Binary
DLL False
Size 4.00KB
trid 33.4% OS/2 Executable
33.0% Generic Win/DOS Executable 32.9% DOS Executable Generic 0.5% VXD Driver
type PE
wordsize 0
Subsystem unknown
Hashes
md5 594b71a4b95c441a1342df8d5b95fdfb
sha1 c5c790b9680e1b39765aaa510ecc527534d16645
crc32 0xe7e62dbb
sha224 6b61aca7bebcc74bd8bd4283fa02ce61fc0fd0e9d9ed16a9e1342a39
sha256 8a7ee2b9c5d03c6f2b2f03ba8feee99c01f8cc1403fd49ecaa9d22c1b8dcceb5
sha384 ff4ae5f2bf882dfcfce3ee6ffb8a3f93362c150abfde21481f217188de264b1cdfa4eb992673223e096b6956a81ca01e
sha512 d877739f790615784f070d77f2bf5035732cd81c176f2633d92e7259cff57bb7c819362dce94e782ec983b567e7571c5317e325c7015ced687c558aca4dbefb2
ssdeep 48:ZvtsoFoUBpXXbqk/d4twFwU237S7LrZvjQ4k1Rdt:Z1sotX8twKU2LS7RrHMr
Community
Report #310
Creation Date: Oct. 11, 2019, 4:51 p.m.
Last Update: Oct. 11, 2019, 5:13 p.m.
File:
006 Results:
Google True
HashLib False
YARA
Matches domain, contentis_base64, IsPE64, HasOverlay, FASM, IsWindowsGUI
Suspicious True
Strings
List
GetProcAddress ShellExecuteA VirtualAlloc LoadLibraryA
GetModuleFileNameA CreateFileA
.flat
!This program cannot be run in DOS mode.
shell32.dll
GetComputerNameA GetShortPathNameA lstrlenA
lstrcatA kernel32.dll .fsddd s f5 peJ<>
dadzx J>v- J<~- J>v- zy#J
Foremost
Matches None
Suspicious False
Heuristics
IPs hasIPs: False
Allowed Suspicious
hasAllowed: False hasSuspicious: False
URLs Allowed
hasURLs: False Suspicious
hasAllowed: False hasSuspicious: False
Files Allowed: shell32.dll, kernel32.dll hasFiles: True
Suspicious
hasAllowed: True hasSuspicious: False
Binary
Sizes RVA
RVA: 16
Suspicious: False Code
Size: 2560
Suspicious: False Image
Address: 4194304 Suspicious: False Stack
Stack: 4096 Suspicious: False Headers
Headers: 512 Suspicious: False Suspicious: False
Symbols Number
Number: 0
Suspicious: True Pointer
Pointer: 0
Suspicious: True Directories Number: 16 Suspicious: False
Checksum Value: 47801
Suspicious: False
Sections Allowed: .flat, dadzx, .fsddd
Suspicious
hasAllowed: True hasSections: True
hasSuspicious: False
Versions OS
Version: 1
Suspicious: False Image
Version: True Suspicious: 1 Linker
Version: 1.71 Suspicious: False Subsystem
Version: 4.0 Suspicious: False Suspicious: False
EntryPoint Address: 4116
Suspicious: False
Anomalies Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True
Libraries Allowed: kernel32.dll
hasLibs: True
Suspicious: shell32.dll hasAllowed: True hasSuspicious: True
Timestamp Past: False
Valid: True
Value: 2018-03-27 11:48:43 Future: False
Compilation Packed: False
Missing: True Packers
Compiled: False Compilers
Obfuscation XOR: False
Fuzzing: False
PEDetector
Matches None
Suspicious False
Disassembly
hasTricks True
Tricks
nopsequence .flat: 3
AVclass
tinyloader 1
VirusTotal
md5 594b71a4b95c441a1342df8d5b95fdfb
sha1 c5c790b9680e1b39765aaa510ecc527534d16645
SCANS (DETECTION RATE = 75.47%)
CMC update: 20190321
version: 1.1.0.977 detected: False
MAX result: malware (ai score=98)
update: 20191011 version: 2019.9.16.1 detected: True
APEX result: Malicious
update: 20191010 version: 5.72 detected: True
Bkav update: 20191010
version: 1.3.0.10239 detected: False
K7GW result: Trojan ( 0052b5941 )
update: 20191010 version: 11.72.32236 detected: True
ALYac result: Trojan.Downloader.TinyLoader
