
Report #1065


Academic year: 2023


Binary
  DLL: False
  Size: 199.00KB
  trid: 47.2% Win32 EXE PECompact compressed; 16.1% Win32 Executable Delphi generic; 14.8% Windows screen saver; 7.4% Win32 Dynamic Link Library; 5.1% Win32 Executable
  type: PE
  wordsize: 32
  Subsystem: Windows GUI

Hashes


Community


Creation Date: Oct. 30, 2019, 5:43 p.m.
Last Update: Oct. 30, 2019, 6:15 p.m.
File: guzdUxrdcjVN.exe

Results:

Google: False
HashLib: False
YARA
  Matches: domain, borland_delphi, Borland, contentis_base64, win_token, win_files_operation, win_registry, Microsoft_Visual_Cpp_v50v60_MFC, Delphi_Random, IsPE32, IsWindowsGUI
  Suspicious: True

Strings

List


Foremost
  Matches: 0.exe, 199 KB
  Suspicious: True

Heuristics
  IPs: hasIPs: False
    Allowed: hasAllowed: False
    Suspicious: hasSuspicious: False
  URLs: hasURLs: False
    Allowed: hasAllowed: False
    Suspicious: hasSuspicious: False
  Files: hasFiles: True
    Allowed: ole32.dll, kernel32.dll, oleaut32.dll, user32.dll, advapi32.dll (hasAllowed: True)
    Suspicious: none listed (hasSuspicious: False)

Binary
  Sizes
    RVA: 16, Suspicious: False
    Code Size: 61440, Suspicious: False
    Image Address: 4194304, Suspicious: False
    Stack: 16384, Suspicious: False
    Headers: 1024, Suspicious: False
    Suspicious: False
  Symbols
    Number: 0, Suspicious: True
    Pointer: 0, Suspicious: True
  Directories
    Number: 16, Suspicious: False
  Checksum
    Value: 0, Suspicious: True
  Sections
    Allowed: .text, .itext, .data, .bss, .idata, .tls, .rdata, .reloc, .rsrc
    Suspicious: none listed
    hasAllowed: True, hasSections: True, hasSuspicious: False
  Versions
    OS Version: 5, Suspicious: False
    Image Version: 5, Suspicious: True
    Linker Version: 2.25, Suspicious: False
    Subsystem Version: 5.0, Suspicious: False
    Suspicious: False
  EntryPoint
    Address: 139908, Suspicious: False
  Anomalies
    Anomalies: The header checksum and the calculated checksum do not match.
    hasAnomalies: True
  Libraries
    Allowed: ole32.dll, kernel32.dll, oleaut32.dll, user32.dll, advapi32.dll
    Suspicious: none listed
    hasLibs: True, hasAllowed: True, hasSuspicious: False

Timestamp
  Value: 2019-03-28 08:49:37
  Past: False, Future: False, Valid: True
Compilation
  Packers: Packed: False, Missing: True
  Compilers: Compiled: False
Obfuscation
  XOR: False
  Fuzzing: False

PEDetector
  Matches: None
  Suspicious: False

Disassembly
  hasTricks: True
  Tricks:
    pushret: .text: 6, .idata: 6, .itext: 2
    pushpopmath: .rsrc: 3, .text: 2, .reloc: 8
    garbagebytes: .text: 6, .itext: 2
    hookdetection: .text: 2
    software breakpoint: .text: 2, .reloc: 3
    programcontrolflowchange: .text: 6, .itext: 2
    cpuinstructionsresultscomparison: .rsrc: 1, .text: 2

AVclass
  alien: 1

VirusTotal

md5 9061b0f7c543051f1d02eaf455da8980

sha1 adddae60e254ba38317ba41558d57e8dfa9c0130

SCANS (DETECTION RATE = 62.12%)

