\Windows\CurrentVersion\Time Zones\

Foremost
Matches
0.exe, 376 KB
Suspicious
True check_circle
Heuristics
IPs
hasIPs: True check_circle
Allowed: 63.93.12.3, 1, 2(SERVFAIL)
Suspicious: 208.23.14.2, 0, Unknown, 255.255.255.252, 0, Unknown, 192.168.27.128, 0, Unknown, 208.23.14.4, 0, Unknown
hasAllowed: True check_circle
hasSuspicious: True check_circle

URLs
Allowed: http://crl.microsoft.com/pki/crl/products/microsoftcodeverifroot.crl0
hasURLs: True check_circle
Suspicious: http://ocsp.verisign.com0, https://www.verisign.com/rpa, http://www.vmware.com/0, https://www.verisign.com/rpa0, http://s1.symcb.com/pca3-g5.crl0, http://sv.symcb.com/sv.crl0f, https://d.symcb.com/cps0%, http://localhost:8888, http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0x, http://crl.verisign.com/pca3-g5.crl04, http://sf.symcb.com/sf.crl0a, http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0, https://d.symcb.com/rpa0, https://www.verisign.com/cps0, http://sv.symcb.com/sv.crt0, http://crl.thawte.com/thawtetimestampingca.crl0, http://sv.symcd.com0&, http://www.symauth.com/cps0(, http://s2.symcb.com0, http://ocsp.thawte.com0, https://www.globalsign.com/repository/06, http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(, http://www.symauth.com/rpa00, http://sf.symcb.com/sf.crt0, http://www.vmware.com/0/, https://www.globalsign.com/repository/0, http://logo.verisign.com/vslogo.gif04, http://sf.symcd.com0&, http://ts-ocsp.ws.symantec.com07, http://crl.globalsign.net/root-r3.crl0, http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
hasAllowed: True check_circle
hasSuspicious: True check_circle

Files
Allowed: kernel32.dll, WS2_32.dll, ADVAPI32.dll, IPHLPAPI.DLL, SHFOLDER.dll, MSVCR90.dll, USER32.dll, DNSAPI.dll
hasFiles: True check_circle
Suspicious: vmnetnat-mac.txt, icudt44l.dat
hasAllowed: True check_circle
hasSuspicious: True check_circle

Binary
Sizes
RVA
RVA: 16
Suspicious: False cancel
Code
Size: 147968
Suspicious: False cancel
Image
Address: 4194304
Suspicious: False cancel
Stack
Stack: 4096
Suspicious: False cancel
Headers
Headers: 1024
Suspicious: False cancel
Suspicious: False cancel

Symbols
Number
Number: 0
Suspicious: True check_circle
Pointer
Pointer: 0
Suspicious: True check_circle
Directories
Number: 16
Suspicious: False cancel

Checksum
Value: 428239
Suspicous: False cancel

Sections
Allowed: .text, .rdata, .data, .rsrc, .reloc
Suspicious
hasAllowed: True check_circle
hasSections: True check_circle
hasSuspicious: False cancel

Versions
OS
Version: 5
Suspicious: False cancel
Image
Version: True check_circle
Suspicious: 5
Linker
Version: 10.0
Suspicious: False cancel
Subsystem
Version: 5.1
Suspicious: False cancel
Suspicious: False cancel

EntryPoint
Address: 236846
Suspicious: False cancel

Anomalies
Anomalies
hasAnomalies: False cancel

Libraries
Allowed: kernel32.dll, ws2_32.dll, advapi32.dll, shfolder.dll, msvcr90.dll, user32.dll, dnsapi.dll
hasLibs: True check_circle
Suspicious: iphlpapi.dll
hasAllowed: True check_circle
hasSuspicious: True check_circle

Timestamp
Past: False cancel
Valid: True check_circle
Value: 2017-05-11 04:43:35
Future: False cancel

Compilation
Packed: False cancel
Missing: False cancel
Packers
Compiled: True check_circle
Compilers: Microsoft Visual C++ 8, VC8 -> Microsoft Corporation

