Binary
DLL False
Size 1.18MB
trid 51.0% Win32 EXE PECompact compressed
17.4% Win32 Executable Delphi generic 16.0% Windows screen saver
5.5% Win32 Executable
2.5% Win16/32 Executable Delphi generic
type PE
wordsize 32
Subsystem Windows GUI
Hashes
md5 fc434c29b6dc375b7f9875aeca7e16dc
sha1 b005756e1ef8a31ef5d76436bdf30a5d352c4edd
crc32 0xabde353d
sha224 9f9ed05a57e3ccc996096e6a9c07b58bf19f9238b9fe411ae801d473
sha256 ea733908391bd2074065458b2e5ddff16e4108487d990242fc786c391913f2fe
sha384 6a461deb0ce241969b5216b4963147e8afaa3a78da54697c2a50cbe4a609f6dfb36e193cfba2293f72b56343334f0e61
sha512 7cc79050a0aadc944cab4504b32f0fa7fc0c5ae90fef968dc42bc3e3f4bc32c603c5232d648112f0591d80da19b2d66450e8ed472b8ecb5841926a9716ca2de6
ssdeep 24576:DPpwabBilsYmYigTJWmQYQMaqkb3j6uGqvhN+NDA:7RZgpQTqkb3jx38
Report #9200
Creation Date: March 10, 2020, 5:08 p.m.
Last Update: March 11, 2020, 2:13 a.m.
File: AdobeFlashPlayer_11.7.700.169.exe
Results:
Community
Google False
HashLib False
YARA
Matches domain, Borland, IP, Borland_Delphi_30_, BASE64_table, borland_delphi, Delphi_FormShow, network_dns, BobSoftMiniDelphiBoBBobSoft, Microsoft_Visual_Cpp_v50v60_MFC, BobSoft_Mini_Delphi_BoB_BobSoft_additional, win_files_operation, IsPE32, win_hook, network_tcp_socket, screenshot, network_tcp_listen, Borland_Delphi_v40_v50, keylogger, contentis_base64, Borland_Delphi_40_additional, IsPacked, Borland_Delphi_40, Delphi_Random, IsWindowsGUI, network_udp_sock, Delphi_Copy, Borland_Delphi_Setup_Module, Borland_Delphi_DLL, win_registry, Delphi_StrToInt, Borland_Delphi_30_additional, Borland_Delphi_v30, Big_Numbers2, Big_Numbers1, Big_Numbers0
Suspicious True
Strings
List
t.Ht
C:\builds\TpAddons\IndyNet\System\IdStack.pas C:\builds\TpAddons\IndyNet\System\IdStack.pas C:\Builds\TpAddons\IndyNet\System\IdGlobal.pas C:\Builds\TpAddons\IndyNet\System\IdGlobal.pas C:\Builds\TpAddons\IndyNet\System\IdGlobal.pas C:\Builds\TpAddons\IndyNet\System\IdGlobal.pas C:\Builds\TpAddons\IndyNet\System\IdGlobal.pas C:\Builds\TpAddons\IndyNet\System\IdGlobal.pas C:\Builds\TpAddons\IndyNet\System\IdGlobal.pas C:\Builds\TpAddons\IndyNet\System\IdStreamVCL.pas C:\Builds\TpAddons\IndyNet\System\IdStreamVCL.pas b0r.Td
GlassFrame.Top Uh.rE
Font.Style Font.Style Font.Name Font.Name
C:\builds\TpAddons\IndyNet\Protocols\IdHTTP.pas C:\builds\TpAddons\IndyNet\Protocols\IdHTTP.pas C:\builds\TpAddons\IndyNet\Protocols\IdHTTP.pas C:\builds\TpAddons\IndyNet\Protocols\IdHTTP.pas
C:\builds\TpAddons\IndyNet\Protocols\IdZLibCompressorBase.pas .stl=application/vnd.ms-pki.stl
.pko=application/vnd.ms-pki.pko
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Uh.gG 127.0.0.1
C:\builds\TpAddons\IndyNet\Protocols\IdCoder3to4.pas C:\builds\TpAddons\IndyNet\Protocols\IdGlobalProtocols.pas System\CurrentControlSet\Control\Keyboard Layouts\%.8x C:\builds\TpAddons\IndyNet\Core\IdIOHandler.pas
C:\builds\TpAddons\IndyNet\Core\IdIOHandler.pas h.kH
(Request method requires HTTP version 1.1DThis authentication method is already registered with class name %s.
