Report #6183

  • Creation Date: Feb. 14, 2020, 1:56 p.m.
  • Last Update: Feb. 14, 2020, 3:55 p.m.
  • File: BOLETO NF-1154_PDF.exe
  • Results:
Binary
DLL: False
Size: 642.00KB
trid:
  35.7% Win32 Executable
  16.4% Win16/32 Executable Delphi generic
  16.0% OS/2 Executable
  15.8% Generic Win/DOS Executable
  15.8% DOS Executable Generic
type: PE
wordsize: 32
Subsystem: Windows GUI
Hashes
md5: 479926f70dd2e5ac8dfb49495951a8b7
sha1: 1e7556a591bddc3524c6445c210a446a3b8a680c
crc32: 0xe28b8457
sha224: 450cb7238d68662158369321a7358d79dcd9e37a4f551246842835b5
sha256: 172229be5a19b89704fb57ca7c547f1f10619a0a2e8d9689693af18262d5b8a8
sha384: 19e3eddf70727bb3bd1bbb7dfdbb1e0892d15c442217ac1b0c07bce3fcba4ca8d681eec7e5cd683083b28ae8018df8ad
sha512: 6c77dba837b04bc73cae08b660f2e75d453d2e1d8c98768f373ba16902988a3c9ca6cc8a97708fbf1742643d629830be8810de3983118a093163d40fbb13cd32
ssdeep: 12288:TsR2Kf718YCZJpXVnT2yPa1rMx6C2XgTTORek/rG888888888888W8888888888W:Ah1cJplnT20IUx2XgnORzBW1HG05Hsy
Community
Google: False
HashLib: False
YARA
Matches: maldoc_getEIP_method_1, domain, ASProtect_123_RC4_130824_Solodovnikov_Alexey, Borland, Microsoft_Visual_Basic_v50, ASProtect_v123_RC1, ASProtect_v12x_New_Strain_additional, ASProtect_v11_BRS, ASProtect_v12_additional, ASProtect_133_21_Registered_Alexey_Solodovnikov, IsPacked, ASProtect_v12x_New_Strain, ASProtectv12xNewStrain, contentis_base64, IsPE32, ASProtectv123RC1, IsWindowsGUI, ASProtect_V2X_Registered_Alexey_Solodovnikov, ASProtect_133_21_Registered_Alexey_Solodovnikov_additional, HasOverlay, ASProtect13321RegisteredAlexeySolodovnikov, VMProtect_1704_phpbb3

Suspicious: True

Strings
List
s.tG
Font.Style
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Style
Font.Name
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Name
Font.Style
Font.Name
Font.Name
Font.Name
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Style
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Name
Font.Style
Font.Style
Font.Style
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name
Font.Style
Font.Name

Foremost
Matches: 0.exe, 641 KB
Suspicious: True
Heuristics
IPs
hasIPs: False
hasAllowed: False
hasSuspicious: False

URLs
hasURLs: False
hasAllowed: False
hasSuspicious: False

Files
Allowed: user32.dll, comctl32.dll, ole32.dll, advapi32.dll, gdi32.dll, kernel32.dll, comdlg32.dll, oleaut32.dll, shell32.dll, msimg32.dll, version.dll
Suspicious: (none)
hasFiles: True
hasAllowed: True
hasSuspicious: False
Binary
Sizes
RVA: 16 (Suspicious: False)
Code size: 232448 (Suspicious: False)
Image base address: 4194304 (0x400000) (Suspicious: False)
Stack: 16384 (Suspicious: False)
Headers: 1024 (Suspicious: False)
Suspicious: False

Symbols
Number: 0 (Suspicious: True)
Pointer: 0 (Suspicious: True)
Directories
Number: 16 (Suspicious: False)

Checksum
Value: 0
Suspicious: True

Sections
Allowed: nine sections with empty names, .rsrc, .data, .adata
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS version: 5 (Suspicious: False)
Image version: 5 (Suspicious: True)
Linker version: 2.25 (Suspicious: False)
Subsystem version: 5.0 (Suspicious: False)
Suspicious: False

EntryPoint
Address: 4096 (0x1000)
Suspicious: False

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True
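
The anomaly above is the comparison between the CheckSum field of the optional header (0 for this file, see Checksum above) and a value recomputed over the whole file. The following is an added example, not code from the analysis platform or from this report: it implements the algorithm Windows uses for that field (imagehlp's CheckSumMappedFile: a 16-bit sum over every word of the file with the carry folded back in, skipping the CheckSum field itself, plus the file length), runs it over a minimal hand-built PE32 header whose field values mirror the ones in this report, and shows the mismatch disappearing once the computed value is written back. The constructed header is illustration only. Caveat for triage: a stored checksum of 0 is routine for user-mode executables, since Windows only validates it for drivers and certain system-loaded DLLs, and a protector such as ASProtect rewrites the file without updating it, so this anomaly corroborates the packer verdict but is weak evidence on its own.

```python
"""PE header checksum check (added example; not code from the platform that produced this report)."""
import struct

OPT_HDR_CHECKSUM_OFFSET = 64      # IMAGE_OPTIONAL_HEADER.CheckSum sits 64 bytes into the optional header


def pe_checksum(data: bytes, checksum_field_offset: int) -> int:
    """Checksum as computed by imagehlp's CheckSumMappedFile: a 16-bit sum of all
    words with end-around carry, skipping the 4-byte CheckSum field, plus the file length."""
    padded = data + b"\x00" if len(data) % 2 else data
    total = 0
    for off in range(0, len(padded), 2):
        if checksum_field_offset <= off < checksum_field_offset + 4:
            continue                                   # the stored value is excluded from its own sum
        total += int.from_bytes(padded[off:off + 2], "little")
        total = (total & 0xFFFF) + (total >> 16)       # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF            # the unpadded file length is what gets added


def checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum, located through e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    optional_header = e_lfanew + 4 + 20                # signature + IMAGE_FILE_HEADER
    return optional_header + OPT_HDR_CHECKSUM_OFFSET


def check_pe(data: bytes) -> dict:
    """Compare the stored CheckSum with the recomputed one (the report's 'Anomalies' test)."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    return {"stored": stored, "computed": computed, "mismatch": stored != computed}


def build_minimal_pe32(stored_checksum: int = 0) -> bytes:
    """Constructed 312-byte PE32 header (DOS header, PE signature, COFF header,
    optional header, no sections). Values mirror this report: entry point 0x1000,
    image base 0x400000, linker 2.25, OS and subsystem version 5.0, GUI subsystem,
    1024-byte headers, 16 data directories. Illustration only, not a real sample."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, 0x0102)  # i386, 0 sections, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    opt[2], opt[3] = 2, 25                                  # Major/MinorLinkerVersion 2.25
    struct.pack_into("<I", opt, 16, 0x1000)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)               # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)         # SectionAlignment, FileAlignment
    struct.pack_into("<HH", opt, 40, 5, 0)                  # OS version 5.0
    struct.pack_into("<HH", opt, 48, 5, 0)                  # Subsystem version 5.0
    struct.pack_into("<II", opt, 56, 0x2000, 0x400)         # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, stored_checksum)        # CheckSum
    struct.pack_into("<H", opt, 68, 2)                      # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<II", opt, 72, 0x100000, 0x4000)      # SizeOfStackReserve, SizeOfStackCommit
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_minimal_pe32(stored_checksum=0)          # CheckSum left at 0, as in this report
    result = check_pe(sample)
    print(result)                                           # mismatch: True
    repaired = build_minimal_pe32(stored_checksum=result["computed"])
    print(check_pe(repaired))                               # mismatch: False
```

For a real file, pass `open(path, "rb").read()` to `check_pe()`. Because the CheckSum field is excluded from the sum, writing the computed value back leaves the computed value unchanged, which is what makes the repaired header verify.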

Libraries
Allowed: user32.dll, comctl32.dll, ole32.dll, advapi32.dll, gdi32.dll, kernel32.dll, comdlg32.dll, oleaut32.dll, shell32.dll, msimg32.dll, version.dll
hasLibs: True
hasAllowed: True
hasSuspicious: False

Timestamp
Value: 2017-05-04 12:58:47
Valid: True
Past: False
Future: False

Compilation
Packed: True
Missing: False
Packers: ASProtect v1.2x, ASProtect 1.33 - 2.1 Registered -> Alexey Solodovnikov, ASProtect v1.2
Compiled: False
Compilers
MainPacker: ASProtect v1.23 RC1

Obfuscation
XOR: False
Fuzzing: False

PEDetector
Matches: None
Suspicious: False
Disassembly
hasTricks: True
Tricks (occurrences per section)
pushret: none: 197, .data: 70
pushpopmath: none: 123, .data: 51, .rsrc: 3
ss register: none: 2
garbagebytes: none: 62, .data: 34
hookdetection: none: 6, .data: 6
software breakpoint: none: 9, .data: 3
fakeconditionaljumps: none: 4, .data: 2
programcontrolflowchange: none: 58, .data: 32
cpuinstructionsresultscomparison: none: 3, .data: 3, .rsrc: 12

AVclass
banload: 1
VirusTotal
md5: 479926f70dd2e5ac8dfb49495951a8b7
sha1: 1e7556a591bddc3524c6445c210a446a3b8a680c
SCANS (DETECTION RATE = 64.62%)
Engine | Detected | Result | Update | Version
AVG | yes | Win32:Malware-gen | 20190223 | 18.4.3895.0
CMC | no | - | 20190223 | 1.1.0.977
MAX | yes | malware (ai score=99) | 20190223 | 2018.9.12.1
K7GW | yes | Trojan-Downloader ( 0050c6101 ) | 20190223 | 11.30.30088
ALYac | no | - | 20190223 | 1.1.1.5
Avast | yes | Win32:Malware-gen | 20190223 | 18.4.3895.0
Avira | yes | HEUR/AGEN.1018630 | 20190223 | 8.3.3.8
Baidu | no | - | 20190215 | 1.0.0.2
Cyren | yes | W32/Trojan.EFJJ-7489 | 20190223 | 6.2.0.1
DrWeb | yes | Trojan.DownLoader24.56647 | 20190223 | 7.0.34.11020
GData | yes | Gen:Trojan.Heur.OWXa77Acgqgi | 20190223 | A:25.20800B:25.14450
Panda | yes | Trj/CI.A | 20190223 | 4.6.4.2
VBA32 | yes | suspected of Trojan.Downloader.gen.h | 20190222 | 3.35.1
VIPRE | yes | Trojan.Win32.Generic!BT | 20190223 | 73286
Zoner | no | - | 20190223 | 1.0
ClamAV | no | - | 20190223 | 0.101.1.0
Comodo | yes | Malware@#1lbltks9vvble | 20190223 | 30471
Ikarus | yes | Trojan-Downloader.Win32.Banload | 20190223 | 0.1.5.2
McAfee | yes | RDN/Generic Downloader.x | 20190223 | 6.0.6.653
Rising | yes | Downloader.Banload!8.15B (CLOUD) | 20190223 | 25.0.0.24
Sophos | yes | Mal/Generic-S | 20190223 | 4.98.0
Yandex | yes | Trojan.DL.Banload!zjHUDgRAClA | 20190222 | 5.5.1.3
Acronis | no | - | 20190222 | 1.0.1.40
Alibaba | no | - | 20180921 | 0.1.0.2
Arcabit | yes | Trojan.Heur.OWXa77Acgqgi | 20190223 | 1.0.0.837
Babable | no | - | 20180918 | 9107201
Cylance | yes | Unsafe | 20190223 | 2.3.1.101
TACHYON | no | - | 20190223 | 2019-02-23.02
Tencent | no | - | 20190223 | 1.0.0.1
ViRobot | no | - | 20190223 | 2014.3.20.0
Webroot | yes | W32.Trojan.Gen | 20190223 | 1.0.0.403
eGambit | yes | Generic.Malware | 20190223 | v4.3.6
Ad-Aware | yes | Gen:Trojan.Heur.OWXa77Acgqgi | 20190223 | 3.0.5.370
AegisLab | no | - | 20190223 | 4.2
Emsisoft | yes | Gen:Trojan.Heur.OWXa77Acgqgi (B) | 20190223 | 2018.4.0.1029
F-Secure | yes | Heuristic.HEUR/AGEN.1018630 | 20190223 | 12.0.86.52
Fortinet | yes | W32/Trojandldr.DEBS!tr | 20190223 | 5.4.247.0
Invincea | yes | heuristic | 20181128 | 6.3.6.26157
Jiangmin | yes | Packed.Black.akhb | 20190223 | 16.0.100
Kingsoft | no | - | 20190223 | 2013.8.14.323
Paloalto | yes | generic.ml | 20190223 | 1.0
Symantec | yes | ML.Attribute.HighConfidence | 20190222 | 1.8.0.0
Trapmine | no | - | 20190123 | 3.1.40.719
AhnLab-V3 | yes | Trojan/Win32.Banload.C1946688 | 20190223 | 3.14.1.22785
Antiy-AVL | no | - | 20190223 | 3.0.0.1
Kaspersky | yes | Packed.Win32.Black.d | 20190223 | 15.0.1.13
Microsoft | yes | TrojanDownloader:Win32/Banload | 20190223 | 1.1.15700.8
Qihoo-360 | yes | HEUR/QVM15.0.B711.Malware.Gen | 20190223 | 1.0.0.1120
TheHacker | no | - | 20190217 | 6.8.0.5.4025
Trustlook | no | - | 20190223 | 1.0
ZoneAlarm | yes | Packed.Win32.Black.d | 20190223 | 1.0
Cybereason | yes | malicious.70dd2e | 20190109 | 1.2.27
ESET-NOD32 | yes | a variant of Win32/Spy.Zumanek.CA | 20190223 | 18922
BitDefender | yes | Gen:Trojan.Heur.OWXa77Acgqgi | 20190223 | 7.2
CrowdStrike | no | - | 20181023 | 1.0
K7AntiVirus | yes | Trojan-Downloader ( 0050c6101 ) | 20190223 | 11.30.30088
SentinelOne | yes | static engine - malicious | 20190203 | 1.0.23.276
Avast-Mobile | no | - | 20190223 | 190223-00
Malwarebytes | no | - | 20190223 | 2.1.1.1115
TotalDefense | no | - | 20190223 | 37.1.62.1
CAT-QuickHeal | no | - | 20190223 | 14.00
NANO-Antivirus | yes | Trojan.Win32.Black.eovhom | 20190223 | 1.0.134.24576
MicroWorld-eScan | yes | Gen:Trojan.Heur.OWXa77Acgqgi | 20190223 | 14.0.297.0
SUPERAntiSpyware | no | - | 20190220 | 5.6.0.1032
McAfee-GW-Edition | yes | BehavesLike.Win32.PWSBanker.jc | 20190223 | v2017.3010

total: 65
positives: 42
sha256: 172229be5a19b89704fb57ca7c547f1f10619a0a2e8d9689693af18262d5b8a8
scan_id: 172229be5a19b89704fb57ca7c547f1f10619a0a2e8d9689693af18262d5b8a8-1550476078
resource: 479926f70dd2e5ac8dfb49495951a8b7
scan_date: 2019-02-18 07:47:58
verbose_msg: Scan finished, information embedded
response_code: 1
File
Trace (Date - Time | Operation | PID | Process | Target | Name)
14/2/2020 - 14:45:43.903 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rpcss.dll
14/2/2020 - 14:45:43.903 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rpcss.dll
14/2/2020 - 14:45:43.903 | Open | 1480 | C:\malware.exe | C:\dwmapi.dll
14/2/2020 - 14:45:43.903 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dwmapi.dll
14/2/2020 - 14:45:43.903 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dwmapi.dll
14/2/2020 - 14:45:43.903 | Open | 1480 | C:\malware.exe | C:\Windows\Fonts\StaticCache.dat
14/2/2020 - 14:45:43.903 | Read | 1480 | C:\malware.exe | C:\Windows\Fonts\StaticCache.dat | StaticCache.dat
14/2/2020 - 14:46:33.903 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\uxtheme.dll.Config
14/2/2020 - 14:46:33.903 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\uxtheme.dll
14/2/2020 - 14:46:33.903 | Open | 1480 | C:\malware.exe | C:\malware.exe.Local
14/2/2020 - 14:46:33.903 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
14/2/2020 - 14:46:33.903 | Unknown | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
14/2/2020 - 14:46:33.903 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
14/2/2020 - 14:46:33.903 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
14/2/2020 - 14:46:33.903 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
14/2/2020 - 14:46:33.903 | Open | 1480 | C:\malware.exe | C:\Windows\WindowsShell.Manifest
14/2/2020 - 14:46:33.903 | Unknown | 1480 | C:\malware.exe | C:\Windows\WindowsShell.Manifest | WindowsShell.Manifest
14/2/2020 - 14:46:34.309 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming
14/2/2020 - 14:46:34.309 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming
14/2/2020 - 14:46:34.309 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\fIfGxm
14/2/2020 - 14:46:34.309 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\fIfGxm
14/2/2020 - 14:46:34.309 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming
14/2/2020 - 14:46:34.309 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming
14/2/2020 - 14:46:34.309 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\fIfGxm
14/2/2020 - 14:46:34.309 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\fIfGxm
14/2/2020 - 14:46:34.309 | Open | 1480 | C:\malware.exe | C:\api-ms-win-downlevel-shlwapi-l2-1-0.dll
14/2/2020 - 14:46:34.309 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
14/2/2020 - 14:46:34.309 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll | api-ms-win-downlevel-shlwapi-l2-1-0.dll
14/2/2020 - 14:46:34.309 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
14/2/2020 - 14:46:34.309 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll | api-ms-win-downlevel-shlwapi-l2-1-0.dll
14/2/2020 - 14:46:34.309 | Open | 1480 | C:\malware.exe | C:\Secur32.dll
14/2/2020 - 14:46:34.309 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\secur32.dll
14/2/2020 - 14:46:34.309 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\secur32.dll
14/2/2020 - 14:46:34.309 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
14/2/2020 - 14:46:34.309 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
14/2/2020 - 14:46:34.309 | Open | 1480 | C:\malware.exe | C:\api-ms-win-downlevel-advapi32-l2-1-0.dll
14/2/2020 - 14:46:34.309 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll
14/2/2020 - 14:46:34.309 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll | api-ms-win-downlevel-advapi32-l2-1-0.dll
14/2/2020 - 14:46:34.309 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll
14/2/2020 - 14:46:34.309 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll | api-ms-win-downlevel-advapi32-l2-1-0.dll
14/2/2020 - 14:46:34.356 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
14/2/2020 - 14:46:34.356 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\winhttp.dll
14/2/2020 - 14:46:34.356 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\winhttp.dll
14/2/2020 - 14:46:34.356 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\webio.dll
14/2/2020 - 14:46:34.356 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\webio.dll
14/2/2020 - 14:46:34.356 | Open | 1480 | C:\malware.exe | C:\IPHLPAPI.DLL
14/2/2020 - 14:46:34.356 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\IPHLPAPI.DLL
14/2/2020 - 14:46:34.356 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\IPHLPAPI.DLL
14/2/2020 - 14:46:34.356 | Open | 1480 | C:\malware.exe | C:\WINNSI.DLL
14/2/2020 - 14:46:34.356 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\winnsi.dll
14/2/2020 - 14:46:34.356 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\winnsi.dll
14/2/2020 - 14:46:34.403 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\mswsock.dll
14/2/2020 - 14:46:34.403 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\mswsock.dll
14/2/2020 - 14:46:34.403 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
14/2/2020 - 14:46:34.403 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
14/2/2020 - 14:46:34.403 | Open | 1480 | C:\malware.exe | C:\DNSAPI.dll
14/2/2020 - 14:46:34.403 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dnsapi.dll
14/2/2020 - 14:46:34.403 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dnsapi.dll
14/2/2020 - 14:46:34.450 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
14/2/2020 - 14:46:34.450 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
14/2/2020 - 14:46:34.450 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot
14/2/2020 - 14:46:34.450 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
14/2/2020 - 14:46:34.450 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
14/2/2020 - 14:46:34.450 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
14/2/2020 - 14:46:34.450 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
14/2/2020 - 14:46:34.450 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
14/2/2020 - 14:46:34.450 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
14/2/2020 - 14:46:34.450 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
14/2/2020 - 14:46:34.450 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
14/2/2020 - 14:46:34.450 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
14/2/2020 - 14:46:34.450 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
14/2/2020 - 14:46:34.450 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot
14/2/2020 - 14:46:34.450 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming
14/2/2020 - 14:46:34.450 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming
14/2/2020 - 14:46:34.450 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming
14/2/2020 - 14:46:34.450 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
14/2/2020 - 14:46:34.450 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
14/2/2020 - 14:46:34.450 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
14/2/2020 - 14:46:34.450 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
14/2/2020 - 14:46:34.450 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
14/2/2020 - 14:46:34.450 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
14/2/2020 - 14:46:34.450 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
14/2/2020 - 14:46:34.450 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot
14/2/2020 - 14:46:34.450 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
14/2/2020 - 14:46:34.450 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
14/2/2020 - 14:46:34.450 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
14/2/2020 - 14:46:34.450 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History
14/2/2020 - 14:46:34.450 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History
14/2/2020 - 14:46:34.450 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History
14/2/2020 - 14:46:34.450 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History\History.IE5
14/2/2020 - 14:46:34.450 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History\History.IE5
14/2/2020 - 14:46:34.543 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\netprofm.dll
14/2/2020 - 14:46:34.543 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\netprofm.dll
14/2/2020 - 14:46:34.543 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\nlaapi.dll
14/2/2020 - 14:46:34.543 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\nlaapi.dll
14/2/2020 - 14:46:34.590 | Open | 1480 | C:\malware.exe | C:\dhcpcsvc6.DLL
14/2/2020 - 14:46:34.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll
14/2/2020 - 14:46:34.590 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll | dhcpcsvc6.dll
14/2/2020 - 14:46:34.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll
14/2/2020 - 14:46:34.590 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll | dhcpcsvc6.dll
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\CRYPTSP.dll
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\cryptsp.dll
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\cryptsp.dll
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\RpcRtRemote.dll
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll
14/2/2020 - 14:46:34.637 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll | RpcRtRemote.dll
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll
14/2/2020 - 14:46:34.637 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll | RpcRtRemote.dll
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\dhcpcsvc.DLL
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc.dll
14/2/2020 - 14:46:34.637 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc.dll
14/2/2020 - 14:46:34.700 | Open | 1480 | C:\malware.exe | C:\rasadhlp.dll
14/2/2020 - 14:46:34.700 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rasadhlp.dll
14/2/2020 - 14:46:34.700 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rasadhlp.dll
14/2/2020 - 14:46:34.747 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\npmproxy.dll
14/2/2020 - 14:46:34.747 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\npmproxy.dll
14/2/2020 - 14:46:35.856 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wininet.dll
14/2/2020 - 14:46:35.856 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wininet.dll
14/2/2020 - 14:46:35.918 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\FWPUCLNT.DLL
14/2/2020 - 14:46:35.934 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\FWPUCLNT.DLL
14/2/2020 - 14:46:36.59 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wininet.dll
14/2/2020 - 14:46:36.59 | Open | 1480 | C:\malware.exe | C:\malware.exe.Local
14/2/2020 - 14:46:36.59 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
14/2/2020 - 14:46:36.59 | Unknown | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
14/2/2020 - 14:46:36.59 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
14/2/2020 - 14:46:36.59 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ws2_32.dll
14/2/2020 - 14:46:36.59 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ws2_32.dll
14/2/2020 - 14:46:36.59 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
14/2/2020 - 14:46:36.59 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
14/2/2020 - 14:46:36.59 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
14/2/2020 - 14:46:36.59 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
14/2/2020 - 14:46:36.59 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
14/2/2020 - 14:46:36.59 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
14/2/2020 - 14:46:36.59 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
14/2/2020 - 14:46:36.59 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
14/2/2020 - 14:46:36.59 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
14/2/2020 - 14:46:36.59 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
14/2/2020 - 14:46:36.59 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
14/2/2020 - 14:46:36.59 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
14/2/2020 - 14:46:36.75 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
14/2/2020 - 14:46:36.75 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
14/2/2020 - 14:46:38.325 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\fIfGxm\LOyGbV.exe
14/2/2020 - 14:46:38.325 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\fIfGxm\KXxJZk.exe
14/2/2020 - 14:46:38.325 | Open | 1480 | C:\malware.exe | C:\Monitor\LOyGbV.exe
14/2/2020 - 14:46:38.325 | Open | 1480 | C:\malware.exe | C:\Monitor\KXxJZk.exe
14/2/2020 - 14:46:38.325 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\fIfGxm
14/2/2020 - 14:46:38.325 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\fIfGxm
14/2/2020 - 14:46:38.325 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\fIfGxm
14/2/2020 - 14:46:38.356 | Unknown | 1480 | C:\malware.exe | C:\Windows
14/2/2020 - 14:46:38.356 | Unknown | 1480 | C:\malware.exe | C:\Monitor
14/2/2020 - 14:46:38.356 | Unknown | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc
14/2/2020 - 14:46:38.356 | Unknown | 1480 | C:\malware.exe | C:\Windows\Fonts\StaticCache.dat | StaticCache.dat
14/2/2020 - 14:46:38.356 | Unknown | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
14/2/2020 - 14:46:38.356 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
14/2/2020 - 14:46:38.356 | Unknown | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d

Process
Trace: (empty)

Analysis
Reason: Finished

Status: Successfully Executed

Results: 1

Registry
Trace (Date - Time | Operation | PID | Process | Key | Value)
14/2/2020 - 14:46:34.356 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass
14/2/2020 - 14:46:34.356 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName
14/2/2020 - 14:46:34.356 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet
14/2/2020 - 14:46:34.356 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect
14/2/2020 - 14:46:34.356 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass
14/2/2020 - 14:46:34.356 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName
14/2/2020 - 14:46:34.356 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet
14/2/2020 - 14:46:34.356 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect
14/2/2020 - 14:46:34.403 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable
14/2/2020 - 14:46:34.403 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer
14/2/2020 - 14:46:34.403 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyOverride
14/2/2020 - 14:46:34.403 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoConfigURL
14/2/2020 - 14:46:34.403 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoDetect
14/2/2020 - 14:46:34.403 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings
14/2/2020 - 14:46:34.450 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix
14/2/2020 - 14:46:34.450 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix
14/2/2020 - 14:46:34.450 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix
14/2/2020 - 14:46:34.747 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 |WpadDecisionReason
14/2/2020 - 14:46:34.747 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionTime
14/2/2020 - 14:46:34.747 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecision
14/2/2020 - 14:46:34.747 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDetectedUrl
14/2/2020 - 14:46:36.75 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDecisionReason
14/2/2020 - 14:46:36.75 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDecisionTime
14/2/2020 - 14:46:36.75 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDecision
14/2/2020 - 14:46:36.75 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadNetworkName
14/2/2020 - 14:46:36.75 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDetectedUrl
14/2/2020 - 14:46:36.75 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionReason
14/2/2020 - 14:46:36.75 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionTime
14/2/2020 - 14:46:36.75 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecision
14/2/2020 - 14:46:36.75 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDetectedUrl
14/2/2020 - 14:46:36.75 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionReason
14/2/2020 - 14:46:36.75 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionTime
14/2/2020 - 14:46:36.75 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecision
14/2/2020 - 14:46:36.75 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDetectedUrl

File Summary
Created (identified): False
Deleted (identified): False

Process Summary
Created (identified): False
Deleted (identified): False

Registry Summary
Proxy (identified): False
AutoRun (identified): False
Created (identified): True
Deleted (identified): True
Browsers (identified): False
Internet (identified): True


DNS
Query
localhost -> gateway:DNS  aura.krakow.pl.
localhost -> gateway:50273  aura.krakow.pl.

Response
gateway:DNS -> localhost  aura.krakow.pl. answer: 193.105.32.185


TCP
Info
localhost:65191 -> 193.105.32.185:80
193.105.32.185:80 -> localhost:65191
localhost:65192 -> 193.105.32.185:80
193.105.32.185:80 -> localhost:65192

UDP
Info
localhost:53 -> localhost:50273
localhost:50273 -> localhost:53
localhost:67 -> localhost:68
localhost:68 -> 255.255.255.255:67

HTTP
Info
localhost GET aura.krakow.pl /scripts/mod-18/mod02.png
localhost GET aura.krakow.pl /scripts/mod-18/mod01.png

Summary
DNS: True
TCP: True
UDP: True
HTTP: True
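
The file trace records only Open, Read, Write, Delete and Unknown events, which is why File Summary reports no created files even though two executables appear under %APPDATA%\fIfGxm (and under C:\Monitor) at 14:46:38, a few seconds after the two GET requests for PNG-named resources on aura.krakow.pl. The following is an added example, not code from the platform that produced this report: it parses the run-together trace format used above, strips the duplicated trailing file name some lines carry, separates loader noise under C:\Windows from executables touched anywhere else, reads coarse capabilities (HTTP, sockets, DNS, CryptoAPI) from the system DLLs that were loaded, and bundles the network indicators from the DNS and HTTP sections into one IOC summary. The sample lines are copied from this report; the system-path prefix, the executable extensions and the DLL-to-capability table are this example's own assumptions and should be tuned per sandbox.

```python
"""Sandbox file-trace triage (added example; not code from the platform that produced this report)."""
import re
from collections import Counter

# One exported line: "<d/m/yyyy> - <hh:mm:ss.fff><op><pid><process image><target path>", fields run together.
TRACE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) - (?P<time>\d{2}:\d{2}:\d{2}\.\d+)"
    r"(?P<op>Open|Read|Write|Delete|Create|Unknown)(?P<pid>\d+)"
    r"(?P<process>.+?\.exe)"                                    # process image: shortest match ending in .exe
    r"(?P<target>(?:[A-Za-z]:\\|HK(?:LM|CU|CR|U)\\).*)$"        # target begins with a drive letter or a hive
)

SYSTEM_PREFIXES = ("c:\\windows\\",)                            # assumption: OS/loader noise lives here
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".cpl")              # assumption: what counts as a payload candidate
DLL_CAPABILITIES = {                                            # assumption: coarse hints from loaded system DLLs
    "wininet.dll": "http(wininet)", "winhttp.dll": "http(winhttp)",
    "ws2_32.dll": "sockets", "dnsapi.dll": "dns",
    "rsaenh.dll": "crypto(capi)", "cryptsp.dll": "crypto(capi)",
}

# Lines copied from the File trace of this report (a representative subset).
SAMPLE_TRACE = """\
14/2/2020 - 14:45:43.903Open1480C:\\malware.exeC:\\Windows\\SysWOW64\\rpcss.dll
14/2/2020 - 14:45:43.903Read1480C:\\malware.exeC:\\Windows\\Fonts\\StaticCache.datStaticCache.dat
14/2/2020 - 14:46:33.903Open1480C:\\malware.exeC:\\malware.exe.Local
14/2/2020 - 14:46:34.309Open1480C:\\malware.exeC:\\Users\\Behemot\\AppData\\Roaming\\fIfGxm
14/2/2020 - 14:46:34.356Open1480C:\\malware.exeC:\\Windows\\SysWOW64\\winhttp.dll
14/2/2020 - 14:46:34.403Open1480C:\\malware.exeC:\\Windows\\SysWOW64\\dnsapi.dll
14/2/2020 - 14:46:34.637Open1480C:\\malware.exeC:\\Windows\\SysWOW64\\rsaenh.dll
14/2/2020 - 14:46:36.59Open1480C:\\malware.exeC:\\Windows\\SysWOW64\\ws2_32.dll
14/2/2020 - 14:46:38.325Open1480C:\\malware.exeC:\\Users\\Behemot\\AppData\\Roaming\\fIfGxm\\LOyGbV.exe
14/2/2020 - 14:46:38.325Open1480C:\\malware.exeC:\\Users\\Behemot\\AppData\\Roaming\\fIfGxm\\KXxJZk.exe
14/2/2020 - 14:46:38.325Open1480C:\\malware.exeC:\\Monitor\\LOyGbV.exe
"""

# Network indicators as listed in the DNS, TCP and HTTP sections of this report.
SAMPLE_NETWORK = {
    "domains": ["aura.krakow.pl"],
    "ips": ["193.105.32.185"],
    "urls": ["http://aura.krakow.pl/scripts/mod-18/mod02.png",
             "http://aura.krakow.pl/scripts/mod-18/mod01.png"],
}


def strip_doubled_name(path: str) -> str:
    """Undo the export quirk that appends the file name again: 'C:\\d\\x.datx.dat' -> 'C:\\d\\x.dat'."""
    for i in range(len(path) - 1, 0, -1):
        head, tail = path[:i], path[i:]
        if head.endswith("\\" + tail):
            return head
    return path


def parse_trace(text: str) -> list:
    """Turn exported trace lines into dicts; lines that do not match (headers, blanks) are skipped."""
    records = []
    for line in text.splitlines():
        m = TRACE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["target"] = strip_doubled_name(rec["target"])
        records.append(rec)
    return records


def triage(records: list, network: dict) -> dict:
    """Separate loader noise from executables touched outside the system tree and collect IOCs."""
    dropped, caps, ops = set(), set(), Counter()
    for rec in records:
        ops[rec["op"]] += 1
        target = rec["target"]
        name = target.rsplit("\\", 1)[-1].lower()
        if target.lower().startswith(SYSTEM_PREFIXES):
            if name in DLL_CAPABILITIES:
                caps.add(DLL_CAPABILITIES[name])          # what the loaded system DLLs imply
        elif name.endswith(EXECUTABLE_EXTS):
            dropped.add(target)                           # executable outside the system tree: follow up
    return {
        "processes": sorted({r["process"] for r in records}),
        "ops": dict(ops),
        "dropped_executables": sorted(dropped),
        "capabilities": sorted(caps),
        "network": network,
    }


if __name__ == "__main__":
    summary = triage(parse_trace(SAMPLE_TRACE), SAMPLE_NETWORK)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the sample above the summary lists the two executables under %APPDATA%\fIfGxm plus the C:\Monitor copy as follow-up candidates and reports http(winhttp), sockets, dns and crypto(capi) as capabilities, which matches the downloader verdicts in the VirusTotal section. Whether a flagged path belongs to the sample or to the sandbox harness is for the analyst to decide; the parser only separates it from loader noise.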

Results
BINARY
KNN (K=3, NFS-BRMalware): confidence 100.00%, suspicious: False
Decision Tree (NFS-BRMalware): confidence 100.00%, suspicious: True
SVC (Kernel=Linear, NFS-BRMalware): confidence 100.00%, suspicious: True
MalConv (Ember: Raw Bytes, Threshold=0.5): confidence 89.03%, suspicious: True
Random Forest (100 estimators, NFS-BRMalware): confidence 73.00%, suspicious: True
Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35): confidence 82.20%, suspicious: False
LightGBM (Ember: File Characteristics, Threshold=0.8336): confidence 99.77%, suspicious: False
