Binary
DLL False
Size 436.50KB
trid 52.9% Win32 Executable; 23.5% Generic Win/DOS Executable; 23.5% DOS Executable Generic
type PE
wordsize 32
Subsystem Windows GUI
Community
Report #5717
Creation Date: Feb. 12, 2020, 12:04 p.m.
Last Update: Feb. 12, 2020, 1:42 p.m.
File: 1587965878532512578547589.exe
Results:
Google False
HashLib False
YARA
Matches maldoc_getEIP_method_1, domain, HasModified_DOS_Message, contentis_base64, yodas_Protector_v1033_dllocx_Ashkbiz_Danehkar_h, mpress_2_xx_x86, IsPacked, MPRESS_V200_V20X_MATCODE_Software_20090423, win_registry, IsPE32, IsWindowsGUI
Suspicious True
Foremost
Matches 0.exe, 436 KB
Suspicious True
Heuristics
IPs: hasIPs: False, hasAllowed: False, hasSuspicious: False
URLs: hasURLs: False, hasAllowed: False, hasSuspicious: False
Files: hasFiles: True, hasAllowed: True, hasSuspicious: False
Files Allowed: user32.dll, ole32.dll, advapi32.dll, comctl32.dll, gdi32.dll, oleaut32.dll, msimg32.dll, KERNEL32.DLL, shell32.dll, version.dll, mpr.dll
Binary
Sizes
RVA: 16, Suspicious: False
Code Size: 236032, Suspicious: False
Image Address: 4194304, Suspicious: False
Stack: 53248, Suspicious: False
Headers: 512, Suspicious: False
Suspicious: False
Symbols
Number: 0, Suspicious: True
Pointer: 0, Suspicious: True
Directories Number: 16, Suspicious: False
Checksum Value: 0, Suspicious: True
Sections Allowed: .mpress, .mpress, .rsrc
hasAllowed: True, hasSections: True, hasSuspicious: False
Versions
OS Version: 5, Suspicious: False
Image Version: 5, Suspicious: True
Linker Version: 2.25, Suspicious: False
Subsystem Version: 5.0, Suspicious: False
Suspicious: False
EntryPoint Address: 1508339, Suspicious: False
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True
Libraries Allowed: user32.dll, ole32.dll, advapi32.dll, comctl32.dll, gdi32.dll, oleaut32.dll, msimg32.dll, kernel32.dll, shell32.dll, version.dll, mpr.dll
hasLibs: True, hasAllowed: True, hasSuspicious: False
Timestamp Past: False, Valid: True, Value: 2018-03-15 16:50:12, Future: False
Compilation
Packers Packed: False, Missing: True
Compilers Compiled: False
Obfuscation XOR: False, Fuzzing: False
PEDetector
Matches None
Suspicious False
Disassembly
hasTricks True
Tricks
pushret: none: 212, .rsrc: 2
pushpopmath: none: 110, .rsrc: 1
ss register: none: 4
garbagebytes: none: 85, .rsrc: 2
hookdetection: none: 8
software breakpoint: none: 6
fakeconditionaljumps: none: 6
programcontrolflowchange: none: 79, .rsrc: 2
cpuinstructionsresultscomparison: none: 2, .rsrc: 8
AVclass
ranpax 1
VirusTotal
md5 71077b9e917c8eb899d8541b2312329b
sha1 8422300b76c2fe7a1f4430dd32e3dff5ffd1b540
SCANS (DETECTION RATE = 67.65%)
AVG: result: Win32:Malware-gen, update: 20180412, version: 18.3.3860.0, detected: True
CMC: result: Virus.Win32.Sality!O, update: 20180411, version: 1.1.0.977, detected: True
MAX: result: malware (ai score=97), update: 20180412, version: 2017.11.15.1, detected: True
Bkav: result: W32.eHeur.Virus02, update: 20180410, version: 1.3.0.9466, detected: True
K7GW: result: Trojan ( 7000000f1 ), update: 20180412, version: 10.44.26797, detected: True
ALYac: update: 20180412, version: 1.1.1.5, detected: False
Avast: result: Win32:Malware-gen, update: 20180412, version: 18.3.3860.0, detected: True
Avira: result: TR/Dropper.Gen, update: 20180411, version: 8.3.3.6, detected: True
