Report #7175

  • Creation Date: Feb. 20, 2020, 4:45 p.m.
  • Last Update: Feb. 20, 2020, 10:05 p.m.
  • File: zq.exe
  • Results:
Binary
DLL: False
Size: 3.64MB
trid: 50.9% Windows screen saver; 17.5% Win32 Executable; 8.0% Win16/32 Executable Delphi generic; 7.8% OS/2 Executable; 7.7% Generic Win/DOS Executable
type: PE
wordsize: 32
Subsystem: Windows GUI
Hashes
md5: 4aca58dd6c2fa0b6f350f34e8f99f6aa
sha1: fa8fdd604bccfe6f9abc9a15acbf36cb87559c27
crc32: 0x2a0622fb
sha224: 481ff441ce59b107f6d6334c328719959895cd64a5e9c39be3637e40
sha256: 308565b11e063f7dacba969951e467bdc31d297a77f6b67843b8d9aeea214790
sha384: 498bc8461c36c6ea0220246676763125656c37e7a176a077f12cea1f9225d03771671d9d00251c96eebfed5c5d8d7396
sha512: 3e008ce7270cf45c08b830589024ec2a7ab9b43e483c1102d9bead943499d4b8072bd725336bb9205be8d41f05aeba7b573e9505a22c4067ce1406b2e1d110e7
ssdeep: 49152:eN3DdpKjvp+vxp6wWNCMDyilPjkOOXBWayfD7p7kRPOCtUHdGTAJrHiXSNgxr7/J:eFDdDqYqCW1PuRPrtU9j/Ngxfk0Toz0
Community
Google: False
HashLib: False
YARA
Matches: HasDigitalSignature, url, IP, contentis_base64, android_meterpreter, IsPacked, HasOverlay, IsPE32, IsWindowsGUI
Suspicious: True

Strings
List

Foremost
Matches: 0.exe, 3 MB
Suspicious: True
Heuristics
IPs
hasIPs: False
Allowed
Suspicious
hasAllowed: False
hasSuspicious: False

URLs
Allowed: http://schemas.microsoft.com/smi/2005/windowssettings
hasURLs: True
Suspicious: http://www.usertrust.com1, http://icp-brasil.outralcr.com.br/repositorio/lcr/acinstitutofenaconrfbg2/latestcrl.crl0, http://crl.usertrust.com/utn-userfirst-object.crl05, http://repositorio.icpbrasil.gov.br/lcr/certisign/acinstitutofenaconrfbg2/latestcrl.crl0, http://ocsp.usertrust.com0, http://icp-brasil.acfenacon.com.br/repositorio/dpc/ac-instituto-fenacon-rfb/dpc_ac_ifenacon_rfb.pdf0, http://ocsp.certisign.com.br0, http://icp-brasil.acfenacon.com.br/repositorio/certificados/ac_instituto_fenacon_rfbg2.p7c0(, http://icp-brasil.acfenacon.com.br/repositorio/lcr/acinstitutofenaconrfbg2/latestcrl.crl0
hasAllowed: True
hasSuspicious: True

Files
Allowed: netapi32.dll, ushell32.dll, oleaut32.dll, wininet.dll, comctl32.dll, SHFolder.dll, Okernel32.dll, user32.dll, \msvcrt.dll, advapi32.dll, gdi32.dll, wsock32.dll, version.dll, luser32.dll, ole32.dll
hasFiles: True
Suspicious
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA
RVA: 16
Suspicious: False
Code
Size: 1545728
Suspicious: False
Image
Address: 4194304
Suspicious: False
Stack
Stack: 16384
Suspicious: False
Headers
Headers: 1024
Suspicious: False
Suspicious: False

Symbols
Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 3831395
Suspicious: False

Sections
Allowed: .text, .itext, .data, .bss, .idata, .didata, .edata, .tls, .rdata, .vmp0, .vmp1, .reloc, .rsrc
Suspicious
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS
Version: 5
Suspicious: False
Image
Version: 5
Suspicious: True
Linker
Version: 2.25
Suspicious: False
Subsystem
Version: 5.0
Suspicious: False
Suspicious: False

