Report #5910 check_circle

  • Creation Date: Feb. 12, 2020, 6:16 p.m.
  • Last Update: Feb. 13, 2020, 4:07 a.m.
  • File: STBN.BOL10667283.04.exe
  • Results:
Binary
DLL
False cancel
Size
3.17MB
trid
52.9% Win32 Executable
23.5% Generic Win/DOS Executable
23.5% DOS Executable Generic
type
PE
wordsize
32
Subsystem
Windows GUI
Hashes
md5
c4103f88a3e90199fce9c8d4fcb2df32
sha1
ff139d62e96b6084890ea66a626c9a8f2e9f57ee
crc32
0xbade8361
sha224
14bfdf6b2615848c942b129de39abdd6e7d94219d4985971582238e0
sha256
f8763d6fce68af4546197e108b37a7ab81e2106c5fa4e494de157db3009ef807
sha384
9becd81fc219401a40e02e2213f4995a321f131e4415bdede755b33f725c7d0e431ab7fa2ed95457cd884e9c8bfffd15
sha512
009454cafcca538ef235658f52c0045973f917f7167b4fa279f1185af7e1df828d00900793d34ddfadd6ed278d83a282a73ba4ca0dbeb354992bd8a17ed0b148
ssdeep
49152:VUTOmnrRWYtQkh8T/6ppa7hrfx0lygS+9ieTiqSKJ5jGMmYmMY3WeNIoGsQj/jJo:VE3JhKpjGtjiJqxJ5jGMm5MdiGRJ1R
Community
Google
False cancel
HashLib
False cancel
YARA
Matches
domain, network_ssl, Armadillo_V6X_Minimum_Protection_Silicon_Realms_Toolworks_20081227, ThreadControl__Context, CRC32_poly_Constant, VC8_Microsoft_Corporation, CRC32_table, TEAN, win_files_operation, IsPacked, contentis_base64, screenshot, win_mutex, keylogger, VirtualPC_Detection, IsPE32, maldoc_find_kernel32_base_method_1, vmdetect, IsWindowsGUI, anti_dbg, DebuggerHiding__Active, Microsoft_Visual_Cpp_8

