Binary
DLL False
Size 199.00KB
trid
  47.2% Win32 EXE PECompact compressed
  16.1% Win32 Executable Delphi generic
  14.8% Windows screen saver
  7.4% Win32 Dynamic Link Library
  5.1% Win32 Executable
type PE
wordsize 32
Subsystem Windows GUI
Hashes
md5 9061b0f7c543051f1d02eaf455da8980
sha1 adddae60e254ba38317ba41558d57e8dfa9c0130
crc32 0xf6cd22e2
sha224 70b33e0d44f442f6651061f3aa82f653a8db5d1a46be78dda3e9ce11
sha256 20799515e1ff7efe2ef608036024ad6082b05a8d0ef64d1bff6f3e72fb5695ea
sha384 f6f7c9729ba1925d65abae756fd77629fdbd7db49c5f41d82ad2cb8487daf8a6995476b36997845e4aac0c8fec74ca7e
sha512 5599c5d7be419cfea5e6ca96e869c50ae66291d0cf229c43de06edfa25f7e191b27795a25153ffe62a76f79cd1b9aa965427c26c8d41e790e8203be92d6b0568
ssdeep 6144:pXV3P+8FuRHHTaAThVkC9R888888888888W88888888888:pgHz99R888888888888W88888888888
Community
Report #1065
Creation Date: Oct. 30, 2019, 5:43 p.m.
Last Update: Oct. 30, 2019, 6:15 p.m.
File: guzdUxrdcjVN.exe
Results:
  Google False
  HashLib False
YARA
Matches domain, borland_delphi, Borland, contentis_base64, win_token, win_files_operation, win_registry, Microsoft_Visual_Cpp_v50v60_MFC, Delphi_Random, IsPE32, IsWindowsGUI
Suspicious True
Strings
List
t.Ht
B.rsrc
Software\Borland\Locales Software\Borland\Delphi\Locales Reserved3
Software\CodeGear\Locales Apartment
%s,Custom variant type (%s%.4x) is out of range/Custom variant type (%s%.4x) already used by %s*Custom variant type (%s%.4x) is not usable2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Division by zero Author
Next Next Reserved
August September Too many open files Assertion failed pvReserved wReserved
%s (%s, line %d)
Privileged instruction(Exception %s in module %s at %p.
I/O error %d ESafecallException ESafecallException PLibModule@ @
No argument for format '%s'"Variant method calls not supported etPrivilege
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p Application Error1Format '%s' invalid or incompatible with argument
GetProcAddress GetProcAddress
EPrivilege EPrivilege
Invalid class typecast0Access violation at address %p. %s of address %p ExitProcess
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
E853C2B386FE006BEB61 E853C2B386FE006BEB61 E853C2B386FE006BEB61 E853C2B386FE006BEB61 E853C2B386FE006BEB61 E853C2B386FE006BEB61 E853C2B386FE006BEB61 E853C2B386FE006BEB61 PInterfaceEntry
TInterfaceEntry GetInterfaceEntry SysUtils0
Identifier E957D 70ED6 61DE5
CreateEventW GetInterfaceTable TInterfaceTable GetInterface PInterfaceTablel RegistrationInfo GetDiskFreeSpaceW 6FEC6
E05ED 7DFA7 4DCA4 D04EC 5EDB5 E05ED OpenProcess OpenProcessToken
The unexpected small block leaks are:
This program must be run under Win32 sActiveX
VirtualAlloc
CoCreateInstanceEx NewInstance SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils
SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils
Foremost
Matches 0.exe, 199 KB
Suspicious True
Heuristics
IPs
  hasIPs: False
  Allowed / Suspicious: hasAllowed: False hasSuspicious: False
URLs
  hasURLs: False
  Allowed / Suspicious: hasAllowed: False hasSuspicious: False
Files
  Allowed: ole32.dll, kernel32.dll, oleaut32.dll, user32.dll, advapi32.dll
  hasFiles: True
  Allowed / Suspicious: hasAllowed: True hasSuspicious: False
Binary
Sizes
  RVA: 16 Suspicious: False
  Code Size: 61440 Suspicious: False
  Image Address: 4194304 Suspicious: False
  Stack: 16384 Suspicious: False
  Headers: 1024 Suspicious: False
  Suspicious: False
Symbols
  Number: 0 Suspicious: True
  Pointer: 0 Suspicious: True
Directories Number: 16 Suspicious: False
Checksum Value: 0 Suspicious: True
Sections Allowed: .text, .itext, .data, .bss, .idata, .tls, .rdata, .reloc, .rsrc
  hasAllowed: True hasSections: True hasSuspicious: False
Versions
  OS Version: 5 Suspicious: False
  Image Version: 5 Suspicious: True
  Linker Version: 2.25 Suspicious: False
  Subsystem Version: 5.0 Suspicious: False
  Suspicious: False
EntryPoint Address: 139908 Suspicious: False
Anomalies: The header checksum and the calculated checksum do not match.