Baidu: result: Win32.Trojan.WisdomEyes.16070401.9500.9888, update: 20180411, version: 1.0.0.2, detected: True
Cyren: result: W32/Trojan.WOQT-4651, update: 20180412, version: 5.4.30.7, detected: True
DrWeb: update: 20180412, version: 7.0.28.2020, detected: False
GData: result: Gen:Heur.Ranpax.1, update: 20180412, version: A:25.16694B:25.12011, detected: True
Panda: result: Trj/CI.A, update: 20180411, version: 4.6.4.2, detected: True
VBA32: result: suspected of Trojan.Downloader.gen.h, update: 20180411, version: 3.12.28.0, detected: True
VIPRE: update: 20180412, version: 65930, detected: False
Zoner: update: 20180412, version: 1.0, detected: False
AVware: update: 20180412, version: 1.5.0.42, detected: False
ClamAV: update: 20180412, version: 0.99.2.0, detected: False
Comodo: update: 20180412, version: 28849, detected: False
F-Prot: update: 20180412, version: 4.7.1.166, detected: False
Ikarus: result: Trojan.Lebros, update: 20180411, version: 0.1.5.2, detected: True
McAfee: result: RDN/Generic PWS.y, update: 20180412, version: 6.0.6.653, detected: True
Rising: result: Spyware.Zumanek!8.EC44 (TFE:5:t6ZgcgUfFkJ), update: 20180412, version: 25.0.0.1, detected: True
Sophos: result: Troj/DwnLdr-VHV, update: 20180412, version: 4.98.0, detected: True
Yandex: result: Trojan.PWS.BestaFera!, update: 20180411, version: 5.5.1.3, detected: True
Zillya: update: 20180411, version: 2.0.0.3533, detected: False
Arcabit: result: Trojan.Ranpax.1, update: 20180412, version: 1.0.0.831, detected: True
Cylance: result: Unsafe, update: 20180412, version: 2.3.1.101, detected: True
Endgame: result: malicious (high confidence), update: 20180403, version: 2.1.0, detected: True
Tencent: update: 20180412, version: 1.0.0.1, detected: False
ViRobot: result: Trojan.Win32.Z.Ranpax.446976, update: 20180412, version: 2014.3.20.0, detected: True
Webroot: update: 20180412, version: 1.0.0.403, detected: False
eGambit: update: 20180412, version: v4.3.5, detected: False
Ad-Aware: result: Gen:Heur.Ranpax.1, update: 20180412, version: 3.0.5.370, detected: True
AegisLab: result: Troj.W32.Generic!c, update: 20180412, version: 4.2, detected: True
Emsisoft: result: Gen:Heur.Ranpax.1 (B), update: 20180412, version: 4.0.2.899, detected: True
F-Secure: result: Gen:Heur.Ranpax.1, update: 20180412, version: 11.0.19100.45, detected: True
Fortinet: result: W32/DwnLdr.CV!tr, update: 20180412, version: 5.4.247.0, detected: True
Invincea: result: heuristic, update: 20180121, version: 6.3.4.26036, detected: True
Jiangmin: update: 20180412, version: 16.0.100, detected: False
Kingsoft: update: 20180412, version: 2013.8.14.323, detected: False
Paloalto: update: 20180412, version: 1.0, detected: False
Symantec: result: Downloader, update: 20180412, version: 1.5.0.0, detected: True
nProtect: update: 20180412, version: 2018-04-12.02, detected: False
AhnLab-V3: result: Malware/Win32.Generic.C2439006, update: 20180411, version: 3.12.0.20130, detected: True
Antiy-AVL: update: 20180412, version: 3.0.0.1, detected: False
Kaspersky: result: Trojan-Banker.Win32.BestaFera.arkg, update: 20180412, version: 15.0.1.13, detected: True
Microsoft: result: Trojan:Win32/Dynamer!rfn, update: 20180412, version: 1.1.14700.5, detected: True
Qihoo-360: result: Win32/Trojan.d53, update: 20180412, version: 1.0.0.1120, detected: True
TheHacker: update: 20180410, version: 6.8.0.5.2619, detected: False
