Report #727

  • Creation Date: Oct. 19, 2019, 2:57 a.m.
  • Last Update: Oct. 19, 2019, 8:57 a.m.
  • File: 031
  • Results:
Binary
DLL: False
Size: 344.47KB
trid:
41.0% Win32 Executable MS Visual C++
36.3% Win64 Executable
8.6% Win32 Dynamic Link Library
5.9% Win32 Executable
2.6% OS/2 Executable
type: PE
wordsize: 32
Subsystem: Windows GUI
Hashes
md5: e5f4925278e5ddc3ac7e5f153b82be04
sha1: f331ec226a40894fdc5ec948fb0ea739f0ffb760
crc32: 0x76592187
sha224: f714309436fffcc66c4f5118af1b49b534d553e0c7a16e92c1f394c3
sha256: 96492d73685049ae946b6d1e7583b4a39d1a650ec500a76ae5158fba2c407543
sha384: 918ce804675e6b6b264c4fe477feb9fb4971619970bdb3f39f81a2d9d2c9af356044d0c8ca6a92d8a7c4803752b9e124
sha512: 626d60b7cbc3120b3066f6af3c9a028d5da7c1c0a9dfa8daab38ef56ca22db471999b12279fbc8466ebbdbaaa2a945972298147acccb4d06da44feed5cab9289
ssdeep: 6144:hesw5fDwtzTmeajEDnNbdIMkQZh6gSbuoB9/rupmrbH5A7/N3f0fvRk9PwMh2lF:8soEV/DNbdIMnLsBBBQmrbHC7/qk5QF
Community
Google: True
HashLib: False
YARA
Matches: domain, contentis_base64, Check_OutputDebugStringA_iat, Borland_Delphi_Setup_Module, Borland_Delphi_DLL, Borland_Delphi_v40_v50, IP, SharedStrings, Borland_Delphi_40_additional, Borland_Delphi_30_, win_registry, Microsoft_Visual_Cpp_v50v60_MFC, HasOverlay, Borland_Delphi_40, Borland_Delphi_30_additional, IsPE32, Borland_Delphi_v30, IsWindowsGUI, anti_dbg, IsPacked
Suspicious: True

Strings
List

Foremost
Matches: 0.exe, 343 KB
Suspicious: True
Heuristics
IPs
hasIPs: True
Allowed: 3.9.139.161, 1, ec2-3-9-139-161.eu-west-2.compute.amazonaws.com.
Suspicious
hasAllowed: True
hasSuspicious: False

URLs
Allowed
hasURLs: False
Suspicious
hasAllowed: False
hasSuspicious: False

Files
Allowed: ADVAPI32.dll, msvcrt.dll, ntdll.dll, NMM.dll, KERNEL32.dll, GDI32.dll, USER32.dll
hasFiles: True
Suspicious
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA
RVA: 16
Suspicious: False
Code
Size: 296448
Suspicious: False
Image
Address: 4194304
Suspicious: False
Stack
Stack: 4096
Suspicious: False
Headers
Headers: 1024
Suspicious: False
Suspicious: False

Symbols
Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 392668
Suspicious: False

Sections
Allowed: .text, .data, .rdata, .bss, .idata, .crt, .tls, .rsrc
Suspicious
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS
Version: 4
Suspicious: False
Image
Version: 4
Suspicious: False
Linker
Version: 2.23
Suspicious: False
Subsystem
Version: 4.0
Suspicious: False
Suspicious: False

EntryPoint
Address: 11212
Suspicious: False

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True

Libraries
Allowed: advapi32.dll, msvcrt.dll, ntdll.dll, kernel32.dll, gdi32.dll, user32.dll
hasLibs: True
Suspicious: nmm.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Past: False
Valid: True
Value: 2011-04-27 11:15:48
Future: False

Compilation
Packed: False
Missing: False
Packers
Compiled: True
Compilers: Borland Delphi 3.0 (???), Borland Delphi 4.0

