Report #8235

  • Creation Date: March 2, 2020, 4:13 p.m.
  • Last Update: March 2, 2020, 5:05 p.m.
  • File: BOL_N564838920_PDF.exe
  • Results:
Binary
  • DLL: False
  • Size: 164.00KB
  • trid: 49.0% DirectShow filter, 28.3% Windows ActiveX control, 17.8% Generic CIL Executable, 1.6% Win32 Dynamic Link Library, 1.0% Win32 Executable
  • type: PE
  • wordsize: 32
  • Subsystem: Windows CLI

Hashes
  • md5: 05ca966c627cfd69493cb7c8bf2e95ff
  • sha1: 4c88c697431a34172b2c0b6995330ea3481db6e3
  • crc32: 0xe93c39cc
  • sha224: 4c133ef542fcc72b2e24d274f9255e6146cf97da35edc5211db4037c
  • sha256: 55bc4ecfa17bc29ee3f9469afc94b27878f3e9695889a609318b7960b8380ce7
  • sha384: 6b5ccdab6029d7a9af235d8732bc31c5075359c739ac991db2614b3e59e99f00e26c196df0b06295dcc517107280159a
  • sha512: 43eb1987b0c789a00f4a7bec51f2602a3440bd4d9e7d0d5030470d80b7ccde6dc02fb49cc1d448f88ff13dd228b76981508b8ca6809de9747a78eaadc27849ef
  • ssdeep: 3072:rzNcOKzGL34jTLUlLD0NzpDudk61bugpu/z3HP/Ummx1qoua2HtJbMF:v2Q4CLD0Nzg1bnO3gStaeIF

Community
  • Google: False
  • HashLib: False

YARA
  • Matches: domain, HasDebugData, Microsoft_Visual_C_v70_Basic_NET, Microsoft_Visual_Studio_NET_additional, Microsoft_Visual_Studio_NET, NET_executable_, IsPE32, Microsoft_Visual_C_v70_Basic_NET_additional, NET_executable, network_tcp_socket, screenshot, IP, contentis_base64, keylogger, NETexecutableMicrosoft, url, IsNET_EXE, Microsoft_Visual_C_Basic_NET, win_registry, IsConsole, Browsers, System_Tools
  • Suspicious: True

Strings

Foremost
  • Matches: 0.exe, 164 KB
  • Suspicious: True

Heuristics

IPs
  • hasIPs: True
  • Allowed: 255.255.255.255 (1 record)
  • hasAllowed: True
  • hasSuspicious: False

URLs
  • hasURLs: True
  • Allowed: http://www.microsoft.com/pki/certs/cspca.crt0, http://microsoft.com0, http://crl.microsoft.com/pki/crl/products/cspca.crl0h, http://crl.microsoft.com/pki/crl/products/tspca.crl0h, http://www.microsoft.com/pki/certs/tspca.crt0, http://www.w3.org/2001/xmlschema-instance
  • hasAllowed: True
  • hasSuspicious: False

Files
  • hasFiles: True
  • Allowed: \a.dll, ADVAPI32.dll, ole32.dll, VERSION.DLL, GDI32.dll, USER32.dll, OLEAUT32.dll, kernel32.dll, mscoree.dll, WSOCK32.dll
  • Suspicious: \mswinsck.ocx, MSWINSCK.OCX, \Internet Explorer\mswinsck.ocx, hhctrl.ocx
  • hasAllowed: True
  • hasSuspicious: True

Binary

Sizes
  • RVA: 16 (Suspicious: False)
  • Code size: 15360 (Suspicious: False)
  • Image address: 4194304 (Suspicious: False)
  • Stack: 4096 (Suspicious: False)
  • Headers: 1024 (Suspicious: False)
  • Suspicious: False

Symbols
  • Number: 0 (Suspicious: True)
  • Pointer: 0 (Suspicious: True)
  • Directories: 16 (Suspicious: False)

Checksum
  • Value: 0 (Suspicious: True)

Sections
  • Allowed: .text, .sdata, .rsrc, .reloc
  • hasSections: True
  • hasAllowed: True
  • hasSuspicious: False

Versions
  • OS: 4 (Suspicious: False)
  • Image: 4 (Suspicious: True)
  • Linker: 11.0 (Suspicious: False)
  • Subsystem: 4.0 (Suspicious: False)
  • Suspicious: False

EntryPoint
  • Address: 159326 (Suspicious: False)

Anomalies
  • Anomalies: The header checksum and the calculated checksum do not match.
  • hasAnomalies: True

