Report #7689

  • Creation Date: Feb. 27, 2020, 5:19 p.m.
  • Last Update: Feb. 27, 2020, 10:01 p.m.
  • File: 7.zip.exe
  • Results:
Binary
DLL: False
Size: 623.50KB
trid:
30.5% Win32 Executable Delphi generic
28.1% Windows screen saver
14.1% Win32 Dynamic Link Library
9.7% Win32 Executable
4.4% Win16/32 Executable Delphi generic
type: PE
wordsize: 32
Subsystem: Windows GUI
Hashes
md5: ba874a04e30e20cc3277f3fe7b012926
sha1: 07ad6197c56cf5d814dfebf080a34f3bf6d70d1a
crc32: 0x90f88d00
sha224: 05667bfc2e586496a4be4f091c18b39534a400b6e3d069bf6e9dd7be
sha256: b3f1ebf078af4d73d43e8a1e5ef5a30403e5256db8ea9cd1ecd60bc12360c75a
sha384: 4628aef76b05d5e2b746082010a314c1b32896eae730519bdfa79fa85a1ea4ac3e49d5d97b9e91b2992f97f82784abf1
sha512: da7ca822e906f080e826001bfea287d81c4d95f2edad15540bd598bd167b5cee344ed6e7a6b99d54668a7474a578adfbb5b5fc511a1be0e0871ca537e27595af
ssdeep: 12288:lrQV531XJqlSGzQk/duPUAFTIyUbdc2QkhbAJssCpL2G+L+T7a:to915uSGzQkF6TFUyUbtQkhMmsCNv+Ld
Community
Google: False
HashLib: False
YARA
Matches
domain, Borland, Borland_Delphi_30_, borland_delphi, Delphi_FormShow, Microsoft_Visual_Cpp_v50v60_MFC, win_files_operation, IsPE32, win_hook, contentis_base64, screenshot, Borland_Delphi_v40_v50, Borland_Delphi_40_additional, win_mutex, keylogger, Borland_Delphi_40, Delphi_Random, IsWindowsGUI, Delphi_Copy, Borland_Delphi_Setup_Module, Borland_Delphi_DLL, win_registry, Delphi_StrToInt, Advapi_Hash_API, Borland_Delphi_30_additional, Borland_Delphi_v30

Suspicious: True

Strings
List
t.Ht
GlassFrame.Top
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
B.rsrc
SOFTWARE\Borland\Delphi\RTL
Delphi%.8X
Software\Borland\Locales
Software\Borland\Delphi\Locales
comctl32.dll
comctl32.dll
comctl32.dll
comctl32.dll
comctl32.dll
version.dll
uxtheme.dll
Component %s not foundDGetting the Count of a TComponentsEnumerator object is not supportedWComponent was expected to implement IInterfaceComponentReference for ValuesList support<Errors object must support the interface IIterateIntfSupport Action does not provide response+Action can't respone to unknown HTTP method"Action can't redirect to blank URL
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
%s<input type="hidden" name="%s" value="%s">%s
Self-
ControlOfs%.8X%.8X
WndProcPtr%.8X%.8X
UhB7D
No help found for context$No topic-based help system installed+Type mismatch in parameter %d for method %s,Invalid DispID for parameter %d in method %s#Parameter %d required for method %s/Method definition for %s has over %d parameters!Too many parameters for method %s=Error decoding URL style (%%XX) encoded string at position %d1Invalid URL encoded character (%s) at position %dLOperation not supported. %s component does not support IGetWebComponentList
%s.WriteItem(%d)
Uh4%A
Response.Write(%s)
Apartment
Sub-menu is not in menu
Invalid parent'Execution of action %s is not permitted"Data Modification is not permitted
Producer
%s,Custom variant type (%s%.4x) is out of range/Custom variant type (%s%.4x) already used by %s*Custom variant type (%s%.4x) is not usable2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Division by zero
Count
Count
Count
List
Count
Rebuild
Selected
bsSizeToolWin
August September
TaskbarCreated
clWebLawnGreen
TaskbarCreated
Uh%fD
Uh%eB
Too many open files
Assertion failed
include
Terminated
PathTranslated
%s (%s, line %d)
Privileged instruction(Exception %s in module %s at %p.
Error reading %s%s%s: %s
I/O error %d
No help found for %s#No context-sensitive help installed
\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
%s on line %d
List count out of bounds (%d)
Ancestor for '%s' not found
'%s' is not a valid date
Cannot assign a %s to a %s
Class %s not found
Property %s does not exist
Resource %s not found
%s is not a valid BCD value$Could not parse SQL TimeStamp string
?HTTPApp
OnKeyPressL
Variable %s is not a container
OnDestroy
ESafecallException
THiddenFieldsEnum(
OnHide
*ShellAPI
TAdapterNamedField(
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=%0:s">
TClassList
HTTPProd
HTTPProd
HTTPProd
HTTPProd
ssShift
ssHotTrack
Error creating window class+Cannot focus a disabled or invisible window!Control '%s' has no parent window
Invalid stream format$''%s'' is not a valid component name
Variable not found: %s=Component does not support scripting. Class: %0:s, Name: %1:s.Object does not support scripting. Class: %0:s*File include error on line %d: expecting "*File include error on line %d: expecting =NFile include error on line %d: expecting virtual, file, or page, but found %s.
Invalid property element: %s
HiddenFields8
OnDockOver\
ssLeft
No argument for format '%s'
CanExecute
Delphi Component
TPersistent
TPersistent
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
HiddenRecordFields
THiddenFieldsEnum
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Foremost
Matches: 0.exe, 623 KB
Suspicious: True
Heuristics
IPs
hasIPs: False
Allowed
Suspicious
hasAllowed: False
hasSuspicious: False

