Report #7356 check_circle

Binary
DLL
False cancel
Size
3.06MB
trid
66.9% Inno Setup installer
25.3% Win32 EXE PECompact compressed
2.7% Win32 Executable
1.2% Win16/32 Executable Delphi generic
1.2% OS/2 Executable
type
PE
wordsize
32
Subsystem
Windows GUI
Hashes
md5
6a17dd4005aec7721e921fc1135e14e9
sha1
7370d4dfcdaf2a7cd37148962c174a96cdca35f3
crc32
0x615b6908
sha224
2085ec804a9b8f8ba97028067efa6e00a1e861e281b033970247befe
sha256
d30a5ad95438566dc45746d7843f6a162c001123c271119401420411389c8bb2
sha384
afccd0722cdd419d0dc3842d9bf7ef76f428407acb170a69fed85701ef57e96b037b60ea55cab70c9503d9706e06f7f7
sha512
e04b94959e7ae625382b9669e34bc30f644069c6b0dc90313a2cee8330307a24835f07b5f034c77ca9324450010325d3dbd3e84c559468277ac2db9e6b598571
ssdeep
49152:jdMWfKqcRNZdnaSTAZ3gpt/56dPWGXHXgG:RMKAPZAGp156dPW
Community
Google
False cancel
HashLib
False cancel
YARA
Matches
IP, Borland, Dropper_Strings, Borland_Delphi_30_, network_ssl, borland_delphi, Delphi_FormShow, BobSoftMiniDelphiBoBBobSoft, Microsoft_Visual_Cpp_v50v60_MFC, BobSoft_Mini_Delphi_BoB_BobSoft_additional, win_files_operation, IsPE32, win_hook, contentis_base64, screenshot, Borland_Delphi_v40_v50, keylogger, MD5_Constants, Borland_Delphi_40_additional, OpenSSL_DSA, Borland_Delphi_40, Delphi_Random, IsWindowsGUI, anti_dbg, Borland_Delphi_Setup_Module, Borland_Delphi_DLL, url, android_meterpreter, win_registry, Delphi_CompareCall, Borland_Delphi_30_additional, Borland_Delphi_v30

