Binary
DLL False
Size 69.00KB
trid 64.5% Win32 Executable MS Visual C++
13.6% Win32 Dynamic Link Library
9.3% Win32 Executable
4.1% OS/2 Executable
4.1% Generic Win/DOS Executable
type PE
wordsize 32
Subsystem Windows GUI
Hashes
md5 4e16859537d1cbd9311195db39b2d9cd
sha1 22ad1a00b710e6ef74baab310f3cf3e47419b7dd
crc32 0x1ff2647f
sha224 90980902b9f7e7e86a6d37076d545c97f9c263ea07a7d5af88206360
sha256 27b6f8fb275c3cb798271487d94e031feb5c3a4c3ad302d9cd26a2226814d102
sha384 560946007a938f0179b6761104e28eba37adb2c1f9b662b25b13703aac951294a75f7428ad1f6ad7505e058a59c8ac8b
sha512 074f022643341211204ac94a8b5b56ee555cba7d879f52f2268ccb90fd26b087e69c4778ecc261cb131a0cd1f0ed56026896acb0447c81686685577d971e5e1c
ssdeep 1536:mvvYfDPDfJOabT/SenuHWkLg0ZiyoIkN1A:mvQfDP0aO6uJPZiyOe
Community
Report #7250
Creation Date: Feb. 21, 2020, 3:11 p.m.
Last Update: Feb. 21, 2020, 4:44 p.m.
File: Avaliacao_de_Custos.exe
Results:
Google False
HashLib False
YARA
Matches TASM_MASM_additional, TASM_MASM, screenshot, HasRichSignature, contentis_base64, keylogger, domain, PE_Diminisher_v01_additional, MASMTASM, IP, IsPE32, IsWindowsGUI
Suspicious True
Strings
List
comctl32.dll uxtheme.dll NZLtKbJmAaL.exe ddraw.dll
winmm.dll ntdll.dll
name="Microsoft.Windows.Common-Controls"
i sy@%in
publicKeyToken="6595b64144ccf1df"
ExitProcess IsWow64Process VirtualAlloc MapViewOfFile MapViewOfFileEx GetAsyncKeyState GetModuleHandleA LoadResource
GetConsoleProcessList version="6.0.0.0"
GdiplusNotificationUnhook language="*"
type="win32"
eS1{0,sf l2.i@l*d5d os8n-pwT
=g<-egtril
msctls_progress32 msctls_progress32 msctls_progress32 msctls_progress32 msctls_progress32
<dependentAssembly>
c5D12o80AK PLOCzS77a3 oIewa.dC 4OvZU43sIb
<assemblyIdentity msctls_trackbar32 msctls_trackbar32 msctls_trackbar32 msctls_trackbar32 msctls_trackbar32
</dependentAssembly>
msctls_statusbar32 msctls_statusbar32 ftmuor:a=m."nso
<dependency>
ToolbarWindow32 ToolbarWindow32 e45f7NRS
</dependency>
sssexsrit%v 89rkmOyO C1EyoO5Hz iLivTL08V SuLcw68eH SysTreeView32 SysListView32 SysTreeView32 SysListView32 SysTreeView32 quUZ5lECR1N SysTreeView32 SysListView32 SysTreeView32 SysTreeView32 SysListView32 SysTreeView32
</assembly>
hS9udsI3zw
CreateToolhelp32Snapshot CompanyName
hDn5wattNT 0[492:!
