Report #1065

(1)

Binary

DLL False

Size 199.00KB

trid 47.2% Win32 EXE PECompact compressed

16.1% Win32 Executable Delphi generic 14.8% Windows screen saver

7.4% Win32 Dynamic Link Library 5.1% Win32 Executable

type PE

wordsize 32

Subsystem Windows GUI

Hashes

md5 9061b0f7c543051f1d02eaf455da8980

sha1 adddae60e254ba38317ba41558d57e8dfa9c0130

crc32 0xf6cd22e2

sha224 70b33e0d44f442f6651061f3aa82f653a8db5d1a46be78dda3e9ce11

sha256 20799515e1ff7efe2ef608036024ad6082b05a8d0ef64d1bff6f3e72fb5695ea

sha384 f6f7c9729ba1925d65abae756fd77629fdbd7db49c5f41d82ad2cb8487daf8a 6995476b36997845e4aac0c8fec74ca7e

sha512 5599c5d7be419cfea5e6ca96e869c50ae66291d0cf229c43de06edfa25f7e1 91b27795a25153ffe62a76f79cd1b9aa965427c26c8d41e790e8203be92d6b 0568

ssdeep 6144:pXV3P+8FuRHHTaAThVkC9R888888888888W88888888888:pgHz99R 888888888888W88888888888

Community

Report #1065

Creation Date: Oct. 30, 2019, 5:43 p.m.

Last Update: Oct. 30, 2019, 6:15 p.m.

File:

guzdUxrdcjVN.exe Results:

(2)

Google False

HashLib False

YARA

Matches domain, borland_delphi, Borland, contentis_base64, win_token, win_files_op eration, win_registry, Microsoft_Visual_Cpp_v50v60_MFC, Delphi_Random, I sPE32, IsWindowsGUI

Suspicious True

Strings

List

t.Ht

n}1&n4l *!ml16/lqmy0z)1"o1o}y,kj4 /"{t|}| - !$#$x#|q~4.mim!4n .#!#!{y{{k(4|n q 1j}}2l}n2x kn56}$mp 1mx ! }!t!*! }&#.t n{2 {}$r%o||}jz!)}"|l"%owz"m3"}*.pi$!xso#-}z|1 m|$|+zoo(5#s

B.rsrc

Software\Borland\Locales Software\Borland\Delphi\Locales Reserved3

Software\CodeGear\Locales Apartment

%s,Custom variant type (%s%.4x) is out of range/Custom variant type (%s%.4x) already used by %s*Custom varia nt type (%s%.4x) is not usable2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Division by zero Author

Next Next Reserved

August September Too many open files Assertion failed pvReserved wReserved

%s (%s, line %d)

Privileged instruction(Exception %s in module %s at %p.

I/O error %d ESafecallException ESafecallException PLibModule@ @

my${|%s/){| %~0t}u!#mx!3 $p&!x !4 0 os/}

No argument for format '%s'"Variant method calls not supported etPrivilege

Invalid NULL variant operation%Invalid variant operation (%s%.8x)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p Application Error1Format '%s' invalid or incompatible with argument

GetProcAddress GetProcAddress

(3)

EPrivilege EPrivilege

Invalid class typecast0Access violation at address %p. %s of address %p ExitProcess

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7 Dispatch methods do not support more than 64 parameters

E853C2B386FE006BEB61 E853C2B386FE006BEB61 E853C2B386FE006BEB61 E853C2B386FE006BEB61 E853C2B386FE006BEB61 E853C2B386FE006BEB61 E853C2B386FE006BEB61 E853C2B386FE006BEB61 PInterfaceEntry

TInterfaceEntry GetInterfaceEntry SysUtils0

Identifier E957D 70ED6 61DE5

CreateEventW GetInterfaceTable TInterfaceTable GetInterface PInterfaceTablel RegistrationInfo GetDiskFreeSpaceW 6FEC6

E05ED 7DFA7 4DCA4 D04EC 5EDB5 E05ED OpenProcess OpenProcessToken

The unexpected small block leaks are:

This program must be run under Win32 sActiveX

VirtualAlloc

CoCreateInstanceEx NewInstance SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils

(4)

SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils SysUtils

Foremost

Matches 0.exe, 199 KB

Suspicious True

Heuristics

IPs hasIPs: False

Allowed Suspicious

hasAllowed: False hasSuspicious: False

URLs Allowed

hasURLs: False Suspicious

hasAllowed: False hasSuspicious: False

Files Allowed: ole32.dll, kernel32.dll, oleaut32.dll, user32.dll, advapi32.dll hasFiles: True

Suspicious

hasAllowed: True hasSuspicious: False

Binary

Sizes RVA

RVA: 16

Suspicious: False Code

Size: 61440

Suspicious: False Image

Address: 4194304 Suspicious: False Stack

Stack: 16384 Suspicious: False Headers

(5)