Suspicious
True check_circle

Strings
List
Vcl.Graphics
Winapi.Windows
bt.TL
System.Net.HttpClient.Win
UD.cN
U.td
E.sh
E.tw
Font.Style
Font.Name
}System.Net.HttpClient
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Converter ID must be specified1No converter with the name %s has been registeredfThe converter named "%s" with an identical input type (%s) and output type (%s) has already been added$A method with name %s already exists.No method with the name %s has been registered)Wrong number of args: expected %d, got %d#Don't know how to add "%s" and "%s"(Don't know how to subtract "%s" and "%s"(Don't know how to multiply "%s" and "%s"
-V.ao
n.MN
f.TV
V.Uy
O.tj
r4.HK
h.Lk
_b.mP
f.va
5.bn
The credentials supplied were not complete, and could not be verified. Additional information can be returned from the context.4The context data must be renegotiated with the peer.'The target principal name is incorrect.:There is no LSA mode context associated with this context.8The clocks on the client and server machines are skewed.;The certificate chain was issued by an untrusted authority.7The message received was unexpected or badly formatted.;An unknown error occurred while processing the certificate.%The received certificate has expired.*The specified data could not be encrypted.*The specified data could not be decrypted.YThe client and server cannot communicate, because they do not possess a common algorithm.BThe security package failed to initialize, and cannot be installed-The token supplied to the function is invalid^The security package is not able to marshall the logon buffer, so the logon attempt has failedNThe per-message Quality of Protection is not supported by the security package?The security context does not allow impersonation of the client
System.Win.Registry
Unable to create Peer for: %s using the implementation %s. Check to make sure the peer class is registered and that it implements the correct interface-Cannot use the reserved implementationID "%s"2AByteEncoding must be an IIdTextEncoding interface,Key generation functions could not be loaded.SSL Certificate could not be loaded, error: %s(Public Key not Obtained from Certificate
Error getting SSL method.%Error setting File Descriptor for SSL!Error binding data to SSL socket.+EOF was observed that violates the protocol
q.AM
k.Bf
Y.fK
Q.PY
S3x.Fm
_.cX
0.Lr
K.BH
u.pn!\/Fi{
Xt.sz
r.dj
System.Net.Mime
System.Win.Crtl
System.Win.ComConst
L.Hk{N
]Xml.Win.msxmldom
SSL status: "%s"
Unable to save settings%Cannot remove shell notification icon"%s requires Windows Vista or later
Network is down.
Host is down.
Host field is empty
Socket Error # %d
^f.aU
%s class already registered
Unknown driver: %s
Error connecting to server: %s
No close token for type %s
The security context could not be established due to a failure in the requested quality of service (e.g. mutual authentication or delegation).dA security context was deleted before the context was completed. This is considered a logon failure.mThe client is trying to negotiate a context and the server requires user-to-user but didn't send a TGT reply.aUnable to accomplish the requested task because the local machine does not have any IP addresses.bThe supplied credential handle does not match the credential associated with the security context.]The crypto system or checksum function is invalid because a required function is unavailable.9The number of maximum ticket referrals has been exceeded.KThe local machine must be a Kerberos KDC (domain controller) and it is not.qThe other end of the security negotiation is requires strong crypto but it is not supported on the local machine.5The KDC reply contained more than one principal name.OExpected to find PA data for a hint of what etype to use, but it was not found.
;Ao.AI
No credential handle acquired:The encryption type requested is not supported by the KDC.QAn unsupported preauthentication mechanism was presented to the Kerberos package.
sa(w6
&o-Mt%
ram%/H
{(%/
+IdTCPServer
The domain controller certificate used for smartcard logon has been revoked. Please contact your system administrator with the contents of your system event log.IA signature operation must be performed before the user can authenticate.AOne or more of the parameters passed to the function was invalid.DClient policy does not allow credential delegation to target server.bClient policy does not allow credential delegation to target server with NLTM only authentication.1The recipient rejected the renegotiation request.-The required security context does not exist.`The PKU2U protocol encountered an error while attempting to utilize the associated certificates.:The identity of the server computer could not be verified.
System.Win.ComObj
=Dty
g|SA
hg|t
y<ti
|OCpi
Parameter count mismatch<Type '%s' is not declared in the interface section of a unit7VAR and OUT arguments must match parameter type exactly,Specified Login Credential Service not found"%s (Version %d.%d, Build %d, %5:s):%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)
^iCvJAGl[
Could not load SSL library.
[LBOr
cE-ya
8Vcl.ToolWin
Spanish (Spain)
System.Net.URLClient
g41aO
NSystem.Win.TaskbarCore
XMLDataFile must be specified$TransformationFile must be specified,Version of Transformation File not supported$Unable to add IStylusAsyncPlugin: %s#Unable to add IStylusSyncPlugin: %s'Unable to remove IStylusAsyncPlugin: %s&Unable to remove IStylusSyncPlugin: %s&Unable to get or set window handle: %s/Unable to enable or disable IRealTimeStylus: %s
Unrecognized command type.9Schema or user name separated by a '.' must be specified.
Parameter "%s" not found,Maximum number of redirections (%d) exceeded Error getting Server Certificate)Server Certificate Invalid or not present
%CrS%8f'yT
8=%cDPn>
7{P%-o&AMSo
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.
A5L%o9I'
d%gEIx5)
Error parsing undefined valueDAdditional text encountered after finished reading JSON content: %s..The reader's MaxDepth of %s has been exceeded.<Token %s in state %s would result in an invalid JSON object.AAfter parsing a value an unexpected character was encountered: %s"Unexpected end when reading bytes.2Unexpected character while parsing constructor: %s9Unexpected character encountered while parsing number: %s9Unexpected character encountered while parsing value: %s.$Unexpected end while parsing comment)Unexpected end while parsing constructor.
1fDt
%eY&h0,
%e6~{
n\%e6`
%ehu2=
iE%%7
0%tEH`
D%6e{r
T%6E/
, line %d, position %d Path '%s'(Indentation value must be greater than 0KUTF8: A start byte not followed by enough continuation bytes in position %sDUTF8: An unexpected continuation byte in %s-byte UTF8 in position %sAUTF8: Type cannot be determined out of header byte at position %s*Internal: Field %s has no serialized value+Internal: Field %s conversion is incomplete&Internal: Array expected instead of %s+Internal: JSON value expected instead of %s'Internal: Array expected instead of nil/Internal: Current context cannot accept a value8Internal: Object context expected when processing a pair.Internal: Current context cannot accept a pair-Internal: No conversion possible for type: %sGInternal: Conversion failed, converted object is most likely incomplete,Internal: Type %s is not currently supportedTField attribute should provide a field interceptor instead of a type one on field %s$Internal: Cannot instantiate type %sBCan not change credentials after handle aquired. Use Release first
N1aeM