Libraries
  • hasLibs: True
  • Allowed: advapi32.dll, ole32.dll, version.dll, gdi32.dll, user32.dll, oleaut32.dll, kernel32.dll, mscoree.dll, wsock32.dll
  • Suspicious: \a.dll
  • hasAllowed: True
  • hasSuspicious: True

Timestamp
  • Value: 2015-05-31 18:37:25
  • Valid: True
  • Past: False
  • Future: False

Compilation
  • Packed: False
  • Missing: False
  • Packers: (none listed)
  • Compiled: True
  • Compilers: Microsoft Visual C# / Basic .NET, Microsoft Visual Studio .NET, .NET executable, Microsoft Visual C# v7.0 / Basic .NET

Obfuscation
  • XOR: True
  • Fuzzing: True

PEDetector
  • Matches: 1322
  • Suspicious: True

Disassembly
  • hasTricks: True
  • Tricks: pushret (.text: 5), pushpopmath (.text: 18), ss register (.text: 1), garbagebytes (.text: 2), software breakpoint (.text: 2), programcontrolflowchange (.text: 2), cpuinstructionsresultscomparison (.text: 12)

AVclass
  • banload: 1
VirusTotal
  • md5: 05ca966c627cfd69493cb7c8bf2e95ff
  • sha1: 4c88c697431a34172b2c0b6995330ea3481db6e3

