Report #7820

Binary
DLL: False
Size: 540.00KB
trid:
  48.0% InstallShield setup
  15.8% Win32 Executable Delphi generic
  14.6% Windows screen saver
  7.3% Win32 Dynamic Link Library
  5.0% Win32 Executable
type: PE
wordsize: 32
Subsystem: Windows GUI
Hashes
md5: e56158dba449de923657fe7d661dde38
sha1: 63723aaef1e2f0745ec7d499726af7feeea0702b
crc32: 0xbc1259
sha224: 539e0688cc4a5d104375b6513cf2ccbdff525f57fa97b0a538b5e7c0
sha256: c23463d0aee8868ab384a3d9502e0b855c8c69310e14ac8c16bd69f13652d4ab
sha384: 88c7d9c30b882fddf6110cb05ab6ab6e00d6c7e7c583bc5e4eeead91d481f1d12e2d4c563514ed0fa6cc3ddd29a4d291
sha512: 6474b0258de29943642b1d531fc99bf884b6f4a12ea67fb9043de1f5e35991d68fdf17d5246b2da357e3965c2387a38cde34a1dcbcf7252fe0ab695079fc234a
ssdeep: 12288:9rc91r50TcpKk8mqjEGX8gMu6WmQe3Gbo7R:lq4cpKkdqjvtMu6WmQeso7
Community
Google: False
HashLib: False
YARA
Matches: domain, Borland, IP, Borland_Delphi_30_, BASE64_table, borland_delphi, Delphi_FormShow, network_dns, network_tcp_listen, Microsoft_Visual_Cpp_v50v60_MFC, win_files_operation, IsPE32, win_hook, network_tcp_socket, screenshot, Borland_Delphi_v40_v50, keylogger, contentis_base64, Borland_Delphi_40_additional, Borland_Delphi_40, Delphi_Random, IsWindowsGUI, network_udp_sock, Delphi_Copy, Borland_Delphi_Setup_Module, Borland_Delphi_DLL, win_registry, Delphi_StrToInt, Borland_Delphi_30_additional, Borland_Delphi_v30, Big_Numbers1, Big_Numbers0
Suspicious: True

Strings
List
t.Ht
GlassFrame.Top
h.ID
h.PA
h.PE
Font.Style
Font.Name
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
127.0.0.1
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
B.rsrc
SOFTWARE\Borland\Delphi\RTL
Delphi%.8X
Software\Borland\Locales
ISO_646.irv:1991
Software\Borland\Delphi\Locales
comctl32.dll
comctl32.dll
comctl32.dll
comctl32.dll
comctl32.dll
Wship6.dll
version.dll
wininet.dll
uxtheme.dll
0.0.0.1
0.0.0.0
Network is down.
Host is down.
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
Username
Username
Socket Error # %d
OnReceive
jp-ocr-b-add
Transparent proxy cannot bind. UDP Not supported by this proxy.$Buffer terminator must be specified.!Buffer start position is invalid.
UhB-A
ControlOfs%.8X%.8X
WndProcPtr%.8X%.8X
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.
Socks server did not respond.$Invalid socks authentication method.%Authentication error to socks server.
Connected.
OnHide4}D
Not connected.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Index out of bounds.
Connect timed out.
Command not supported.
Connection refused.
Too many open files.
Connection reset by peer.
Connection timed out.
Sub-menu is not in menu
Division by zero
Not Connected
August September
TaskbarCreated
Rebuild
clWebLawnGreen
TaskbarCreated
Selected
bsSizeToolWin
Too many open files
hsConnected
Assertion failed
Reply Code is not valid: %sDThis authentication method is already registered with class name %s.
General SOCKS server failure."Connection not allowed by ruleset.
Resolving hostname %s.
%s (%s, line %d)
Socket is already connected.
%s is not a valid service."Operation not supported on socket.
Error reading %s%s%s: %s
I/O error %d
No help found for %s#No context-sensitive help installed
\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
Thread creation error: %s
List count out of bounds (%d)
ISO_646.irv:1983
Ancestor for '%s' not found
Connecting to %s.
Cannot assign a %s to a %s
Failed to set data for '%s'
No help found for context$No topic-based help system installed
Class %s not found
Property %s does not exist
Resource %s not found
OnDestroy
ESafecallException
,IdCookie
*ShellAPI
Password<
<requestedPrivileges>
TIdSSLRegistry
TIdSSLRegistry
- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
ftpAborted
IdTCPConnection
TIdTCPConnection
TIdTCPConnection
IdTCPConnection