EnumICMProfilesA GetICMProfileA
`.rdata 4\Wro
ProductName _llseek kWcd08Lht s9iwSkp1jH yZC1oDhl8P A4pO4HH OriginalFilename GdipCreatePathIter InternalName VarFileInfo FileDescription FileVersion GdipCreateFont GdipCreatePath CoRegisterClassObject Rich'gG
b$ =inG
Translation ' n_vat AGeAviAk 86ynoti
@.data
Foremost
Matches 50.bmp, 23 KB, 0.exe, 69 KB
Suspicious True
Heuristics
IPs
hasIPs: False
Allowed: hasAllowed: False
Suspicious: hasSuspicious: False
URLs
hasURLs: False
Allowed: hasAllowed: False
Suspicious: hasSuspicious: False
Files
Allowed: ntdll.dll, ole32.dll, gdi32.dll, gdiplus.dll, advapi32.dll, kernel32.dll, uxtheme.dll, user32.dll, rpcrt4.dll, winmm.dll, comctl32.dll, ddraw.dll
Suspicious:
hasFiles: True hasAllowed: True hasSuspicious: False
Binary
Sizes
RVA: 16 Suspicious: False
Code Size: 53760 Suspicious: False
Image Address: 4194304 Suspicious: False
Stack: 4096 Suspicious: False
Headers: 1024 Suspicious: False
Suspicious: False
Symbols
Number: 0 Suspicious: True
Pointer: 0 Suspicious: True
Directories
Number: 16 Suspicious: False
Checksum
Value: 0 Suspicious: True
Sections
Allowed: .text, .rdata, .data, .rsrc
Suspicious:
hasAllowed: True hasSections: True hasSuspicious: False
Versions
OS Version: 4 Suspicious: False
Image Version: 4 Suspicious: True
Linker Version: 5.12 Suspicious: False
Subsystem Version: 4.0 Suspicious: False
Suspicious: False
EntryPoint
Address: 4096 Suspicious: False
Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True
Libraries
Allowed: ntdll.dll, ole32.dll, gdi32.dll, gdiplus.dll, advapi32.dll, kernel32.dll, uxtheme.dll, user32.dll, rpcrt4.dll, winmm.dll, comctl32.dll, ddraw.dll
Suspicious:
hasLibs: True hasAllowed: True hasSuspicious: False
Timestamp
Value: 2012-04-06 06:35:27 Valid: True Past: False Future: False
Compilation
Packed: True Packers: PE Diminisher v0.1
Compiled: False Compilers: Missing: False
Obfuscation
XOR: False Fuzzing: False
PEDetector
Matches None
Suspicious False
Disassembly
hasTricks True
Tricks
pushret .rsrc: 4
pushpopmath .rsrc: 5
.text: 2
garbagebytes .rsrc: 1
hookdetection .text: 1
programcontrolflowchange .rsrc: 1
cpuinstructionsresultscomparison .rsrc: 22
AVclass
tecoque 1
VirusTotal
md5 4e16859537d1cbd9311195db39b2d9cd
sha1 22ad1a00b710e6ef74baab310f3cf3e47419b7dd
SCANS (DETECTION RATE = 80.30%)
AVG result: Win32:Malware-gen update: 20180325 version: 18.2.3827.0 detected: True
CMC update: 20180324 version: 1.1.0.977 detected: False
MAX result: malware (ai score=100) update: 20180325 version: 2017.11.15.1 detected: True
Bkav update: 20180325 version: 1.3.0.9466 detected: False
K7GW result: Trojan-Downloader ( 004f63cc1 ) update: 20180325 version: 10.42.26600 detected: True
ALYac result: Trojan.GenericKD.3564533 update: 20180325 version: 1.1.1.5 detected: True
Avast result: Win32:Malware-gen update: 20180325 version: 18.2.3827.0 detected: True
Avira result: TR/Dldr.Agent.geoll update: 20180324 version: 8.3.3.6 detected: True
Baidu result: Win32.Trojan.WisdomEyes.16070401.9500.9999 update: 20180323 version: 1.0.0.2 detected: True
Cyren result: W32/Trojan.IDYH-0640 update: 20180325 version: 5.4.30.7 detected: True
DrWeb result: Trojan.DownLoader23.4712 update: 20180325 version: 7.0.28.2020 detected: True
GData result: Win32.Trojan.Agent.YOPOUD update: 20180325 version: A:25.16493B:25.11870 detected: True
Panda result: Trj/WLT.C update: 20180324 version: 4.6.4.2 detected: True
VBA32 result: TrojanDownloader.Agent update: 20180323 version: 3.12.28.0 detected: True
VIPRE result: Trojan.Win32.Generic!BT update: 20180325 version: 65504 detected: True
Zoner result: Trojan.Agent update: 20180325 version: 1.0 detected: True
AVware result: Trojan.Win32.Generic!BT update: 20180325 version: 1.5.0.42 detected: True