EntryPoint
Address: 5993932
Suspicious: False

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True

Libraries
Allowed: netapi32.dll, oleaut32.dll, wininet.dll, comctl32.dll, shfolder.dll, user32.dll, advapi32.dll, gdi32.dll, wsock32.dll, version.dll, ole32.dll
hasLibs: True
Suspicious: ushell32.dll, okernel32.dll, \msvcrt.dll, luser32.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Past: False
Valid: True
Value: 2017-06-01 19:26:00
Future: False

Compilation
Packed: False
Missing: True
Packers
Compiled: False
Compilers

Obfuscation
XOR: False
Fuzzing: False

PEDetector
Matches: None
Suspicious: False
Disassembly
hasTricks: True
Tricks
pushret
none: 1368
.rsrc: 19

pushpopmath
none: 1710
.rsrc: 14

ss register
none: 20
.rsrc: 1

garbagebytes
none: 568
.rsrc: 12

hookdetection
none: 72

software breakpoint
none: 138

fakeconditionaljumps
none: 46

programcontrolflowchange
none: 524
.rsrc: 12

cpuinstructionsresultscomparison
none: 13
.rsrc: 9

AVclass
banbra: 1
VirusTotal
md5: 4aca58dd6c2fa0b6f350f34e8f99f6aa
sha1: fa8fdd604bccfe6f9abc9a15acbf36cb87559c27
SCANS (DETECTION RATE = 68.66%)
AVG (version 18.4.3895.0, update 20180603): detected, Win32:Trojan-gen
CMC (version 1.1.0.977, update 20180603): not detected
MAX (version 2017.11.15.1, update 20180603): detected, malware (ai score=87)
Bkav (version 1.3.0.9466, update 20180601): detected, HW32.Packed.8414
K7GW (version 10.48.27343, update 20180603): detected, Trojan-Downloader ( 005124be1 )
ALYac (version 1.1.1.5, update 20180602): detected, Trojan.Generic.21668276
Avast (version 18.4.3895.0, update 20180603): detected, Win32:Trojan-gen
Avira (version 8.3.3.6, update 20180603): detected, TR/Crypt.XPACK.Gen7
Baidu (version 1.0.0.2, update 20180531): not detected
Cyren (version 6.0.0.4, update 20180603): detected, W32/Trojan.ZPCY-7980
DrWeb (version 7.0.28.2020, update 20180603): not detected
GData (version A:25.17292B:25.12403, update 20180603): detected, Trojan.Generic.21668276
Panda (version 4.6.4.2, update 20180603): detected, Trj/GdSda.A
VBA32 (version 3.12.32.0, update 20180601): detected, TrojanBanker.Banbra
VIPRE (version 67028, update 20180603): detected, Trojan.Win32.Generic!BT
Zoner (version 1.0, update 20180602): not detected
AVware (version 1.5.0.42, update 20180603): detected, Trojan.Win32.Generic!BT
ClamAV (version 0.99.2.0, update 20180603): not detected
Comodo (version 29125, update 20180603): not detected
F-Prot (version 4.7.1.166, update 20180603): not detected
Ikarus (version 0.1.5.2, update 20180603): detected, Trojan-Spy.Agent
McAfee (version 6.0.6.653, update 20180603): detected, GenericRXCA-VQ!4ACA58DD6C2F
Rising (version 25.0.0.1, update 20180603): not detected
Sophos (version 4.98.0, update 20180603): detected, Mal/Generic-S
Yandex (version 5.5.1.3, update 20180529): detected, Trojan.PWS.Banbra!fKCUX7gYb+Q
Zillya (version 2.0.0.3565, update 20180601): detected, Trojan.Banker.Win32.115766
Arcabit (version 1.0.0.831, update 20180603): detected, Trojan.Generic.D14AA1B4
Babable (version 9107201, update 20180406): not detected
Cylance (version 2.3.1.101, update 20180603): detected, Unsafe
Endgame (version 2.1.2, update 20180507): detected, malicious (high confidence)
Tencent (version 1.0.0.1, update 20180603): not detected
ViRobot (version 2014.3.20.0, update 20180603): not detected
Webroot (version 1.0.0.403, update 20180603): detected, W32.Malware.Gen
eGambit (version v4.3.5, update 20180603): detected, PE.Heur.InvalidSig