B.rsrc
SOFTWARE\Borland\Delphi\RTL Delphi%.8X
Software\Borland\Locales ISO_646.irv:1991
Software\Borland\Delphi\Locales .xfdf=application/vnd.adobe.xfdf comctl32.dll
comctl32.dll comctl32.dll comctl32.dll comctl32.dll comctl32.dll Wship6.dll
.fdf=application/vnd.fdf version.dll
uxtheme.dll
.wbmp=image/vnd.wap.wbmp 0.0.0.0
0.0.0.1
Network is down.
Host is down.
mpr.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes Username
Username Username Username Username
Host field is empty
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36
1E6EF40D0F0E0F70 Socket Error # %d OnItemSelected OnDeletion OnReceive OnItemSelected OnItemSelected uAntivirus uAntivirus jp-ocr-b-add
Socks server did not respond.$Invalid socks authentication method.%Authentication error to socks server.#Too many references, cannot splice.
Transparent proxy cannot bind. UDP Not supported by this proxy.$Buffer terminator must be specified.!Buffer start position is invalid.
ControlOfs%.8X%.8X WndProcPtr%.8X%.8X ))====3%%%*&
BevelEdges$-D
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.
%f9i<O Connected.
, finished at , about to go Not connected.
%%lst BT%+o H!%i{A c,S%%i
Index out of bounds.
Connect timed out.
Command not supported.
WindowStated Connection refused.
Too many open files.
TLVDeletedEvent
Foremost
Matches 0.exe, 1 MB
Suspicious True
Heuristics
IPs hasIPs: True
Allowed: 127.0.0.1, 1, localhost.
Suspicious: 0.0.0.1, 0, Unknown hasAllowed: True
hasSuspicious: True
URLs Allowed
hasURLs: False Suspicious
hasAllowed: False hasSuspicious: False
Files Allowed: MAPI32.DLL, user32.dll, uxtheme.dll, oleaut32.dll, WS2_32.DLL, PSAPI.dll, comctl32.dll, ole32.dll, imm32.dll, advapi32.dll, gdi32.dll, Wship6.dll, DWMAPI.DLL, kernel32.dll, shell32.dll, version.dll, mpr.dll
hasFiles: True Suspicious
hasAllowed: True hasSuspicious: False
Binary
Sizes RVA
RVA: 16
Suspicious: False
Code
Size: 560640 Suspicious: False Image
Address: 4194304 Suspicious: False Stack
Stack: 16384 Suspicious: False Headers
Headers: 1024 Suspicious: False Suspicious: False
Symbols Number
Number: 0
Suspicious: True Pointer
Pointer: 0
Suspicious: True Directories Number: 16 Suspicious: False
Checksum Value: 0
Suspicious: True
Sections Allowed: .text, .itext, .data, .bss, .idata, .tls, .rdata, .reloc, .rsrc Suspicious
hasAllowed: True hasSections: True hasSuspicious: False
Versions OS
Version: 4
Suspicious: False Image
Version: True Suspicious: 4 Linker
Version: 2.25 Suspicious: False Subsystem
Version: 4.0 Suspicious: False Suspicious: False
EntryPoint Address: 682752
Suspicious: False
Anomalies Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True
Libraries Allowed: mapi32.dll, user32.dll, uxtheme.dll, oleaut32.dll, ws2_32.dll, psapi.dll, comctl32.dll, ole32.dll, imm32.dll, advapi32.dll, gdi32.dll, wship6.dll, dwmapi.dll, kernel32.dll, shell32.dll, version.dll, mpr.dll
hasLibs: True Suspicious
hasAllowed: True hasSuspicious: False
Timestamp Past: False
Valid: True
Value: 2014-04-23 00:09:40 Future: False
Compilation Packed: True
Missing: False
Packers: BobSoft Mini Delphi -> BoB / BobSoft Compiled: True
Compilers: Borland Delphi 3.0 (???), Borland Delphi 4.0, Borland Delphi v3.0, Borland Delphi v6.0 - v7.0
MainPacker: BobSoft Mini Delphi -> BoB / BobSoft
Obfuscation XOR: False
Fuzzing: True
PEDetector
Matches None
Suspicious False
Disassembly
hasTricks True
Tricks
pushret .rsrc: 318
.text: 61 .itext: 5
pushpopmath .rsrc: 124
.text: 15 .idata: 2 .reloc: 41
ss register .rsrc: 3
garbagebytes .rsrc: 142
.text: 55 .itext: 5