Obfuscation
XOR: False
Fuzzing: False

PEDetector
Matches: None
Suspicious: False
Disassembly
hasTricks: True
Tricks
pushret
.data: 69
.rsrc: 2
.text: 4
.rdata: 65

nopsequence
.text: 207

pushpopmath
.data: 46
.text: 1
.rdata: 40

ss register
.rdata: 1

garbagebytes
.data: 24
.text: 4
.rdata: 26

hookdetection
.data: 3
.rdata: 2

software breakpoint
.data: 2

fakeconditionaljumps
.data: 1
.text: 2
.rdata: 1

programcontrolflowchange
.data: 23
.text: 4
.rdata: 25

cpuinstructionsresultscomparison
.data: 3
.rdata: 1

AVclass
kovter: 1
VirusTotal
md5: e5f4925278e5ddc3ac7e5f153b82be04
sha1: f331ec226a40894fdc5ec948fb0ea739f0ffb760
SCANS (DETECTION RATE = 83.82%)
AVG | result: Win32:Malware-gen | update: 20191018 | version: 18.4.3895.0 | detected: True
CMC | update: 20190321 | version: 1.1.0.977 | detected: False
MAX | result: malware (ai score=100) | update: 20191018 | version: 2019.9.16.1 | detected: True
APEX | result: Malicious | update: 20191015 | version: 5.74 | detected: True
Bkav | update: 20191018 | version: 1.3.0.10239 | detected: False
K7GW | result: Trojan ( 0050b0231 ) | update: 20191010 | version: 11.72.32236 | detected: True
Avast | result: Win32:Malware-gen | update: 20191018 | version: 18.4.3895.0 | detected: True
Avira | result: HEUR/AGEN.1044121 | update: 20191018 | version: 8.3.3.8 | detected: True
Baidu | update: 20190318 | version: 1.0.0.2 | detected: False
Cyren | result: W32/Kovter.T.gen!Eldorado | update: 20191018 | version: 6.2.2.2 | detected: True
DrWeb | result: Trojan.SpyBot.703 | update: 20191018 | version: 7.0.41.7240 | detected: True
GData | result: Trojan.GenericKD.4800676 | update: 20191018 | version: A:25.23716B:26.16333 | detected: True
Panda | result: Trj/Genetic.gen | update: 20191017 | version: 4.6.4.2 | detected: True
VBA32 | result: BScope.Trojan.Bagsu | update: 20191018 | version: 4.2.0 | detected: True
Zoner | update: 20191017 | version: 1.0.0.1 | detected: False
ClamAV | result: Win.Trojan.Emotet-6530285-0 | update: 20191018 | version: 0.102.0.0 | detected: True
Comodo | result: Malware@#3c2jq0gg2ego2 | update: 20191018 | version: 31616 | detected: True
F-Prot | result: W32/Kovter.T.gen!Eldorado | update: 20191018 | version: 4.7.1.166 | detected: True
Ikarus | result: Trojan.Win32.Crypt | update: 20191018 | version: 0.1.5.2 | detected: True
McAfee | result: Trojan-FMSO!E5F4925278E5 | update: 20191018 | version: 6.0.6.653 | detected: True
Rising | result: Ransom.Tovicrypt!8.9F4B (TFE:2:xno2oS6q7gQ) | update: 20191018 | version: 25.0.0.24 | detected: True
Sophos | result: Mal/Kovter-Z | update: 20191018 | version: 4.98.0 | detected: True
Yandex | result: Trojan.Agent!jro3XfNjwFk | update: 20191018 | version: 5.5.2.24 | detected: True
Zillya | result: Trojan.Kryptik.Win32.1417972 | update: 20191017 | version: 2.0.0.3927 | detected: True
Acronis | result: suspicious | update: 20191005 | version: 1.1.1.58 | detected: True
Alibaba | result: Trojan:Win32/Kovter.76991845 | update: 20190527 | version: 0.3.0.5 | detected: True
Arcabit | result: Trojan.Generic.D4940A4 | update: 20191018 | version: 1.0.0.859 | detected: True
Cylance | result: Unsafe | update: 20191018 | version: 2.3.1.101 | detected: True
Endgame | result: malicious (high confidence) | update: 20190918 | version: 3.0.15 | detected: True
FireEye | result: Generic.mg.e5f4925278e5ddc3 | update: 20191018 | version: 29.7.0.0 | detected: True
TACHYON | update: 20191018 | version: 2019-10-18.02 | detected: False
Tencent | update: 20191018 | version: 1.0.0.1 | detected: False