Suspicious
True check_circle

Strings
List
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
http://www.indyproject.org/
C:\Program Files (x86)\AppBrad\AplicativoBradesco.exe
C:\Program Files\AppBrad\AplicativoBradesco.exe
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
Vcl.Graphics
NWinapi.Storage
Winapi.Storage
t.Ht
Winapi.Windows
Winapi.Windows
Winapi.Windows
Winapi.Windows
Uh.BE
Font.Style
Font.Name
Winapi.Foundation
aWinapi.Foundation
.stl=application/vnd.ms-pki.stl
.sxg=application/vnd.sun.xml.writer.global
.pko=application/vnd.ms-pki.pko
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
libssl32.dll
ssleay32.dll
ssleay32.dll
127.0.0.1
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
security.dll
The credentials supplied were not complete, and could not be verified. Additional information can be returned from the context.4The context data must be renegotiated with the peer.'The target principal name is incorrect.:There is no LSA mode context associated with this context.8The clocks on the client and server machines are skewed.;The certificate chain was issued by an untrusted authority.7The message received was unexpected or badly formatted.;An unknown error occurred while processing the certificate.%The received certificate has expired.*The specified data could not be encrypted.*The specified data could not be decrypted.6The caller is not the owner of the desired credentialsBThe security package failed to initialize, and cannot be installed-The token supplied to the function is invalid^The security package is not able to marshall the logon buffer, so the logon attempt has failedNThe per-message Quality of Protection is not supported by the security package?The security context does not allow impersonation of the client
Skype.exe
Skype.exe
System.Win.Registry
System.Win.Registry
System.Win.Registry
System.Win.Registry
System.Win.Registry
System.Win.Registry
System.Win.Registry
jTList<System.Win.Notification.TPair<System.string,Winapi.UI.Notifications.IToastNotification>>.TEnumerator4%i
ITComparer<Vcl.Themes.TPair<Winapi.Windows.HWND,Vcl.Themes.TSysStyleHook>>2
ITComparer<Vcl.Themes.TPair<Winapi.Windows.HWND,Vcl.Themes.TSysStyleHook>>h
IIComparer<Vcl.Themes.TPair<Winapi.Windows.HWND,Vcl.Themes.TSysStyleHook>>
KTComparison<Vcl.Themes.TPair<Winapi.Windows.HWND,Vcl.Themes.TSysStyleHook>>
X@TList`1.Pack$224$ActRec<Vcl.Themes.TPair<Winapi.Windows.HWND,Vcl.Themes.TSysStyleHook>>d \
FTArray<Vcl.Themes.TPair<Winapi.Windows.HWND,Vcl.Themes.TSysStyleHook>>
_ossl_old_des_ecb_encrypt
X@TList`1.Pack$226$ActRec<Vcl.Themes.TPair<Winapi.Windows.HWND,Vcl.Themes.TSysStyleHook>>
X@TList`1.Pack$224$ActRec<Vcl.Themes.TPair<Winapi.Windows.HWND,Vcl.Themes.TSysStyleHook>>
X@TList`1.Pack$226$ActRec<Vcl.Themes.TPair<Winapi.Windows.HWND,Vcl.Themes.TSysStyleHook>>D
ETList<Vcl.Themes.TPair<Winapi.Windows.HWND,Vcl.Themes.TSysStyleHook>>&
ETList<Vcl.Themes.TPair<Winapi.Windows.HWND,Vcl.Themes.TSysStyleHook>>
NTList<Vcl.Themes.TPair<Winapi.Windows.HWND,Vcl.Themes.TSysStyleHook>>.arrayofT
KTEnumerator<Vcl.Themes.TPair<Winapi.Windows.HWND,Vcl.Themes.TSysStyleHook>>
KTEnumerator<Vcl.Themes.TPair<Winapi.Windows.HWND,Vcl.Themes.TSysStyleHook>>(
QTList<Vcl.Themes.TPair<Winapi.Windows.HWND,Vcl.Themes.TSysStyleHook>>.TEnumerator5
X.TList`1.Pack$226$0$Intf<Vcl.Themes.TPair<Winapi.Windows.HWND,Vcl.Themes.TSysStyleHook>>
X.TList`1.Pack$224$0$Intf<Vcl.Themes.TPair<Winapi.Windows.HWND,Vcl.Themes.TSysStyleHook>>
VTCollectionNotifyEvent<Vcl.Themes.TPair<Winapi.Windows.HWND,Vcl.Themes.TSysStyleHook>>
QTList<Vcl.Themes.TPair<Winapi.Windows.HWND,Vcl.Themes.TSysStyleHook>>.TEnumerator
ITDictionary<Winapi.Windows.HWND,Vcl.Themes.TSysStyleHook>.TPairEnumerator

Foremost
Matches
0.exe, 3 MB
Suspicious
True check_circle
Heuristics
IPs
hasIPs: True check_circle
Allowed: 255.255.255.255, 1, record, 127.0.0.1, 1, localhost.
Suspicious: 7.29.0.102, 0, Unknown, 0.0.0.1, 0, Unknown
hasAllowed: True check_circle
hasSuspicious: True check_circle

URLs
Allowed: http://schemas.microsoft.com/smi/2005/windowssettings
hasURLs: True check_circle
Suspicious: http://www.indyproject.org/
hasAllowed: True check_circle
hasSuspicious: True check_circle

Files
Allowed: user32.dll, Msctf.dll, secur32.dll, ssleay32.dll, kernel32.dll, uxtheme.dll, security.dll, MSWSOCK.DLL, libeay32.dll, iphlpapi.dll, Invalid owner %s is already associated with %sE%d is an invalid PageIndex value. PageIndex must be between 0 and %d=This control requires version 4.70 or greater of COMCTL32.DLL, Normaliz.dll, Fwpuclnt.dll, IdnDL.dll, comctl32.dll, Wship6.dll, ole32.dll, libssl32.dll, imm32.dll, oleaut32.dll, WS2_32.DLL, netapi32.dll, wtsapi32.dll, api-ms-win-core-winrt-l1-1-0.dll, DWMAPI.DLL, Shcore.dll, msimg32.dll, advapi32.dll, api-ms-win-core-winrt-string-l1-1-0.dll, winmm.dll, windowscodecs.dll, version.dll, shlwapi.dll, gdi32.dll, shell32.dll
hasFiles: True check_circle
Suspicious
hasAllowed: True check_circle
hasSuspicious: False cancel

