Report #690



Binary

DLL: False
Size: 1.99MB
type: PE
wordsize: 32
Subsystem: Windows CLI
trid: 22.3% InstallShield setup; 21.5% Win32 EXE PECompact compressed; 14.3% Win64 Executable; 14.0% UPX compressed Win32 Executable; 13.7% Win32 EXE Yoda's Crypter

Hashes

md5 f6701e2f1054fa298bbdebca6822ca7c
sha1 b6e29a701c2896a019446ac9df09b6b096c264c6
crc32 0x3e88abe9
sha224 e4d229b7887b9d64f6d5066ce201f2479dc1160632259b924cd1ddbc
sha256 d1f275a39d0d60f83bb77c46022034b63bea8582a005b8a1c36f223da0b0818f
sha384 2d000a010ab56405d71470d210daf5c06865c0cd6a42f11f19a660078e93ed6ef93b6defa434ae95ba4856e5ad157882
sha512 217f46c4fbe5acac165adefaf23b11f3b2896b8838383057ff528a5d85edca0d75d05f703609dd1c21b9188406a3bfcb7f4e8c99099a375efdaed25e87068498
ssdeep 49152:qgxr/nIiYd/oWPoY20R0hBqEbU2UpPhOZy+hz7FxlU09VOTKqujAQ58nuwrSKzHm:95jKiOj+7

Creation Date: Oct. 19, 2019, 2:21 a.m.
Last Update: Oct. 19, 2019, 5:35 a.m.
File: 038

Results:

Community

Google: True
HashLib: False

YARA

Matches: IP, UPX20030XMarkusOberhumerLaszloMolnarJohnReiser, win_private_profile, Dropper_Strings, HasDebugData, Antivirus, network_dropper, ldpreload, BASE64_table, escalate_priv, HasRichSignature, possible_includes_base64_packed_functions, Borland, VC8_Microsoft_Corporation, DebuggerException__SetConsoleCtrl, network_dns, spreading_share, IsConsole, create_service, antisb_threatExpert, UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser, cred_local, network_http, win_files_operation, IsPE32, win_hook, disable_dep, contentis_base64, network_tcp_socket, SEH__vectored, screenshot, win_token, win_mutex, keylogger, DebuggerCheck__GlobalFlags, Misc_Suspicious_Strings, xtreme_rat, UPX, migrate_apc, UPXv20MarkusLaszloReiser, Check_Dlls, DebuggerHiding__Thread, network_udp_sock, System_Tools, anti_dbg, network_tcp_listen, DebuggerCheck__QueryInfo, url, android_meterpreter, Microsoft_Visual_Cpp_8, win_registry, Typical_Malware_String_Transforms, HasOverlay, network_dga, Advapi_Hash_API, Big_Numbers5, Crypt32_CryptBinaryToString_API, create_com_service, powershell, Big_Numbers0

Suspicious: True

Strings

List

<rdf:Description rdf:about="uuid:b58a55db-7817-11dc-b3b7-80a45141ec24" xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
<rdf:Description rdf:about="uuid:cf09c8e3-7814-11dc-b3b7-80a45141ec24" xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
<rdf:Description rdf:about="uuid:880b6202-923d-11dc-bf0f-889ae1191ecf" xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
<rdf:Description rdf:about="uuid:6f03c386-7819-11dc-b3b7-80a45141ec24" xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
<rdf:Description rdf:about="uuid:b1be9614-923d-11dc-bf0f-889ae1191ecf" xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
<rdf:Description rdf:about="uuid:9ec20a53-923d-11dc-bf0f-889ae1191ecf" xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
<rdf:Description rdf:about="uuid:0bbddd83-7818-11dc-b3b7-80a45141ec24" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xapMM="http://ns.adobe.com/xap/1.0/mm/">
<rdf:Description rdf:about="uuid:0bbddd7d-7818-11dc-b3b7-80a45141ec24" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xapMM="http://ns.adobe.com/xap/1.0/mm/">
<rdf:Description rdf:about="uuid:df90b7af-923d-11dc-bf0f-889ae1191ecf" xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
<rdf:Description rdf:about="uuid:0bbddd83-7818-11dc-b3b7-80a45141ec24" xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
<rdf:Description rdf:about="uuid:0bbddd7d-7818-11dc-b3b7-80a45141ec24" xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
<rdf:Description rdf:about="uuid:6f03c386-7819-11dc-b3b7-80a45141ec24" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xapMM="http://ns.adobe.com/xap/1.0/mm/">
<rdf:Description rdf:about="uuid:b58a55db-7817-11dc-b3b7-80a45141ec24" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xapMM="http://ns.adobe.com/xap/1.0/mm/">
<rdf:Description rdf:about="uuid:6f03c386-7819-11dc-b3b7-80a45141ec24" xmlns:xap="http://ns.adobe.com/xap/1.0/">
<rdf:Description rdf:about="uuid:70e4755a-7818-11dc-b3b7-80a45141ec24" xmlns:xap="http://ns.adobe.com/xap/1.0/">
<rdf:Description rdf:about="uuid:cf09c8e3-7814-11dc-b3b7-80a45141ec24" xmlns:xap="http://ns.adobe.com/xap/1.0/">
<rdf:Description rdf:about="uuid:b58a55db-7817-11dc-b3b7-80a45141ec24" xmlns:xap="http://ns.adobe.com/xap/1.0/">
<rdf:Description rdf:about="uuid:70e47554-7818-11dc-b3b7-80a45141ec24" xmlns:xap="http://ns.adobe.com/xap/1.0/">
<rdf:Description rdf:about="uuid:70e47554-7818-11dc-b3b7-80a45141ec24" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xapMM="http://ns.adobe.com/xap/1.0/mm/">
<rdf:Description rdf:about="uuid:70e4755a-7818-11dc-b3b7-80a45141ec24" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xapMM="http://ns.adobe.com/xap/1.0/mm/">
<rdf:Description rdf:about="uuid:1acf7d56-923e-11dc-bf0f-889ae1191ecf" xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
<rdf:Description rdf:about="uuid:70e47554-7818-11dc-b3b7-80a45141ec24" xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
<rdf:Description rdf:about="uuid:70e4755a-7818-11dc-b3b7-80a45141ec24" xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
</dc:rights></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:tiff="http://ns.adobe.com/tiff/1.0/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:exif="http://ns.adobe.com/exif/1.0/"/></rdf:RDF></x:xmpmeta>
</dc:rights></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:tiff="http://ns.adobe.com/tiff/1.0/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:exif="http://ns.adobe.com/exif/1.0/"/></rdf:RDF></x:xmpmeta>
<rdf:Description rdf:about="uuid:df90b7af-923d-11dc-bf0f-889ae1191ecf" xmlns:xapMM="http://ns.adobe.com/xap/1.0/mm/">
<rdf:Description rdf:about="uuid:880b6202-923d-11dc-bf0f-889ae1191ecf" xmlns:xapMM="http://ns.adobe.com/xap/1.0/mm/">
<rdf:Description rdf:about="uuid:c8e53c53-923d-11dc-bf0f-889ae1191ecf" xmlns:xapMM="http://ns.adobe.com/xap/1.0/mm/">
<rdf:Description rdf:about="uuid:1acf7d56-923e-11dc-bf0f-889ae1191ecf" xmlns:xapMM="http://ns.adobe.com/xap/1.0/mm/">
<rdf:Description rdf:about="uuid:b1be9614-923d-11dc-bf0f-889ae1191ecf" xmlns:xapMM="http://ns.adobe.com/xap/1.0/mm/">
<rdf:Description rdf:about="uuid:b1be9614-923d-11dc-bf0f-889ae1191ecf" xmlns:xap="http://ns.adobe.com/xap/1.0/">
<rdf:Description rdf:about="uuid:c8e53c53-923d-11dc-bf0f-889ae1191ecf" xmlns:xap="http://ns.adobe.com/xap/1.0/">
<rdf:Description rdf:about="uuid:9ec20a53-923d-11dc-bf0f-889ae1191ecf" xmlns:xapMM="http://ns.adobe.com/xap/1.0/mm/">
<rdf:Description rdf:about="uuid:9ec20a53-923d-11dc-bf0f-889ae1191ecf" xmlns:xap="http://ns.adobe.com/xap/1.0/">
<rdf:Description rdf:about="uuid:df90b7af-923d-11dc-bf0f-889ae1191ecf" xmlns:xap="http://ns.adobe.com/xap/1.0/">
<rdf:Description rdf:about="uuid:cf09c8e3-7814-11dc-b3b7-80a45141ec24" xmlns:xapMM="http://ns.adobe.com/xap/1.0/mm/">
<rdf:Description rdf:about="uuid:1acf7d56-923e-11dc-bf0f-889ae1191ecf" xmlns:xap="http://ns.adobe.com/xap/1.0/">
<rdf:Description rdf:about="uuid:880b6202-923d-11dc-bf0f-889ae1191ecf" xmlns:xap="http://ns.adobe.com/xap/1.0/">
<rdf:Description rdf:about="uuid:b1be9614-923d-11dc-bf0f-889ae1191ecf" xmlns:tiff="http://ns.adobe.com/tiff/1.0/">
<rdf:Description rdf:about="uuid:9ec20a53-923d-11dc-bf0f-889ae1191ecf" xmlns:tiff="http://ns.adobe.com/tiff/1.0/">
<rdf:Description rdf:about="uuid:df90b7af-923d-11dc-bf0f-889ae1191ecf" xmlns:tiff="http://ns.adobe.com/tiff/1.0/">
<rdf:Description rdf:about="uuid:c8e53c53-923d-11dc-bf0f-889ae1191ecf" xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
<rdf:Description rdf:about="uuid:1acf7d56-923e-11dc-bf0f-889ae1191ecf" xmlns:tiff="http://ns.adobe.com/tiff/1.0/">
<rdf:Description rdf:about="uuid:70e47554-7818-11dc-b3b7-80a45141ec24" xmlns:tiff="http://ns.adobe.com/tiff/1.0/">
<rdf:Description rdf:about="uuid:70e4755a-7818-11dc-b3b7-80a45141ec24" xmlns:tiff="http://ns.adobe.com/tiff/1.0/">
<rdf:Description rdf:about="uuid:cf09c8e3-7814-11dc-b3b7-80a45141ec24" xmlns:tiff="http://ns.adobe.com/tiff/1.0/">
<rdf:Description rdf:about="uuid:b58a55db-7817-11dc-b3b7-80a45141ec24" xmlns:tiff="http://ns.adobe.com/tiff/1.0/">
<rdf:Description rdf:about="uuid:6f03c386-7819-11dc-b3b7-80a45141ec24" xmlns:tiff="http://ns.adobe.com/tiff/1.0/">
<rdf:Description rdf:about="uuid:c8e53c53-923d-11dc-bf0f-889ae1191ecf" xmlns:exif="http://ns.adobe.com/exif/1.0/">
<rdf:Description rdf:about="uuid:880b6202-923d-11dc-bf0f-889ae1191ecf" xmlns:tiff="http://ns.adobe.com/tiff/1.0/">
<rdf:Description rdf:about="uuid:0bbddd7d-7818-11dc-b3b7-80a45141ec24" xmlns:xap="http://ns.adobe.com/xap/1.0/">
<rdf:Description rdf:about="uuid:0bbddd83-7818-11dc-b3b7-80a45141ec24" xmlns:xap="http://ns.adobe.com/xap/1.0/">
<rdf:Description rdf:about="uuid:0bbddd83-7818-11dc-b3b7-80a45141ec24" xmlns:tiff="http://ns.adobe.com/tiff/1.0/">
<rdf:Description rdf:about="uuid:0bbddd7d-7818-11dc-b3b7-80a45141ec24" xmlns:tiff="http://ns.adobe.com/tiff/1.0/">
<rdf:Description rdf:about="uuid:c8e53c53-923d-11dc-bf0f-889ae1191ecf" xmlns:tiff="http://ns.adobe.com/tiff/1.0/">
<rdf:Description rdf:about="uuid:1acf7d56-923e-11dc-bf0f-889ae1191ecf" xmlns:exif="http://ns.adobe.com/exif/1.0/">
<rdf:Description rdf:about="uuid:df90b7af-923d-11dc-bf0f-889ae1191ecf" xmlns:exif="http://ns.adobe.com/exif/1.0/">
<rdf:Description rdf:about="uuid:880b6202-923d-11dc-bf0f-889ae1191ecf" xmlns:exif="http://ns.adobe.com/exif/1.0/">
<rdf:Description rdf:about="uuid:b1be9614-923d-11dc-bf0f-889ae1191ecf" xmlns:exif="http://ns.adobe.com/exif/1.0/">
<rdf:Description rdf:about="uuid:9ec20a53-923d-11dc-bf0f-889ae1191ecf" xmlns:exif="http://ns.adobe.com/exif/1.0/">
<rdf:Description rdf:about="uuid:6f03c386-7819-11dc-b3b7-80a45141ec24" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/">
<rdf:Description rdf:about="uuid:b58a55db-7817-11dc-b3b7-80a45141ec24" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/">
<rdf:Description rdf:about="uuid:70e47554-7818-11dc-b3b7-80a45141ec24" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/">
<rdf:Description rdf:about="uuid:b1be9614-923d-11dc-bf0f-889ae1191ecf" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/">
<rdf:Description rdf:about="uuid:df90b7af-923d-11dc-bf0f-889ae1191ecf" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/">
<rdf:Description rdf:about="uuid:9ec20a53-923d-11dc-bf0f-889ae1191ecf" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/">
<rdf:Description rdf:about="uuid:1acf7d56-923e-11dc-bf0f-889ae1191ecf" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/">
<rdf:Description rdf:about="uuid:880b6202-923d-11dc-bf0f-889ae1191ecf" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/">
<rdf:Description rdf:about="uuid:c8e53c53-923d-11dc-bf0f-889ae1191ecf" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/">
<rdf:Description rdf:about="uuid:70e4755a-7818-11dc-b3b7-80a45141ec24" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/">
<rdf:Description rdf:about="uuid:cf09c8e3-7814-11dc-b3b7-80a45141ec24" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/">
<rdf:Description rdf:about="uuid:cf09c8e3-7814-11dc-b3b7-80a45141ec24" xmlns:exif="http://ns.adobe.com/exif/1.0/">
<rdf:Description rdf:about="uuid:6f03c386-7819-11dc-b3b7-80a45141ec24" xmlns:exif="http://ns.adobe.com/exif/1.0/">
<rdf:Description rdf:about="uuid:b58a55db-7817-11dc-b3b7-80a45141ec24" xmlns:exif="http://ns.adobe.com/exif/1.0/">
<rdf:Description rdf:about="uuid:70e4755a-7818-11dc-b3b7-80a45141ec24" xmlns:exif="http://ns.adobe.com/exif/1.0/">
<rdf:Description rdf:about="uuid:70e47554-7818-11dc-b3b7-80a45141ec24" xmlns:exif="http://ns.adobe.com/exif/1.0/">
<rdf:Description rdf:about="uuid:0bbddd7d-7818-11dc-b3b7-80a45141ec24" xmlns:exif="http://ns.adobe.com/exif/1.0/">
<rdf:Description rdf:about="uuid:0bbddd83-7818-11dc-b3b7-80a45141ec24" xmlns:exif="http://ns.adobe.com/exif/1.0/">
<rdf:Description rdf:about="uuid:0bbddd83-7818-11dc-b3b7-80a45141ec24" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/">
<rdf:Description rdf:about="uuid:0bbddd7d-7818-11dc-b3b7-80a45141ec24" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/">
qhttp://ns.adobe.com/xap/1.0/
qhttp://ns.adobe.com/xap/1.0/
http://ns.adobe.com/xap/1.0/
http://ns.adobe.com/xap/1.0/
http://ns.adobe.com/xap/1.0/
http://ns.adobe.com/xap/1.0/
http://ns.adobe.com/xap/1.0/
http://ns.adobe.com/xap/1.0/
http://ns.adobe.com/xap/1.0/
=http://ns.adobe.com/xap/1.0/
=http://ns.adobe.com/xap/1.0/
=http://ns.adobe.com/xap/1.0/
=http://ns.adobe.com/xap/1.0/
=http://ns.adobe.com/xap/1.0/
=http://ns.adobe.com/xap/1.0/
<rdf:Description rdf:about="uuid:1acf7d56-923e-11dc-bf0f-889ae1191ecf" xmlns:dc="http://purl.org/dc/elements/1.1/">
<dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
<dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
<dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
<dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>

Foremost

Matches: 0.exe, 41 KB
Suspicious: True

Heuristics

IPs: hasIPs: False; Allowed: (none); Suspicious: (none); hasAllowed: False; hasSuspicious: False
URLs: hasURLs: False; Allowed: (none); Suspicious: (none); hasAllowed: False; hasSuspicious: False
Files: hasFiles: True; Allowed: ntdll.dll, user32.dll, shlwapi.dll, MSVCR110.dll, KERNEL32.DLL, URLMON.DLL, wininet.dll, advapi32.dll, oleaut32.dll, shell32.dll; Suspicious: (none); hasAllowed: True; hasSuspicious: False

Binary

Sizes: RVA: 16 (Suspicious: False); Code: 39424 (Suspicious: False); Image address: 4194304 (0x00400000) (Suspicious: False); Stack: 4096 (Suspicious: False); Headers: 1024 (Suspicious: False); Suspicious: False
Symbols: Number: 0 (Suspicious: True); Pointer: 0 (Suspicious: True)
Directories: Number: 16 (Suspicious: False)
Checksum: Value: 0 (Suspicious: True)
Sections: Allowed: .text, .rdata, .data, .rsrc, .reloc; Suspicious: (none); hasAllowed: True; hasSections: True; hasSuspicious: False
Versions: OS: 6 (Suspicious: False); Image: 6 (Suspicious: True); Linker: 11.0 (Suspicious: False); Subsystem: 6.0 (Suspicious: False); Suspicious: False
EntryPoint: Address: 4951 (0x1357) (Suspicious: False)
Anomalies: The header checksum and the calculated checksum do not match. hasAnomalies: True
Libraries: Allowed: ntdll.dll, user32.dll, shlwapi.dll, kernel32.dll, urlmon.dll, wininet.dll, advapi32.dll, oleaut32.dll, shell32.dll; Suspicious: msvcr110.dll; hasLibs: True; hasAllowed: True; hasSuspicious: True
Timestamp: Value: 2019-08-28 16:19:07; Valid: True; Past: False; Future: False
Compilation: Packed: False; Compiled: True; Packers: Missing: False; Compilers: Microsoft Visual C++ 8, VC8 -> Microsoft Corporation
Obfuscation: XOR: True; Fuzzing: False
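The "header checksum and calculated checksum do not match" anomaly, together with Checksum Value: 0, can be reproduced without the report's tooling. The following is an added example (not code from the report or from any scanner it lists): it recomputes the PE optional-header checksum with the standard CheckSumMappedFile algorithm (16-bit word sum with end-around carry, the CheckSum field itself excluded, plus the file length), compares it with the stored field, and separates a stored value of 0 (never filled in) from a real mismatch. minimal_pe() is a constructed blob so the example runs offline; the function names are this example's own.

```python
"""Recompute a PE image's optional-header checksum and compare it with the
stored field, the check behind the report's "header checksum and calculated
checksum do not match" anomaly.

Added example; not code from the report's tooling. It implements the
well-known CheckSumMappedFile algorithm: sum every 16-bit word of the file
except the CheckSum field itself with end-around carry, fold to 16 bits, add
the file length. minimal_pe() builds a constructed blob so the example runs
offline; function names are this example's own.
"""
import struct


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum:
    e_lfanew + 4 (PE signature) + 20 (COFF header) + 0x40 (field offset)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    cs_off = pe_off + 4 + 20 + 0x40
    if cs_off + 4 > len(data):
        raise ValueError("optional header truncated")
    return cs_off


def pe_checksum(data: bytes) -> int:
    """Checksum Windows expects in the header for this exact byte image."""
    cs_off = checksum_field_offset(data)
    padded = data + (b"\0" if len(data) % 2 else b"")  # odd length: pad the last word
    total = 0
    for off in range(0, len(padded), 2):
        if off == cs_off or off == cs_off + 2:  # skip the 4-byte CheckSum field
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def with_checksum(data: bytes, value: int) -> bytes:
    """Copy of data with CheckSum set; shows the field is excluded from its own sum."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), value)
    return bytes(buf)


def classify_checksum(data: bytes) -> str:
    """'unset' when the linker never filled the field (this sample: Value: 0),
    otherwise 'match' or 'mismatch' against the recomputed value."""
    stored = stored_checksum(data)
    if stored == 0:
        return "unset"
    return "match" if stored == pe_checksum(data) else "mismatch"


def minimal_pe(size: int = 0xA0) -> bytes:
    """Constructed stand-in: DOS header with e_lfanew=0x40, PE signature, zeroed
    headers. Not a loadable image, just enough structure for the checksum walk."""
    if size < 0x9C:
        raise ValueError("need at least 0x9C bytes to hold the CheckSum field")
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    blob = minimal_pe()
    print("computed:", hex(pe_checksum(blob)), "stored:", hex(stored_checksum(blob)),
          "->", classify_checksum(blob))
    fixed = with_checksum(blob, pe_checksum(blob))
    print("after writing the computed value ->", classify_checksum(fixed))
```

On its own a zero checksum is weak evidence: the Visual C++ linker only fills the field in when linking with /RELEASE, and Windows enforces it only for drivers and a few system images, so plenty of benign user-mode binaries report exactly this anomaly. It carries weight here only alongside the stripped symbol table, the packer-related TrID and YARA hits, and the xtreme_rat rule match.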

PEDetector

Matches: 6304
Suspicious: True

Disassembly

hasTricks: True

Tricks (per section)

pushret: .rsrc: 10; .text: 1
nopsequence: .rsrc: 1
pushpopmath: .rsrc: 13
ss register: .rsrc: 1
garbagebytes: .rsrc: 4; .text: 1
programcontrolflowchange: .rsrc: 4; .text: 1
cpuinstructionsresultscomparison: .rdata: 1

AVclass

xtrat: 1

VirusTotal

md5 f6701e2f1054fa298bbdebca6822ca7c
sha1 b6e29a701c2896a019446ac9df09b6b096c264c6
sha256 d1f275a39d0d60f83bb77c46022034b63bea8582a005b8a1c36f223da0b0818f
scan_id d1f275a39d0d60f83bb77c46022034b63bea8582a005b8a1c36f223da0b0818f-1567041045
resource f6701e2f1054fa298bbdebca6822ca7c
permalink https://www.virustotal.com/file/d1f275a39d0d60f83bb77c46022034b63bea8582a005b8a1c36f223da0b0818f/analysis/1567041045/
scan_date 2019-08-29 01:10:45
positives 37
total 69
verbose_msg Scan finished, information embedded
response_code 1

SCANS (DETECTION RATE = 53.62%, 37 of 69 engines)

engine | result | update | version | detected
AVG | Win32:Evo-gen [Susp] | 20190828 | 18.4.3895.0 | True
CMC | - | 20190321 | 1.1.0.977 | False
MAX | malware (ai score=88) | 20190829 | 2018.9.12.1 | True
APEX | Malicious | 20190827 | 5.56 | True
Bkav | - | 20190828 | 1.3.0.10239 | False
K7GW | - | 20190828 | 11.64.31845 | False
ALYac | Trojan.Delf.Agent.AH | 20190828 | 1.1.1.5 | True
Avast | Win32:Evo-gen [Susp] | 20190828 | 18.4.3895.0 | True
Avira | BDS/Backdoor.Gen5 | 20190828 | 8.3.3.8 | True
Baidu | Win32.Backdoor.Agent.ag | 20190318 | 1.0.0.2 | True
Cyren | W32/Xtrat.A.gen!Eldorado | 20190828 | 6.2.0.1 | True
DrWeb | Trojan.DownLoader4.34932 | 20190828 | 7.0.41.7240 | True
GData | Trojan.Delf.Agent.AH | 20190829 | A:25.23218B:26.15895 | True
Panda | - | 20190828 | 4.6.4.2 | False
VBA32 | TrojanSpy.KeyLogger | 20190828 | 4.0.0 | True
VIPRE | - | 20190829 | 77488 | False
Zoner | - | 20190828 | 1.0.0.1 | False
ClamAV | Win.Trojan.Agent-36788 | 20190828 | 0.101.4.0 | True
Comodo | - | 20190828 | 31390 | False
F-Prot | W32/Xtrat.A.gen!Eldorado | 20190829 | 4.7.1.166 | True
Ikarus | - | 20190828 | 0.1.5.2 | False
McAfee | GenericRXAA-EO!9428CBF71D4F | 20190829 | 6.0.6.653 | True
Rising | Backdoor.Xtrat!1.6A25 (CLASSIC) | 20190829 | 25.0.0.24 | True
Sophos | - | 20190828 | 4.98.0 | False
Yandex | Backdoor.XTrat.Gen | 20190822 | 5.5.2.24 | True
Zillya | - | 20190820 | 2.0.0.3882 | False
Acronis | - | 20190822 | 1.0.1.51 | False
Alibaba | - | 20190527 | 0.3.0.5 | False
Arcabit | Trojan.Delf.Agent.AH | 20190828 | 1.0.0.856 | True
Cylance | - | 20190829 | 2.3.1.101 | False
FireEye | Trojan.Delf.Agent.AH | 20190828 | 29.7.0.0 | True
TACHYON | - | 20190829 | 2019-08-29.01 | False
Tencent | - | 20190829 | 1.0.0.1 | False
ViRobot | - | 20190828 | 2014.3.20.0 | False
Webroot | - | 20190829 | 1.0.0.403 | False
eGambit | Trojan.Generic | 20190829 | v4.3.6 | True
Ad-Aware | Trojan.Delf.Agent.AH | 20190829 | 3.0.5.370 | True
AegisLab | - | 20190828 | 4.2 | False
Emsisoft | Trojan.Delf.Agent.AH (B) | 20190828 | 2018.12.0.1641 | True
F-Secure | Backdoor.BDS/Backdoor.Gen5 | 20190829 | 12.0.86.52 | True
Fortinet | - | 20190828 | 5.4.247.0 | False
Invincea | - | 20190717 | 6.3.6.26157 | False
Jiangmin | - | 20190829 | 16.0.100 | False
Kingsoft | - | 20190829 | 2013.8.14.323 | False
Paloalto | - | 20190829 | 1.0 | False
Symantec | - | 20190828 | 1.10.0.0 | False
Trapmine | - | 20190826 | 3.1.81.800 | False
AhnLab-V3 | - | 20190828 | 3.16.1.25089 | False
Antiy-AVL | Trojan/Win32.Sasfis | 20190829 | 3.0.0.1 | True
Kaspersky | Backdoor.Win32.Xtreme.axdx | 20190828 | 15.0.1.13 | True
Microsoft | Trojan:Win32/Occamy.C | 20190828 | 1.1.16200.1 | True
Qihoo-360 | - | 20190829 | 1.0.0.1120 | False
ZoneAlarm | Backdoor.Win32.Xtreme.axdx | 20190828 | 1.0 | True
Cybereason | malicious.f1054f | 20190616 | 1.2.449 | True
ESET-NOD32 | a variant of Win32/AutoRun.Remtasu.E | 20190829 | 19932 | True
TrendMicro | BKDR_XTREME.SMUJ | 20190829 | 11.0.0.1006 | True
BitDefender | Trojan.Delf.Agent.AH | 20190828 | 7.2 | True
CrowdStrike | win/malicious_confidence_60% (D) | 20190702 | 1.0 | True
K7AntiVirus | - | 20190828 | 11.64.31844 | False
SentinelOne | DFI - Malicious PE | 20190807 | 1.0.31.22 | True
Avast-Mobile | - | 20190828 | 190828-02 | False
Malwarebytes | - | 20190828 | 2.1.1.1115 | False
TotalDefense | - | 20190828 | 37.1.62.1 | False
CAT-QuickHeal | Backdoor.Xtrat.AA8 | 20190827 | 14.00 | True
NANO-Antivirus | Trojan.Win32.MLW.coqsl | 20190829 | 1.0.134.24859 | True
MicroWorld-eScan | Trojan.Delf.Agent.AH | 20190829 | 14.0.297.0 | True
SUPERAntiSpyware | - | 20190823 | 5.6.0.1032 | False
McAfee-GW-Edition | GenericRXAA-EO!9428CBF71D4F | 20190828 | v2017.3010 | True
TrendMicro-HouseCall | BKDR_XTREME.SMUJ | 20190829 | 10.0.0.1040 | True

File Trace

timestamp | operation | pid | process | path

19/10/2019 - 4:45:43.637 | Unknown | 1480 | C:\malware.exe | C:\Monitor\proc.exe
19/10/2019 - 4:45:43.637 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\apphelp.dll
19/10/2019 - 4:45:43.637 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\apphelp.dll
19/10/2019 - 4:45:43.637 | Open | 1480 | C:\malware.exe | C:\Windows\AppPatch\sysmain.sdb
19/10/2019 - 4:45:43.637 | Open | 1480 | C:\malware.exe | C:\Monitor
19/10/2019 - 4:45:43.637 | Unknown | 1480 | C:\malware.exe | C:\Monitor
19/10/2019 - 4:45:43.637 | Open | 1480 | C:\malware.exe | C:\Monitor\proc.exe
19/10/2019 - 4:45:43.637 | Unknown | 1480 | C:\malware.exe | C:\Monitor\proc.exe
19/10/2019 - 4:45:43.637 | Open | 1480 | C:\malware.exe | C:\
19/10/2019 - 4:45:43.637 | Unknown | 1480 | C:\malware.exe | C:\
19/10/2019 - 4:45:43.637 | Open | 1480 | C:\malware.exe | C:\Monitor
19/10/2019 - 4:45:43.637 | Unknown | 1480 | C:\malware.exe | C:\Monitor
19/10/2019 - 4:45:43.637 | Open | 1480 | C:\malware.exe | C:\Monitor
19/10/2019 - 4:45:43.637 | Unknown | 1480 | C:\malware.exe | C:\Monitor
19/10/2019 - 4:45:43.637 | Open | 1480 | C:\malware.exe | C:\Monitor\proc.exe
19/10/2019 - 4:45:43.637 | Read | 1480 | C:\malware.exe | C:\Monitor\proc.exe
19/10/2019 - 4:45:43.637 | Open | 1480 | C:\malware.exe | C:\Monitor\ui\SwDRM.dll
19/10/2019 - 4:45:43.637 | Open | 1480 | C:\malware.exe | C:\Monitor\proc.exe
19/10/2019 - 4:45:43.637 | Open | 1480 | C:\malware.exe | C:\Monitor\proc.exe
19/10/2019 - 4:45:43.637 | Unknown | 1480 | C:\malware.exe | C:\Monitor\proc.exe
19/10/2019 - 4:45:43.637 | Open | 1480 | C:\malware.exe | C:\Monitor\proc.exe
19/10/2019 - 4:45:43.637 | Unknown | 1480 | C:\malware.exe | C:\Monitor\proc.exe
19/10/2019 - 4:45:43.637 | Unknown | 1480 | C:\malware.exe | C:\Monitor\proc.exe
19/10/2019 - 4:45:43.637 | Unknown | 1480 | C:\malware.exe | C:\Monitor\proc.exe
19/10/2019 - 4:45:43.637 | Unknown | 1480 | C:\malware.exe | C:\Windows
19/10/2019 - 4:45:43.637 | Unknown | 1480 | C:\malware.exe | C:\Monitor
19/10/2019 - 4:45:43.653 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\Prefetch\PROC.EXE-5509F567.pf
19/10/2019 - 4:45:43.653 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows
19/10/2019 - 4:45:43.653 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\System32\wow64.dll
19/10/2019 - 4:45:43.653 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\System32\wow64.dll
19/10/2019 - 4:45:43.653 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\System32\wow64win.dll
19/10/2019 - 4:45:43.653 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\System32\wow64win.dll
19/10/2019 - 4:45:43.653 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\System32\wow64cpu.dll
19/10/2019 - 4:45:43.653 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\System32\wow64cpu.dll
19/10/2019 - 4:45:43.653 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\System32\wow64log.dll
19/10/2019 - 4:45:43.653 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows
19/10/2019 - 4:45:43.653 | Unknown | 1488 | C:\Monitor\proc.exe | C:\Windows
19/10/2019 - 4:45:43.653 | Open | 1488 | C:\Monitor\proc.exe | C:\Monitor
19/10/2019 - 4:45:43.653 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\sechost.dll
19/10/2019 - 4:45:43.653 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\sechost.dll
19/10/2019 - 4:45:43.668 | Open | 1488 | C:\Monitor\proc.exe | C:\Monitor\version.DLL
19/10/2019 - 4:45:43.668 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\version.dll
19/10/2019 - 4:45:43.668 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\version.dll
19/10/2019 - 4:45:43.668 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\imm32.dll
19/10/2019 - 4:45:43.668 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\imm32.dll
19/10/2019 - 4:45:43.668 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\imm32.dll
19/10/2019 - 4:45:43.668 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\imm32.dll
19/10/2019 - 4:45:43.668 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\imm32.dll
19/10/2019 - 4:45:43.668 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\imm32.dll
19/10/2019 - 4:45:43.668 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\Globalization\Sorting\SortDefault.nls
19/10/2019 - 4:45:43.668 | Unknown | 1488 | C:\Monitor\proc.exe | C:\Windows\Globalization\Sorting\SortDefault.nls SortDefault.nls
19/10/2019 - 4:45:43.668 | Open | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\AppData\Roaming
19/10/2019 - 4:45:43.668 | Unknown | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\AppData\Roaming
19/10/2019 - 4:45:43.668 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\rpcss.dll
19/10/2019 - 4:45:43.668 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\rpcss.dll
19/10/2019 - 4:45:43.668 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\uxtheme.dll
19/10/2019 - 4:45:43.668 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\uxtheme.dll
19/10/2019 - 4:45:43.762 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\shell32.dll
19/10/2019 - 4:45:43.762 | Open | 1488 | C:\Monitor\proc.exe | C:\Monitor\proc.exe.Local
19/10/2019 - 4:45:43.762 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
19/10/2019 - 4:45:43.762 | Unknown | 1488 | C:\Monitor\proc.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
19/10/2019 - 4:45:43.762 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\WindowsShell.Manifest
19/10/2019 - 4:45:43.778 | Unknown | 1488 | C:\Monitor\proc.exe | C:\Windows\WindowsShell.Manifest WindowsShell.Manifest
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\
19/10/2019 - 4:45:43.778 | Unknown | 1488 | C:\Monitor\proc.exe | C:\
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\propsys.dll
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\propsys.dll
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000000.db
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Users\desktop.ini
19/10/2019 - 4:45:43.778 | Read | 1488 | C:\Monitor\proc.exe | C:\Users\desktop.ini
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Users
19/10/2019 - 4:45:43.778 | Unknown | 1488 | C:\Monitor\proc.exe | C:\Users
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot
19/10/2019 - 4:45:43.778 | Unknown | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\AppData
19/10/2019 - 4:45:43.778 | Unknown | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\AppData
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\Desktop\desktop.ini
19/10/2019 - 4:45:43.778 | Read | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\Desktop\desktop.ini
19/10/2019 - 4:45:43.778 | Unknown | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\Desktop\desktop.ini
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\AppData\Roaming
19/10/2019 - 4:45:43.778 | Unknown | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\AppData\Roaming
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\AppData\Roaming\e4spRxWAdo8u.cfg
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\AppData\Roaming\e4spRxWAdo8u.cfg
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Monitor\svchost.exe
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Monitor\svchost.exe
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\svchost.exe
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\svchost.exe
19/10/2019 - 4:45:43.778 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\svchost.exe
19/10/2019 - 4:45:43.793 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\apphelp.dll
19/10/2019 - 4:45:43.793 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\apphelp.dll
19/10/2019 - 4:45:43.793 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\AppPatch\sysmain.sdb
19/10/2019 - 4:45:43.793 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64
19/10/2019 - 4:45:43.793 | Unknown | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64
19/10/2019 - 4:45:43.793 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\svchost.exe
19/10/2019 - 4:45:43.793 | Open | 1488 | C:\Monitor\proc.exe | C:\
19/10/2019 - 4:45:43.793 | Unknown | 1488 | C:\Monitor\proc.exe | C:\
19/10/2019 - 4:45:43.793 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows
19/10/2019 - 4:45:43.793 | Unknown | 1488 | C:\Monitor\proc.exe | C:\Windows
19/10/2019 - 4:45:43.793 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64
19/10/2019 - 4:45:43.793 | Unknown | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64
19/10/2019 - 4:45:43.793 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64
19/10/2019 - 4:45:43.793 | Unknown | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64
19/10/2019 - 4:45:43.793 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\svchost.exe
19/10/2019 - 4:45:43.793 | Read | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\svchost.exe
19/10/2019 - 4:45:43.793 | Read | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\svchost.exe
19/10/2019 - 4:45:43.856 | Open | 1488 | C:\Monitor\proc.exe | C:\Windows\SysWOW64\ui\SwDRM.dll
19/10/2019 - 4:45:43.997 | Open | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\AppData\Local\Temp\x.html
19/10/2019 - 4:45:43.997 | Unknown | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\AppData\Local\Temp\x.html x.html
19/10/2019 - 4:45:43.997 | Open | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\AppData\Local\Temp\x.html
19/10/2019 - 4:45:43.997 | Unknown | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\AppData\Local\Temp\x.html x.html
19/10/2019 - 4:45:43.997 | Open | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 4:45:43.997 | Unknown | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 4:45:43.997 | Open | 1488 | C:\Monitor\proc.exe | C:\
19/10/2019 - 4:45:43.997 | Unknown | 1488 | C:\Monitor\proc.exe | C:\
19/10/2019 - 4:45:43.997 | Open | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\AppData\Local\Temp\x.html
19/10/2019 - 4:45:43.997 | Unknown | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\AppData\Local\Temp\x.html x.html
19/10/2019 - 4:45:43.997 | Open | 1488 | C:\Monitor\proc.exe | C:\Program Files\Internet Explorer\iexplore.exe
19/10/2019 - 4:45:43.997 | Open | 1488 | C:\Monitor\proc.exe | C:\Users\Behemot\AppData\Local\Temp\x.html
19/10/2019 - 4:45:43.997 | Open | 1488 | C:\Monitor\proc.exe | C:\Monitor\Files\DeletedFiles\x.html

19/10/201 9 - 4:45:43 .997

Un kno wn

1 4 8 8

C:\Monitor\proc.

exe C:\Monitor\Files\DeletedFiles\x.html x.html

19/10/201 9 - 4:45:43 .997

Del ete

1 4 8 8

C:\Monitor\proc.

exe C:\Users\Behemot\AppData\Local\Temp\x.html x.html

19/10/201 9 - 4:45:43 .997

Un kno wn

1 4 8 8

C:\Monitor\proc.

exe C:\Users\Behemot\AppData\Local\Temp\x.html x.html

19/10/201 9 - 4:45:43 .997

Op en

1 4 8 8

C:\Monitor\proc.

exe C:\Program

19/10/201 9 - 4:45:43 .997

Op en

1 4 8 8

C:\Monitor\proc.

exe C:\Program.exe

19/10/201 9 - 4:45:43 .997

Op en

1 4 8

C:\Monitor\proc.

exe C:\Program Files\Internet

(28)

8

19/10/201 9 - 4:45:43 .997

Op en

1 4 8 8

C:\Monitor\proc.

exe C:\Program Files\Internet.exe

19/10/201 9 - 4:45:43 .997

Op en

1 4 8 8

C:\Monitor\proc.

exe C:\Program Files\Internet Explorer\iexplore.exe

19/10/201 9 - 4:45:43 .997

Op en

1 4 8 8

C:\Monitor\proc.

exe C:\Program Files\Internet Explorer\iexplore.exe

19/10/201 9 - 4:45:43 .997

Op en

1 4 8 8

C:\Monitor\proc.

exe C:\Program Files\Internet Explorer\iexplore.exe

19/10/201 9 - 4:45:43 .997

Un kno wn

1 4 8 8

C:\Monitor\proc.

exe C:\Program Files\Internet Explorer\iexplore.exe

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\Prefetch\SVCHOST.EXE-672DEC87.pf

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\System32\wow64.dll

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\System32\wow64.dll

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\System32\wow64win.dll

19/10/201 9 - 4:45:44 Op

en 2 4 1

C:\Windows\Sys

WOW64\svchost C:\Windows\System32\wow64win.dll

(29)

.43 2 .exe

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\System32\wow64cpu.dll

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\System32\wow64cpu.dll

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\System32\wow64log.dll

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows

19/10/201 9 - 4:45:44 .43

Un kno wn

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Monitor

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\SysWOW64\sechost.dll

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\SysWOW64\sechost.dll

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\SysWOW64\imm32.dll

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\SysWOW64\imm32.dll

19/10/201 9 - 4:45:44 Op

en 2 4 1

C:\Windows\Sys

WOW64\svchost C:\Windows\SysWOW64\imm32.dll

(30)

.43 2 .exe

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost

.exe C:\Windows\SysWOW64\imm32.dll

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\SysWOW64\imm32.dll

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\SysWOW64\imm32.dll

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\SysWOW64\mpr.dll

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\SysWOW64\mpr.dll

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\SysWOW64\version.dll

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\SysWOW64\version.dll

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\SysWOW64\svchost.exe.Local

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\winsxs\x86_microsoft.windows.common-controls_65 95b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc

19/10/201 9 - 4:45:44 .43

Un kno wn

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\winsxs\x86_microsoft.windows.common-controls_65 95b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc

19/10/201 9 - 4:45:44 Op

en 2 4 1

C:\Windows\Sys

WOW64\svchost C:\Windows\winsxs\x86_microsoft.windows.common-controls_65 95b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc

(31)

.43 2 .exe

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\winsxs\x86_microsoft.windows.common-controls_65 95b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\co mctl32.dll

19/10/201 9 - 4:45:44 .43

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\winsxs\x86_microsoft.windows.common-controls_65 95b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\co mctl32.dll

19/10/201 9 - 4:45:44 .59

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\SysWOW64\opengl32.dll

19/10/201 9 - 4:45:44 .59

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\SysWOW64\opengl32.dll

19/10/201 9 - 4:45:44 .153

Un kno wn

1 4 8 8

C:\Monitor\proc.

exe C:\Windows

19/10/201 9 - 4:45:44 .153

Un kno wn

1 4 8 8

C:\Monitor\proc.

exe C:\Monitor

19/10/201 9 - 4:45:44 .153

Un kno wn

1 4 8 8

C:\Monitor\proc.

exe

C:\Windows\winsxs\x86_microsoft.windows.common-controls_65 95b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d

19/10/201 9 - 4:45:44 .200

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\SysWOW64\glu32.dll

19/10/201 9 - 4:45:44 .247

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\SysWOW64\glu32.dll

19/10/201 9 - 4:45:44 .481

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\SysWOW64\ddraw.dll

19/10/201 9 - 4:45:44 .481

Op en

2 4 1

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\SysWOW64\ddraw.dll

(32)

2

19/10/201 9 - 4:45:44 .809

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\SysWOW64\dciman32.dll

19/10/201 9 - 4:45:44 .856

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost

.exe C:\Windows\SysWOW64\dciman32.dll

19/10/201 9 - 4:45:44 .997

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\SysWOW64\dwmapi.dll

19/10/201 9 - 4:45:44 .997

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\SysWOW64\dwmapi.dll

19/10/201 9 - 4:45:45 .325

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\SysWOW64\msimg32.dll

19/10/201 9 - 4:45:45 .325

Op en

2 4 1 2

C:\Windows\Sys WOW64\svchost .exe

C:\Windows\SysWOW64\msimg32.dll

Process Trace

Timestamp | Operation | PID | Process | Target PID | Target Process
19/10/2019 - 4:45:43.637 | Create | 1480 | C:\malware.exe | 1488 | C:\Monitor\proc.exe
19/10/2019 - 4:45:43.793 | Create | 1488 | C:\Monitor\proc.exe | 2412 | C:\Windows\SysWOW64\svchost.exe
19/10/2019 - 4:45:43.997 | Create | 1488 | C:\Monitor\proc.exe | 804 | C:\Program Files\Internet Explorer\iexplore.exe
19/10/2019 - 4:45:44.153 | Terminate | 1480 | C:\malware.exe | 1488 | C:\Monitor\proc.exe

Analysis

Reason Timeout

Status Successfully Executed

Results 1

Registry Trace

Timestamp | Operation | PID | Process | Key | Value
19/10/2019 - 4:45:43.668 | Write | 1488 | C:\Monitor\proc.exe | HKCU\Software\XtremeRAT | Mutex

File Summary

Created Identified: False
Deleted Identified: True

Process Summary

Created Identified: True
Deleted Identified: True

Registry Summary

Proxy Identified: False
AutoRun Identified: False
Created Identified: True
Deleted Identified: False
Browsers Identified: False
Internet Identified: False

DNS

Query | Response

TCP

Info

UDP

Info

HTTP

Info

Summary

DNS False
TCP False
UDP False
HTTP False

Results

KNN (K=3, NFS-BRMalware) confidence: 66.67%
suspicious: False

Decision Tree (NFS-BRMalware) confidence: 100.00%
suspicious: True

SVC (Kernel=Linear, NFS-BRMalware) confidence: 94.82%
suspicious: False

Random Forest (100 estimators, NFS-BRMalware) confidence: 63.00%
suspicious: False
