Report #9849

  • Creation Date: May 26, 2020, 5:02 p.m.
  • Last Update: May 26, 2020, 5:03 p.m.
  • File: rufus-3.9.exe
  • Results:
Binary
DLL: False
Size: 1.14MB
trid: 61.2% UPX compressed Win32 Executable, 14.8% Win32 Dynamic Link Library, 10.2% Win32 Executable, 4.5% OS/2 Executable, 4.5% Generic Win/DOS Executable
type: PE
wordsize: 32
Subsystem: Windows GUI
Hashes
md5: d8b30d4c4dbc07b11573481b58adcd4b
sha1: 38d643ded3b34851884c0c55fbf7ea2bf5c52f9f
crc32: 0x7899918
sha224: 8c5ceb393c53920e0f117d72abae4914fd3de1fd1e7ac64dd6c8ca53
sha256: d761d571bb4dcf5164484f3b573fe1c420444c77176f14d52ae5909d02360c75
sha384: 7039d224d24724e801034dbd203020cbeb8adb6b70faf39cdc8444b5c158aaab92b77c9bd0f7cdd78766f6c2a4420f5d
sha512: 57de5115b8989e8589ce355cc6ffdc74c51ec3d12f68f6cfd53472146c36684b89b9853dce0f2fc8cf82b040ffa76e838f1608b1fd18beac645037cb219b2f07
ssdeep: 24576:ed0dkhseUYQ6WEtCSSIHNZOLCvMCYmqTb77/gtt4q9aM:edgkuenQ6W1HWNZ7vMSqTb7Li
Community
Google: False
HashLib: False
YARA
Matches: UPX_v30_EXE_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser_additional, UPX_wwwupxsourceforgenet, screenshot, UPX_wwwupxsourceforgenet_additional, url, IP, contentis_base64, domain, yodas_Protector_v1033_dllocx_Ashkbiz_Danehkar_h, IsPacked, HasOverlay, UPX_v30_EXE_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser, UPX_302, UPX, IsPE32, IsWindowsGUI
Suspicious: True

Strings
List

Foremost
Matches: 0.exe, 1 MB
Suspicious: True
Heuristics
IPs
hasIPs: False
Allowed
Suspicious
hasAllowed: False
hasSuspicious: False

URLs
Allowed: http://schemas.microsoft.com/smi/2005/windowssettings
hasURLs: True
Suspicious: http://s.symcb.com/universal-root.crl0, https://d.symcb.com/cps0%, http://ocsp.comodoca.com0, https://secure.comodo.net/cps0c, https://rufus.ie, http://s.symcd.com06, http://crl.comodoca.com/comodorsacertificationauthority.crl0q, http://crl.comodoca.com/comodorsacodesigningca.crl0t, https://www.gnu.org/licenses/gpl-3.0.html, http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(, http://crt.comodoca.com/comodorsaaddtrustca.crt0$, http://ts-ocsp.ws.symantec.com0;, https://d.symcb.com/rpa0@, https://d.symcb.com/rpa0., http://crt.comodoca.com/comodorsacodesigningca.crt0$, http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
hasAllowed: True
hasSuspicious: True

Files
Allowed: ADVAPI32.dll, COMCTL32.DLL, ole32.dll, GDI32.dll, USER32.dll, SHLWAPI.dll, SETUPAPI.dll, WINTRUST.dll, COMDLG32.DLL, KERNEL32.DLL, SHELL32.dll, CRYPT32.dll, msvcrt.dll
hasFiles: True
Suspicious: 5SE.sO
hasAllowed: True
hasSuspicious: True

Binary
Sizes
RVA: 16 (Suspicious: False)
Code Size: 45056 (Suspicious: False)
Image Address: 4194304 (Suspicious: False)
Stack: 4096 (Suspicious: False)
Headers: 4096 (Suspicious: False)
Suspicious: False

Symbols
Number: 0 (Suspicious: True)
Pointer: 0 (Suspicious: True)
Directories Number: 16 (Suspicious: False)