Binary
Sizes
RVA
RVA: 16
Suspicious: False cancel
Code
Size: 389632
Suspicious: False cancel
Image
Address: 4194304
Suspicious: False cancel
Stack
Stack: 16384
Suspicious: False cancel
Headers
Headers: 1024
Suspicious: False cancel
Suspicious: False cancel

Symbols
Number
Number: 0
Suspicious: True check_circle
Pointer
Pointer: 0
Suspicious: True check_circle
Directories
Number: 16
Suspicious: False cancel

Checksum
Value: 0
Suspicous: True check_circle

Sections
Allowed: .text, .itext, .data, .bss, .idata, .didata, .edata, .tls, .rdata, .reloc, .rsrc
Suspicious
hasAllowed: True check_circle
hasSections: True check_circle
hasSuspicious: False cancel

Versions
OS
Version: 5
Suspicious: False cancel
Image
Version: True check_circle
Suspicious: 5
Linker
Version: 2.25
Suspicious: False cancel
Subsystem
Version: 5.0
Suspicious: False cancel
Suspicious: False cancel

EntryPoint
Address: 2818796
Suspicious: False cancel

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True check_circle

Libraries
Allowed: user32.dll, msctf.dll, secur32.dll, kernel32.dll, uxtheme.dll, security.dll, mswsock.dll, normaliz.dll, idndl.dll, comctl32.dll, wship6.dll, ole32.dll, imm32.dll, oleaut32.dll, ws2_32.dll, netapi32.dll, wtsapi32.dll, api-ms-win-core-winrt-l1-1-0.dll, dwmapi.dll, shcore.dll, msimg32.dll, advapi32.dll, api-ms-win-core-winrt-string-l1-1-0.dll, winmm.dll, windowscodecs.dll, version.dll, shlwapi.dll, gdi32.dll, shell32.dll
hasLibs: True check_circle
Suspicious: ssleay32.dll, libeay32.dll, iphlpapi.dll, invalid owner %s is already associated with %se%d is an invalid pageindex value. pageindex must be between 0 and %d=this control requires version 4.70 or greater of comctl32.dll, fwpuclnt.dll, libssl32.dll
hasAllowed: True check_circle
hasSuspicious: True check_circle

Timestamp
Past: False cancel
Valid: True check_circle
Value: 2016-11-14 09:09:07
Future: False cancel

Compilation
Packed: True check_circle
Missing: False cancel
Packers: BobSoft Mini Delphi -> BoB / BobSoft
Compiled: True check_circle
Compilers: Borland Delphi 3.0 (???), Borland Delphi 4.0, Borland Delphi v3.0, Borland Delphi v6.0 - v7.0
MainPacker: BobSoft Mini Delphi -> BoB / BobSoft

Obfuscation
XOR: False cancel
Fuzzing: True check_circle

PEDetector
Matches
None
Suspicious
False cancel
Disassembly
hasTricks
True check_circle
Tricks
pushret
.data: 4
.rsrc: 2
.text: 36
.itext: 5

nopsequence
.itext: 1

pushpopmath
.data: 1
.rsrc: 4
.text: 60
.idata: 2
.reloc: 211

garbagebytes
.data: 2
.rsrc: 1
.text: 28
.itext: 5

hookdetection
.data: 1
.text: 1
.reloc: 20

software breakpoint
.text: 9
.reloc: 79

programcontrolflowchange
.data: 2
.rsrc: 1
.text: 28
.itext: 5

cpuinstructionsresultscomparison
.data: 4
.rsrc: 10
.text: 27
.reloc: 3

AVclass
banbra
1
VirusTotal
md5
6a17dd4005aec7721e921fc1135e14e9
sha1
7370d4dfcdaf2a7cd37148962c174a96cdca35f3
SCANS (DETECTION RATE = 67.16%)
AVG
result: FileRepMetagen [Malware]
update: 20180323
version: 18.2.3827.0
detected: True check_circle

CMC
update: 20180323
version: 1.1.0.977
detected: False cancel

MAX
result: malware (ai score=100)
update: 20180323
version: 2017.11.15.1
detected: True check_circle

Bkav
update: 20180322
version: 1.3.0.9466
detected: False cancel

K7GW
result: Proxy-Program ( 004fde261 )
update: 20180323
version: 10.42.26597
detected: True check_circle