  hasAnomalies: True
Libraries Allowed: ole32.dll, kernel32.dll, oleaut32.dll, user32.dll, advapi32.dll
  hasLibs: True hasAllowed: True hasSuspicious: False
Timestamp Value: 2019-03-28 08:49:37 Past: False Future: False Valid: True
Compilation
  Packers Packed: False Missing: True
  Compilers Compiled: False
Obfuscation XOR: False Fuzzing: False
PEDetector
Matches None
Suspicious False
Disassembly
hasTricks True
Tricks
  pushret: .text: 6, .idata: 6, .itext: 2
  pushpopmath: .rsrc: 3, .text: 2, .reloc: 8
  garbagebytes: .text: 6, .itext: 2
  hookdetection: .text: 2
  software breakpoint: .text: 2, .reloc: 3
  programcontrolflowchange: .text: 6, .itext: 2
  cpuinstructionsresultscomparison: .rsrc: 1, .text: 2
AVclass
alien 1
VirusTotal
md5 9061b0f7c543051f1d02eaf455da8980
sha1 adddae60e254ba38317ba41558d57e8dfa9c0130
SCANS (DETECTION RATE = 62.12%)
AVG | result: Win32:Malware-gen | update: 20190417 | version: 18.4.3895.0 | detected: True
CMC | update: 20190321 | version: 1.1.0.977 | detected: False
MAX | update: 20190417 | version: 2018.9.12.1 | detected: False
Bkav | update: 20190416 | version: 1.3.0.9899 | detected: False
K7GW | result: Trojan ( 0054afdc1 ) | update: 20190417 | version: 11.39.30623 | detected: True
ALYac | result: Gen:Variant.Barys.59915 | update: 20190417 | version: 1.1.1.5 | detected: True
Avast | result: Win32:Malware-gen | update: 20190417 | version: 18.4.3895.0 | detected: True
Avira | result: TR/Alien.djauj | update: 20190417 | version: 8.3.3.8 | detected: True
Baidu | update: 20190318 | version: 1.0.0.2 | detected: False
Cyren | result: W32/Trojan.PBIW-6116 | update: 20190417 | version: 6.2.0.1 | detected: True
DrWeb | update: 20190417 | version: 7.0.34.11020 | detected: False
GData | result: Gen:Variant.Barys.59915 | update: 20190417 | version: A:25.21565B:25.14866 | detected: True
Panda | result: Trj/GdSda.A | update: 20190416 | version: 4.6.4.2 | detected: True
VBA32 | result: Trojan.Alien | update: 20190416 | version: 4.0.0 | detected: True
Zoner | update: 20190417 | version: 1.0 | detected: False
ClamAV | update: 20190416 | version: 0.101.2.0 | detected: False
Comodo | result: Malware@#3i6oldeel9wze | update: 20190417 | version: 30732 | detected: True
Ikarus | result: Trojan.Win32.Vobfus | update: 20190416 | version: 0.1.5.2 | detected: True
McAfee | result: RDN/Generic.grp | update: 20190417 | version: 6.0.6.653 | detected: True
Rising | result: Downloader.Banload!8.15B (CLOUD) | update: 20190417 | version: 25.0.0.24 | detected: True
Sophos | result: Mal/Generic-S | update: 20190417 | version: 4.98.0 | detected: True
Yandex | update: 20190416 | version: 5.5.1.3 | detected: False
Zillya | result: Trojan.Alien.Win32.371 | update: 20190416 | version: 2.0.0.3797 | detected: True
Acronis | update: 20190415 | version: 1.0.1.44 | detected: False
Alibaba | result: Trojan:Win32/Tiggre.9768bbc8 | update: 20190402 | version: 0.3.0.4 | detected: True
Arcabit | result: Trojan.Barys.DEA0B | update: 20190417 | version: 1.0.0.845 | detected: True
Babable | update: 20180918 | version: 9107201 | detected: False
