Binary
DLL False
Size 1.38MB
trid 41.0% Win32 Executable MS Visual C++
36.3% Win64 Executable
8.6% Win32 Dynamic Link Library
5.9% Win32 Executable
2.6% OS/2 Executable
type PE
wordsize 32
Subsystem Windows GUI
Hashes
md5 d7b20f933be6cdae41efbe75548eba5f
sha1 9fa11a63b43f83980e0b48dc9ba2cb59d545a4e8
crc32 0xb235448d
sha224 536471d07eccc034c0ca86951e892b03b5d2e35a80d066532e7ecb8e
sha256 0f5d4dbbe5e55b7aa31b91e5925ed901fdf46a367491d81381846f05ad54c45e
sha384 7be088b9087018b08de51d4718f32eb6103a14601262e481a0db8669f1ab5323f6e90814551f485a9838f4d99ba6791f
sha512 af8f38679e16c996ffac152cac49369cf4b609abbd2cad07f49a114a82c6b5e564be29630c0fd2418110cf1a3d0ef3c9cc12f9164a69a575c91d9b98ce0df1a9
ssdeep 24576:D4EspaiGhP1x+96UBz1V/7hw5CILSbvCDpmdLq9zyMfNyAGW6xRZzXeyNbgQF1:D4CiI1k9/HYCtMpK2zyM45fzuYbgQF1
Report #245
Creation Date: Sept. 24, 2019, 1:53 p.m.
Last Update: Sept. 24, 2019, 2:20 p.m.
File: 7z1900-x64.exe
Note: despite the x64 suffix in the file name, the PE itself is 32-bit (wordsize 32, IsPE32 below). That is consistent with a 32-bit installer stub that resolves IsWow64Process via GetProcAddress (both appear in the strings) to detect a 64-bit host before deciding what to install; it is not a mismatch worth flagging on its own.
Results:
Community
Google True
HashLib False
YARA
Matches domain, Armadillo_v171_additional, Microsoft_Visual_Cpp_v60, CRC32_poly_Constant, escalate_priv, HasRichSignature, possible_includes_base64_packed_functions, Microsoft_Visual_Cpp_v50v60_MFC_additional, Microsoft_Visual_Cpp_v50v60_MFC, win_files_operation, IsPE32, IP, contentis_base64, Armadillo_v171, win_token, Microsoft_Visual_Cpp_50, IsWindowsGUI, IsPacked, Microsoft_Visual_Cpp, url, win_registry, HasOverlay
Suspicious True
Note: these are generic capability and compiler-signature rules, not malware-family rules. escalate_priv and win_token fire on the SeShutdownPrivilege and OpenProcessToken strings that any installer offering a reboot will contain. The Armadillo_v171 rules are a long-known false match on Microsoft Visual C++ 6.0 entry-point stubs and are contradicted further down by Packed: False and the plain .text/.rdata/.data/.rsrc section layout. The "Suspicious" verdict is therefore the rule set's, not evidence about this file.
Strings
List
<asmv3:application><asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
M.sr t.NG E.Im D.gE o2.Ph L.ai
Software\Microsoft\Windows\CurrentVersion\App Paths\7zFM.exe a.uS
-.Se k.MT m.VG W.Md 0.bB S.SX 5.gm Ht.Hu>
<dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"/></dependentAssembly></dependency>
Uninstall.exe 7zipInstall.exe l.UZ
9.pK 2.aX C$rDP(%e (mAc.Sn
7-Zip File Manager.lnk
Software\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved 7-Zip Help.lnk
Axr.nck
!2.afh
%E#o}%
Wversion.dll
*."3 [(weL WhI:&
vI:<!E
<Rdn td&ovL hrmd&PKE s|%4o}@
%uxoS/5i /%E2{
2tO%E|
|OI%E_'`
6R3%a H%Gr{R}
%e-&@
/T}%ol da2l%A Apartment S%gcR(n fDEc tryMk N%psy wO%et p%ehS
Software\Microsoft\Windows\CurrentVersion foMk%i
mNe%oQ ]R%gE zM@ap Software\7-Zip R $%a
Decoder doesn't support this archive SeShutdownPrivilege
<!-- Win 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!-- Win 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!-- Win 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!-- Win 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
&Install Install 7-Zip 7-zip.chm 7-zip.dll 7-zip.dll 7-zip32.dll 7-zip32.dll F&u.Cc{l p.hbx]
_acmdln
GetProcAddress IsWow64Process 7zipInstall v.ST}.
sRdp
OpenProcessToken CoCreateInstance
UninstallString InstallLocation CreateFileW RegSetValueExW GetModuleHandleA LoadLibraryExW SetFilePointer WriteFile DeleteFileW CreateDirectoryW LoadLibraryW
GetModuleFileNameW SetFileTime
MoveFileExW
Foremost
Matches 0.exe, 36 KB
Suspicious True
Heuristics
IPs
  Allowed: (none)  Suspicious: (none)
  hasIPs: False  hasAllowed: False  hasSuspicious: False
URLs
  Allowed: http://schemas.microsoft.com/smi/2005/windowssettings
  Suspicious: (none)
  hasURLs: True  hasAllowed: True  hasSuspicious: False
Files
  Allowed: Wversion.dll, kernel32.dll, 7-zip.dll, 7-zip32.dll, ADVAPI32.dll, MSVCRT.dll, SHELL32.dll, ole32.dll, USER32.dll
  Suspicious: 7-Zip Help.lnk, 7-Zip File Manager.lnk
  hasFiles: True  hasAllowed: True  hasSuspicious: True
Note: the only URL is the XML namespace of the embedded application manifest, not a network endpoint, and the two .lnk names are the Start Menu shortcuts the installer writes (compare the Uninstall and App Paths registry keys in the strings). Shortcut files are flagged because .lnk is a common lure and persistence format, not because of anything specific to these two.
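The Strings and Heuristics blocks above are the output of a simple pipeline: pull printable strings out of the binary, then bucket them into IPs, URLs, registry keys, files, privileges and imported API names. The following is an added example of that pipeline, written for this page; it is not code from the analysis platform that produced the report. The allow-list of system DLLs, the "anything else is suspicious" rule for files, and the exclusion of dotted quads inside a manifest version="..." attribute (which would otherwise produce a bogus IP for 6.0.0.0) are assumptions of the example. The byte blob is constructed here from strings that appear in the report, padded with non-printable bytes; it is not the real installer.

```python
"""Strings extraction and heuristic bucketing, in the style of the report's Strings/Heuristics blocks.

Added example, not the analysis platform's code. Standard library only.
"""
import re
from typing import Dict, List

MIN_LEN = 4
# Assumption for this example: well-known system DLLs are "allowed"; every other file name is flagged.
SYSTEM_DLLS = {"kernel32.dll", "advapi32.dll", "msvcrt.dll", "shell32.dll", "ole32.dll", "user32.dll", "version.dll"}
API_NAMES = {"OpenProcessToken", "CoCreateInstance", "CreateFileW", "RegSetValueExW", "GetModuleHandleA",
             "LoadLibraryExW", "LoadLibraryW", "GetProcAddress", "IsWow64Process", "WriteFile", "DeleteFileW",
             "CreateDirectoryW", "MoveFileExW", "SetFileTime", "GetModuleFileNameW", "SetFilePointer"}

ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)               # runs of printable ASCII
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)        # same, UTF-16LE encoded
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# dotted quad, but not when it is a manifest version="6.0.0.0" attribute (assumption: treat those as versions)
IP_RE = re.compile(r'(?<!version=")\b(?:\d{1,3}\.){3}\d{1,3}\b')
REG_RE = re.compile(r"(?:HK[A-Z_]+\\|Software\\|SYSTEM\\)[^\r\n\"<>]*", re.I)
FILE_RE = re.compile(r"[\w\-. ]+?\.(?:dll|exe|sys|lnk|chm)\b", re.I)
PRIV_RE = re.compile(r"\bSe\w+Privilege\b")


def extract_strings(blob: bytes) -> List[str]:
    """Return ASCII and UTF-16LE printable strings of at least MIN_LEN characters."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]
    found += [m.group().decode("utf-16le") for m in WIDE_RE.finditer(blob)]
    return found


def classify(strings: List[str]) -> Dict[str, object]:
    """Bucket strings the way the report's Heuristics block does and derive its has*/Allowed/Suspicious flags."""
    ips, urls, regs, privs, apis, allowed, suspicious = set(), set(), set(), set(), set(), set(), set()
    for s in strings:
        urls.update(u.lower() for u in URL_RE.findall(s))
        # keep only dotted quads whose octets are all < 256
        ips.update(ip for ip in IP_RE.findall(s) if all(int(o) < 256 for o in ip.split(".")))
        regs.update(REG_RE.findall(s))
        privs.update(PRIV_RE.findall(s))
        if s in API_NAMES:
            apis.add(s)
        for name in (x.strip() for x in FILE_RE.findall(s)):
            (allowed if name.lower() in SYSTEM_DLLS else suspicious).add(name)
    return {
        "IPs": {"Allowed": sorted(ips), "hasIPs": bool(ips)},
        "URLs": {"Allowed": sorted(urls), "hasURLs": bool(urls)},
        "Registry": sorted(regs),
        "Files": {"Allowed": sorted(allowed), "Suspicious": sorted(suspicious),
                  "hasFiles": bool(allowed or suspicious), "hasSuspicious": bool(suspicious)},
        "Privileges": sorted(privs),
        "APIs": sorted(apis),
    }


def build_sample_blob() -> bytes:
    """Constructed test input: strings from the report separated by non-printable filler. Not the real file."""
    ascii_strings = [
        b'<asmv3:application><asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">',
        rb"Software\Microsoft\Windows\CurrentVersion\App Paths\7zFM.exe",
        rb"Software\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip",
        b'<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*"/>',
        b"Uninstall.exe", b"7zipInstall.exe", b"7-Zip File Manager.lnk", b"7-Zip Help.lnk",
        b"kernel32.dll", b"ADVAPI32.dll", b"7-zip.dll", b"7-zip32.dll",
        b"SeShutdownPrivilege", b"OpenProcessToken", b"IsWow64Process", b"RegSetValueExW", b"M.sr",
    ]
    junk = bytes(range(0, 32)) * 2                       # control bytes only, so runs never merge
    blob = junk.join(ascii_strings) + junk
    blob += "Software\\7-Zip".encode("utf-16le") + junk  # one wide string, as Windows binaries commonly carry
    return blob


if __name__ == "__main__":
    for bucket, value in classify(extract_strings(build_sample_blob())).items():
        print(bucket, value)
```

Run stand-alone it prints the buckets for the constructed blob; point `extract_strings` at the bytes of a real file to get the equivalent of the report's Heuristics block, then adjust the allow-list to your environment.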
Binary
Sizes
  RVA: 16                  Suspicious: False
  Code: 19456              Suspicious: False
  Image Address: 4194304   Suspicious: False
  Stack: 4096              Suspicious: False
  Headers: 1024            Suspicious: False
  Suspicious: False
Symbols
  Number: 0                Suspicious: True
  Pointer: 0               Suspicious: True
  Note: a zero symbol count and a zero symbol-table pointer is the norm for a release build, which ships no COFF symbol table; on its own this is not an indicator.
Directories
  Number: 16               Suspicious: False
Checksum
  Value: 0                 Suspicious: True
Sections
  Allowed: .text, .rdata, .data, .rsrc
  Suspicious: (none)
  hasAllowed: True  hasSections: True  hasSuspicious: False
Versions
  OS Version: 4             Suspicious: False
  Image Version: 4          Suspicious: True
  Linker Version: 6.0       Suspicious: False
  Subsystem Version: 4.0    Suspicious: False
  Suspicious: False
EntryPoint
  Address: 29524            Suspicious: False
Anomalies
  Anomalies: The header checksum and the calculated checksum do not match.
  hasAnomalies: True
  Note: with a stored CheckSum of 0 the "mismatch" only means the linker never populated the field. Windows verifies the PE checksum for drivers and boot-time DLLs, not for user-mode executables, so a zero checksum on an installer is common and is not by itself evidence of tampering. A non-zero stored value that fails to verify would be the case worth investigating.
Libraries
  Allowed: kernel32.dll, advapi32.dll, msvcrt.dll, shell32.dll, ole32.dll, user32.dll
  Suspicious: wversion.dll, 7-zip.dll, 7-zip32.dll
  hasLibs: True  hasAllowed: True  hasSuspicious: True
Timestamp
  Value: 2019-02-21 14:00:00
  Valid: True  Past: False  Future: False
Compilation
  Compiled: True  Packed: False  Missing: False
  Compilers: Microsoft Visual C++ v6.0, Microsoft Visual C++ 5.0, Microsoft Visual C++
Packers
  MainPacker: Armadillo v1.71
  Note: this conflicts with Packed: False, the standard section names and the 6.0 linker version. The Armadillo v1.71 signature is a well-known false match on Visual C++ 6.0 binaries; treat it as a packer-detector false positive unless the entry-point code shows otherwise.
Obfuscation
  XOR: False  Fuzzing: False
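Everything in the Binary block above (sizes, symbol table, checksum, sections, versions, entry point, timestamp) comes straight out of the PE headers, and the one anomaly it raises is the PE CheckSum. The following is an added example of that header-level triage, written for this page and not taken from the analysis platform or from 7-Zip. It uses only the standard library: a minimal PE32 header parser plus the CheckSum algorithm (fold-carry sum of the whole image excluding the CheckSum field, plus the file length), so the "header checksum and calculated checksum do not match" anomaly can be reproduced and, as a control, made to disappear by writing the calculated value back. The image it parses is constructed in memory with the header values the report shows (image base 4194304, SizeOfCode 19456, entry point 29524, linker 6.0, four sections, CheckSum 0, 2019-02-21 14:00:00 timestamp); it is synthetic and is not the real 7z1900-x64.exe.

```python
"""Header-level PE triage in the spirit of the report's Binary block.

Added example; not code from the page, the analysis platform, or 7-Zip. Standard library only.
"""
import struct
import time
from datetime import datetime, timezone

COFF_FMT = "<HHIIIHH"                                               # IMAGE_FILE_HEADER, 20 bytes
OPT32_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # PE32 optional header, first 96 bytes
SECTION_FMT = "<8sIIIIIIHHI"                                        # IMAGE_SECTION_HEADER, 40 bytes
CHECKSUM_OFF = 64                                                   # offset of CheckSum inside the optional header
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE CheckSum as imagehlp computes it: fold-carry sum over the image, skipping the CheckSum field."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def build_sample_image() -> bytes:
    """Synthetic PE32 carrying the report's header values (constructed here, not the real installer)."""
    ts = int(datetime(2019, 2, 21, 14, 0, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = struct.pack(COFF_FMT, 0x14C, 4, ts, 0, 0, 224, 0x0102)          # i386, 4 sections, no symbol table
    opt = struct.pack(OPT32_FMT, 0x10B, 6, 0,                              # PE32 magic, linker 6.0
                      19456, 8192, 0, 29524, 0x1000, 0x6000, 4194304, 0x1000, 0x200,
                      4, 0, 4, 0, 4, 0,                                    # OS, image, subsystem versions
                      0, 0x10000, 1024, 0,                                 # SizeOfImage, SizeOfHeaders, CheckSum = 0
                      2, 0,                                                # Subsystem 2 = Windows GUI
                      0x100000, 4096, 0x100000, 0x1000, 0, 16)             # stack/heap sizes, 16 directories
    opt += b"\0" * (16 * 8)                                                # empty data directories
    sections, raw = b"", 1024
    for i, name in enumerate([b".text", b".rdata", b".data", b".rsrc"]):
        sections += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), 0x200, 0x1000 * (i + 1),
                                0x200, raw, 0, 0, 0, 0, 0x60000020)
        raw += 0x200
    headers = (dos + b"PE\0\0" + coff + opt + sections).ljust(1024, b"\0")
    body = b"".join(bytes([0x90 + i]) * 0x200 for i in range(4))           # filler section data
    return headers + body


def triage(data: bytes) -> dict:
    """Parse the headers and report the fields the Binary block lists, plus anomalies."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsec, ts, sym_ptr, nsyms, opt_size, _ = struct.unpack_from(COFF_FMT, data, pe_off + 4)
    opt_off = pe_off + 24
    f = struct.unpack_from(OPT32_FMT, data, opt_off)
    if f[0] != 0x10B:
        raise ValueError("only PE32 (wordsize 32) is handled in this example")
    sec_off = opt_off + opt_size
    sections = [struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)[0].rstrip(b"\0").decode("ascii", "replace")
                for i in range(nsec)]
    stored, computed = f[21], pe_checksum(data, opt_off + CHECKSUM_OFF)
    anomalies = []
    if stored != computed:
        anomalies.append("The header checksum and the calculated checksum do not match.")
    if stored == 0:
        anomalies.append("CheckSum field is 0: linker left it unset (only enforced for drivers and boot DLLs).")
    if nsyms == 0 and sym_ptr == 0:
        anomalies.append("No COFF symbol table (normal for release builds).")
    return {
        "machine": hex(machine), "wordsize": 32,
        "subsystem": SUBSYSTEMS.get(f[22], str(f[22])),
        "linker_version": "%d.%d" % (f[1], f[2]),
        "os_version": "%d.%d" % (f[12], f[13]),
        "image_version": "%d.%d" % (f[14], f[15]),
        "subsystem_version": "%d.%d" % (f[16], f[17]),
        "entry_point": f[6], "image_base": f[9], "size_of_code": f[3],
        "size_of_headers": f[20], "stack_commit": f[25], "directories": f[29],
        "symbols": nsyms, "symbol_pointer": sym_ptr,
        "checksum_header": stored, "checksum_calculated": computed,
        "sections": sections,
        "timestamp": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "timestamp_future": ts > int(time.time()),
        "anomalies": anomalies,
    }


def fix_checksum(data: bytes) -> bytes:
    """Return a copy with CheckSum set to the calculated value; used as a control for the anomaly."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    off = pe_off + 24 + CHECKSUM_OFF
    return data[:off] + struct.pack("<I", pe_checksum(data, off)) + data[off + 4:]


if __name__ == "__main__":
    for key, value in triage(build_sample_image()).items():
        print("%-20s %s" % (key, value))
```

Pointing `triage` at the bytes of a real PE32 reproduces the header fields above; the checksum anomaly fires for any image whose linker left the field at 0, which is why the note above treats it as informational. Writing the calculated value back (`fix_checksum`) and re-running is the quickest way to confirm the checksum routine itself is correct.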
PEDetector
Matches None
Suspicious False
Disassembly
hasTricks True
Tricks
  pushret                            .text: 1
  pushpopmath                        .rsrc: 1, .text: 1, .rdata: 1
  garbagebytes                       .text: 1
  hookdetection                      .text: 1
  programcontrolflowchange           .text: 1
  cpuinstructionsresultscomparison   .rsrc: 4
  Note: the .rsrc and .rdata hits come from disassembling data as code; resource and read-only data sections are never executed, so single-digit pattern counts there are noise. Only the .text hits are worth opening in a disassembler.
AVclass
None 1
VirusTotal
md5 d7b20f933be6cdae41efbe75548eba5f
sha1 9fa11a63b43f83980e0b48dc9ba2cb59d545a4e8
SCANS (DETECTION RATE = 1.47%)
engine                update    version             detected  result
AVG                   20190924  18.4.3895.0         False
CMC                   20190321  1.1.0.977           False
MAX                   20190924  2019.9.16.1         False
APEX                  20190924  5.66                False
Bkav                  20190924  1.3.0.10239         False
K7GW                  20190924  11.68.32087         False
ALYac                 20190924  1.1.1.5             False
Avast                 20190924  18.4.3895.0         False
Avira                 20190924  8.3.3.8             False
Baidu                 20190318  1.0.0.2             False
Cyren                 20190924  6.2.2.2             False
DrWeb                 20190924  7.0.41.7240         False
GData                 20190924  A:25.23479B:26.16100 False
Panda                 20190924  4.6.4.2             False
VBA32                 20190924  4.1.0               False
VIPRE                 20190922  78050               False
Zoner                 20190924  1.0.0.1             False
ClamAV                20190924  0.101.4.0           False
Comodo                20190924  31523               False
F-Prot                20190924  4.7.1.166           False
Ikarus                20190924  0.1.5.2             False
McAfee                20190924  6.0.6.653           False
Rising                20190924  25.0.0.24           False
Sophos                20190924  4.98.0              False
Yandex                20190923  5.5.2.24            True      Trojan.Agent!/8FtbJuRgIU
Zillya                20190924  2.0.0.3907          False
Acronis               20190923  1.1.1.58            False
Alibaba               20190527  0.3.0.5             False
Arcabit               20190924  1.0.0.857           False
Cylance               20190924  2.3.1.101           False
Endgame               20190918  3.0.15              False
FireEye               20190924  29.7.0.0            False
TACHYON               20190924  2019-09-24.02       False
Tencent               20190924  1.0.0.1             False
ViRobot               20190924  2014.3.20.0         False
Webroot               20190924  1.0.0.403           False
eGambit               20190924  v5.0.5              False
Ad-Aware              20190924  3.0.5.370           False
AegisLab              20190924  4.2                 False
Emsisoft              20190924  2018.12.0.1641      False
F-Secure              20190924  12.0.86.52          False
Fortinet              20190924  5.4.247.0           False
Invincea              20190904  6.3.6.26157         False
Jiangmin              20190924  16.0.100            False
Kingsoft              20190924  2013.8.14.323       False
Paloalto              20190924  1.0                 False
Symantec              20190924  1.10.0.0            False
Trapmine              20190826  3.1.81.800          False
AhnLab-V3             20190924  3.16.2.25355        False
Antiy-AVL             20190924  3.0.0.1             False
Kaspersky             20190924  15.0.1.13           False
Microsoft             20190924  1.1.16400.2         False
Qihoo-360             20190924  1.0.0.1120          False
ZoneAlarm             20190924  1.0                 False
ESET-NOD32            20190924  20071               False
TrendMicro            20190924  11.0.0.1006         False
BitDefender           20190924  7.2                 False
CrowdStrike           20190702  1.0                 False
K7AntiVirus           20190924  11.67.32086         False
SentinelOne           20190807  1.0.31.22           False
Avast-Mobile          20190924  190924-08           False
Malwarebytes          20190924  2.1.1.1115          False
CAT-QuickHeal         20190923  14.00               False
NANO-Antivirus        20190924  1.0.134.24859       False
MicroWorld-eScan      20190924  14.0.297.0          False
SUPERAntiSpyware      20190920  5.6.0.1032          False
McAfee-GW-Edition     20190924  v2017.3010          False
TrendMicro-HouseCall  20190924  10.0.0.1040         False
Note: one generic heuristic verdict (Trojan.Agent, a family-less label) against 67 clean engines is the usual profile of a false positive, not of a detection to act on. Before escalating, compare the sha256 above with the hash of the installer published by the 7-Zip project; a match settles the question.
total 68
sha256 0f5d4dbbe5e55b7aa31b91e5925ed901fdf46a367491d81381846f05ad54c45e
scan_id 0f5d4dbbe5e55b7aa31b91e5925ed901fdf46a367491d81381846f05ad54c45e-1569342954
resource d7b20f933be6cdae41efbe75548eba5f
permalink https://www.virustotal.com/file/0f5d4dbbe5e55b7aa31b91e5925ed901fdf46a367491d81381846f05ad54c45e/analysis/1569342954/
positives 1
scan_date 2019-09-24 16:35:54
verbose_msg Scan finished, information embedded
response_code 1
File
Trace
Process
Trace
Analysis
Reason: Blue Screen
Status: Execution Failed
Results: 0
Note: the sandbox guest crashed (blue screen) before the sample ran, so the File, Process and Registry trace sections of this report are empty. Empty traces here mean "not observed", not "no behaviour"; the dynamic section says nothing about the sample until the run is repeated on a working guest.
Registry
Trace
File Summary
Created Identified: False
Deleted Identified: False
Process Summary
Created Identified: False
Deleted Identified: False
Registry Summary
Proxy Identified: False
AutoRun Identified: False
Created Identified: False
Deleted Identified: False
Browsers Identified: False
Internet Identified: False
DNS
  Query: (none)
  Response: (none)
TCP
  localhost:27015 - localhost:53550
  localhost:53550 - localhost:27015
UDP
  localhost:51870 -> 239.255.255.250:1900
HTTP
  (none)
Summary
  DNS True  TCP True  UDP True  HTTP True
Note: the only traffic captured is loopback TCP between ports 27015 and 53550 and a single UDP datagram to 239.255.255.250:1900, the SSDP multicast address that Windows uses for device discovery on its own. Since the sample never executed (see Analysis above), none of this can be attributed to it; it is guest and sandbox background noise.
Results
Random Forest detected: TBD confidence: TBD