Ad-Aware (version 3.0.5.370, update 20180603): detected, Trojan.Generic.21668276
AegisLab (version 4.2, update 20180603): detected, Ml.Attribute.Gen!c
Emsisoft (version 4.0.2.899, update 20180603): detected, Trojan.Generic.21668276 (B)
F-Secure (version 11.0.19100.45, update 20180603): detected, Trojan.Generic.21668276
Fortinet (version 5.4.247.0, update 20180603): not detected
Invincea (version 6.3.5.26121, update 20180601): detected, heuristic
Jiangmin (version 16.0.100, update 20180603): not detected
Kingsoft (version 2013.8.14.323, update 20180603): not detected
Paloalto (version 1.0, update 20180603): detected, generic.ml
Symantec (version 1.6.0.0, update 20180602): detected, ML.Attribute.HighConfidence
nProtect (version 2018-06-03.02, update 20180603): not detected
AhnLab-V3 (version 3.12.1.20996, update 20180603): detected, Trojan/Win32.Banbra.C1997477
Antiy-AVL (version 3.0.0.1, update 20180603): detected, Trojan[Banker]/Win32.Banbra
Kaspersky (version 15.0.1.13, update 20180603): detected, Trojan-Banker.Win32.Banbra.vzkg
Microsoft (version 1.1.14901.4, update 20180603): detected, TrojanSpy:Win32/Banker
Qihoo-360 (version 1.0.0.1120, update 20180603): not detected
TheHacker (version 6.8.0.5.3045, update 20180530): not detected
ZoneAlarm (version 1.0, update 20180603): detected, Trojan-Banker.Win32.Banbra.vzkg
ESET-NOD32 (version 17491, update 20180603): detected, a variant of Win32/Spy.Mekotio.M
TrendMicro (version 10.0.0.1040, update 20180603): detected, TROJ_GEN.R002C0DBF18
BitDefender (version 7.2, update 20180603): detected, Trojan.Generic.21668276
CrowdStrike (version 1.0, update 20180530): detected, malicious_confidence_100% (D)
K7AntiVirus (version 10.48.27343, update 20180602): detected, Trojan-Downloader ( 005124be1 )
SentinelOne (version 1.0.15.206, update 20180225): detected, static engine - malicious
Avast-Mobile (version 180602-06, update 20180602): not detected
Malwarebytes (version 2.1.1.1115, update 20180603): not detected
TotalDefense (version 37.1.62.1, update 20180602): not detected
CAT-QuickHeal (version 14.00, update 20180603): detected, TrojanBanker.Banbra
NANO-Antivirus (version 1.0.106.22618, update 20180603): detected, Trojan.Win32.Banbra.epvatg
MicroWorld-eScan (version 14.0.297.0, update 20180603): detected, Trojan.Generic.21668276
SUPERAntiSpyware (version 5.6.0.1032, update 20180603): not detected
McAfee-GW-Edition (version v2017.2786, update 20180603): detected, BehavesLike.Win32.Backdoor.wc
TrendMicro-HouseCall (version 9.950.0.1006, update 20180603): detected, TROJ_GEN.R002C0DBF18

total: 67
sha256: 308565b11e063f7dacba969951e467bdc31d297a77f6b67843b8d9aeea214790
scan_id: 308565b11e063f7dacba969951e467bdc31d297a77f6b67843b8d9aeea214790-1528031068
resource: 4aca58dd6c2fa0b6f350f34e8f99f6aa
positives: 46
scan_date: 2018-06-03 13:04:28
verbose_msg: Scan finished, information embedded
response_code: 1
Results
BINARY
KNN (K=3, NFS-BRMalware)
confidence: 66.67%
suspicious: True

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True

SVC (Kernel=Linear, NFS-BRMalware)
confidence: 92.43%
suspicious: True

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 57.50%
suspicious: False

Random Forest (100 estimators, NFS-BRMalware)
confidence: 72.00%
suspicious: True

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 61.87%
suspicious: True

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 22.90%
suspicious: False