Foremost
Matches: 0.exe, 540 KB
Suspicious: True
Heuristics
IPs
hasIPs: True
Allowed: 127.0.0.1, 1, localhost.
Suspicious: 0.0.0.1, 0, Unknown
hasAllowed: True
hasSuspicious: True

URLs
Allowed
hasURLs: False
Suspicious
hasAllowed: False
hasSuspicious: False

Files
Allowed: user32.dll, kernel32.dll, uxtheme.dll, gdi32.dll, comctl32.dll, Wship6.dll, DWMAPI.DLL, imm32.dll, wininet.dll, advapi32.dll, oleaut32.dll, WS2_32.DLL, version.dll
hasFiles: True
Suspicious
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA
RVA: 16
Suspicious: False
Code
Size: 79872
Suspicious: False
Image
Address: 4194304
Suspicious: False
Stack
Stack: 16384
Suspicious: False
Headers
Headers: 1024
Suspicious: False
Suspicious: False

Symbols
Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 0
Suspicious: True

Sections
Allowed: .text, .itext, .data, .bss, .idata, .tls, .rdata, .reloc, .rsrc
Suspicious
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS
Version: 4
Suspicious: False
Image
Version: 4
Suspicious: True
Linker
Version: 2.25
Suspicious: False
Subsystem
Version: 4.0
Suspicious: False
Suspicious: False

EntryPoint
Address: 477756
Suspicious: False

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True

Libraries
Allowed: user32.dll, kernel32.dll, uxtheme.dll, gdi32.dll, comctl32.dll, wship6.dll, dwmapi.dll, imm32.dll, wininet.dll, advapi32.dll, oleaut32.dll, ws2_32.dll, version.dll
hasLibs: True
Suspicious
hasAllowed: True
hasSuspicious: False

Timestamp
Past: False
Valid: True
Value: 2015-11-23 09:13:03
Future: False

Compilation
Packed: False
Missing: False
Packers
Compiled: True
Compilers: Borland Delphi 3.0 (???), Borland Delphi 4.0

Obfuscation
XOR: False
Fuzzing: True

PEDetector
Matches: None
Suspicious: False
Disassembly
hasTricks: True
Tricks
pushret
.text: 46
.itext: 5

pushpopmath
.rsrc: 1
.text: 15
.reloc: 32

garbagebytes
.text: 46
.itext: 5

hookdetection
.text: 2
.reloc: 2

software breakpoint
.text: 4
.reloc: 6

programcontrolflowchange
.text: 46
.itext: 5

cpuinstructionsresultscomparison
.data: 2
.rsrc: 3
.text: 7

AVclass
bestafera
1
VirusTotal
md5: e56158dba449de923657fe7d661dde38
sha1: 63723aaef1e2f0745ec7d499726af7feeea0702b
SCANS (DETECTION RATE = 69.70%)
AVG
result: FileRepMetagen [Malware]
update: 20180323
version: 18.2.3827.0
detected: True

CMC
update: 20180323
version: 1.1.0.977
detected: False

MAX
result: malware (ai score=87)
update: 20180324
version: 2017.11.15.1
detected: True

Bkav
update: 20180322
version: 1.3.0.9466
detected: False

K7GW
result: Trojan-Downloader ( 004d7a9a1 )
update: 20180323
version: 10.42.26598
detected: True

ALYac
result: Gen:Variant.Zusy.175439
update: 20180323
version: 1.1.1.5
detected: True