SCANS (DETECTION RATE = 68.66%)
  • AVG: detected (MSIL:Banker-AU [Trj]); version 18.2.3827.0; update 20180325
  • CMC: not detected; version 1.1.0.977; update 20180324
  • MAX: detected (malware (ai score=100)); version 2017.11.15.1; update 20180325
  • Bkav: not detected; version 1.3.0.9466; update 20180325
  • K7GW: detected (Trojan ( 004ba4c11 )); version 10.42.26601; update 20180325
  • ALYac: detected (Gen:Variant.Zusy.144509); version 1.1.1.5; update 20180325
  • Avast: detected (MSIL:Banker-AU [Trj]); version 18.2.3827.0; update 20180325
  • Avira: detected (TR/Dropper.MSIL.Gen); version 8.3.3.6; update 20180324
  • Baidu: detected (Win32.Trojan.WisdomEyes.16070401.9500.9977); version 1.0.0.2; update 20180323
  • Cyren: detected (W32/Trojan.FERR-1887); version 5.4.30.7; update 20180325
  • DrWeb: detected (Trojan.DownLoader13.29729); version 7.0.28.2020; update 20180325
  • GData: detected (Gen:Variant.Zusy.144509); version A:25.16495B:25.11872; update 20180325
  • Panda: detected (Trj/Chgt.O); version 4.6.4.2; update 20180324
  • VBA32: detected (Trojan.Downloader); version 3.12.28.0; update 20180323
  • VIPRE: detected (Trojan.Win32.Generic!BT); version 65508; update 20180325
  • Zoner: not detected; version 1.0; update 20180325
  • AVware: detected (Trojan.Win32.Generic!BT); version 1.5.0.42; update 20180325
  • ClamAV: not detected; version 0.99.2.0; update 20180325
  • Comodo: not detected; update 20180325
  • F-Prot: not detected; version 4.7.1.166; update 20180325
  • Ikarus: detected (Trojan-Downloader.MSIL.Banload); version 0.1.5.2; update 20180324
  • McAfee: detected (Artemis!05CA966C627C); version 6.0.6.653; update 20180325
  • Rising: detected (Downloader.Banload!8.15B (TFE:C:RxYs8ULxyoF)); version 25.0.0.1; update 20180325
  • Sophos: not detected; version 4.98.0; update 20180325
  • Yandex: detected (Trojan.DL.Banload!yk9mFeSpSBM); version 5.5.1.3; update 20180324
  • Zillya: detected (Downloader.Banload.Win32.62963); version 2.0.0.3519; update 20180323
  • Arcabit: detected (Trojan.Zusy.D2347D); version 1.0.0.831; update 20180325
  • Cylance: detected (Unsafe); version 2.3.1.101; update 20180325
  • Endgame: detected (malicious (high confidence)); version 2.0.5; update 20180316
  • Tencent: detected (Msil.Trojan.Dropper.Glu); version 1.0.0.1; update 20180325
  • ViRobot: not detected; version 2014.3.20.0; update 20180324
  • eGambit: not detected; version v4.3.5; update 20180325
  • Ad-Aware: detected (Gen:Variant.Zusy.144509); version 3.0.3.1010; update 20180325
  • AegisLab: detected (Variant.Zusy.Gen!c); version 4.2; update 20180325
  • Emsisoft: detected (Gen:Variant.Zusy.144509 (B)); version 4.0.2.899; update 20180325
  • F-Secure: detected (Gen:Variant.Zusy.144509); version 11.0.19100.45; update 20180325
  • Fortinet: detected (MSIL/Banload.BE!tr.dldr); version 5.4.247.0; update 20180325
  • Invincea: not detected; version 6.3.4.26036; update 20180121
  • Jiangmin: not detected; version 16.0.100; update 20180325
  • Kingsoft: not detected; version 2013.8.14.323; update 20180325
  • Paloalto: detected (generic.ml); version 1.0; update 20180325
  • Symantec: detected (Downloader); version 1.5.0.0; update 20180324
  • nProtect: not detected; version 2018-03-25.01; update 20180325
  • AhnLab-V3: not detected; version 3.12.0.20130; update 20180324
  • Antiy-AVL: detected (Trojan/Win32.TSGeneric); version 3.0.0.1; update 20180325
  • Kaspersky: detected (UDS:DangerousObject.Multi.Generic); version 15.0.1.13; update 20180325
  • Microsoft: detected (TrojanDownloader:MSIL/BrobanDel.A); version 1.1.14600.4; update 20180325
  • Qihoo-360: detected (HEUR/QVM03.0.Malware.Gen); version 1.0.0.1120; update 20180325
  • TheHacker: not detected; version 6.8.0.5.2551; update 20180319
  • ZoneAlarm: detected (UDS:DangerousObject.Multi.Generic); version 1.0; update 20180325
  • Cybereason: detected (malicious.c627cf); version 1.2.27; update 20180225
  • ESET-NOD32: detected (a variant of MSIL/TrojanDownloader.Banload.BE); version 17111; update 20180325
  • TrendMicro: detected (TROJ_BANLOAD.YWNIR); version 9.862.0.1074; update 20180325
  • WhiteArmor: not detected; update 20180324
  • BitDefender: detected (Gen:Variant.Zusy.144509); version 7.2; update 20180325
  • CrowdStrike: detected (malicious_confidence_100% (W)); version 1.0; update 20170201
  • K7AntiVirus: detected (Trojan ( 004ba4c11 )); version 10.42.26601; update 20180325
  • SentinelOne: not detected; version 1.0.15.206; update 20180225
  • Avast-Mobile: not detected; version 180324-00; update 20180324
  • Malwarebytes: not detected; version 2.1.1.1115; update 20180325
  • TotalDefense: not detected; version 37.1.62.1; update 20180325
  • CAT-QuickHeal: detected (TrojanDownloader.Banload); version 14.00; update 20180324
  • NANO-Antivirus: detected (Trojan.Win32.Dwn.dtknyx); version 1.0.100.22043; update 20180325
  • MicroWorld-eScan: detected (Gen:Variant.Zusy.144509); version 14.0.297.0; update 20180325
  • SUPERAntiSpyware: not detected; version 5.6.0.1032; update 20180325
  • McAfee-GW-Edition: detected (Artemis!Trojan); version v2015; update 20180324
  • TrendMicro-HouseCall: detected (TROJ_BANLOAD.YWNIR); version 9.950.0.1006; update 20180325

  • total: 67
  • positives: 46
  • sha256: 55bc4ecfa17bc29ee3f9469afc94b27878f3e9695889a609318b7960b8380ce7
  • scan_id: 55bc4ecfa17bc29ee3f9469afc94b27878f3e9695889a609318b7960b8380ce7-1521958583
  • resource: 05ca966c627cfd69493cb7c8bf2e95ff
  • scan_date: 2018-03-25 06:16:23
  • verbose_msg: Scan finished, information embedded
  • response_code: 1
Results

BINARY
  • KNN (K=3, NFS-BRMalware): confidence 100.00%; suspicious: False
  • Decision Tree (NFS-BRMalware): confidence 100.00%; suspicious: False
  • SVC (Kernel=Linear, NFS-BRMalware): confidence 62.59%; suspicious: False
  • MalConv (Ember: Raw Bytes, Threshold=0.5): confidence 97.44%; suspicious: True
  • Random Forest (100 estimators, NFS-BRMalware): confidence 52.00%; suspicious: False
  • Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35): confidence 76.46%; suspicious: False
  • LightGBM (Ember: File Characteristics, Threshold=0.8336): confidence 98.35%; suspicious: False