Headers: 1024 Suspicious: False Suspicious: False

Symbols Number

Number: 0

Suspicious: True Pointer

Pointer: 0

Suspicious: True Directories Number: 16 Suspicious: False

Checksum Value: 0

Suspicous: True

Sections Allowed: .text, .itext, .data, .bss, .idata, .tls, .rdata, .reloc, .rsrc Suspicious

hasAllowed: True hasSections: True hasSuspicious: False

Versions OS

Version: 5

Suspicious: False Image

Version: True Suspicious: 5 Linker

Version: 2.25 Suspicious: False Subsystem

Version: 5.0 Suspicious: False Suspicious: False

EntryPoint Address: 139908

Suspicious: False

Anomalies Anomalies: The header checksum and the calculated checksum do not ma tch.

hasAnomalies: True

Libraries Allowed: ole32.dll, kernel32.dll, oleaut32.dll, user32.dll, advapi32.dll hasLibs: True

Suspicious

hasAllowed: True hasSuspicious: False

(6)

Timestamp Past: False Valid: True

Value: 2019-03-28 08:49:37 Future: False

Compilation Packed: False

Missing: True Packers

Compiled: False Compilers

Obfuscation XOR: False

Fuzzing: False

PEDetector

Matches None

Suspicious False

Disassembly

hasTricks True

Tricks

pushret .text: 6

.idata: 6 .itext: 2

pushpopmath .rsrc: 3

.text: 2 .reloc: 8

garbagebytes .text: 6

.itext: 2

hookdetection .text: 2

software breakpoint .text: 2 .reloc: 3

programcontrolflowchange .text: 6 .itext: 2

(7)

cpuinstructionsresultscomparison .rsrc: 1 .text: 2

AVclass

alien 1

VirusTotal

md5 9061b0f7c543051f1d02eaf455da8980

sha1 adddae60e254ba38317ba41558d57e8dfa9c0130

SCANS (DETECTION RATE = 62.12%)

AVG result: Win32:Malware-gen

update: 20190417 version: 18.4.3895.0 detected: True

CMC update: 20190321

version: 1.1.0.977 detected: False

MAX update: 20190417

Bkav update: 20190416

K7GW result: Trojan ( 0054afdc1 )

update: 20190417 version: 11.39.30623 detected: True

ALYac result: Gen:Variant.Barys.59915

Avast result: Win32:Malware-gen

(8)

Avira result: TR/Alien.djauj update: 20190417 version: 8.3.3.8 detected: True

Baidu update: 20190318

Cyren result: W32/Trojan.PBIW-6116

DrWeb update: 20190417

GData result: Gen:Variant.Barys.59915

update: 20190417

version: A:25.21565B:25.14866 detected: True

Panda result: Trj/GdSda.A

VBA32 result: Trojan.Alien

Zoner update: 20190417

version: 1.0 detected: False

ClamAV update: 20190416

Comodo result: Malware@#3i6oldeel9wze

update: 20190417 version: 30732 detected: True

(9)

Ikarus result: Trojan.Win32.Vobfus update: 20190416

version: 0.1.5.2 detected: True

McAfee result: RDN/Generic.grp

Rising result: Downloader.Banload!8.15B (CLOUD) update: 20190417

Sophos result: Mal/Generic-S

Yandex update: 20190416

Zillya result: Trojan.Alien.Win32.371

Acronis update: 20190415

Alibaba result: Trojan:Win32/Tiggre.9768bbc8 update: 20190402

Arcabit result: Trojan.Barys.DEA0B

Babable update: 20180918

version: 9107201 detected: False

(10)

Endgame update: 20190403 version: 3.0.9 detected: False

FireEye result: Generic.mg.9061b0f7c543051f

TACHYON update: 20190417

version: 2019-04-17.02 detected: False

Tencent result: Win32.Trojan.Alien.Hqur

ViRobot update: 20190417

eGambit update: 20190417

version: v4.3.6 detected: False

Ad-Aware result: Gen:Variant.Barys.59915

AegisLab result: Trojan.Multi.Generic.4!c update: 20190417

version: 4.2 detected: True

Emsisoft result: Gen:Variant.Barys.59915 (B) update: 20190417

F-Secure result: Trojan.TR/Alien.djauj update: 20190416

(11)

Fortinet result: W32/Alien!tr update: 20190417 version: 5.4.247.0 detected: True

Invincea update: 20190313

Jiangmin update: 20190417

version: 16.0.100 detected: False

Kingsoft update: 20190417

Paloalto result: generic.ml

update: 20190417 version: 1.0 detected: True

Trapmine update: 20190325

AhnLab-V3 result: Malware/Win32.Generic.C3127207 update: 20190417

Antiy-AVL result: Trojan/Win32.Alien

Kaspersky result: HEUR:Trojan.Win32.Alien.gen update: 20190417

Microsoft result: Trojan:Win32/Tiggre!rfn update: 20190417

Qihoo-360 result: Win32/Trojan.631

(12)