Avast
result: FileRepMetagen [Malware]
update: 20180323
version: 18.2.3827.0
detected: True

Avira
result: TR/Spy.Banker.Gen2
update: 20180323
version: 8.3.3.6
detected: True

Baidu
result: Win32.Trojan.WisdomEyes.16070401.9500.9980
update: 20180323
version: 1.0.0.2
detected: True

Cyren
result: W32/Trojan.ZNKT-1487
update: 20180323
version: 5.4.30.7
detected: True

DrWeb
update: 20180323
version: 7.0.28.2020
detected: False

GData
result: Gen:Variant.Zusy.175439
update: 20180323
version: A:25.16481B:25.11861
detected: True

Panda
result: Trj/Genetic.gen
update: 20180323
version: 4.6.4.2
detected: True

VBA32
result: TrojanBanker.BestaFera
update: 20180323
version: 3.12.28.0
detected: True

VIPRE
result: Trojan-Downloader.Win32.Banload.ard (v)
update: 20180323
version: 65478
detected: True

Zoner
update: 20180323
version: 1.0
detected: False

AVware
result: Trojan-Downloader.Win32.Banload.ard (v)
update: 20180323
version: 1.5.0.42
detected: True

ClamAV
update: 20180323
version: 0.99.2.0
detected: False

Comodo
result: .UnclassifiedMalware
update: 20180323
version: 28733
detected: True

F-Prot
update: 20180323
version: 4.7.1.166
detected: False

Ikarus
result: Trojan.Win32.Agent
update: 20180323
version: 0.1.5.2
detected: True

McAfee
result: Artemis!E56158DBA449
update: 20180323
version: 6.0.6.653
detected: True

Rising
result: Malware.Undefined!8.C (TFE:4:ygMQ26caECC)
update: 20180323
version: 25.0.0.1
detected: True

Sophos
result: Mal/Generic-S
update: 20180323
version: 4.98.0
detected: True

Yandex
result: Trojan.PWS.BestaFera!
update: 20180323
version: 5.5.1.3
detected: True

Zillya
update: 20180323
version: 2.0.0.3519
detected: False

Arcabit
result: Trojan.Zusy.D2AD4F
update: 20180323
version: 1.0.0.831
detected: True

Cylance
result: Unsafe
update: 20180324
version: 2.3.1.101
detected: True

Endgame
result: malicious (high confidence)
update: 20180316
version: 2.0.5
detected: True

Tencent
result: Win32.Trojan-banker.Bestafera.Ajkz
update: 20180324
version: 1.0.0.1
detected: True

ViRobot
update: 20180323
version: 2014.3.20.0
detected: False

eGambit
update: 20180324
version: v4.3.5
detected: False

Ad-Aware
result: Gen:Variant.Zusy.175439
update: 20180323
version: 3.0.3.1010
detected: True

AegisLab
result: Troj.Banker.W32.Bestafera!c
update: 20180323
version: 4.2
detected: True

Emsisoft
result: Gen:Variant.Zusy.175439 (B)
update: 20180323
version: 4.0.2.899
detected: True

F-Secure
result: Gen:Variant.Zusy.175439
update: 20180323
version: 11.0.19100.45
detected: True

Fortinet
result: W32/Banload.WTX!tr.dldr
update: 20180323
version: 5.4.247.0
detected: True

Invincea
update: 20180121
version: 6.3.4.26036
detected: False

Jiangmin
result: Trojan.Generic.fxpc
update: 20180323
version: 16.0.100
detected: True

Kingsoft
update: 20180324
version: 2013.8.14.323
detected: False

Paloalto
result: generic.ml
update: 20180324
version: 1.0
detected: True

Symantec
result: Infostealer.Bancos
update: 20180323
version: 1.5.0.0
detected: True

nProtect
update: 20180323
version: 2018-03-23.02
detected: False

AhnLab-V3
result: Trojan/Win32.CSon.R2885
update: 20180323
version: 3.12.0.20130
detected: True