update: 20191010
version: 1.1.1.5 detected: True
Avira result: HEUR/AGEN.1000670
update: 20191010 version: 8.3.3.8 detected: True
Cyren result: W64/S-8855be7a!Eldorado
update: 20191010 version: 6.2.2.2 detected: True
DrWeb update: 20191010
version: 7.0.41.7240 detected: False
Panda result: Trj/CI.A
update: 20191010 version: 4.6.4.2 detected: True
VBA32 result: Trojan.Cloxer
update: 20191010 version: 4.1.0 detected: True
Zoner update: 20191010
version: 1.0.0.1 detected: False
ClamAV update: 20191010
version: 0.102.0.0 detected: False
Comodo result: Malware@#2e2z6pb0gficr
update: 20191010 version: 31586 detected: True
Rising result: Downloader.Tinyloader!8.D74 (TFE:2:qdoyqawktq) update: 20191010
version: 25.0.0.24 detected: True
Yandex result: Trojan.Agent!j9Zvx+iJ7vs
update: 20191009
version: 5.5.2.24 detected: True
Zillya result: Downloader.TinyLoader.Win64.16 update: 20191010
version: 2.0.0.3922 detected: True
Acronis result: suspicious
update: 20191005 version: 1.1.1.58 detected: True
Alibaba result: Trojan:Win32/Generic.85f42cc9 update: 20190527
version: 0.3.0.5 detected: True
Arcabit update: 20191010
version: 1.0.0.858 detected: False
Endgame result: malicious (high confidence) update: 20190918
version: 3.0.15 detected: True
FireEye result: Generic.mg.594b71a4b95c441a
update: 20191010 version: 29.7.0.0 detected: True
TACHYON update: 20191010
version: 2019-10-10.02 detected: False
Tencent result: Win32.Trojan.Generic.Svrn update: 20191011
version: 1.0.0.1 detected: True
ViRobot result: Trojan.Win32.Z.Cerbu.4096.BL update: 20191010
version: 2014.3.20.0 detected: True
Webroot result: W32.Trojan.Gen
update: 20191011 version: 1.0.0.403 detected: True
eGambit update: 20191011
version: v5.0.5 detected: False
Ad-Aware result: Gen:Variant.Cerbu.4519
update: 20191010 version: 3.0.5.370 detected: True
AegisLab result: Trojan.Win32.Generic.4!c update: 20191010
version: 4.2 detected: True
Emsisoft result: Gen:Variant.Cerbu.4519 (B) update: 20191010
version: 2018.12.0.1641 detected: True
Jiangmin result: Trojan.Generic.cbonn
update: 20191010 version: 16.0.100 detected: True
Kingsoft update: 20191011
version: 2013.8.14.323 detected: False
Paloalto result: generic.ml
update: 20191011 version: 1.0 detected: True
Symantec result: Trojan.Gen.MBT
update: 20191010 version: 1.10.0.0 detected: True
AhnLab-V3 result: Unwanted/Win32.Downloader.C2445377 update: 20191010
version: 3.16.3.25410 detected: True
Antiy-AVL result: Trojan/Win32.AGeneric update: 20191010
version: 3.0.0.1 detected: True
Qihoo-360 result: Win32/Trojan.d05
update: 20191011 version: 1.0.0.1120 detected: True
ZoneAlarm result: HEUR:Trojan.Win32.Generic update: 20191010
version: 1.0 detected: True
Cybereason result: malicious.4b95c4
update: 20190616 version: 1.2.449 detected: True
ESET-NOD32 result: a variant of Win64/Agent.BR.gen update: 20191010
version: 20160 detected: True
BitDefender result: Gen:Variant.Cerbu.4519 update: 20191010
version: 7.2 detected: True
CrowdStrike result: win/malicious_confidence_100% (W) update: 20190702
version: 1.0 detected: True
K7AntiVirus result: Trojan ( 0052b5941 ) update: 20191010
version: 11.72.32242 detected: True
SentinelOne result: DFI - Malicious PE update: 20190807 version: 1.0.31.22 detected: True