Endgame | update: 20190403 | version: 3.0.9 | detected: False
FireEye | result: Generic.mg.9061b0f7c543051f | update: 20190417 | version: 29.7.0.0 | detected: True
TACHYON | update: 20190417 | version: 2019-04-17.02 | detected: False
Tencent | result: Win32.Trojan.Alien.Hqur | update: 20190417 | version: 1.0.0.1 | detected: True
ViRobot | update: 20190417 | version: 2014.3.20.0 | detected: False
eGambit | update: 20190417 | version: v4.3.6 | detected: False
Ad-Aware | result: Gen:Variant.Barys.59915 | update: 20190417 | version: 3.0.5.370 | detected: True
AegisLab | result: Trojan.Multi.Generic.4!c | update: 20190417 | version: 4.2 | detected: True
Emsisoft | result: Gen:Variant.Barys.59915 (B) | update: 20190417 | version: 2018.4.0.1029 | detected: True
F-Secure | result: Trojan.TR/Alien.djauj | update: 20190416 | version: 12.0.86.52 | detected: True
Fortinet | result: W32/Alien!tr | update: 20190417 | version: 5.4.247.0 | detected: True
Invincea | update: 20190313 | version: 6.3.6.26157 | detected: False
Jiangmin | update: 20190417 | version: 16.0.100 | detected: False
Kingsoft | update: 20190417 | version: 2013.8.14.323 | detected: False
Paloalto | result: generic.ml | update: 20190417 | version: 1.0 | detected: True
Trapmine | update: 20190325 | version: 3.1.52.760 | detected: False
AhnLab-V3 | result: Malware/Win32.Generic.C3127207 | update: 20190417 | version: 3.15.0.23609 | detected: True
Antiy-AVL | result: Trojan/Win32.Alien | update: 20190417 | version: 3.0.0.1 | detected: True
Kaspersky | result: HEUR:Trojan.Win32.Alien.gen | update: 20190417 | version: 15.0.1.13 | detected: True
Microsoft | result: Trojan:Win32/Tiggre!rfn | update: 20190417 | version: 1.1.15800.1 | detected: True
Qihoo-360 | result: Win32/Trojan.631 | update: 20190417 | version: 1.0.0.1120 | detected: True
TheHacker | update: 20190411 | version: 6.8.0.5.4154 | detected: False
Trustlook | update: 20190417 | version: 1.0 | detected: False
ZoneAlarm | result: HEUR:Trojan.Win32.Alien.gen | update: 20190417 | version: 1.0 | detected: True
Cybereason | result: malicious.7c5430 | update: 20190417 | version: 1.2.449 | detected: True
ESET-NOD32 | result: a variant of Win32/Injector.EEQO | update: 20190417 | version: 19208 | detected: True
BitDefender | result: Gen:Variant.Barys.59915 | update: 20190417 | version: 7.2 | detected: True
CrowdStrike | result: win/malicious_confidence_60% (D) | update: 20190212 | version: 1.0 | detected: True
K7AntiVirus | result: Trojan ( 0054afdc1 ) | update: 20190417 | version: 11.39.30623 | detected: True
SentinelOne | update: 20190407 | version: 1.0.25.312 | detected: False
Avast-Mobile | update: 20190415 | version: 190415-00 | detected: False
Malwarebytes | update: 20190417 | version: 2.1.1.1115 | detected: False
TotalDefense | update: 20190416 | version: 37.1.62.1 | detected: False
CAT-QuickHeal | result: Trojan.Multi | update: 20190416 | version: 14.00 | detected: True
NANO-Antivirus | result: Trojan.Win32.Alien.fothyb | update: 20190417 | version: 1.0.134.24576 | detected: True
MicroWorld-eScan | result: Gen:Variant.Barys.59915 | update: 20190417 | version: 14.0.297.0 | detected: True