ALYac
result: Gen:Variant.Graftor.314352
update: 20180323
version: 1.1.1.5
detected: True check_circle

Avast
result: FileRepMetagen [Malware]
update: 20180323
version: 18.2.3827.0
detected: True check_circle

Avira
result: TR/ProxChange.rkbee
update: 20180323
version: 8.3.3.6
detected: True check_circle

Baidu
result: Win32.Trojan.WisdomEyes.16070401.9500.9854
update: 20180323
version: 1.0.0.2
detected: True check_circle

Cyren
result: W32/Trojan.NQXW-4601
update: 20180323
version: 5.4.30.7
detected: True check_circle

DrWeb
update: 20180323
version: 7.0.28.2020
detected: False cancel

GData
result: Gen:Variant.Graftor.314352
update: 20180323
version: A:25.16478B:25.11859
detected: True check_circle

Panda
result: Trj/GdSda.A
update: 20180323
version: 4.6.4.2
detected: True check_circle

VBA32
result: Adware.DealPly
update: 20180323
version: 3.12.28.0
detected: True check_circle

VIPRE
result: Trojan.Win32.Generic!BT
update: 20180323
version: 65472
detected: True check_circle

Zoner
update: 20180323
version: 1.0
detected: False cancel

AVware
result: Trojan.Win32.Generic!BT
update: 20180323
version: 1.5.0.42
detected: True check_circle

ClamAV
update: 20180323
version: 0.99.2.0
detected: False cancel

Comodo
result: UnclassifiedMalware
update: 20180323
version: 28732
detected: True check_circle

F-Prot
update: 20180323
version: 4.7.1.166
detected: False cancel

Ikarus
result: Trojan.Win32.ProxyChanger
update: 20180323
version: 0.1.5.2
detected: True check_circle

McAfee
result: GenericR-IXH!6A17DD4005AE
update: 20180323
version: 6.0.6.653
detected: True check_circle

Rising
result: Malware.Undefined!8.C (TFE:5:hmGoTKxjbwB)
update: 20180323
version: 25.0.0.1
detected: True check_circle

Sophos
result: Mal/Generic-S
update: 20180323
version: 4.98.0
detected: True check_circle

Yandex
result: Trojan.ProxyChanger!BI1CmB6BvmM
update: 20180323
version: 5.5.1.3
detected: True check_circle

Zillya
result: Trojan.Banbra.Win32.26117
update: 20180323
version: 2.0.0.3519
detected: True check_circle

Arcabit
result: Trojan.Graftor.D4CBF0
update: 20180323
version: 1.0.0.831
detected: True check_circle

Cylance
update: 20180323
version: 2.3.1.101
detected: False cancel

Endgame
result: malicious (high confidence)
update: 20180316
version: 2.0.5
detected: True check_circle

Tencent
result: Win32.Trojan-banker.Banbra.Wnwh
update: 20180323
version: 1.0.0.1
detected: True check_circle

ViRobot
update: 20180323
version: 2014.3.20.0
detected: False cancel

eGambit
update: 20180323
version: v4.3.5
detected: False cancel

Ad-Aware
result: Gen:Variant.Graftor.314352
update: 20180323
version: 3.0.3.1010
detected: True check_circle

AegisLab
result: Troj.Banker.W32.Banbra!c
update: 20180323
version: 4.2
detected: True check_circle

Emsisoft
result: Gen:Variant.Graftor.314352 (B)
update: 20180323
version: 4.0.2.899
detected: True check_circle

F-Secure
result: Gen:Variant.Graftor.314352
update: 20180323
version: 11.0.19100.45
detected: True check_circle

Fortinet
result: W32/Banbra.UY!tr
update: 20180323
version: 5.4.247.0
detected: True check_circle

Invincea
update: 20180121
version: 6.3.4.26036
detected: False cancel

Jiangmin
update: 20180323
version: 16.0.100
detected: False cancel

Kingsoft
update: 20180323
version: 2013.8.14.323
detected: False cancel

Paloalto
update: 20180323
version: 1.0
detected: False cancel

Symantec
result: Trojan.Gen.2
update: 20180323
version: 1.5.0.0
detected: True check_circle

nProtect
result: Banker/W32.Banbra.3205120
update: 20180323
version: 2018-03-23.02
detected: True check_circle