Avast-Mobile update: 20191010
version: 191010-00 detected: False
Malwarebytes result: Trojan.Tiny update: 20191010 version: 2.1.1.1115 detected: True
TotalDefense update: 20191009
version: 37.1.62.1 detected: False
CAT-QuickHeal update: 20191009
version: 14.00 detected: False
NANO-Antivirus result: Trojan.Win64.Midie.fbqmej update: 20191010
version: 1.0.134.24859 detected: True
MicroWorld-eScan result: Gen:Variant.Cerbu.4519 update: 20191010
version: 14.0.297.0 detected: True
SUPERAntiSpyware update: 20191004 version: 5.6.0.1032 detected: False
McAfee-GW-Edition result: BehavesLike.Win64.Generic.xt update: 20191010
version: v2017.3010 detected: True
TrendMicro-HouseCall result: TrojanSpy.Win64.TINYPOS.AB update: 20191010
version: 10.0.0.1040 detected: True
total 53
sha256 8a7ee2b9c5d03c6f2b2f03ba8feee99c01f8cc1403fd49ecaa9d22c1b8dcceb5
scan_id 8a7ee2b9c5d03c6f2b2f03ba8feee99c01f8cc1403fd49ecaa9d22c1b8dcceb5-1570746749
resource 594b71a4b95c441a1342df8d5b95fdfb
permalink https://www.virustotal.com/file/8a7ee2b9c5d03c6f2b2f03ba8feee99c01f8cc1403fd49ecaa9d22c1b8dcceb5/analysis/1570746749/
positives 40
scan_date 2019-10-10 22:32:29
verbose_msg Scan finished, information embedded
response_code 1
File
Trace
3/5/2018 - 18:45:42.825 Open C:\malware.exe C:\wsock32.dll
3/5/2018 - 18:45:42.825 Open C:\malware.exe C:\Windows\System32\wsock32.dll
3/5/2018 - 18:45:42.825 Open C:\malware.exe C:\Windows\System32\wsock32.dll
3/5/2018 - 18:45:42.872 Open C:\malware.exe C:\Windows\Globalization\Sorting\SortDefault.nls
3/5/2018 - 18:45:42.872 Unknown C:\malware.exe C:\Windows\Globalization\Sorting\SortDefault.nls SortDefault.nls
3/5/2018 - 18:45:42.872 Open C:\malware.exe C:\Windows\System32\mswsock.dll
3/5/2018 - 18:45:42.872 Open C:\malware.exe C:\Windows\System32\mswsock.dll
3/5/2018 - 18:45:42.872 Open C:\malware.exe C:\Windows\System32\WSHTCPIP.DLL
3/5/2018 - 18:45:42.872 Open C:\malware.exe C:\Windows\System32\WSHTCPIP.DLL
Process
Trace
Analysis
Reason Timeout
Status Successfully Executed
Results 1
Registry
Trace
File Summary
Created Identified: False
Deleted Identified: False
Process Summary
Created Identified: False
Deleted Identified: False
Registry Summary
Proxy Identified: False
AutoRun Identified: False
Created Identified: False
Deleted Identified: False
Browsers Identified: False
Internet Identified: False
DNS
Query
localhost gateway:50273 dns.msftncsi.com.
localhost gateway:DNS dns.msftncsi.com.
Response
gateway:DNS localhost dns.msftncsi.com. 131.107.255.255
TCP
Info
localhost:65193 194.165.16.165:7451 localhost:65191 194.165.16.165:7451 localhost:65192 194.165.16.165:7451 localhost:65200 194.165.16.165:7451 localhost:65197 194.165.16.165:7451 localhost:65199 194.165.16.165:7451 localhost:27015 localhost:44398 localhost:65194 194.165.16.165:7451 localhost:65201 194.165.16.165:7451 localhost:44398 localhost:27015 localhost:65198 194.165.16.165:7451 localhost:65195 194.165.16.165:7451 localhost:65196 194.165.16.165:7451
UDP
Info
localhost:51870 239.255.255.250:1900 localhost:50273 localhost:53
localhost:53 localhost:50273
HTTP
Info
Summary
DNS True
TCP True
UDP True
HTTP False
Results
Random Forest detected: TBD confidence: TBD