Report #6772

  • Creation Date: Feb. 18, 2020, 3:29 p.m.
  • Last Update: Feb. 19, 2020, 4:55 a.m.
  • File: net1.exe
  • Results:
Binary
DLL: False
Size: 124.00KB
trid
41.0% Win32 Executable MS Visual C++
36.3% Win64 Executable
8.6% Win32 Dynamic Link Library
5.9% Win32 Executable
2.6% OS/2 Executable
type: PE
wordsize: 32
Subsystem: Windows CLI
Hashes
md5: dc2c73cd32dd4f5cc77c5f269631fee3
sha1: 0f9ccec798ccf517a77c7a4eb637d75d3b07dccb
crc32: 0x3dd567a0
sha224: cb4fc46dedcaaf375d8fd4287dfda92d918b4ecd422fd9853028249c
sha256: bf24fc24a1cbc920e4cb68e7a6767b8898495307da21f04a0a919bc4bda8ce68
sha384: 479796e10feacb5bc895da5960c3dc0662a6d0965c18c06167c56cb7ba44ddfe46b8e35298cefdc52071ff5518f46ced
sha512: fd4950af6bbcda18a66a3292ff85aa340761a642d09193ebbbdeeddd92dfb3d4353199a66b1e56d5fc733aa0f93f2901a7ee32d269ebd695614a0cb425095462
ssdeep: 3072:Byn5QtAuRqW/r8QBgOp5yPJmOthMopsWkNCPjyW:kQF8QmIys7bWkNCOW
Community
Google: False
HashLib: False
YARA
Matches: DebuggerHiding__Thread, maldoc_getEIP_method_1, domain, Dropper_Strings, win_token, contentis_base64, spreading_share, win_registry, HasDebugData, IsConsole, win_files_operation, IsPE32, HasRichSignature
Suspicious: True

Strings
List
t9HHt.Ht
net1.pdb
YYt.Ht#Ht
System\Setup
F.PW
NETAPI32.dll
NETAPI32.dll
NTDSAPI.dll
NTDSAPI.dll
NETRAP.dll
NETRAP.dll
ntdll.dll
SAMLIB.dll
SAMLIB.dll
\Device\LanmanRedirector
net1.exe
net1.exe
System\CurrentControlSet\Services\Tcpip\Parameters
System\WPA\Starter
%2.2lu%ws%2.2lu%ws%2.2lu
%5.5ws%Fws%6hu
%-*.*ws%hu
%-*.*ws%lu
%-*.*ws%lu
computer
receiver
%Fws %ws%*ws%2hu %ws%16.16ws*%ws*
%2.2lu%ws %2.2lu%ws %2.2lu%ws
System\CurrentControlSet\Services\w32time\Parameters
/COMMAND
_wcsnicmp
_strnicmp
_wcsicmp
/CMDFILE
/NETWORK
\PIPE\LANMAN
/PERSISTENT
/PASSWORDREQ
/PASSWORD
/LOGONSERVER
_stricmp
/PASSWORDCHG
/HIDDEN
sShortDate
/DRIVER
/DEBUG
ADMIN$
-= XOR 2009 Valhalla =- Assembled 1997 .. Activated 07.2002 - devoted for peace and harmony in universe against war, racism, terrorism and cruel brutality .. remember .. life is the most important thing - not money .. it's time for a revolution NOW ....
PANIC: expression too complex, please simplify;
GetProcAddress
GetPrinterDriverA
/RANDOMIZE
GetNcpSecretKey
redirector
SShp
LanmanWorkstation
lanmanworkstation
TerminateProcess
NWPasswordSet
LanmanServer
ntpserver
Installed
lanmanserver
OpenServiceW
GetModuleFileNameW
OpenSCManagerW
RegQueryValueExW
LoadLibraryW
QueryPerformanceCounter
WriteFile
RegSetValueExW
FreeLibrary
RegDeleteValueW
RegOpenKeyExW
GetModuleHandleA
NetShareEnum
/COMPUTERNAME
Net Command
NWPassword
Microsoft Corporation. All rights reserved.
/RANDOM
/RANDOM
_wfopen
/OPTIONS
GetTickCount
/AUTODISCONNECT
server
/DELETE
/DELETE
Sleep
fread
send
NWAttachToFileServerW
I_NetPathType
GetConsoleOutputCP
/IMPORTPATH
/EXPORTPATH
/SCRIPTPATH
/QUERYSNTP
/QUERYSNTP

Foremost
Matches: 0.exe, 124 KB
Suspicious: True
Heuristics
IPs
hasIPs: False
hasAllowed: False
hasSuspicious: False

URLs
hasURLs: False
hasAllowed: False
hasSuspicious: False

Files
Allowed: NWAPI32.DLL, FPNWCLNT.DLL, ntdll.dll, ADVAPI32.dll, NTDSAPI.dll, SAMLIB.dll, msvcrt.dll, NETAPI32.dll, KERNEL32.dll, NETRAP.dll
hasFiles: True
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA: 16 (Suspicious: False)
Code: 55808 (Suspicious: False)
Image Address: 16777216 (Suspicious: False)
Stack: 4096 (Suspicious: False)
Headers: 1024 (Suspicious: False)
Suspicious: False

Symbols
Number: 0 (Suspicious: True)
Pointer: 0 (Suspicious: True)
Directories
Number: 16 (Suspicious: False)

Checksum
Value: 166171 (Suspicious: False)

Sections
Allowed: .text, .data, .rsrc, xor
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS Version: 5 (Suspicious: False)
Image Version: 5 (Suspicious: False)
Linker Version: 7.10 (Suspicious: False)
Subsystem Version: 4.0 (Suspicious: False)
Suspicious: False

EntryPoint
Address: 176128 (Suspicious: False)

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True

Libraries
Allowed: ntdll.dll, advapi32.dll, ntdsapi.dll, samlib.dll, msvcrt.dll, netapi32.dll, kernel32.dll
Suspicious: nwapi32.dll, fpnwclnt.dll, netrap.dll
hasLibs: True
hasAllowed: True
hasSuspicious: True

Timestamp
Value: 2008-04-13 15:33:48
Valid: True
Past: False
Future: False
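The three static findings above that matter are the checksum anomaly (the stored value 166171 no longer matches the file), the non-standard section named "xor" next to .text/.data/.rsrc, and an entry point at RVA 176128 (0x2B000) that lies well past the 55808-byte code section. Together they are the usual fingerprint of an appending file infector, which is what the Valla/Xorala labels in the VirusTotal section name; the "-= XOR 2009 Valhalla =-" string is the same family's marker. The zero symbol-table count flagged as suspicious above is, by contrast, normal for any release build and carries no weight on its own. The script below is an added example, not the sandbox's code: it recomputes the PE checksum with the standard library only (no pefile) and reports where the entry point lands. It works on any PE32/PE32+ file; the image it runs on here is a minimal one constructed in memory, not net1.exe, whose "infected" variant mimics the layout of this report.

```python
"""Static PE triage: recompute the header checksum and locate the entry point.
Added example (not the sandbox's code); standard library only. The sample PE
is constructed in memory below and is not net1.exe."""
import struct

# Section names a Microsoft linker normally emits; anything else deserves a look.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".pdata"}


def _e_lfanew(data: bytes) -> int:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    return struct.unpack_from("<I", data, 0x3C)[0]


def pe_checksum(data: bytes) -> int:
    """PE/COFF checksum as CheckSumMappedFile computes it: sum the file as 32-bit
    words with end-around carry, skipping the CheckSum field itself, fold to
    16 bits and add the file length. Assumes the CheckSum field is 4-byte aligned,
    which holds for any linker-produced header."""
    checksum_off = _e_lfanew(data) + 4 + 20 + 64   # signature + COFF header + OptionalHeader.CheckSum
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def parse_pe(data: bytes) -> dict:
    """Read the few header fields triage needs; offsets are shared by PE32 and PE32+."""
    pe = _e_lfanew(data)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint (RVA)
    stored = struct.unpack_from("<I", data, opt + 64)[0]       # CheckSum
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "size": max(vsize, rawsize), "rawptr": rawptr, "rawsize": rawsize})
    return {"entry": entry, "stored_checksum": stored, "sections": sections}


def triage(data: bytes) -> dict:
    info = parse_pe(data)
    secs = info["sections"]
    computed = pe_checksum(data)
    entry = info["entry"]
    ep_sec = next((s for s in secs if s["va"] <= entry < s["va"] + s["size"]), None)
    findings = []
    # A zero CheckSum is common for third-party builds (the linker fills it only with
    # /RELEASE); a non-zero value that no longer matches means the file changed after linking.
    if info["stored_checksum"] and info["stored_checksum"] != computed:
        findings.append("checksum mismatch")
    unusual = [s["name"] for s in secs if s["name"] not in COMMON_SECTIONS]
    if unusual:
        findings.append("unusual section names: " + ", ".join(unusual))
    if ep_sec is None:
        findings.append("entry point outside every section")
    elif len(secs) > 1 and ep_sec is secs[-1]:
        findings.append("entry point in last section")   # classic appended-infector layout
    return {"entry_section": ep_sec["name"] if ep_sec else None,
            "stored_checksum": info["stored_checksum"], "computed_checksum": computed,
            "findings": findings}


def build_sample(infected: bool) -> bytes:
    """Constructed PE32 for demonstration (not net1.exe). Clean: entry point in .text.
    Infected: an appended 'xor' section holds the entry point, old checksum kept."""
    sections = [(b".text", 0x1000, b"\xC3" + b"\0" * 0x1FF),            # ret
                (b".data", 0x2000, b"\0" * 0x200)]
    if infected:
        sections.append((b"xor", 0x3000, b"\xEB\xFE" + b"\0" * 0x1FE))  # jmp $
    hdr_size = 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                        # e_lfanew
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 16, sections[-1][1] if infected else sections[0][1])
    struct.pack_into("<I", opt, 28, 0x400000)                          # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                    # Section/FileAlignment
    struct.pack_into("<II", opt, 56, sections[-1][1] + 0x1000, hdr_size)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 3)                                 # IMAGE_SUBSYSTEM_WINDOWS_CUI
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    table, body, raw = b"", b"", hdr_size
    for name, va, payload in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(payload), va, len(payload), raw, 0, 0, 0, 0, 0x60000020)
        raw += len(payload)
        body += payload
    image = dos + coff + opt + table
    return bytes(image) + b"\0" * (hdr_size - len(image)) + body


def set_checksum(data: bytes, value: int) -> bytes:
    out = bytearray(data)
    struct.pack_into("<I", out, _e_lfanew(data) + 4 + 20 + 64, value)
    return bytes(out)


CLEAN = set_checksum(build_sample(False), pe_checksum(build_sample(False)))
# The infector appended a section and moved the entry point but left the original checksum.
INFECTED = set_checksum(build_sample(True), pe_checksum(build_sample(False)))

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, triage(image))
```

Run against a real file with `triage(open(path, "rb").read())`. The checksum comparison is the strong signal here: Windows only enforces it for drivers, so an infector has no reason to fix it, and a stale non-zero value is hard evidence of post-link modification. Entry-point-in-last-section is a heuristic, not proof; packers and some legitimate build tools produce the same layout.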

Compilation
Packed: False
Missing: True
Packers: (none)
Compiled: False
Compilers: (none)

Obfuscation
XOR: False
Fuzzing: False

PEDetector
Matches: None
Suspicious: False
Disassembly
hasTricks: False
Tricks: (none)
AVclass: xorala (1)
VirusTotal
md5: dc2c73cd32dd4f5cc77c5f269631fee3
sha1: 0f9ccec798ccf517a77c7a4eb637d75d3b07dccb
SCANS (DETECTION RATE = 91.04%)
AVG: Win32:Valla (update 20180216, version 18.1.3800.0, detected)
CMC: Virus.Win32!O (update 20180216, version 1.1.0.977, detected)
MAX: malware (ai score=82) (update 20180216, version 2017.11.15.1, detected)
Bkav: W32.Valla (update 20180212, version 1.3.0.9466, detected)
K7GW: Virus ( 0008d6e31 ) (update 20180216, version 10.40.26234, detected)
ALYac: Win32.Valhalla.2048 (update 20180216, version 1.1.1.5, detected)
Avast: Win32:Valla (update 20180216, version 18.1.3800.0, detected)
Avira: W32/Xorala.b (update 20180216, version 8.3.3.6, detected)
Baidu: Win32.Virus.Xorala.a (update 20180208, version 1.0.0.2, detected)
Cyren: W32/Harmony.A (update 20180216, version 5.4.30.7, detected)
DrWeb: Win32.Valhala.2048 (update 20180216, version 7.0.28.2020, detected)
GData: Win32.Virus.Xorala.A (update 20180216, version A:25.16049B:25.11597, detected)
Panda: W32/Valla.2048 (update 20180216, version 4.6.4.2, detected)
VBA32: Win32.Xoralda.2048 (update 20180216, version 3.12.28.0, detected)
VIPRE: Virus.Win32.Valla.a (v) (update 20180216, version 64642, detected)
Zoner: Win32.Xorala.A (update 20180216, version 1.0, detected)
AVware: Virus.Win32.Valla.a (v) (update 20180216, version 1.5.0.42, detected)
ClamAV: Win.Trojan.Xorala-1 (update 20180216, version 0.99.2.0, detected)
Comodo: Virus.Win32.Xorala.b0 (update 20180216, version 28535, detected)
F-Prot: W32/Harmony.A (update 20180216, version 4.7.1.166, detected)
Ikarus: Win32.Xorala (update 20180216, version 0.1.5.2, detected)
McAfee: W32/Valla.a (update 20180216, version 6.0.6.653, detected)
Rising: Win32.Xorala.a (CLASSIC) (update 20180216, version 25.0.0.1, detected)
Sophos: W32/Rox-A (update 20180216, version 4.98.0, detected)
Yandex: Win32.Xorala (update 20180216, version 5.5.1.3, detected)
Zillya: Virus.Xorala.Win32.1 (update 20180216, version 2.0.0.3493, detected)
Arcabit: Win32.Valhalla.2048 (update 20180216, version 1.0.0.830, detected)
Cylance: Unsafe (update 20180216, version 2.3.1.101, detected)
Endgame: malicious (high confidence) (update 20180214, version 1.2.0, detected)
Tencent: Virus.Win32.Valla.a (update 20180216, version 1.0.0.1, detected)
ViRobot: Win32.Valla.2048 (update 20180216, version 2014.3.20.0, detected)
Webroot: not detected (update 20180216, version 1.0.0.207)
eGambit: not detected (update 20180216, version v4.3.4)
Ad-Aware: Win32.Valhalla.2048 (update 20180216, version 3.0.3.1010, detected)
AegisLab: W32.W.Runouce.l4QL (update 20180216, version 4.2, detected)
Emsisoft: Win32.Valhalla.2048 (B) (update 20180216, version 4.0.2.899, detected)
F-Secure: not detected (update 20180210, version 11.0.19100.45)
Fortinet: W32/Valla.2048 (update 20180216, version 5.4.247.0, detected)
Invincea: heuristic (update 20180121, version 6.3.4.26036, detected)
Jiangmin: Hacktool/VB.ASPX.a (update 20180216, version 16.0.100, detected)
Kingsoft: Win32.Xorala.2048 (update 20180216, version 2013.8.14.323, detected)
Paloalto: generic.ml (update 20180216, version 1.0, detected)
Symantec: W32.Valla.2048 (update 20180216, version 1.5.0.0, detected)
nProtect: Virus/W32.Valla (update 20180216, version 2018-02-16.02, detected)
AhnLab-V3: Win32/Valla.2048 (update 20180216, version 3.11.3.19504, detected)
Antiy-AVL: Virus/Win32.Xorala.b (update 20180216, version 3.0.0.1, detected)
Kaspersky: Virus.Win32.Xorala (update 20180216, version 15.0.1.13, detected)
Microsoft: Virus:Win32/Valla.2048 (update 20180216, version 1.1.14500.5, detected)
Qihoo-360: Virus.Win32.Agent.A (update 20180216, version 1.0.0.1120, detected)
TheHacker: W32/Valla.a (update 20180213, version 6.8.0.5.2403, detected)
ZoneAlarm: Virus.Win32.Xorala (update 20180216, version 1.0, detected)
ESET-NOD32: Win32/Xorala.A (update 20180216, version 16915, detected)
TrendMicro: PE_VALLA.A (update 20180216, version 9.862.0.1074, detected)
WhiteArmor: not detected (update 20180205)
BitDefender: Win32.Valhalla.2048 (update 20180216, version 7.2, detected)
CrowdStrike: malicious_confidence_100% (W) (update 20170201, version 1.0, detected)
K7AntiVirus: Virus ( 0008d6e31 ) (update 20180216, version 10.40.26233, detected)
SentinelOne: static engine - malicious (update 20180115, version 1.0.12.202, detected)
Avast-Mobile: not detected (update 20180216, version 180216-02)
Malwarebytes: Virus.Valhalla (update 20180216, version 2.1.1.1115, detected)
TotalDefense: Win32/Valla.2048 (update 20180216, version 37.1.62.1, detected)
CAT-QuickHeal: W32.Xorala (update 20180216, version 14.00, detected)
NANO-Antivirus: Virus.Win32.Xorala.cbehdj (update 20180216, version 1.0.100.21498, detected)
MicroWorld-eScan: Win32.Valhalla.2048 (update 20180216, version 14.0.297.0, detected)
SUPERAntiSpyware: not detected (update 20180216, version 5.6.0.1032)
McAfee-GW-Edition: BehavesLike.Win32.Virut.ch (update 20180216, version v2015, detected)
TrendMicro-HouseCall: PE_VALLA.A (update 20180216, version 9.950.0.1006, detected)

total: 67
positives: 61
sha256: bf24fc24a1cbc920e4cb68e7a6767b8898495307da21f04a0a919bc4bda8ce68
scan_id: bf24fc24a1cbc920e4cb68e7a6767b8898495307da21f04a0a919bc4bda8ce68-1518791261
resource: dc2c73cd32dd4f5cc77c5f269631fee3
scan_date: 2018-02-16 14:27:41
verbose_msg: Scan finished, information embedded
response_code: 1
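The AVclass line earlier in this report reduces the 61 vendor labels above to the single family name "xorala". The labels themselves spell the family three ways (Valla, Xorala, Valhalla) plus one-offs such as Harmony, Rox and Virut, so a naive majority over raw strings would not give one answer; the tool tokenizes each label, discards platform and type words, and merges aliases before voting. The script below is an added example of that voting, not the sandbox's or AVclass's code. LABELS is a subset copied verbatim from the scan table; ALIASES is an assumption made for illustration, because AVclass learns aliases from label co-occurrence across a corpus rather than from a hand-written table.

```python
"""Family-name voting over AV labels, the idea behind the AVclass result above.
Added example, not the sandbox's or AVclass's code. LABELS is a subset copied
from this report; ALIASES is an illustrative assumption."""
import re
from collections import Counter

# Labels copied from the VirusTotal section of this report (subset).
LABELS = {
    "AVG": "Win32:Valla",
    "Avira": "W32/Xorala.b",
    "Baidu": "Win32.Virus.Xorala.a",
    "ALYac": "Win32.Valhalla.2048",
    "Cyren": "W32/Harmony.A",
    "ClamAV": "Win.Trojan.Xorala-1",
    "Kaspersky": "Virus.Win32.Xorala",
    "Microsoft": "Virus:Win32/Valla.2048",
    "Symantec": "W32.Valla.2048",
    "TrendMicro": "PE_VALLA.A",
    "Sophos": "W32/Rox-A",
    "McAfee-GW-Edition": "BehavesLike.Win32.Virut.ch",
    "Paloalto": "generic.ml",
    "Qihoo-360": "Virus.Win32.Agent.A",
    "CrowdStrike": "malicious_confidence_100% (W)",
    "ESET-NOD32": "Win32/Xorala.A",
    "BitDefender": "Win32.Valhalla.2048",
}

# Tokens that describe platform, type or confidence rather than a family.
GENERIC = {"win32", "w32", "win", "pe", "virus", "trojan", "malware", "generic",
           "malicious", "confidence", "behaveslike", "agent", "heuristic", "unsafe"}

# Assumed alias table (illustration only): vendors name this family differently.
ALIASES = {"valla": "xorala", "valhalla": "xorala"}


def family_tokens(label: str, aliases: dict = None) -> set:
    """Split a vendor label into candidate family tokens: lower-case it, drop
    generic words and variant/suffix tokens (short or containing digits), then
    map aliases onto one canonical name. Returns a set so an engine that repeats
    a token still gets one vote."""
    aliases = aliases or {}
    tokens = set()
    for tok in re.split(r"[^a-z0-9]+", label.lower()):
        if len(tok) < 3 or any(ch.isdigit() for ch in tok) or tok in GENERIC:
            continue
        tokens.add(aliases.get(tok, tok))
    return tokens


def family_vote(labels: dict, aliases: dict = None) -> list:
    """One vote per engine per family token; returns (family, votes) ranked."""
    votes = Counter()
    for label in labels.values():
        votes.update(family_tokens(label, aliases))
    return votes.most_common()


if __name__ == "__main__":
    print("raw tokens:", family_vote(LABELS))
    print("with aliases:", family_vote(LABELS, ALIASES))
```

Without the alias table the subset already ranks xorala first, but only by one engine over valla; over the full table the Valla and Xorala spellings are nearly tied, which is why alias resolution, not raw counting, decides the family name. The generic-token list is the part that needs care in practice: a vendor's boilerplate word that slips through (here "agent" or "generic") would otherwise become a spurious "family".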
File Trace: none
Process Trace: none
Analysis
Reason: Blue Screen
Status: Execution Failed
Results: 0
Registry Trace: none

File Summary
Created: False
Deleted: False

Process Summary
Created: False
Deleted: False

Registry Summary
Proxy: False
AutoRun: False
Created: False
Deleted: False
Browsers: False
Internet: False


DNS Query: none
DNS Response: none
TCP Info: none
UDP Info: none
HTTP Info: none

Summary
DNS: False
TCP: False
UDP: False
HTTP: False

Results
BINARY
KNN (K=3, NFS-BRMalware): confidence 66.67%, suspicious False
Decision Tree (NFS-BRMalware): confidence 100.00%, suspicious True
SVC (Kernel=Linear, NFS-BRMalware): confidence 99.64%, suspicious False
MalConv (Ember: Raw Bytes, Threshold=0.5): confidence 94.09%, suspicious False
Random Forest (100 estimators, NFS-BRMalware): confidence 54.00%, suspicious True
Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35): confidence 71.11%, suspicious False
LightGBM (Ember: File Characteristics, Threshold=0.8336): confidence 99.05%, suspicious False