AhnLab-V3
result: Trojan/Win32.Banbra.C1666400
update: 20180323
version: 3.12.0.20130
detected: True check_circle

Antiy-AVL
update: 20180323
version: 3.0.0.1
detected: False cancel

Kaspersky
result: HEUR:Trojan.Win32.Generic
update: 20180323
version: 15.0.1.13
detected: True check_circle

Microsoft
update: 20180323
version: 1.1.14600.4
detected: False cancel

Qihoo-360
result: Win32/Trojan.f1a
update: 20180323
version: 1.0.0.1120
detected: True check_circle

TheHacker
update: 20180319
version: 6.8.0.5.2551
detected: False cancel

ZoneAlarm
result: HEUR:Trojan.Win32.Generic
update: 20180323
version: 1.0
detected: True check_circle

Cybereason
result: malicious.005aec
update: 20180225
version: 1.2.27
detected: True check_circle

ESET-NOD32
result: Win32/ProxyChanger.UY
update: 20180323
version: 17106
detected: True check_circle

TrendMicro
result: TROJ_GEN.R002C0PBG18
update: 20180323
version: 9.862.0.1074
detected: True check_circle

WhiteArmor
update: 20180223
detected: False cancel

BitDefender
result: Gen:Variant.Graftor.314352
update: 20180323
version: 7.2
detected: True check_circle

CrowdStrike
result: malicious_confidence_90% (W)
update: 20170201
version: 1.0
detected: True check_circle

K7AntiVirus
result: Proxy-Program ( 004fde261 )
update: 20180323
version: 10.42.26598
detected: True check_circle

SentinelOne
update: 20180225
version: 1.0.15.206
detected: False cancel

Avast-Mobile
update: 20180323
version: 180323-04
detected: False cancel

Malwarebytes
update: 20180323
version: 2.1.1.1115
detected: False cancel

TotalDefense
update: 20180323
version: 37.1.62.1
detected: False cancel

CAT-QuickHeal
result: Trojan.Dynamer
update: 20180323
version: 14.00
detected: True check_circle

NANO-Antivirus
result: Trojan.Win32.Banbra.eittiq
update: 20180323
version: 1.0.100.22043
detected: True check_circle

MicroWorld-eScan
result: Gen:Variant.Graftor.314352
update: 20180323
version: 14.0.297.0
detected: True check_circle

SUPERAntiSpyware
update: 20180323
version: 5.6.0.1032
detected: False cancel

McAfee-GW-Edition
result: BehavesLike.Win32.Dropper.wh
update: 20180323
version: v2015
detected: True check_circle

TrendMicro-HouseCall
result: TROJ_GEN.R002C0PBG18
update: 20180323
version: 9.950.0.1006
detected: True check_circle