URLs
Allowed
hasURLs: False
Suspicious
hasAllowed: False
hasSuspicious: False

Files
Allowed: USER32.DLL, kernel32.dll, uxtheme.dll, advapi32.dll, gdi32.dll, comctl32.dll, DWMAPI.DLL, ole32.dll, imm32.dll, oleaut32.dll, version.dll
hasFiles: True
Suspicious
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA
RVA: 16
Suspicious: False
Code
Size: 78336
Suspicious: False
Image
Address: 4194304
Suspicious: False
Stack
Stack: 16384
Suspicious: False
Headers
Headers: 1024
Suspicious: False
Suspicious: False

Symbols
Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 0
Suspicious: True

Sections
Allowed: .text, .itext, .data, .bss, .idata, .tls, .rdata, .reloc, .rsrc
Suspicious
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS
Version: 4
Suspicious: False
Image
Version: 4
Suspicious: True
Linker
Version: 2.25
Suspicious: False
Subsystem
Version: 4.0
Suspicious: False
Suspicious: False

EntryPoint
Address: 563628
Suspicious: False

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True

Libraries
Allowed: user32.dll, kernel32.dll, uxtheme.dll, advapi32.dll, gdi32.dll, comctl32.dll, dwmapi.dll, ole32.dll, imm32.dll, oleaut32.dll, version.dll
hasLibs: True
Suspicious
hasAllowed: True
hasSuspicious: False

Timestamp
Past: False
Valid: True
Value: 2015-12-03 12:57:16
Future: False

Compilation
Packed: False
Missing: False
Packers
Compiled: True
Compilers: Borland Delphi 3.0 (???), Borland Delphi 4.0, Borland Delphi v3.0

Obfuscation
XOR: False
Fuzzing: False

PEDetector
Matches: None
Suspicious: False
Disassembly
hasTricks: True
Tricks
pushret
.text: 58
.itext: 7