hookdetection .rsrc: 5
.text: 2 .reloc: 2
software breakpoint .rsrc: 12 .text: 5 .reloc: 15
fakeconditionaljumps .rsrc: 1
programcontrolflowchange .rsrc: 141 .text: 55 .itext: 5
cpuinstructionsresultscomparison .rsrc: 5 .text: 11
AVclass
delf 1
VirusTotal
md5 fc434c29b6dc375b7f9875aeca7e16dc
sha1 b005756e1ef8a31ef5d76436bdf30a5d352c4edd
SCANS (DETECTION RATE = 65.15%)
AVG result: FileRepMalware
update: 20180325 version: 18.2.3827.0 detected: True
CMC update: 20180324
version: 1.1.0.977 detected: False
MAX result: malware (ai score=85) update: 20180325
version: 2017.11.15.1 detected: True
Bkav update: 20180325
version: 1.3.0.9466 detected: False
K7GW result: Trojan ( 7000000f1 )
update: 20180325 version: 10.42.26601 detected: True
ALYac result: Gen:Variant.Strictor.55717
update: 20180325 version: 1.1.1.5 detected: True
Avast result: FileRepMalware
update: 20180325 version: 18.2.3827.0 detected: True
Avira result: TR/Delf.rtg.6
update: 20180324 version: 8.3.3.6 detected: True
Baidu update: 20180323
version: 1.0.0.2 detected: False
Cyren result: W32/Trojan.YARR-2385
update: 20180325 version: 5.4.30.7 detected: True
DrWeb update: 20180325
version: 7.0.28.2020 detected: False
GData result: Gen:Variant.Strictor.55717
update: 20180325
version: A:25.16495B:25.11872 detected: True
Panda result: Generic Malware update: 20180324 version: 4.6.4.2 detected: True
VBA32 result: TScope.Malware-Cryptor.SB
update: 20180323 version: 3.12.28.0 detected: True
VIPRE result: Trojan.Win32.Generic!BT
update: 20180325 version: 65508 detected: True
Zoner update: 20180325
version: 1.0 detected: False
AVware result: Trojan.Win32.Generic!BT
update: 20180325 version: 1.5.0.42 detected: True
ClamAV update: 20180325
version: 0.99.2.0 detected: False
Comodo update: 20180325
detected: False
F-Prot update: 20180325
version: 4.7.1.166 detected: False
McAfee result: Artemis!FC434C29B6DC
update: 20180325 version: 6.0.6.653 detected: True
Rising update: 20180327
version: 25.0.0.1 detected: False
Sophos result: Mal/Generic-S
update: 20180325 version: 4.98.0
detected: True
Yandex update: 20180324
version: 5.5.1.3 detected: False
Zillya update: 20180323
version: 2.0.0.3519 detected: False
Arcabit result: Trojan.Strictor.DD9A5
update: 20180325 version: 1.0.0.831 detected: True
Cylance result: Unsafe
update: 20180325 version: 2.3.1.101 detected: True
Endgame result: malicious (high confidence) update: 20180316
version: 2.0.5 detected: True
Tencent result: Win32.Trojan.Delf.Eegx
update: 20180325 version: 1.0.0.1 detected: True
ViRobot update: 20180324
version: 2014.3.20.0 detected: False
eGambit update: 20180325
version: v4.3.5 detected: False
Ad-Aware result: Gen:Variant.Strictor.55717 update: 20180325
version: 3.0.3.1010 detected: True
AegisLab result: Troj.W32.Delf.dmqp!c
update: 20180325 version: 4.2 detected: True
Emsisoft result: Gen:Variant.Strictor.55717 (B) update: 20180325
version: 4.0.2.899 detected: True
F-Secure result: Gen:Variant.Strictor.55717 update: 20180325
version: 11.0.19100.45 detected: True
Fortinet result: W32/Delf.RTG!tr
update: 20180325 version: 5.4.247.0 detected: True
Invincea update: 20180121
version: 6.3.4.26036 detected: False
Jiangmin result: Trojan.Delf.xy
update: 20180325 version: 16.0.100 detected: True
Kingsoft result: Win32.Troj.Delf.dm.(kcloud) update: 20180325
version: 2013.8.14.323 detected: True
Paloalto result: generic.ml
update: 20180325 version: 1.0 detected: True
Symantec result: Trojan.Gen
update: 20180324 version: 1.5.0.0 detected: True
nProtect update: 20180325