Obfuscation
XOR: False cancel
Fuzzing: False cancel

PEDetector
Matches
None
Suspicious
False cancel
Disassembly
hasTricks
True check_circle
Tricks
pushret
.data: 1
.text: 1
.rdata: 4
.reloc: 1

pushpopmath
.rsrc: 1
.text: 1
.rdata: 30
.reloc: 16

garbagebytes
.text: 1
.rdata: 1

software breakpoint
.text: 6
.reloc: 4

programcontrolflowchange
.text: 1
.rdata: 1

cpuinstructionsresultscomparison
.rdata: 3

AVclass
None
1
VirusTotal
md5
b2218df5c3373a9a1b619e53281e9806
sha1
8b683c897ecc6fa6881d29f6c41c7c159d65fa62
SCANS (DETECTION RATE = 0.00%)
AVG
update: 20200131
version: 18.4.3895.0
detected: False cancel

CMC
update: 20190321
version: 1.1.0.977
detected: False cancel

MAX
update: 20200131
version: 2019.9.16.1
detected: False cancel

APEX
update: 20200131
version: 5.112
detected: False cancel

Bkav
update: 20200122
version: 1.3.0.9899
detected: False cancel

K7GW
update: 20200131
version: 11.89.33163
detected: False cancel

ALYac
update: 20200131
version: 1.1.1.5
detected: False cancel

Avast
update: 20200131
version: 18.4.3895.0
detected: False cancel

Avira
update: 20200131
version: 8.3.3.8
detected: False cancel

Baidu
update: 20190318
version: 1.0.0.2
detected: False cancel

Cyren
update: 20200131
version: 6.2.2.2
detected: False cancel

DrWeb
update: 20200131
version: 7.0.44.12030
detected: False cancel

GData
update: 20200131
version: A:25.24754B:26.17553
detected: False cancel

Panda
update: 20200131
version: 4.6.4.2
detected: False cancel

VBA32
update: 20200131
version: 4.3.0
detected: False cancel

VIPRE
update: 20200131
version: 81192
detected: False cancel

Zoner
update: 20200130
version: 1.0.0.1
detected: False cancel

ClamAV
update: 20200131
version: 0.102.1.0
detected: False cancel

Comodo
update: 20200131
version: 32028
detected: False cancel

F-Prot
update: 20200131
version: 4.7.1.166
detected: False cancel

Ikarus
update: 20200131
version: 0.1.5.2
detected: False cancel

McAfee
update: 20200131
version: 6.0.6.653
detected: False cancel

Rising
update: 20200131
version: 25.0.0.24
detected: False cancel

Sophos
update: 20200131
version: 4.98.0
detected: False cancel

Yandex
update: 20200131
version: 5.5.2.24
detected: False cancel

Zillya
update: 20200131
version: 2.0.0.4010
detected: False cancel

Acronis
update: 20200128
version: 1.1.1.58
detected: False cancel

Alibaba
update: 20190527
version: 0.3.0.5
detected: False cancel

Arcabit
update: 20200131
version: 1.0.0.869
detected: False cancel

Cylance
update: 20200131
version: 2.3.1.101
detected: False cancel

Endgame
update: 20200131
version: 3.0.16
detected: False cancel

FireEye
update: 20200131
version: 29.7.0.0
detected: False cancel

Sangfor
update: 20200114
version: 1.0