ClamAV result: Win.Malware.004f63cc-1 update: 20180324 version: 0.99.2.0 detected: True
Comodo update: 20180325 detected: False
F-Prot result: W32/Trojan3.XQP update: 20180325 version: 4.7.1.166 detected: True
Ikarus result: Trojan-Downloader.Win32.Agent update: 20180324 version: 0.1.5.2 detected: True
McAfee result: Generic.zm update: 20180325 version: 6.0.6.653 detected: True
Rising update: 20180325 version: 25.0.0.1 detected: False
Sophos result: Mal/Generic-L update: 20180325 version: 4.98.0 detected: True
Yandex result: Trojan.DL.Agent!TeHyfa02ISM update: 20180324 version: 5.5.1.3 detected: True
Zillya update: 20180323 version: 2.0.0.3519 detected: False
Arcabit result: Trojan.Generic.D3663F5 update: 20180325 version: 1.0.0.831 detected: True
Cylance result: Unsafe update: 20180325 version: 2.3.1.101 detected: True
Endgame result: malicious (high confidence) update: 20180316 version: 2.0.5 detected: True
Tencent result: Win32.Trojan-downloader.Agent.Pdmk update: 20180325 version: 1.0.0.1 detected: True
ViRobot result: Trojan.Win32.Z.Agent.70656.IT update: 20180324 version: 2014.3.20.0 detected: True
eGambit result: Unsafe.AI_Score_91% update: 20180325 version: v4.3.5 detected: True
Ad-Aware result: Trojan.GenericKD.3564533 update: 20180325 version: 3.0.3.1010 detected: True
AegisLab result: Uds.Dangerousobject.Multi!c update: 20180325 version: 4.2 detected: True
Emsisoft result: Trojan.GenericKD.3564533 (B) update: 20180325 version: 4.0.2.899 detected: True
F-Secure result: Trojan.GenericKD.3564533 update: 20180325 version: 11.0.19100.45 detected: True
Fortinet result: W32/Agent.CQD!tr.dldr update: 20180325 version: 5.4.247.0 detected: True
Invincea result: heuristic update: 20180121 version: 6.3.4.26036 detected: True
Jiangmin result: TrojanDownloader.Agent.fjzr update: 20180325 version: 16.0.100 detected: True
Kingsoft update: 20180325 version: 2013.8.14.323 detected: False
Paloalto update: 20180325 version: 1.0 detected: False
Symantec result: Trojan.Gen update: 20180324 version: 1.5.0.0 detected: True
nProtect update: 20180325 version: 2018-03-25.01 detected: False
AhnLab-V3 result: Downloader/Win32.Agent.C1599351 update: 20180324 version: 3.12.0.20130 detected: True
Antiy-AVL result: Trojan[Downloader]/Win32.Agent update: 20180325 version: 3.0.0.1 detected: True
Kaspersky result: Trojan-Downloader.Win32.Agent.hhdc update: 20180325 version: 15.0.1.13 detected: True
Microsoft result: TrojanDownloader:Win32/Tecoque.A update: 20180325 version: 1.1.14600.4 detected: True
Qihoo-360 update: 20180325 version: 1.0.0.1120 detected: False
TheHacker update: 20180319 version: 6.8.0.5.2551 detected: False
ZoneAlarm result: Trojan-Downloader.Win32.Agent.hhdc update: 20180325 version: 1.0 detected: True
Cybereason result: malicious.537d1c update: 20180225 version: 1.2.27 detected: True
ESET-NOD32 result: Win32/TrojanDownloader.Agent.CQD update: 20180325 version: 17111 detected: True
TrendMicro result: TROJ_GEN.R002C0DBG18 update: 20180325 version: 9.862.0.1074 detected: True
WhiteArmor result: Malware.HighConfidence update: 20180324 detected: True
BitDefender result: Trojan.GenericKD.3564533 update: 20180325 version: 7.2 detected: True
CrowdStrike result: malicious_confidence_100% (W) update: 20170201 version: 1.0 detected: True
K7AntiVirus result: Trojan-Downloader ( 004f63cc1 ) update: 20180325 version: 10.42.26601 detected: True
SentinelOne result: static engine - malicious update: 20180225 version: 1.0.15.206 detected: True
Avast-Mobile update: 20180324 version: 180324-00 detected: False
Malwarebytes update: 20180325 version: 2.1.1.1115 detected: False
TotalDefense update: 20180324 version: 37.1.62.1 detected: False
CAT-QuickHeal result: TrojanDownloader.Tecoque update: 20180324 version: 14.00 detected: True