ZoneAlarm: result: Trojan-Banker.Win32.BestaFera.arkg, update: 20180412, version: 1.0, detected: True
Cybereason: result: malicious.e917c8, update: 20180225, version: 1.2.27, detected: True
ESET-NOD32: result: a variant of Win32/Spy.Zumanek.CV, update: 20180412, version: 17208, detected: True
TrendMicro: result: TROJ_GEN.R002C0OCI18, update: 20180412, version: 9.862.0.1074, detected: True
WhiteArmor: result: Malware.HighConfidence, update: 20180408, detected: True
BitDefender: result: Gen:Heur.Ranpax.1, update: 20180412, version: 7.2, detected: True
CrowdStrike: result: malicious_confidence_90% (W), update: 20170201, version: 1.0, detected: True
K7AntiVirus: result: Trojan ( 7000000f1 ), update: 20180412, version: 10.44.26798, detected: True
SentinelOne: result: static engine - malicious, update: 20180225, version: 1.0.15.206, detected: True
Avast-Mobile: update: 20180411, version: 180411-06, detected: False
Malwarebytes: update: 20180412, version: 2.1.1.1115, detected: False
TotalDefense: update: 20180412, version: 37.1.62.1, detected: False
CAT-QuickHeal: result: Trojan.IGENERIC, update: 20180411, version: 14.00, detected: True
NANO-Antivirus: result: Trojan.Win32.BestaFera.eyyiqo, update: 20180412, version: 1.0.102.22527, detected: True
MicroWorld-eScan: result: Gen:Heur.Ranpax.1, update: 20180412, version: 14.0.297.0, detected: True
SUPERAntiSpyware: update: 20180412, version: 5.6.0.1032, detected: False
McAfee-GW-Edition: result: BehavesLike.Win32.SoftPulse.gc, update: 20180411, version: v2015, detected: True
TrendMicro-HouseCall: result: TROJ_GEN.R002C0OCI18, update: 20180412, version: 9.950.0.1006, detected: True
total 68
sha256 158aa6cd0eaa2fd08879cdd8ce0c6fd71e4a7713b46853c397a9a4b01d03ffd8
scan_id 158aa6cd0eaa2fd08879cdd8ce0c6fd71e4a7713b46853c397a9a4b01d03ffd8-1523520308
resource 71077b9e917c8eb899d8541b2312329b
permalink https://www.virustotal.com/file/158aa6cd0eaa2fd08879cdd8ce0c6fd71e4a7713b46853c397a9a4b01d03ffd8/analysis/1523520308/
positives 46
scan_date 2018-04-12 08:05:08
verbose_msg Scan finished, information embedded
response_code 1
File Trace
Process Trace
Analysis
Reason: Blue Screen
Status: Machine Crashed
Results: 0
Registry Trace
File Summary
Created Identified: False
Deleted Identified: False
Process Summary
Created Identified: False
Deleted Identified: False
Registry Summary
Proxy Identified: False
AutoRun Identified: False
Created Identified: False
Deleted Identified: False
Browsers Identified: False
Internet Identified: False
DNS
Query
localhost gateway:50273 folha16jornal.com.br.
localhost gateway:DNS folha16jornal.com.br.
Response
TCP
Info
UDP
Info
localhost:53 localhost:50273
localhost:68 255.255.255.255:67
localhost:67 localhost:68
localhost:50273 localhost:53
HTTP
Info
Summary
DNS True
TCP False
UDP True
HTTP False
Results
BINARY
KNN (K=3, NFS-BRMalware) confidence: 100.00%
suspicious: False
Decision Tree (NFS-BRMalware) confidence: 100.00%
suspicious: True
SVC (Kernel=Linear, NFS-BRMalware) confidence: 100.00%
suspicious: True
MalConv (Ember: Raw Bytes, Threshold=0.5) confidence: 61.61%
suspicious: False
Random Forest (100 estimators, NFS-BRMalware) confidence: 78.00%
suspicious: True
Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35) confidence: 69.28%
suspicious: False
LightGBM (Ember: File Characteristics, Threshold=0.8336) confidence: 96.67%
suspicious: True