total
67
sha256
d30a5ad95438566dc45746d7843f6a162c001123c271119401420411389c8bb2
scan_id
d30a5ad95438566dc45746d7843f6a162c001123c271119401420411389c8bb2-1521830445
resource
6a17dd4005aec7721e921fc1135e14e9
positives
45
scan_date
2018-03-23 18:40:45
verbose_msg
Scan finished, information embedded
response_code
1
File
Trace
21/2/2020 - 23:45:42.950Open1480C:\malware.exeC:\Windows\SysWOW64\security.dll
21/2/2020 - 23:45:42.950Open1480C:\malware.exeC:\SECUR32.DLL
21/2/2020 - 23:45:42.950Open1480C:\malware.exeC:\Windows\SysWOW64\secur32.dll
21/2/2020 - 23:45:42.950Open1480C:\malware.exeC:\Windows\SysWOW64\secur32.dll
21/2/2020 - 23:45:42.950Open1480C:\malware.exeC:\malware.exe.Local
21/2/2020 - 23:45:42.950Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_pt-br_59b90943c4d9db88
21/2/2020 - 23:45:42.950Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_pt-br_59b90943c4d9db88
21/2/2020 - 23:45:42.950Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_pt-br_59b90943c4d9db88
21/2/2020 - 23:45:42.950Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_pt-br_59b90943c4d9db88\comctl32.dll.mui
21/2/2020 - 23:45:42.950Open1480C:\malware.exeC:\Windows\SysWOW64\uxtheme.dll.Config
21/2/2020 - 23:45:42.950Open1480C:\malware.exeC:\Windows\SysWOW64\uxtheme.dll
21/2/2020 - 23:45:42.950Open1480C:\malware.exeC:\malware.exe.Local
21/2/2020 - 23:45:42.950Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
21/2/2020 - 23:45:42.950Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
21/2/2020 - 23:45:42.950Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
21/2/2020 - 23:45:42.950Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
21/2/2020 - 23:45:42.950Open1480C:\malware.exeC:\malware.exe.Local
21/2/2020 - 23:45:42.950Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
21/2/2020 - 23:45:42.950Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
21/2/2020 - 23:45:42.950Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
21/2/2020 - 23:45:42.965Open1480C:\malware.exeC:\Windows\SysWOW64\shell32.dll
21/2/2020 - 23:45:42.965Open1480C:\malware.exeC:\Windows\SysWOW64\shell32.dll
21/2/2020 - 23:45:42.965Open1480C:\malware.exeC:\Windows\SysWOW64\shell32.dll
21/2/2020 - 23:45:42.965Open1480C:\malware.exeC:\malware.exe.Local
21/2/2020 - 23:45:42.965Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
21/2/2020 - 23:45:42.965Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
21/2/2020 - 23:45:42.965Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
21/2/2020 - 23:45:42.965Open1480C:\malware.exeC:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll
21/2/2020 - 23:45:42.965Open1480C:\malware.exeC:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll
21/2/2020 - 23:45:42.965Open1480C:\malware.exeC:\Fwpuclnt.dll
21/2/2020 - 23:45:42.965Open1480C:\malware.exeC:\Windows\SysWOW64\FWPUCLNT.DLL
21/2/2020 - 23:45:42.965Open1480C:\malware.exeC:\Windows\SysWOW64\FWPUCLNT.DLL
21/2/2020 - 23:45:42.965Open1480C:\malware.exeC:\IdnDL.dll
21/2/2020 - 23:45:42.965Open1480C:\malware.exeC:\Windows\SysWOW64\idndl.dll
21/2/2020 - 23:45:42.965Open1480C:\malware.exeC:\Windows\SysWOW64\idndl.dll
21/2/2020 - 23:45:42.965Open1480C:\malware.exeC:\iphlpapi.dll
21/2/2020 - 23:45:42.965Open1480C:\malware.exeC:\Windows\SysWOW64\IPHLPAPI.DLL
21/2/2020 - 23:45:42.965Open1480C:\malware.exeC:\Windows\SysWOW64\IPHLPAPI.DLL
21/2/2020 - 23:45:42.965Open1480C:\malware.exeC:\WINNSI.DLL
21/2/2020 - 23:45:42.965Open1480C:\malware.exeC:\Windows\SysWOW64\winnsi.dll
21/2/2020 - 23:45:42.965Open1480C:\malware.exeC:\Windows\SysWOW64\winnsi.dll
21/2/2020 - 23:45:42.981Open1480C:\malware.exeC:\Windows\SysWOW64\mswsock.dll
21/2/2020 - 23:45:42.981Open1480C:\malware.exeC:\Windows\SysWOW64\mswsock.dll
21/2/2020 - 23:45:42.981Open1480C:\malware.exeC:\Windows\SysWOW64\WSHTCPIP.DLL
21/2/2020 - 23:45:42.981Open1480C:\malware.exeC:\Windows\SysWOW64\WSHTCPIP.DLL
21/2/2020 - 23:45:42.981Open1480C:\malware.exeC:\DNSAPI.dll
21/2/2020 - 23:45:42.981Open1480C:\malware.exeC:\Windows\SysWOW64\dnsapi.dll
21/2/2020 - 23:45:42.981Open1480C:\malware.exeC:\Windows\SysWOW64\dnsapi.dll
21/2/2020 - 23:45:43.75Open1480C:\malware.exeC:\rasadhlp.dll
21/2/2020 - 23:45:43.75Open1480C:\malware.exeC:\Windows\SysWOW64\rasadhlp.dll
21/2/2020 - 23:45:43.75Open1480C:\malware.exeC:\Windows\SysWOW64\rasadhlp.dll
21/2/2020 - 23:45:43.75Open1480C:\malware.exeC:\imageres.dll
21/2/2020 - 23:45:43.75Open1480C:\malware.exeC:\Windows\SysWOW64\imageres.dll
21/2/2020 - 23:45:43.75Open1480C:\malware.exeC:\Windows\SysWOW64\imageres.dll
21/2/2020 - 23:45:43.75Open1480C:\malware.exeC:\Windows\SysWOW64\pt-BR\imageres.dll.mui
21/2/2020 - 23:45:43.75Open1480C:\malware.exeC:\Windows\System32\pt-BR\imageres.dll.mui
21/2/2020 - 23:45:43.75Open1480C:\malware.exeC:\Windows\SysWOW64\pt\imageres.dll.mui
21/2/2020 - 23:45:43.75Open1480C:\malware.exeC:\Windows\SysWOW64\en-US\imageres.dll.mui
21/2/2020 - 23:45:43.75Read1480C:\malware.exeC:\Windows\SysWOW64\en-US\imageres.dll.muiimageres.dll.mui
21/2/2020 - 23:45:43.75Open1480C:\malware.exeC:\Windows\SysWOW64\ole32.dll
21/2/2020 - 23:45:43.75Open1480C:\malware.exeC:\Windows\SysWOW64\ole32.dll
21/2/2020 - 23:45:47.981Open1480C:\malware.exeC:\Users\Behemot\AppData\Local
21/2/2020 - 23:45:47.981Unknown1480C:\malware.exeC:\Users\Behemot\AppData\Local
21/2/2020 - 23:45:48.12Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ywR UzLCI.bat
21/2/2020 - 23:45:48.12Write1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ywR UzLCI.batywR UzLCI.bat
21/2/2020 - 23:45:51.12Open1480C:\malware.exeC:\Users\Behemot\AppData\Local\Aplicativo Itau\itauaplicativo.exe
21/2/2020 - 23:45:51.12Open1480C:\malware.exeC:\Users\Behemot\AppData\Local\Aplicativo Itau\itauaplicativo.exe
21/2/2020 - 23:45:51.12Open1480C:\malware.exeC:\Program Files (x86)\AppBrad\AplicativoBradesco.exe
21/2/2020 - 23:45:51.12Open1480C:\malware.exeC:\Program Files (x86)\AppBrad\AplicativoBradesco.exe
21/2/2020 - 23:45:51.12Open1480C:\malware.exeC:\Program Files\AppBrad\AplicativoBradesco.exe
21/2/2020 - 23:45:51.12Open1480C:\malware.exeC:\Program Files\AppBrad\AplicativoBradesco.exe
21/2/2020 - 23:45:53.12Open1480C:\malware.exeC:\Monitor\ywR UzLCI.bat
21/2/2020 - 23:45:53.12Open1480C:\malware.exeC:\Monitor\ywR UzLCI.bat