AVG: result: Win32:Malware-gen, update: 20190417, version: 18.4.3895.0, detected: True
CMC: update: 20190321, version: 1.1.0.977, detected: False
MAX: update: 20190417, version: 2018.9.12.1, detected: False
Bkav: update: 20190416, version: 1.3.0.9899, detected: False
K7GW: result: Trojan ( 0054afdc1 ), update: 20190417, version: 11.39.30623, detected: True
ALYac: result: Gen:Variant.Barys.59915, update: 20190417, version: 1.1.1.5, detected: True
Avast: result: Win32:Malware-gen, update: 20190417, version: 18.4.3895.0, detected: True
Avira: result: TR/Alien.djauj, update: 20190417, version: 8.3.3.8, detected: True
Baidu: update: 20190318, version: 1.0.0.2, detected: False
Cyren: result: W32/Trojan.PBIW-6116, update: 20190417, version: 6.2.0.1, detected: True
DrWeb: update: 20190417, version: 7.0.34.11020, detected: False
GData: result: Gen:Variant.Barys.59915, update: 20190417, version: A:25.21565B:25.14866, detected: True
Panda: result: Trj/GdSda.A, update: 20190416, version: 4.6.4.2, detected: True
VBA32: result: Trojan.Alien, update: 20190416, version: 4.0.0, detected: True
Zoner: update: 20190417, version: 1.0, detected: False
ClamAV: update: 20190416, version: 0.101.2.0, detected: False
Comodo: result: Malware@#3i6oldeel9wze, update: 20190417, version: 30732, detected: True
Ikarus: result: Trojan.Win32.Vobfus, update: 20190416, version: 0.1.5.2, detected: True
McAfee: result: RDN/Generic.grp, update: 20190417, version: 6.0.6.653, detected: True
Rising: result: Downloader.Banload!8.15B (CLOUD), update: 20190417, version: 25.0.0.24, detected: True
Sophos: result: Mal/Generic-S, update: 20190417, version: 4.98.0, detected: True
Yandex: update: 20190416, version: 5.5.1.3, detected: False
Zillya: result: Trojan.Alien.Win32.371, update: 20190416, version: 2.0.0.3797, detected: True
Acronis: update: 20190415, version: 1.0.1.44, detected: False
Alibaba: result: Trojan:Win32/Tiggre.9768bbc8, update: 20190402, version: 0.3.0.4, detected: True
Arcabit: result: Trojan.Barys.DEA0B, update: 20190417, version: 1.0.0.845, detected: True
Babable: update: 20180918, version: 9107201, detected: False
Endgame: update: 20190403, version: 3.0.9, detected: False
FireEye: result: Generic.mg.9061b0f7c543051f, update: 20190417, version: 29.7.0.0, detected: True
TACHYON: update: 20190417, version: 2019-04-17.02, detected: False
Tencent: result: Win32.Trojan.Alien.Hqur, update: 20190417, version: 1.0.0.1, detected: True
ViRobot: update: 20190417, version: 2014.3.20.0, detected: False
eGambit: update: 20190417, version: v4.3.6, detected: False
Ad-Aware: result: Gen:Variant.Barys.59915, update: 20190417, version: 3.0.5.370, detected: True
AegisLab: result: Trojan.Multi.Generic.4!c, update: 20190417, version: 4.2, detected: True
Emsisoft: result: Gen:Variant.Barys.59915 (B), update: 20190417, version: 2018.4.0.1029, detected: True
F-Secure: result: Trojan.TR/Alien.djauj, update: 20190416, version: 12.0.86.52, detected: True
Fortinet: result: W32/Alien!tr, update: 20190417, version: 5.4.247.0, detected: True
Invincea: update: 20190313, version: 6.3.6.26157, detected: False
Jiangmin: update: 20190417, version: 16.0.100, detected: False
Kingsoft: update: 20190417, version: 2013.8.14.323, detected: False
Paloalto: result: generic.ml, update: 20190417, version: 1.0, detected: True
Trapmine: update: 20190325, version: 3.1.52.760, detected: False
AhnLab-V3: result: Malware/Win32.Generic.C3127207, update: 20190417, version: 3.15.0.23609, detected: True
Antiy-AVL: result: Trojan/Win32.Alien, update: 20190417, version: 3.0.0.1, detected: True
Kaspersky: result: HEUR:Trojan.Win32.Alien.gen, update: 20190417, version: 15.0.1.13, detected: True
Microsoft: result: Trojan:Win32/Tiggre!rfn, update: 20190417, version: 1.1.15800.1, detected: True
Qihoo-360: result: Win32/Trojan.631, update: 20190417, version: 1.0.0.1120, detected: True
TheHacker: update: 20190411, version: 6.8.0.5.4154, detected: False
Trustlook: update: 20190417, version: 1.0, detected: False
ZoneAlarm: result: HEUR:Trojan.Win32.Alien.gen, update: 20190417, version: 1.0, detected: True
Cybereason: result: malicious.7c5430, update: 20190417, version: 1.2.449, detected: True
ESET-NOD32: result: a variant of Win32/Injector.EEQO, update: 20190417, version: 19208, detected: True
BitDefender: result: Gen:Variant.Barys.59915, update: 20190417, version: 7.2, detected: True
CrowdStrike: result: win/malicious_confidence_60% (D), update: 20190212, version: 1.0, detected: True
K7AntiVirus: result: Trojan ( 0054afdc1 ), update: 20190417, version: 11.39.30623, detected: True
SentinelOne: update: 20190407, version: 1.0.25.312, detected: False
Avast-Mobile: update: 20190415, version: 190415-00, detected: False
Malwarebytes: update: 20190417, version: 2.1.1.1115, detected: False
TotalDefense: update: 20190416, version: 37.1.62.1, detected: False
CAT-QuickHeal: result: Trojan.Multi, update: 20190416, version: 14.00, detected: True
NANO-Antivirus: result: Trojan.Win32.Alien.fothyb, update: 20190417, version: 1.0.134.24576, detected: True
MicroWorld-eScan: result: Gen:Variant.Barys.59915, update: 20190417, version: 14.0.297.0, detected: True
SUPERAntiSpyware: update: 20190410, version: 5.6.0.1032, detected: False
McAfee-GW-Edition: result: RDN/Generic.grp, update: 20190416, version: v2017.3010, detected: True
TrendMicro-HouseCall: result: TROJ_GEN.R002C0WCU19, update: 20190417, version: 10.0.0.1040, detected: True