Foremost
Matches
0.exe, 3 MB
Suspicious
True check_circle
Heuristics
IPs
hasIPs: False cancel
Allowed
Suspicious
hasAllowed: False cancel
hasSuspicious: False cancel

URLs
Allowed
hasURLs: False cancel
Suspicious
hasAllowed: False cancel
hasSuspicious: False cancel

Files
Allowed: USER32.DLL, kernel32.dll, COMCTL32.DLL, mscoree.dll, GDI32.dll
hasFiles: True check_circle
Suspicious
hasAllowed: True check_circle
hasSuspicious: False cancel

Binary
Sizes
RVA
RVA: 16
Suspicious: False cancel
Code
Size: 3010560
Suspicious: False cancel
Image
Address: 4194304
Suspicious: False cancel
Stack
Stack: 16384
Suspicious: False cancel
Headers
Headers: 4096
Suspicious: False cancel
Suspicious: False cancel

Symbols
Number
Number: 0
Suspicious: True check_circle
Pointer
Pointer: 0
Suspicious: True check_circle
Directories
Number: 16
Suspicious: False cancel

Checksum
Value: 3337982
Suspicous: False cancel

Sections
Allowed: .text, .itext, .data, .bss, .idata, .didata, .edata, .tls, .rdata, .reloc, .text1, .adata, .data1, .reloc1, .pdata, .rsrc
Suspicious
hasAllowed: True check_circle
hasSections: True check_circle
hasSuspicious: False cancel

Versions
OS
Version: 5
Suspicious: False cancel
Image
Version: True check_circle
Suspicious: 5
Linker
Version: 83.82
Suspicious: False cancel
Subsystem
Version: 5.0
Suspicious: False cancel
Suspicious: False cancel

EntryPoint
Address: 6731042
Suspicious: False cancel

Anomalies
Anomalies
hasAnomalies: False cancel

Libraries
Allowed: user32.dll, kernel32.dll, comctl32.dll, mscoree.dll, gdi32.dll
hasLibs: True check_circle
Suspicious
hasAllowed: True check_circle
hasSuspicious: False cancel

Timestamp
Past: False cancel
Valid: True check_circle
Value: 2018-11-13 19:07:32
Future: False cancel

Compilation
Packed: False cancel
Missing: False cancel
Packers
Compiled: True check_circle
Compilers: Microsoft Visual C++ 8, VC8 -> Microsoft Corporation

Obfuscation
XOR: False cancel
Fuzzing: False cancel

PEDetector
Matches
None
Suspicious
False cancel
Disassembly
hasTricks
True check_circle
Tricks
ldr
.rdata: 1

pushret
.rsrc: 1
.adata: 8
.pdata: 1490
.rdata: 2

pushpopmath
.rsrc: 2
.adata: 23
.pdata: 831
.rdata: 4

sizeofimage
.rdata: 1

ss register
.pdata: 16

garbagebytes
.adata: 4
.pdata: 578
.rdata: 1

hookdetection
.adata: 1
.pdata: 58

stealthimport
.adata: 1

peb ntglobalflag
.rdata: 1

isdebbugerpresent
.rdata: 1

software breakpoint
.adata: 2
.pdata: 46

fakeconditionaljumps
.pdata: 54
.rdata: 45

programcontrolflowchange
.adata: 4
.pdata: 529
.rdata: 1

cpuinstructionsresultscomparison
.rsrc: 20
.adata: 6
.pdata: 4

AVclass
ursu
1
VirusTotal
md5
c4103f88a3e90199fce9c8d4fcb2df32
sha1
ff139d62e96b6084890ea66a626c9a8f2e9f57ee
SCANS (DETECTION RATE = 32.84%)
AVG
result: Win32:Malware-gen
update: 20181120
version: 18.4.3895.0
detected: True check_circle