ViRobot | result: Trojan.Win32.Z.Kovter.352739 | update: 20191018 | version: 2014.3.20.0 | detected: True
Webroot | result: W32.Trojan.Gen | update: 20191018 | version: 1.0.0.403 | detected: True
eGambit | result: Unsafe.AI_Score_99% | update: 20191018 | version: v5.0.6 | detected: True
Ad-Aware | result: Trojan.GenericKD.4800676 | update: 20191018 | version: 3.0.5.370 | detected: True
AegisLab | result: Trojan.Win32.Generic.4!c | update: 20191018 | version: 4.2 | detected: True
Emsisoft | result: Trojan.GenericKD.4800676 (B) | update: 20191018 | version: 2018.12.0.1641 | detected: True
F-Secure | result: Heuristic.HEUR/AGEN.1044121 | update: 20191018 | version: 12.0.86.52 | detected: True
Fortinet | result: W32/GenKryptik.ACZR!tr | update: 20191018 | version: 5.4.247.0 | detected: True
Invincea | result: heuristic | update: 20190904 | version: 6.3.6.26157 | detected: True
Jiangmin | result: Trojan.Generic.eeaun | update: 20191018 | version: 16.0.100 | detected: True
Kingsoft | update: 20191018 | version: 2013.8.14.323 | detected: False
Paloalto | result: generic.ml | update: 20191018 | version: 1.0 | detected: True
Symantec | result: Trojan.Kovter!gen3 | update: 20191018 | version: 1.11.0.0 | detected: True
Trapmine | result: malicious.high.ml.score | update: 20190826 | version: 3.1.81.800 | detected: True
AhnLab-V3 | result: Trojan/Win32.Poweliks.R211930 | update: 20191018 | version: 3.16.3.25410 | detected: True
Antiy-AVL | result: Trojan/Win32.Poweliks | update: 20191018 | version: 3.0.0.1 | detected: True
Kaspersky | result: Trojan-Downloader.Win32.Upatre.icwa | update: 20191018 | version: 15.0.1.13 | detected: True
Microsoft | result: Trojan:Win32/Kovter.I | update: 20191018 | version: 1.1.16500.1 | detected: True
Qihoo-360 | result: Win32/Trojan.623 | update: 20191018 | version: 1.0.0.1120 | detected: True
ZoneAlarm | result: Trojan-Downloader.Win32.Upatre.icwa | update: 20191018 | version: 1.0 | detected: True
Cybereason | result: malicious.278e5d | update: 20190616 | version: 1.2.449 | detected: True
ESET-NOD32 | result: a variant of Win32/Kryptik.FRZM | update: 20191018 | version: 20201 | detected: True
TrendMicro | result: TROJ_HPKOVTER.SMAX1 | update: 20191018 | version: 11.0.0.1006 | detected: True
BitDefender | result: Trojan.GenericKD.4800676 | update: 20191018 | version: 7.2 | detected: True
CrowdStrike | result: win/malicious_confidence_100% (W) | update: 20190702 | version: 1.0 | detected: True
K7AntiVirus | result: Trojan ( 0050b0231 ) | update: 20191018 | version: 11.73.32308 | detected: True
SentinelOne | result: DFI - Malicious PE | update: 20190807 | version: 1.0.31.22 | detected: True
Avast-Mobile | update: 20191012 | version: 191012-04 | detected: False
Malwarebytes | update: 20191018 | version: 2.1.1.1115 | detected: False
TotalDefense | update: 20191018 | version: 37.1.62.1 | detected: False
CAT-QuickHeal | result: Trojan.Generic | update: 20191017 | version: 14.00 | detected: True
NANO-Antivirus | result: Trojan.Win32.Kryptik.ezcvvz | update: 20191018 | version: 1.0.134.24859 | detected: True
MicroWorld-eScan | result: Trojan.GenericKD.4800676 | update: 20191018 | version: 14.0.297.0 | detected: True
SUPERAntiSpyware | update: 20191011 | version: 5.6.0.1032 | detected: False
McAfee-GW-Edition | result: BehavesLike.Win32.PWSZbot.fc | update: 20191017 | version: v2017.3010 | detected: True
TrendMicro-HouseCall | result: TROJ_HPKOVTER.SMAX1 | update: 20191018 | version: 10.0.0.1040 | detected: True