Checksum
Value: 1244648
Suspicious: False

Sections
Allowed: .rsrc
Suspicious: upx0, upx1
hasAllowed: True
hasSections: True
hasSuspicious: True

Versions
OS Version: 4 (Suspicious: False)
Image Version: False (Suspicious: 4)
Linker Version: 2.34 (Suspicious: False)
Subsystem Version: 4.0 (Suspicious: False)
Suspicious: False

EntryPoint
Address: 3270128
Suspicious: False

Anomalies
hasAnomalies: False

Libraries
Allowed: advapi32.dll, comctl32.dll, ole32.dll, gdi32.dll, user32.dll, shlwapi.dll, setupapi.dll, wintrust.dll, comdlg32.dll, kernel32.dll, shell32.dll, crypt32.dll, msvcrt.dll
hasLibs: True
Suspicious
hasAllowed: True
hasSuspicious: False

Timestamp
Past: True
Valid: True
Value: 1969-12-31 21:00:00
Future: False

Compilation
Packed: True
Missing: False
Packers: UPX v3.0 (EXE_LZMA) -> Markus Oberhumer & Laszlo Molnar & John Reiser, UPX -> www.upx.sourceforge.net
Compiled: False
Compilers

Obfuscation
XOR: False
Fuzzing: False

PEDetector
Matches: None
Suspicious: False
Disassembly
hasTricks: True
Tricks
pushret
none: 1271
.rsrc: 1