CMC
update: 20181119
version: 1.1.0.977
detected: False cancel

MAX
update: 20181120
version: 2018.9.12.1
detected: False cancel

Bkav
update: 20181119
version: 1.3.0.9899
detected: False cancel

K7GW
update: 20181120
version: 11.12.29085
detected: False cancel

ALYac
result: Gen:Variant.Ursu.312572
update: 20181120
version: 1.1.1.5
detected: True check_circle

Avast
result: Win32:Malware-gen
update: 20181120
version: 18.4.3895.0
detected: True check_circle

Avira
result: TR/Spy.Banker.Gen
update: 20181120
version: 8.3.3.6
detected: True check_circle

Baidu
update: 20181120
version: 1.0.0.2
detected: False cancel

Cyren
update: 20181120
version: 6.2.0.1
detected: False cancel

DrWeb
update: 20181120
version: 7.0.34.11020
detected: False cancel

GData
result: Gen:Variant.Ursu.312572
update: 20181120
version: A:25.19462B:25.13714
detected: True check_circle

Panda
result: Trj/GdSda.A
update: 20181119
version: 4.6.4.2
detected: True check_circle

VBA32
update: 20181119
version: 3.33.0
detected: False cancel

Zoner
update: 20181120
version: 1.0
detected: False cancel

ClamAV
update: 20181119
version: 0.100.2.0
detected: False cancel

F-Prot
update: 20181120
version: 4.7.1.166
detected: False cancel

Ikarus
update: 20181119
version: 0.1.5.2
detected: False cancel

McAfee
result: Artemis!C4103F88A3E9
update: 20181120
version: 6.0.6.653
detected: True check_circle

Rising
update: 20181120
version: 25.0.0.24
detected: False cancel

Sophos
update: 20181120
version: 4.98.0
detected: False cancel

Yandex
update: 20181119
version: 5.5.1.3
detected: False cancel

Zillya
update: 20181119
version: 2.0.0.3695
detected: False cancel

Alibaba
update: 20180921
version: 0.1.0.2
detected: False cancel

Arcabit
result: Trojan.Ursu.D4C4FC
update: 20181120
version: 1.0.0.834
detected: True check_circle

Babable
update: 20180918
version: 9107201
detected: False cancel

Cylance
result: Unsafe
update: 20181120
version: 2.3.1.101
detected: True check_circle

Endgame
update: 20181108
version: 3.0.2
detected: False cancel

TACHYON
update: 20181120
version: 2018-11-20.01
detected: False cancel

Tencent
update: 20181120
version: 1.0.0.1
detected: False cancel

ViRobot
update: 20181120
version: 2014.3.20.0
detected: False cancel

Webroot
update: 20181120
version: 1.0.0.403
detected: False cancel

eGambit
update: 20181120
version: v4.3.5
detected: False cancel

Ad-Aware
result: Gen:Variant.Ursu.312572
update: 20181120
version: 3.0.5.370
detected: True check_circle

AegisLab
result: Trojan.Win32.Buzus.lxsr
update: 20181120
version: 4.2
detected: True check_circle

Emsisoft
result: Gen:Variant.Ursu.312572 (B)
update: 20181120
version: 2018.4.0.1029
detected: True check_circle

F-Secure
result: Gen:Variant.Ursu.312572
update: 20181120
version: 11.0.19100.45
detected: True check_circle

Fortinet
update: 20181120
version: 5.4.247.0
detected: False cancel

Invincea
update: 20181108
version: 6.3.6.26157
detected: False cancel

Jiangmin
update: 20181120
version: 16.0.100
detected: False cancel

Kingsoft
update: 20181120
version: 2013.8.14.323
detected: False cancel

Paloalto
result: generic.ml
update: 20181120
version: 1.0
detected: True check_circle

Symantec
result: Trojan.Gen.2
update: 20181120
version: 1.8.0.0
detected: True check_circle