total: 68
sha256: 96492d73685049ae946b6d1e7583b4a39d1a650ec500a76ae5158fba2c407543
scan_id: 96492d73685049ae946b6d1e7583b4a39d1a650ec500a76ae5158fba2c407543-1571396108
resource: e5f4925278e5ddc3ac7e5f153b82be04
positives: 57
scan_date: 2019-10-18 10:55:08
verbose_msg: Scan finished, information embedded
response_code: 1
File
Trace

Process
Trace

Analysis
Reason: Blue Screen
Status: Machine Crashed
Results: 0

Registry
Trace

File Summary
Created
Identified: False
Deleted
Identified: False

Process Summary
Created
Identified: False
Deleted
Identified: False

Registry Summary
Proxy
Identified: False
AutoRun
Identified: False
Created
Identified: False
Deleted
Identified: False
Browsers
Identified: False
Internet
Identified: False


DNS
Query
localhost -> gateway:50581  ctldl.windowsupdate.com.
localhost -> gateway:DNS  ctldl.windowsupdate.com.
localhost -> gateway:DNS  time.windows.com.
localhost -> gateway:DNS  teredo.ipv6.microsoft.com.
localhost -> gateway:61232  teredo.ipv6.microsoft.com.
localhost -> gateway:58005  www.msftncsi.com.
localhost -> gateway:DNS  www.msftncsi.com.
localhost -> gateway:56846  ipv6.msftncsi.com.
localhost -> gateway:DNS  ipv6.msftncsi.com.
localhost -> gateway:56026  time.windows.com.

Response
gateway:DNS -> localhost  time.windows.com. = 52.148.114.188
gateway:DNS -> localhost  ctldl.windowsupdate.com. = 192.16.48.200
gateway:DNS -> localhost  ipv6.msftncsi.com. = a978.i6g1.akamai.net.
gateway:DNS -> localhost  www.msftncsi.com. = 200.143.247.9

TCP
Info
192.16.48.200:80 -> localhost:49159
localhost:49159 -> 192.16.48.200:80
200.143.247.8:80 -> localhost:49157
localhost:49157 -> 200.143.247.8:80

UDP
Info
localhost:56026 -> localhost:53
localhost:53 -> localhost:61232
localhost:62166 -> 224.0.0.252:5355
localhost:62256 -> 224.0.0.252:5355
localhost:58005 -> localhost:53
localhost:62720 -> 224.0.0.252:5355
52.148.114.188:123 -> localhost:123
localhost:64475 -> 224.0.0.252:5355
localhost:49195 -> 239.255.255.250:3702
localhost:56846 -> localhost:53
localhost:123 -> 52.148.114.188:123
localhost:53 -> localhost:56026
localhost:53 -> localhost:50581
localhost:68 -> 255.255.255.255:67
localhost:50837 -> 224.0.0.252:5355
localhost:67 -> localhost:68
localhost:53 -> localhost:56846
localhost:53 -> localhost:58005
localhost:49194 -> 224.0.0.252:5355
localhost:50581 -> localhost:53
localhost:54179 -> 224.0.0.252:5355
localhost:61232 -> localhost:53
localhost:61442 -> 224.0.0.252:5355

HTTP
Info
localhost GET www.msftncsi.com /ncsi.txt
localhost GET ctldl.windowsupdate.com /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?66489492a4fa9f16

Summary
DNS: True
TCP: True
UDP: True
HTTP: True

Results
KNN (K=3, NFS-BRMalware)
confidence: 100.00%
suspicious: False
Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True
SVC (Kernel=Linear, NFS-BRMalware)
confidence: 98.27%
suspicious: False
Random Forest (100 estimators, NFS-BRMalware)
confidence: 55.00%
suspicious: False