TheHacker update: 20190411

version: 6.8.0.5.4154 detected: False

Trustlook update: 20190417

version: 1.0 detected: False

ZoneAlarm result: HEUR:Trojan.Win32.Alien.gen update: 20190417

Cybereason result: malicious.7c5430

ESET-NOD32 result: a variant of Win32/Injector.EEQO update: 20190417

version: 19208 detected: True

BitDefender result: Gen:Variant.Barys.59915 update: 20190417

CrowdStrike result: win/malicious_confidence_60% (D) update: 20190212

K7AntiVirus result: Trojan ( 0054afdc1 ) update: 20190417

version: 11.39.30623 detected: True

SentinelOne update: 20190407

Avast-Mobile update: 20190415

(13)

version: 190415-00 detected: False

Malwarebytes update: 20190417

TotalDefense update: 20190416

CAT-QuickHeal result: Trojan.Multi update: 20190416 version: 14.00 detected: True

NANO-Antivirus result: Trojan.Win32.Alien.fothyb update: 20190417

MicroWorld-eScan result: Gen:Variant.Barys.59915 update: 20190417

SUPERAntiSpyware update: 20190410 version: 5.6.0.1032 detected: False

McAfee-GW-Edition result: RDN/Generic.grp update: 20190416 version: v2017.3010 detected: True

TrendMicro-HouseCall result: TROJ_GEN.R002C0WCU19 update: 20190417

total 66

sha256 20799515e1ff7efe2ef608036024ad6082b05a8d0ef64d1bff6f3e72fb5695ea scan_id 20799515e1ff7efe2ef608036024ad6082b05a8d0ef64d1bff6f3e72fb5695ea

-1555507827

(14)

resource 9061b0f7c543051f1d02eaf455da8980

permalink https://www.virustotal.com/file/20799515e1ff7efe2ef608036024ad6082b05 a8d0ef64d1bff6f3e72fb5695ea/analysis/1555507827/

positives 41

scan_date 2019-04-17 13:30:27

verbose_msg Scan finished, information embedded

response_code 1

File

Trace

30/10/2019 - 17:45:45.

481 Open 148

0

C:\malware.e

xe C:\Windows\Fonts\StaticCache.dat

30/10/2019 - 17:45:45.

481 Read 148

0

C:\malware.e

xe C:\Windows\Fonts\StaticCache.dat StaticCache.d at

30/10/2019 - 17:45:45.

528 Open 148

0

C:\malware.e

xe C:\Windows\SysWOW64\uxtheme.dll

30/10/2019 - 17:45:45.

528 Open 148

0

C:\malware.e

xe C:\Windows\SysWOW64\uxtheme.dll

30/10/2019 - 17:45:45.

575 Open 148

0

C:\malware.e

xe C:\dwmapi.dll

30/10/2019 - 17:45:45.

575 Open 148

0

C:\malware.e

xe C:\Windows\SysWOW64\dwmapi.dll

30/10/2019 - 17:45:45.

575 Open 148

0

C:\malware.e

xe C:\Windows\SysWOW64\dwmapi.dll

30/10/2019 - 17:45:45.

575 Open 148

0

C:\malware.e

xe C:\Windows\SysWOW64\ole32.dll

30/10/2019 - 17:45:45.

575 Open 148

0

C:\malware.e

xe C:\Windows\SysWOW64\ole32.dll

30/10/2019 - 17:45:45.

575 Open 148

0

C:\malware.e

xe C:\Windows\SysWOW64\rpcss.dll

30/10/2019 - 17:45:45.

575 Open 148

0

C:\malware.e

xe C:\Windows\SysWOW64\rpcss.dll

30/10/2019 - 17:45:45.

575 Open 148

0

C:\malware.e xe

C:\Windows\Globalization\Sorting\SortDefau lt.nls

(15)

30/10/2019 - 17:45:45.

575

Unknow n

148 0

C:\malware.e xe

C:\Windows\Globalization\Sorting\SortDefau lt.nls

SortDefault.nl s

Process

Trace

Analysis

Reason Timeout

Status Sucessfully Executed

Results 1

Registry

Trace

File Summary

Created Identified: False

Deleted Identified: False

Process Summary

Registry Summary

Proxy Identified: False

(16)

AutoRun Identified: False

Browsers Identified: False

Internet Identified: False

DNS

Query

Response

TCP

Info

UDP

Info

HTTP

Info

Summary

DNS False

TCP False

(17)

UDP False

HTTP False

Results

BINARY

KNN (K=3, NFS-BRMalware) confidence: 100.00%

suspicious: True

Decision Tree (NFS-BRMalware) confidence: 100.00%

SVC (Kernel=Linear, NFS-BRMalware) confidence: 65.82%

MalConv (Ember: Raw Bytes, Threshold=0.5) confidence: 56.30%

suspicious: False

Random Forest (100 estimators, NFS-BRMalware) confidence: 69.00%

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35) confidence: 86.38%

LightGDM (Ember: File Characteristics, Threshold=0.8336) confidence: 91.61%