version: 2018-03-25.01 detected: False
AhnLab-V3 result: Trojan/Win32.Agent.C1927915 update: 20180324
version: 3.12.0.20130
detected: True
Antiy-AVL result: Trojan/Win32.Delf
update: 20180325 version: 3.0.0.1 detected: True
Kaspersky result: Trojan.Win32.Delf.dmqo update: 20180325
version: 15.0.1.13 detected: True
Microsoft update: 20180325
version: 1.1.14600.4 detected: False
Qihoo-360 result: Win32/Trojan.3c0
update: 20180325 version: 1.0.0.1120 detected: True
TheHacker update: 20180319
version: 6.8.0.5.2551 detected: False
ZoneAlarm result: Trojan.Win32.Delf.dmqo update: 20180325
version: 1.0 detected: True
Cybereason result: malicious.9b6dc3
update: 20180225 version: 1.2.27 detected: True
ESET-NOD32 result: a variant of Win32/Delf.RTG update: 20180325
version: 17111 detected: True
TrendMicro result: TROJ_GEN.R002C0GBF18
update: 20180325 version: 9.862.0.1074 detected: True
WhiteArmor update: 20180324
detected: False
BitDefender result: Gen:Variant.Strictor.55717 update: 20180325
version: 7.2 detected: True
CrowdStrike result: malicious_confidence_90% (W) update: 20170201
version: 1.0 detected: True
K7AntiVirus result: Trojan ( 7000000f1 ) update: 20180325
version: 10.42.26601 detected: True
SentinelOne update: 20180225
version: 1.0.15.206 detected: False
Avast-Mobile update: 20180324
version: 180324-00 detected: False
Malwarebytes update: 20180325
version: 2.1.1.1115 detected: False
TotalDefense update: 20180325
version: 37.1.62.1 detected: False
CAT-QuickHeal result: Trojan.Delf update: 20180324 version: 14.00 detected: True
NANO-Antivirus result: Trojan.Win32.Delf.cxpamv update: 20180325
version: 1.0.100.22043 detected: True
MicroWorld-eScan result: Gen:Variant.Strictor.55717 update: 20180325
version: 14.0.297.0 detected: True
SUPERAntiSpyware update: 20180325 version: 5.6.0.1032 detected: False
McAfee-GW-Edition result: BehavesLike.Win32.Dropper.tc update: 20180324
version: v2015 detected: True
TrendMicro-HouseCall result: TROJ_GEN.R002C0GBF18 update: 20180325
version: 9.950.0.1006 detected: True
total 66
sha256 ea733908391bd2074065458b2e5ddff16e4108487d990242fc786c391913f2fe
scan_id ea733908391bd2074065458b2e5ddff16e4108487d990242fc786c391913f2fe-1521958481
resource fc434c29b6dc375b7f9875aeca7e16dc
permalink https://www.virustotal.com/file/ea733908391bd2074065458b2e5ddff16e4108487d990242fc786c391913f2fe/analysis/1521958481/
positives 43
scan_date 2018-03-25 06:14:41
verbose_msg Scan finished, information embedded
response_code 1
File
Trace
Process
Trace
Analysis
Reason Blue Screen
Status Machine Crashed
Results 0
Registry
Trace
File Summary
Created Identified: False
Deleted Identified: False
Process Summary
Created Identified: False
Deleted Identified: False
Registry Summary
Proxy Identified: False
AutoRun Identified: False
Created Identified: False
Deleted Identified: False
Browsers Identified: False
Internet Identified: False
DNS
Query
Response
TCP
Info
UDP
Info
HTTP
Info
Summary
DNS False
TCP False
UDP False
HTTP False
Results
BINARY
KNN (K=3, NFS-BRMalware) confidence: 100.00%
suspicious: True
Decision Tree (NFS-BRMalware) confidence: 100.00%
suspicious: True
SVC (Kernel=Linear, NFS-BRMalware) confidence: 55.82%
suspicious: False
MalConv (Ember: Raw Bytes, Threshold=0.5) confidence: 85.86%
suspicious: True
Random Forest (100 estimators, NFS-BRMalware) confidence: 66.00%
suspicious: True
Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35) confidence: 60.73%
suspicious: True
LightGDM (Ember: File Characteristics, Threshold=0.8336) confidence: 63.01%
suspicious: False