total: 66

sha256: 20799515e1ff7efe2ef608036024ad6082b05a8d0ef64d1bff6f3e72fb5695ea

scan_id: 20799515e1ff7efe2ef608036024ad6082b05a8d0ef64d1bff6f3e72fb5695ea-1555507827

resource 9061b0f7c543051f1d02eaf455da8980

permalink https://www.virustotal.com/file/20799515e1ff7efe2ef608036024ad6082b05a8d0ef64d1bff6f3e72fb5695ea/analysis/1555507827/

positives 41

scan_date 2019-04-17 13:30:27

verbose_msg Scan finished, information embedded

response_code 1

File Trace

30/10/2019 - 17:45:45.481  Open     148  0  C:\malware.exe  C:\Windows\Fonts\StaticCache.dat
30/10/2019 - 17:45:45.481  Read     148  0  C:\malware.exe  C:\Windows\Fonts\StaticCache.dat  StaticCache.dat
30/10/2019 - 17:45:45.528  Open     148  0  C:\malware.exe  C:\Windows\SysWOW64\uxtheme.dll
30/10/2019 - 17:45:45.528  Open     148  0  C:\malware.exe  C:\Windows\SysWOW64\uxtheme.dll
30/10/2019 - 17:45:45.575  Open     148  0  C:\malware.exe  C:\dwmapi.dll
30/10/2019 - 17:45:45.575  Open     148  0  C:\malware.exe  C:\Windows\SysWOW64\dwmapi.dll
30/10/2019 - 17:45:45.575  Open     148  0  C:\malware.exe  C:\Windows\SysWOW64\dwmapi.dll
30/10/2019 - 17:45:45.575  Open     148  0  C:\malware.exe  C:\Windows\SysWOW64\ole32.dll
30/10/2019 - 17:45:45.575  Open     148  0  C:\malware.exe  C:\Windows\SysWOW64\ole32.dll
30/10/2019 - 17:45:45.575  Open     148  0  C:\malware.exe  C:\Windows\SysWOW64\rpcss.dll
30/10/2019 - 17:45:45.575  Open     148  0  C:\malware.exe  C:\Windows\SysWOW64\rpcss.dll
30/10/2019 - 17:45:45.575  Open     148  0  C:\malware.exe  C:\Windows\Globalization\Sorting\SortDefault.nls
30/10/2019 - 17:45:45.575  Unknown  148  0  C:\malware.exe  C:\Windows\Globalization\Sorting\SortDefault.nls  SortDefault.nls

Process

Trace

Analysis
  Reason: Timeout
  Status: Successfully Executed
  Results: 1

Registry

Trace

File Summary

Created Identified: False

Deleted Identified: False

Process Summary

Created Identified: False

Deleted Identified: False

Registry Summary

Proxy Identified: False


AutoRun Identified: False

Created Identified: False

Deleted Identified: False

Browsers Identified: False

Internet Identified: False

DNS

Query

Response

TCP

Info

UDP

Info

HTTP

Info

Summary

DNS False

TCP False


UDP False

HTTP False

Results

BINARY

KNN (K=3, NFS-BRMalware) confidence: 100.00%

suspicious: True

Decision Tree (NFS-BRMalware) confidence: 100.00%

suspicious: True

SVC (Kernel=Linear, NFS-BRMalware) confidence: 65.82%

suspicious: True

MalConv (Ember: Raw Bytes, Threshold=0.5) confidence: 56.30%

suspicious: False

Random Forest (100 estimators, NFS-BRMalware) confidence: 69.00%

suspicious: True

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35) confidence: 86.38%

suspicious: False

LightGBM (Ember: File Characteristics, Threshold=0.8336) confidence: 91.61%

suspicious: False