Antiy-AVL
result: Trojan[Banker]/Win32.BestaFera
update: 20180323
version: 3.0.0.1
detected: True

Kaspersky
result: Trojan-Banker.Win32.BestaFera.ecy
update: 20180323
version: 15.0.1.13
detected: True

Microsoft
update: 20180323
version: 1.1.14600.4
detected: False

Qihoo-360
result: HEUR/QVM05.1.Malware.Gen
update: 20180324
version: 1.0.0.1120
detected: True

TheHacker
update: 20180319
version: 6.8.0.5.2551
detected: False

ZoneAlarm
result: Trojan-Banker.Win32.BestaFera.ecy
update: 20180323
version: 1.0
detected: True

ESET-NOD32
result: Win32/TrojanDownloader.Banload.WTD
update: 20180323
version: 17107
detected: True

TrendMicro
result: TROJ_GEN.R002C0WCM18
update: 20180323
version: 9.862.0.1074
detected: True

WhiteArmor
update: 20180223
detected: False

BitDefender
result: Gen:Variant.Zusy.175439
update: 20180323
version: 7.2
detected: True

CrowdStrike
result: malicious_confidence_100% (W)
update: 20170201
version: 1.0
detected: True

K7AntiVirus
result: Trojan-Downloader ( 004d7a9a1 )
update: 20180323
version: 10.42.26598
detected: True

SentinelOne
update: 20180225
version: 1.0.15.206
detected: False

Avast-Mobile
update: 20180323
version: 180323-04
detected: False

Malwarebytes
result: Trojan.Banload
update: 20180323
version: 2.1.1.1115
detected: True

TotalDefense
update: 20180323
version: 37.1.62.1
detected: False

CAT-QuickHeal
update: 20180323
version: 14.00
detected: False

NANO-Antivirus
result: Trojan.Win32.Banker.dywxsb
update: 20180323
version: 1.0.100.22043
detected: True

MicroWorld-eScan
result: Gen:Variant.Zusy.175439
update: 20180323
version: 14.0.297.0
detected: True

SUPERAntiSpyware
update: 20180323
version: 5.6.0.1032
detected: False

McAfee-GW-Edition
result: BehavesLike.Win32.Gnamer.hh
update: 20180323
version: v2015
detected: True

TrendMicro-HouseCall
result: TROJ_GEN.R002C0WCM18
update: 20180323
version: 9.950.0.1006
detected: True

total: 66
sha256: c23463d0aee8868ab384a3d9502e0b855c8c69310e14ac8c16bd69f13652d4ab
scan_id: c23463d0aee8868ab384a3d9502e0b855c8c69310e14ac8c16bd69f13652d4ab-1521846951
resource: e56158dba449de923657fe7d661dde38
positives: 46
scan_date: 2018-03-23 23:15:51
verbose_msg: Scan finished, information embedded
response_code: 1
File
Trace

Process
Trace

Analysis
Reason: Blue Screen
Status: Execution Failed
Results: 0

Registry
Trace

File Summary
Created
Identified: False

Deleted
Identified: False

Process Summary
Created
Identified: False

Deleted
Identified: False

Registry Summary
Proxy
Identified: False

AutoRun
Identified: False

Created
Identified: False

Deleted
Identified: False

Browsers
Identified: False

Internet
Identified: False


DNS
Query

Response

TCP
Info

UDP
Info

HTTP
Info

Summary
DNS: False
TCP: False
UDP: False
HTTP: False

Results
BINARY
KNN (K=3, NFS-BRMalware)
confidence: 100.00%
suspicious: True

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True

SVC (Kernel=Linear, NFS-BRMalware)
confidence: 75.41%
suspicious: False

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 56.70%
suspicious: True

Random Forest (100 estimators, NFS-BRMalware)
confidence: 65.00%
suspicious: True

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 53.86%
suspicious: True

LightGDM (Ember: File Characteristics, Threshold=0.8336)
confidence: 84.31%
suspicious: False