Process
Trace

Analysis
Reason
Timeout

Status
Sucessfully Executed

Results
1

Registry
Trace
21/2/2020 - 23:45:42.981Write1480C:\malware.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet SettingsAutoConfigURL

File Summary
Created
Identified: True check_circle

Deleted
Identified: False cancel

Process Summary
Created
Identified: False cancel

Deleted
Identified: False cancel

Registry Summary
Proxy
Identified: False cancel

AutoRun
Identified: False cancel

Created
Identified: True check_circle

Deleted
Identified: False cancel

Browsers
Identified: False cancel

Internet
Identified: True check_circle

Loading...

DNS
Query
computer localhost arrow_forward computer gateway:DNS code mkts.marketingbrdigitalgr.com.br.
computer localhost arrow_forward computer gateway:50273 code mkts.marketingbrdigitalgr.com.br.

Response

TCP
Info

UDP
Info
computer localhost:50273 arrow_forward computer localhost:53
computer localhost:53 arrow_forward computer localhost:50273

HTTP
Info

Summary
DNS
True check_circle

TCP
False cancel

UDP
True check_circle

HTTP
False cancel

Results
BINARY
KNN (K=3, NFS-BRMalware)
confidence: 100.00%
suspicious: True check_circle

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True check_circle

SVC (Kernel=Linear, NFS-BRMalware)
confidence: 39.32%
suspicious: False cancel

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 53.55%
suspicious: False cancel

Random Forest (100 estimators, NFS-BRMalware)
confidence: 64.00%
suspicious: True check_circle

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 70.71%
suspicious: True check_circle

LightGDM (Ember: File Characteristics, Threshold=0.8336)
confidence: 99.00%
suspicious: False cancel

Add to Collection
Download