AhnLab-V3
result: Trojan/Win32.Midgare.C2837168
update: 20181120
version: 3.13.1.22397
detected: True check_circle

Antiy-AVL
update: 20181120
version: 3.0.0.1
detected: False cancel

Kaspersky
update: 20181120
version: 15.0.1.13
detected: False cancel

Microsoft
result: Trojan:Win32/Tiggre!plock
update: 20181120
version: 1.1.15400.5
detected: True check_circle

Qihoo-360
result: Win32/Trojan.df4
update: 20181120
version: 1.0.0.1120
detected: True check_circle

TheHacker
update: 20181118
version: 6.8.0.5.3867
detected: False cancel

Trustlook
update: 20181120
version: 1.0
detected: False cancel

ZoneAlarm
update: 20181120
version: 1.0
detected: False cancel

Cybereason
update: 20180225
version: 1.2.27
detected: False cancel

ESET-NOD32
update: 20181120
version: 18410
detected: False cancel

TrendMicro
update: 20181120
version: 10.0.0.1040
detected: False cancel

BitDefender
result: Gen:Variant.Ursu.312572
update: 20181120
version: 7.2
detected: True check_circle

CrowdStrike
update: 20181022
version: 1.0
detected: False cancel

K7AntiVirus
update: 20181120
version: 11.12.29086
detected: False cancel

SentinelOne
update: 20181011
version: 1.0.19.245
detected: False cancel

Avast-Mobile
update: 20181119
version: 181119-02
detected: False cancel

Malwarebytes
update: 20181120
version: 2.1.1.1115
detected: False cancel

TotalDefense
update: 20181118
version: 37.1.62.1
detected: False cancel

CAT-QuickHeal
update: 20181119
version: 14.00
detected: False cancel

NANO-Antivirus
update: 20181120
version: 1.0.134.24299
detected: False cancel

MicroWorld-eScan
result: Gen:Variant.Ursu.312572
update: 20181120
version: 14.0.297.0
detected: True check_circle

SUPERAntiSpyware
update: 20181114
version: 5.6.0.1032
detected: False cancel

McAfee-GW-Edition
result: BehavesLike.Win32.Injector.wc
update: 20181120
version: v2017.3010
detected: True check_circle

TrendMicro-HouseCall
result: TROJ_GEN.R002H09KF18
update: 20181120
version: 10.0.0.1040
detected: True check_circle

total
67
sha256
f8763d6fce68af4546197e108b37a7ab81e2106c5fa4e494de157db3009ef807
scan_id
f8763d6fce68af4546197e108b37a7ab81e2106c5fa4e494de157db3009ef807-1542695727
resource
c4103f88a3e90199fce9c8d4fcb2df32
positives
22
scan_date
2018-11-20 06:35:27
verbose_msg
Scan finished, information embedded
response_code
1
File
Trace

Process
Trace

Analysis
Reason
Blue Screen

Status
Machine Crashed

Results
0

Registry
Trace

File Summary
Created
Identified: False cancel

Deleted
Identified: False cancel

Process Summary
Created
Identified: False cancel

Deleted
Identified: False cancel

Registry Summary
Proxy
Identified: False cancel

AutoRun
Identified: False cancel

Created
Identified: False cancel

Deleted
Identified: False cancel

Browsers
Identified: False cancel

Internet
Identified: False cancel

Loading...

DNS
Query
computer localhost arrow_forward computer gateway:52809 code ctldl.windowsupdate.com.
computer localhost arrow_forward computer gateway:DNS code ctldl.windowsupdate.com.
computer localhost arrow_forward computer gateway:61083 code time.windows.com.
computer localhost arrow_forward computer gateway:50273 code raw.githubusercontent.com.
computer localhost arrow_forward computer gateway:DNS code time.windows.com.
computer localhost arrow_forward computer gateway:55483 code teredo.ipv6.microsoft.com.
computer localhost arrow_forward computer gateway:DNS code teredo.ipv6.microsoft.com.
computer localhost arrow_forward computer gateway:DNS code raw.githubusercontent.com.
computer localhost arrow_forward computer gateway:63189 code teredo.ipv6.microsoft.com.
computer localhost arrow_forward computer gateway:63658 code ipv6.msftncsi.com.
computer localhost arrow_forward computer gateway:DNS code www.msftncsi.com.
computer localhost arrow_forward computer gateway:51106 code www.msftncsi.com.
computer localhost arrow_forward computer gateway:DNS code ipv6.msftncsi.com.