detected: False cancel

TACHYON
update: 20200131
version: 2020-01-31.03
detected: False cancel

Tencent
update: 20200131
version: 1.0.0.1
detected: False cancel

ViRobot
update: 20200131
version: 2014.3.20.0
detected: False cancel

Webroot
update: 20200131
version: 1.0.0.403
detected: False cancel

eGambit
update: 20200131
detected: False cancel

Ad-Aware
update: 20200131
version: 3.0.5.370
detected: False cancel

AegisLab
update: 20200131
version: 4.2
detected: False cancel

Emsisoft
update: 20200131
version: 2018.12.0.1641
detected: False cancel

F-Secure
update: 20200131
version: 12.0.86.52
detected: False cancel

Fortinet
update: 20200131
version: 6.2.137.0
detected: False cancel

Invincea
update: 20191211
version: 6.3.6.26157
detected: False cancel

Jiangmin
update: 20200131
version: 16.0.100
detected: False cancel

Kingsoft
update: 20200131
version: 2013.8.14.323
detected: False cancel

Paloalto
update: 20200131
version: 1.0
detected: False cancel

Symantec
update: 20200131
version: 1.11.0.0
detected: False cancel

Trapmine
update: 20200123
version: 3.2.22.914
detected: False cancel

AhnLab-V3
update: 20200131
version: 3.17.0.26111
detected: False cancel

Antiy-AVL
update: 20200131
version: 3.0.0.1
detected: False cancel

Kaspersky
update: 20200131
version: 15.0.1.13
detected: False cancel

MaxSecure
update: 20200131
version: 1.0.0.1
detected: False cancel

Microsoft
update: 20200131
version: 1.1.16700.3
detected: False cancel

Qihoo-360
update: 20200131
version: 1.0.0.1120
detected: False cancel

ZoneAlarm
update: 20200131
version: 1.0
detected: False cancel

Cybereason
update: 20190616
version: 1.2.449
detected: False cancel

ESET-NOD32
update: 20200131
version: 20766
detected: False cancel

TrendMicro
update: 20200131
version: 11.0.0.1006
detected: False cancel

BitDefender
update: 20200131
version: 7.2
detected: False cancel

CrowdStrike
update: 20190702
version: 1.0
detected: False cancel

K7AntiVirus
update: 20200131
version: 11.89.33163
detected: False cancel

SentinelOne
update: 20191218
version: 1.12.1.57
detected: False cancel

Avast-Mobile
update: 20200130
version: 200130-00
detected: False cancel

CAT-QuickHeal
update: 20200131
version: 14.00
detected: False cancel

NANO-Antivirus
update: 20200131
version: 1.0.134.25031
detected: False cancel

BitDefenderTheta
update: 20200120
version: 7.2.37796.0
detected: False cancel

MicroWorld-eScan
update: 20200131
version: 14.0.405.0
detected: False cancel

SUPERAntiSpyware
update: 20200125
version: 5.6.0.1032
detected: False cancel

McAfee-GW-Edition
update: 20200131
version: v2017.3010
detected: False cancel

TrendMicro-HouseCall
update: 20200131
version: 10.0.0.1040
detected: False cancel