pushpopmath
.text: 10
.idata: 2
.reloc: 33

ss register
.reloc: 1

garbagebytes
.text: 55
.itext: 7

hookdetection
.text: 2
.reloc: 2

software breakpoint
.text: 4
.reloc: 15

fakeconditionaljumps
.text: 1

programcontrolflowchange
.text: 54
.itext: 7

cpuinstructionsresultscomparison
.data: 1
.rsrc: 1
.text: 7

AVclass
bestafera
1
VirusTotal
md5: ba874a04e30e20cc3277f3fe7b012926
sha1: 07ad6197c56cf5d814dfebf080a34f3bf6d70d1a
SCANS (DETECTION RATE = 55.38%)
Engine | Result | Update | Version | Detected
AVG | Win32:Banker-MRP [Trj] | 20180325 | 18.2.3827.0 | True
CMC | - | 20180324 | 1.1.0.977 | False
MAX | malware (ai score=85) | 20180325 | 2017.11.15.1 | True
Bkav | - | 20180325 | 1.3.0.9466 | False
K7GW | - | 20180325 | 10.42.26601 | False
ALYac | Gen:Variant.Graftor.258717 | 20180325 | 1.1.1.5 | True
Avast | Win32:Banker-MRP [Trj] | 20180325 | 18.2.3827.0 | True
Avira | TR/Spy.Banker.638464 | 20180324 | 8.3.3.6 | True
Baidu | - | 20180323 | 1.0.0.2 | False
Cyren | - | 20180325 | 5.4.30.7 | False
DrWeb | - | 20180325 | 7.0.28.2020 | False
GData | Gen:Variant.Graftor.258717 | 20180325 | A:25.16495B:25.11872 | True
Panda | Trj/GdSda.A | 20180324 | 4.6.4.2 | True
VBA32 | - | 20180323 | 3.12.28.0 | False
VIPRE | Trojan.Win32.Generic!BT | 20180325 | 65508 | True
Zoner | - | 20180325 | 1.0 | False
AVware | Trojan.Win32.Generic!BT | 20180325 | 1.5.0.42 | True
ClamAV | - | 20180325 | 0.99.2.0 | False
Comodo | - | 20180325 | 28741 | False
F-Prot | - | 20180325 | 4.7.1.166 | False
Ikarus | Trojan-Banker.Win32.BestaFera | 20180324 | 0.1.5.2 | True
McAfee | Artemis!BA874A04E30E | 20180325 | 6.0.6.653 | True
Rising | Spyware.Banker!8.8D (TFE:4:cScTNbf6VhK) | 20180325 | 25.0.0.1 | True
Sophos | Mal/Generic-S | 20180325 | 4.98.0 | True
Yandex | Trojan.PWS.BestaFera! | 20180324 | 5.5.1.3 | True
Zillya | - | 20180323 | 2.0.0.3519 | False
Arcabit | Trojan.Graftor.D3F29D | 20180325 | 1.0.0.831 | True
Cylance | Unsafe | 20180325 | 2.3.1.101 | True
Endgame | - | 20180316 | 2.0.5 | False
Tencent | Win32.Trojan-banker.Bestafera.Phgh | 20180325 | 1.0.0.1 | True
ViRobot | - | 20180324 | 2014.3.20.0 | False
eGambit | - | 20180325 | v4.3.5 | False
Ad-Aware | Gen:Variant.Graftor.258717 | 20180325 | 3.0.3.1010 | True
AegisLab | Troj.Banker.W32.Bestafera!c | 20180325 | 4.2 | True
Emsisoft | Gen:Variant.Graftor.258717 (B) | 20180325 | 4.0.2.899 | True
F-Secure | Gen:Variant.Graftor.258717 | 20180325 | 11.0.19100.45 | True
Fortinet | W32/BestaFera.ETM!tr | 20180325 | 5.4.247.0 | True
Invincea | - | 20180121 | 6.3.4.26036 | False
Jiangmin | Trojan.Banker.BestaFera.abu | 20180325 | 16.0.100 | True
Kingsoft | - | 20180325 | 2013.8.14.323 | False
Paloalto | - | 20180325 | 1.0 | False
Symantec | Infostealer.Bancos | 20180324 | 1.5.0.0 | True
nProtect | - | 20180325 | 2018-03-25.02 | False
AhnLab-V3 | - | 20180324 | 3.12.0.20130 | False
Antiy-AVL | Trojan[Banker]/Win32.BestaFera | 20180325 | 3.0.0.1 | True
Kaspersky | Trojan-Banker.Win32.BestaFera.etm | 20180325 | 15.0.1.13 | True
Microsoft | - | 20180325 | 1.1.14600.4 | False
Qihoo-360 | Win32/Trojan.735 | 20180325 | 1.0.0.1120 | True
TheHacker | - | 20180319 | 6.8.0.5.2551 | False
ZoneAlarm | Trojan-Banker.Win32.BestaFera.etm | 20180325 | 1.0 | True
ESET-NOD32 | - | 20180325 | 17111 | False
TrendMicro | TROJ_GEN.R002C0WBF18 | 20180325 | 9.862.0.1074 | True
BitDefender | Gen:Variant.Graftor.258717 | 20180325 | 7.2 | True
CrowdStrike | malicious_confidence_60% (W) | 20170201 | 1.0 | True
K7AntiVirus | - | 20180325 | 10.42.26601 | False
SentinelOne | - | 20180225 | 1.0.15.206 | False
Avast-Mobile | - | 20180324 | 180324-00 | False
Malwarebytes | - | 20180325 | 2.1.1.1115 | False
TotalDefense | - | 20180325 | 37.1.62.1 | False
CAT-QuickHeal | Trojan.BestaFera | 20180324 | 14.00 | True
NANO-Antivirus | Trojan.Win32.BestaFera.esrysz | 20180325 | 1.0.100.22043 | True
MicroWorld-eScan | Gen:Variant.Graftor.258717 | 20180325 | 14.0.297.0 | True
SUPERAntiSpyware | - | 20180325 | 5.6.0.1032 | False
McAfee-GW-Edition | BehavesLike.Win32.AdwareDealPly.jh | 20180324 | v2015 | True
TrendMicro-HouseCall | TROJ_GEN.R002C0WBF18 | 20180325 | 9.950.0.1006 | True