SUPERAntiSpyware | update: 20190410 | version: 5.6.0.1032 | detected: False
McAfee-GW-Edition | result: RDN/Generic.grp | update: 20190416 | version: v2017.3010 | detected: True
TrendMicro-HouseCall | result: TROJ_GEN.R002C0WCU19 | update: 20190417 | version: 10.0.0.1040 | detected: True
total 66
sha256 20799515e1ff7efe2ef608036024ad6082b05a8d0ef64d1bff6f3e72fb5695ea
scan_id 20799515e1ff7efe2ef608036024ad6082b05a8d0ef64d1bff6f3e72fb5695ea-1555507827
resource 9061b0f7c543051f1d02eaf455da8980
permalink https://www.virustotal.com/file/20799515e1ff7efe2ef608036024ad6082b05a8d0ef64d1bff6f3e72fb5695ea/analysis/1555507827/
positives 41
scan_date 2019-04-17 13:30:27
verbose_msg Scan finished, information embedded
response_code 1
File
Trace
30/10/2019 - 17:45:45.481 | Open | 148 | 0 | C:\malware.exe | C:\Windows\Fonts\StaticCache.dat
30/10/2019 - 17:45:45.481 | Read | 148 | 0 | C:\malware.exe | C:\Windows\Fonts\StaticCache.dat | StaticCache.dat
30/10/2019 - 17:45:45.528 | Open | 148 | 0 | C:\malware.exe | C:\Windows\SysWOW64\uxtheme.dll
30/10/2019 - 17:45:45.528 | Open | 148 | 0 | C:\malware.exe | C:\Windows\SysWOW64\uxtheme.dll
30/10/2019 - 17:45:45.575 | Open | 148 | 0 | C:\malware.exe | C:\dwmapi.dll
30/10/2019 - 17:45:45.575 | Open | 148 | 0 | C:\malware.exe | C:\Windows\SysWOW64\dwmapi.dll
30/10/2019 - 17:45:45.575 | Open | 148 | 0 | C:\malware.exe | C:\Windows\SysWOW64\dwmapi.dll
30/10/2019 - 17:45:45.575 | Open | 148 | 0 | C:\malware.exe | C:\Windows\SysWOW64\ole32.dll
30/10/2019 - 17:45:45.575 | Open | 148 | 0 | C:\malware.exe | C:\Windows\SysWOW64\ole32.dll
30/10/2019 - 17:45:45.575 | Open | 148 | 0 | C:\malware.exe | C:\Windows\SysWOW64\rpcss.dll
30/10/2019 - 17:45:45.575 | Open | 148 | 0 | C:\malware.exe | C:\Windows\SysWOW64\rpcss.dll
30/10/2019 - 17:45:45.575 | Open | 148 | 0 | C:\malware.exe | C:\Windows\Globalization\Sorting\SortDefault.nls
30/10/2019 - 17:45:45.575 | Unknown | 148 | 0 | C:\malware.exe | C:\Windows\Globalization\Sorting\SortDefault.nls | SortDefault.nls
Process
Trace
Analysis
Reason Timeout
Status Successfully Executed
Results 1
Registry
Trace
File Summary
Created Identified: False
Deleted Identified: False
Process Summary
Created Identified: False
Deleted Identified: False
Registry Summary
Proxy Identified: False
AutoRun Identified: False
Created Identified: False
Deleted Identified: False
Browsers Identified: False
Internet Identified: False
DNS
Query
Response
TCP
Info
UDP
Info
HTTP
Info
Summary
DNS False
TCP False
UDP False
HTTP False
Results
BINARY
KNN (K=3, NFS-BRMalware) confidence: 100.00%
suspicious: True
Decision Tree (NFS-BRMalware) confidence: 100.00%
suspicious: True
SVC (Kernel=Linear, NFS-BRMalware) confidence: 65.82%
suspicious: True
MalConv (Ember: Raw Bytes, Threshold=0.5) confidence: 56.30%
suspicious: False
Random Forest (100 estimators, NFS-BRMalware) confidence: 69.00%
suspicious: True
Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35) confidence: 86.38%
suspicious: False
LightGDM (Ember: File Characteristics, Threshold=0.8336) confidence: 91.61%
suspicious: False