total
71
sha256
681ccc9e5bab3a23b3ce31fdc1eb8db268e79e1521e748d8f8c951d10a3a096c
scan_id
681ccc9e5bab3a23b3ce31fdc1eb8db268e79e1521e748d8f8c951d10a3a096c-1580504029
resource
b2218df5c3373a9a1b619e53281e9806
positives
0
scan_date
2020-01-31 20:53:49
verbose_msg
Scan finished, information embedded
response_code
1
File
Trace
11/2/2020 - 18:45:42.981Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\msvcr90.dll
11/2/2020 - 18:45:42.981Open1480C:\malware.exeC:\
11/2/2020 - 18:45:42.981Unknown1480C:\malware.exeC:\
11/2/2020 - 18:45:42.981Open1480C:\malware.exeC:\Windows
11/2/2020 - 18:45:42.981Unknown1480C:\malware.exeC:\Windows
11/2/2020 - 18:45:42.981Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742
11/2/2020 - 18:45:42.981Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742
11/2/2020 - 18:45:42.981Open1480C:\malware.exeC:\Windows\SysWOW64\imm32.dll
11/2/2020 - 18:45:42.981Open1480C:\malware.exeC:\Windows\SysWOW64\imm32.dll
11/2/2020 - 18:45:42.981Open1480C:\malware.exeC:\Windows\SysWOW64\imm32.dll
11/2/2020 - 18:45:42.981Open1480C:\malware.exeC:\Windows\SysWOW64\imm32.dll
11/2/2020 - 18:45:42.981Open1480C:\malware.exeC:\Windows\SysWOW64\imm32.dll
11/2/2020 - 18:45:42.981Open1480C:\malware.exeC:\Windows\SysWOW64\imm32.dll
11/2/2020 - 18:45:43.43Open1480C:\malware.exeC:\icudt44l.dat
11/2/2020 - 18:45:43.90Open1480C:\malware.exeC:\ProgramData
11/2/2020 - 18:45:43.90Open1480C:\malware.exeC:\ProgramData
11/2/2020 - 18:45:43.90Unknown1480C:\malware.exeC:\ProgramData
11/2/2020 - 18:45:43.90Open1480C:\malware.exeC:\ProgramData\VMware
11/2/2020 - 18:45:43.90Open1480C:\malware.exeC:\ProgramData\VMware
11/2/2020 - 18:45:43.90Unknown1480C:\malware.exeC:\ProgramData\VMware
11/2/2020 - 18:45:43.90Open1480C:\malware.exeC:\ProgramData
11/2/2020 - 18:45:43.90Open1480C:\malware.exeC:\Windows\SysWOW64\tzres.dll
11/2/2020 - 18:45:43.90Open1480C:\malware.exeC:\Windows\SysWOW64\tzres.dll
11/2/2020 - 18:45:43.90Open1480C:\malware.exeC:\Windows\SysWOW64\tzres.dll
11/2/2020 - 18:45:43.90Open1480C:\malware.exeC:\Windows\SysWOW64\tzres.dll
11/2/2020 - 18:45:43.90Unknown1480C:\malware.exeC:\ProgramData
11/2/2020 - 18:45:43.90Open1480C:\malware.exeC:\ProgramData
11/2/2020 - 18:45:43.90Open1480C:\malware.exeC:\ProgramData
11/2/2020 - 18:45:43.90Unknown1480C:\malware.exeC:\ProgramData
11/2/2020 - 18:45:43.90Open1480C:\malware.exeC:\ProgramData\VMware
11/2/2020 - 18:45:43.90Unknown1480C:\malware.exeC:\ProgramData\VMware
11/2/2020 - 18:45:43.90Open1480C:\malware.exeC:\ProgramData
11/2/2020 - 18:45:43.90Unknown1480C:\malware.exeC:\ProgramData
11/2/2020 - 18:45:43.90Unknown1480C:\malware.exeC:\Windows
11/2/2020 - 18:45:43.90Unknown1480C:\malware.exeC:\Monitor
11/2/2020 - 18:45:43.90Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742

Process
Trace

Analysis
Reason
Finished

Status
Sucessfully Executed

Results
1

Registry
Trace

File Summary
Created
Identified: False cancel

Deleted
Identified: False cancel

Process Summary
Created
Identified: False cancel

Deleted
Identified: False cancel

Registry Summary
Proxy
Identified: False cancel

AutoRun
Identified: False cancel

Created
Identified: False cancel

Deleted
Identified: False cancel

Browsers
Identified: False cancel

Internet
Identified: False cancel

Loading...

DNS
Query

Response

TCP
Info

UDP
Info

HTTP
Info

Summary
DNS
False cancel

TCP
False cancel

UDP
False cancel

HTTP
False cancel

Results
BINARY
KNN (K=3, NFS-BRMalware)
confidence: 100.00%
suspicious: False cancel

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True check_circle

SVC (Kernel=Linear, NFS-BRMalware)
confidence: 99.96%
suspicious: False cancel

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 92.36%
suspicious: True check_circle

Random Forest (100 estimators, NFS-BRMalware)
confidence: 66.00%
suspicious: False cancel

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 53.37%
suspicious: True check_circle

LightGDM (Ember: File Characteristics, Threshold=0.8336)
confidence: 100.00%
suspicious: False cancel

Add to Collection
Download