total: 65
sha256: b3f1ebf078af4d73d43e8a1e5ef5a30403e5256db8ea9cd1ecd60bc12360c75a
scan_id: b3f1ebf078af4d73d43e8a1e5ef5a30403e5256db8ea9cd1ecd60bc12360c75a-1521960728
resource: ba874a04e30e20cc3277f3fe7b012926
positives: 36
scan_date: 2018-03-25 06:52:08
verbose_msg: Scan finished, information embedded
response_code: 1
File
Trace
Time | Operation | PID | Process | Path
27/2/2020 - 21:46:18.778 | Open | 1480 | C:\malware.exe | C:\CRYPTSP.dll
27/2/2020 - 21:46:18.778 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\cryptsp.dll
27/2/2020 - 21:46:18.778 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\cryptsp.dll
27/2/2020 - 21:46:18.778 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
27/2/2020 - 21:46:18.778 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
27/2/2020 - 21:46:18.778 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
27/2/2020 - 21:46:18.778 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
27/2/2020 - 21:46:18.778 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
27/2/2020 - 21:46:18.778 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
27/2/2020 - 21:46:18.778 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
27/2/2020 - 21:46:18.778 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
27/2/2020 - 21:46:18.778 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
27/2/2020 - 21:46:18.778 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
27/2/2020 - 21:46:18.778 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
27/2/2020 - 21:46:18.778 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
27/2/2020 - 21:46:18.778 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\92d2d0d4647a625ad98ab0871725557b
27/2/2020 - 21:46:18.778 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\92d2d0d4647a625ad98ab0871725557b
27/2/2020 - 21:46:18.778 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\92d2d0d4647a625ad98ab0871725557b\off
27/2/2020 - 21:46:18.778 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\92d2d0d4647a625ad98ab0871725557b\off
27/2/2020 - 21:46:18.778 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\92d2d0d4647a625ad98ab0871725557b
27/2/2020 - 21:46:18.778 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\92d2d0d4647a625ad98ab0871725557b\off
27/2/2020 - 21:46:18.778 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\92d2d0d4647a625ad98ab0871725557b\off
27/2/2020 - 21:46:18.840 | Unknown | 1480 | C:\malware.exe | C:\Windows
27/2/2020 - 21:46:18.840 | Unknown | 1480 | C:\malware.exe | C:\Monitor
27/2/2020 - 21:46:18.840 | Unknown | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc
27/2/2020 - 21:46:18.840 | Unknown | 1480 | C:\malware.exe | C:\Windows\Fonts\StaticCache.datStaticCache.dat

Process
Trace

Analysis
Reason
Finished

Status
Successfully Executed

Results
1

Registry
Trace

File Summary
Created
Identified: False

Deleted
Identified: False

Process Summary
Created
Identified: False

Deleted
Identified: False

Registry Summary
Proxy
Identified: False

AutoRun
Identified: False

Created
Identified: False

Deleted
Identified: False

Browsers
Identified: False

Internet
Identified: False


DNS
Query

Response

TCP
Info

UDP
Info

HTTP
Info

Summary
DNS: False
TCP: False
UDP: False
HTTP: False

Results
BINARY
KNN (K=3, NFS-BRMalware)
confidence: 100.00%
suspicious: True

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True

SVC (Kernel=Linear, NFS-BRMalware)
confidence: 75.94%
suspicious: True

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 54.23%
suspicious: False

Random Forest (100 estimators, NFS-BRMalware)
confidence: 65.00%
suspicious: True

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 49.42%
suspicious: True

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 78.71%
suspicious: False