pushpopmath
none: 653
.rsrc: 5

ss register
none: 14

garbagebytes
none: 476

hookdetection
none: 42

software breakpoint
none: 31
.rsrc: 1

fakeconditionaljumps
none: 38

programcontrolflowchange
none: 442

cpuinstructionsresultscomparison
none: 8
.rsrc: 4

AVclass
None
1
VirusTotal
md5: d8b30d4c4dbc07b11573481b58adcd4b
sha1: 38d643ded3b34851884c0c55fbf7ea2bf5c52f9f
SCANS (DETECTION RATE = 1.41%)
AVG: update 20200524, version 18.4.3895.0, detected: False
CMC: update 20190321, version 1.1.0.977, detected: False
MAX: update 20200524, version 2019.9.16.1, detected: False
APEX: update 20200522, version 6.24, detected: False
Bkav: update 20200523, version 1.3.0.9899, detected: False
K7GW: update 20200524, version 11.111.34187, detected: False
ALYac: update 20200524, version 1.1.1.5, detected: False
Avast: update 20200524, version 18.4.3895.0, detected: False
Avira: update 20200524, version 8.3.3.8, detected: False
Baidu: update 20190318, version 1.0.0.2, detected: False
Cyren: update 20200524, version 6.3.0.2, detected: False
DrWeb: update 20200524, version 7.0.46.3050, detected: False
GData: update 20200524, version A:25.25731B:26.18848, detected: False
Panda: update 20200524, version 4.6.4.2, detected: False
VBA32: update 20200522, version 4.4.1, detected: False
VIPRE: update 20200524, version 83964, detected: False
Zoner: update 20200523, version 0.0.0.0, detected: False
ClamAV: update 20200524, version 0.102.3.0, detected: False
Comodo: update 20200524, version 32472, detected: False
F-Prot: update 20200524, version 4.7.1.166, detected: False
Ikarus: update 20200524, version 0.1.5.2, detected: False
McAfee: update 20200524, version 6.0.6.653, detected: False
Rising: update 20200524, version 25.0.0.25, detected: False
Sophos: update 20200524, version 4.98.0, detected: False
Yandex: update 20200523, version 5.5.2.24, detected: False
Zillya: update 20200523, version 2.0.0.4096, detected: False
Acronis: update 20200515, version 1.1.1.76, detected: False
Alibaba: update 20190527, version 0.3.0.5, detected: False
Arcabit: update 20200524, version 1.0.0.875, detected: False
Cylance: update 20200524, version 2.3.1.101, detected: False
Endgame: update 20200512, version 4.0.2, detected: False
FireEye: update 20200524, version 32.31.0.0, detected: False
Sangfor: update 20200423, version 1.0, detected: False
TACHYON: update 20200524, version 2020-05-24.02, detected: False
Tencent: update 20200524, version 1.0.0.1, detected: False
ViRobot: update 20200524, version 2014.3.20.0, detected: False
Webroot: update 20200524, version 1.0.0.403, detected: False
eGambit: update 20200524, detected: False
Ad-Aware: update 20200524, version 3.0.5.370, detected: False
AegisLab: update 20200524, version 4.2, detected: False
Emsisoft: update 20200524, version 2018.12.0.1641, detected: False
F-Secure: update 20200524, version 12.0.86.52, detected: False
Fortinet: update 20200524, version 6.2.142.0, detected: False
Invincea: update 20200502, version 6.3.6.26157, detected: False
Jiangmin: update 20200524, version 16.0.100, detected: False
Kingsoft: update 20200524, version 2013.8.14.323, detected: False
Paloalto: update 20200524, version 1.0, detected: False
Symantec: update 20200524, version 1.11.0.0, detected: False
Trapmine: update 20200505, version 3.2.25.947, detected: False
AhnLab-V3: update 20200524, version 3.17.6.27456, detected: False
Antiy-AVL: result GrayWare[AdWare]/Win32.ExtGPi, update 20200524, version 3.0.0.1, detected: True
Kaspersky: update 20200524, version 15.0.1.13, detected: False
MaxSecure: update 20200524, version 1.0.0.1, detected: False
Microsoft: update 20200524, version 1.1.17000.7, detected: False
Qihoo-360: update 20200524, version 1.0.0.1120, detected: False
ZoneAlarm: update 20200524, version 1.0, detected: False
ESET-NOD32: update 20200524, version 21380, detected: False
TrendMicro: update 20200524, version 11.0.0.1006, detected: False
BitDefender: update 20200524, version 7.2, detected: False
CrowdStrike: update 20190702, version 1.0, detected: False
K7AntiVirus: update 20200524, version 11.111.34187, detected: False
SentinelOne: update 20200513, version 4.3.0.0, detected: False
Avast-Mobile: update 20200522, version 200522-00, detected: False
Malwarebytes: update 20200524, version 3.6.4.335, detected: False
CAT-QuickHeal: update 20200524, version 14.00, detected: False
NANO-Antivirus: update 20200524, version 1.0.134.25112, detected: False
BitDefenderTheta: update 20200521, version 7.2.37796.0, detected: False
MicroWorld-eScan: update 20200524, version 14.0.409.0, detected: False
SUPERAntiSpyware: update 20200522, version 5.6.0.1032, detected: False
McAfee-GW-Edition: update 20200524, version v2017.3010, detected: False
TrendMicro-HouseCall: update 20200524, version 10.0.0.1040, detected: False

total: 71
sha256: d761d571bb4dcf5164484f3b573fe1c420444c77176f14d52ae5909d02360c75
scan_id: d761d571bb4dcf5164484f3b573fe1c420444c77176f14d52ae5909d02360c75-1590344532
resource: d8b30d4c4dbc07b11573481b58adcd4b
positives: 1
scan_date: 2020-05-24 18:22:12
verbose_msg: Scan finished, information embedded
response_code: 1
Results
BINARY
KNN (K=3, NFS-BRMalware): confidence 100.00%, suspicious: False
Decision Tree (NFS-BRMalware): confidence 100.00%, suspicious: True
SVC (Kernel=Linear, NFS-BRMalware): confidence 93.42%, suspicious: True
MalConv (Ember: Raw Bytes, Threshold=0.5): confidence 64.08%, suspicious: False
Random Forest (100 estimators, NFS-BRMalware): confidence 51.00%, suspicious: False
Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35): confidence 52.57%, suspicious: True
LightGBM (Ember: File Characteristics, Threshold=0.8336): confidence 99.98%, suspicious: False