NANO-Antivirus result: Trojan.Win32.Agent.egypvs update: 20180325 version: 1.0.100.22043 detected: True
MicroWorld-eScan result: Trojan.GenericKD.3564533 update: 20180325 version: 14.0.297.0 detected: True
SUPERAntiSpyware result: Trojan.Agent/Gen-Banload update: 20180324 version: 5.6.0.1032 detected: True
McAfee-GW-Edition result: BehavesLike.Win32.Ransomware.km update: 20180324 version: v2015 detected: True
total 66
sha256 27b6f8fb275c3cb798271487d94e031feb5c3a4c3ad302d9cd26a2226814d102
scan_id 27b6f8fb275c3cb798271487d94e031feb5c3a4c3ad302d9cd26a2226814d102-1521950222
resource 4e16859537d1cbd9311195db39b2d9cd
permalink https://www.virustotal.com/file/27b6f8fb275c3cb798271487d94e031feb5c3a4c3ad302d9cd26a2226814d102/analysis/1521950222/
positives 53
scan_date 2018-03-25 03:57:02
verbose_msg Scan finished, information embedded
response_code 1
File
Trace
21/2/2020 - 15:46:3.793 Open 1480 C:\malware.exe C:\OPENGL32.DLL
21/2/2020 - 15:46:3.793 Open 1480 C:\malware.exe C:\Windows\SysWOW64\opengl32.dll
21/2/2020 - 15:46:3.793 Open 1480 C:\malware.exe C:\Windows\SysWOW64\opengl32.dll
21/2/2020 - 15:46:3.793 Open 1480 C:\malware.exe C:\GLU32.dll
21/2/2020 - 15:46:3.793 Open 1480 C:\malware.exe C:\Windows\SysWOW64\glu32.dll
21/2/2020 - 15:46:3.793 Open 1480 C:\malware.exe C:\Windows\SysWOW64\glu32.dll
21/2/2020 - 15:46:3.872 Open 1480 C:\malware.exe C:\version.DLL
21/2/2020 - 15:46:3.872 Open 1480 C:\malware.exe C:\Windows\SysWOW64\version.dll
21/2/2020 - 15:46:3.872 Open 1480 C:\malware.exe C:\Windows\SysWOW64\version.dll
21/2/2020 - 15:46:33.75 Open 1480 C:\malware.exe C:\Program Files (x86)
21/2/2020 - 15:46:33.75 Unknown 1480 C:\malware.exe C:\Program Files (x86)
21/2/2020 - 15:46:33.75 Open 1480 C:\malware.exe C:\Program Files (x86)\scpbrad
21/2/2020 - 15:46:33.75 Open 1480 C:\malware.exe C:\Program Files (x86)\AppBrad
21/2/2020 - 15:46:33.75 Open 1480 C:\malware.exe C:\Windows\Globalization\Sorting\SortDefault.nls
21/2/2020 - 15:46:33.75 Unknown 1480 C:\malware.exe C:\Windows\Globalization\Sorting\SortDefault.nls SortDefault.nls
21/2/2020 - 15:46:33.75 Open 1480 C:\malware.exe C:\Users\Behemot\AppData\Local
21/2/2020 - 15:46:33.75 Unknown 1480 C:\malware.exe C:\Users\Behemot\AppData\Local
21/2/2020 - 15:46:33.75 Open 1480 C:\malware.exe C:\Users\Behemot\AppData\Local\Aplicativo Itau
21/2/2020 - 15:46:33.122 Unknown 1480 C:\malware.exe C:\Windows
21/2/2020 - 15:46:33.122 Unknown 1480 C:\malware.exe C:\Monitor
21/2/2020 - 15:46:33.122 Unknown 1480 C:\malware.exe C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
21/2/2020 - 15:46:33.122 Unknown 1480 C:\malware.exe C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be
Process
Trace
Analysis
Reason Finished
Status Successfully Executed
Results 1
Registry
Trace
File Summary
Created Identified: False
Deleted Identified: False
Process Summary
Created Identified: False
Deleted Identified: False
Registry Summary
Proxy Identified: False
AutoRun Identified: False
Created Identified: False
Deleted Identified: False
Browsers Identified: False
Internet Identified: False
DNS
Query
Response
TCP
Info
UDP
Info
HTTP
Info
Summary
DNS False
TCP False
UDP False
HTTP False
Results
BINARY
KNN (K=3, NFS-BRMalware) confidence: 66.67%
suspicious: False
Decision Tree (NFS-BRMalware) confidence: 100.00%
suspicious: True
SVC (Kernel=Linear, NFS-BRMalware) confidence: 99.44%
suspicious: False
MalConv (Ember: Raw Bytes, Threshold=0.5) confidence: 96.97%
suspicious: True
Random Forest (100 estimators, NFS-BRMalware) confidence: 82.00%
suspicious: True
Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35) confidence: 91.23%
suspicious: True
LightGDM (Ember: File Characteristics, Threshold=0.8336) confidence: 87.03%
suspicious: False