Response
computer gateway:DNS arrow_forward computer localhost code ctldl.windowsupdate.com. reply_all 200.143.247.8

computer gateway:DNS arrow_forward computer localhost code www.msftncsi.com. reply_all 200.143.247.8

computer gateway:DNS arrow_forward computer localhost code raw.githubusercontent.com. reply_all 151.101.252.133

computer gateway:DNS arrow_forward computer localhost code ipv6.msftncsi.com. reply_all a978.i6g1.akamai.net.

computer gateway:DNS arrow_forward computer localhost code time.windows.com. reply_all 20.43.94.199


TCP
Info
200.143.247.9:80 arrow_forward computer localhost:49157
computer localhost:49157 arrow_forward 200.143.247.9:80
computer localhost:65191 arrow_forward 151.101.252.133:443
computer localhost:49159 arrow_forward 200.143.247.10:80
151.101.252.133:443 arrow_forward computer localhost:65191
200.143.247.10:80 arrow_forward computer localhost:49159

UDP
Info
computer localhost:57059 arrow_forward help_outline 224.0.0.252:5355
computer localhost:63189 arrow_forward computer localhost:53
computer localhost:53 arrow_forward computer localhost:61083
computer localhost:53 arrow_forward computer localhost:55483
computer localhost:53 arrow_forward computer localhost:50273
computer localhost:63805 arrow_forward help_outline 224.0.0.252:5355
computer localhost:61083 arrow_forward computer localhost:53
computer localhost:62687 arrow_forward help_outline 239.255.255.250:3702
computer localhost:123 arrow_forward 20.43.94.199:123
computer localhost:53 arrow_forward computer localhost:52809
computer localhost:50308 arrow_forward help_outline 224.0.0.252:5355
computer localhost:59472 arrow_forward help_outline 224.0.0.252:5355
computer localhost:55483 arrow_forward computer localhost:53
20.43.94.199:123 arrow_forward computer localhost:123
computer localhost:63658 arrow_forward computer localhost:53
computer localhost:51106 arrow_forward computer localhost:53
computer localhost:51974 arrow_forward help_outline 224.0.0.252:5355
computer localhost:68 arrow_forward help_outline 255.255.255.255:67
computer localhost:53 arrow_forward computer localhost:51106
computer localhost:67 arrow_forward computer localhost:68
computer localhost:53 arrow_forward computer localhost:63189
computer localhost:53 arrow_forward computer localhost:63658
computer localhost:64995 arrow_forward help_outline 224.0.0.252:5355
computer localhost:60122 arrow_forward help_outline 224.0.0.252:5355
computer localhost:55555 arrow_forward help_outline 224.0.0.252:5355
computer localhost:50273 arrow_forward computer localhost:53
computer localhost:52809 arrow_forward computer localhost:53
computer localhost:54088 arrow_forward help_outline 224.0.0.252:5355
computer localhost:58658 arrow_forward help_outline 224.0.0.252:5355

HTTP
Info
computer localhost send GET www.msftncsi.com attach_file /ncsi.txt
computer localhost send GET ctldl.windowsupdate.com attach_file /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f3ae4f410e5bb11e

Summary
DNS
True check_circle

TCP
True check_circle

UDP
True check_circle

HTTP
True check_circle

Results
BINARY
KNN (K=3, NFS-BRMalware)
confidence: 100.00%
suspicious: True check_circle

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True check_circle

SVC (Kernel=Linear, NFS-BRMalware)
confidence: 74.80%
suspicious: False cancel

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 66.34%
suspicious: False cancel

Random Forest (100 estimators, NFS-BRMalware)
confidence: 73.00%
suspicious: True check_circle

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 85.23%
suspicious: False cancel

LightGDM (Ember: File Characteristics, Threshold=0.8336)
confidence: 99.95%
suspicious: True check_circle

Add to Collection
Download