Report #1398

N/A
N/A
Protected

Academic year: 2023

Share "Report #1398"

Copied!
17
0
0

Texto

(1)

Binary

DLL: False
Size: 1.56 MB
TrID: 90.8% Win32 Executable Borland Delphi 7; 3.6% UPX compressed Win32 Executable; 1.9% Win32 Executable Delphi generic; 1.7% Windows screen saver; 0.6% Win32 Executable
Type: PE
Word size: 32
Subsystem: Windows GUI

Hashes

md5: e94cfc3dd0380413c143c9487207408f
sha1: d057b6398e31088caa1ebdbc2e32571e9652f9eb
crc32: 0xf33ff268
sha224: c328a056de525cd4799cc6c7aeddf50cb65b8833aefa957a6f25b211
sha256: a4c16699b3b2a077be6f8f3ff6c4f3eca032098aa98ec65ba5e1a3e733e0da40
sha384: d60982f246083855ed281e74c51a606ebb153461afbda480815f0806e559cb6ee3033bf81ad20121978a1524b7310138
sha512: 48b07115df33e03aad15f998c865cdfa50eb1eda1e930815f6df6b7be0d6c7af1f847005cc4f48ea5837c91fb1bd11ad2af955ce76fd1456a77c0250a7ddd802
ssdeep: 49152:yCVn8ueXtzKnalh5WaTFSivKWLLiZXKz66n5L:yO8N2naX8aTptfihit

Community

Creation Date: Nov. 16, 2019, 11:17 p.m.
Last Update: Nov. 17, 2019, 11:27 a.m.
File: new.exe

Results:

Google: False
HashLib: False

YARA

Matches: domain, Borland, IP, disable_antivirus, Dropper_Strings, Borland_Delphi_30_, escalate_priv, Delphi_DecodeDate, borland_delphi, Delphi_FormShow, UPX V200V290MarkusOberhumerLaszloMolnarJohnReiser, Antivirus, Microsoft_Visual_Cpp_v50v60_MFC, win_token, IsPacked, win_hook, contentis_base64, network_tcp_socket, screenshot, Borland_Delphi_v40_v50, keylogger, win_files_operation, Borland_Delphi_40_additional, IsPE32, Borland_Delphi_40, UPX, Borland_Delphi_v60_v70, IsWindowsGUI, inject_thread, Delphi_Copy, Borland_Delphi_Setup_Module, Borland_Delphi_DLL, url, win_registry, Delphi_CompareCall, Delphi_StrToInt, Borland_Delphi_30_additional, Borland_Delphi_v30, System_Tools
Suspicious: True

Strings

List (one extracted string per line, as reported; short runs such as "t.Ht" are extractor noise, not indicators):

<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
t.Ht
TitleFont.Style TitleFont.Name TY.PN
W.Sr N.gr P.re h.AC Font.Name Font.Style e.bt
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
\SOFTWARE\Microsoft\Security Center
%s.Seek not implemented$Operation not allowed on sorted list Too many rows or columns deleted$%s not in a class registration group
6.Hu V.TH
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
\SOFTWARE\Policies\Microsoft\Windows Defender zP.UG
H.Sm?
wsock32.dll
\SOFTWARE\Policies\Google\Chrome P.rsrc
SOFTWARE\Borland\Delphi\RTL Delphi%.8X
Software\Borland\Locales
Software\Borland\Delphi\Locales winspool.drv
msinfo32.exe
!foQ.rml comctl32.dll comctl32.dll comctl32.dll comctl32.dll comctl32.dll comctl32.dll comctl32.dll version.dll version.dll Mes05.dll uxtheme.dll vcltest3.dll winmm.dll RdPS regedit.exe Username SOFTWARE\B OnDeleteError OnDeleteError SeDebugPrivilege
=8.>
*H$<Sw f{}rI:VS
^@%/
wM%/anL try~
o(ws GFn't
ControlOfs%.8X%.8X WndProcPtr%.8X%.8X T"udtl
t%,%.%0%2%4%6%8%O 7IE(AL("%s",4),"
%GI;L6"/i<
%R%U%X%[%^%_%`%a%b%d%f%h%i%j%km$n fkCalculated
Calculated A%GMenu0:3
%Lc*A!7
TRecordsetReasonEvent r%!%#%'%)%c%e%g%C%<2%
9%;%=%?%A%D%F%H%J%K%L%M%
:6%>%@%B%E%G%I%[P%S
%l%m%o%s JumpID("","%s") Uh1%A
BitBtn6L BitBtn6 FLVhP4E D\'f%sA t\%a`
hF%n\
Tlr%o)
%d&iS rL:%s
- Dock zone has no control
\Software\Microsoft\Windows\CurrentVersion\Policies\System TEventReason
TEventReason TEventReason TEventReason TEventReason Apartment OcNov
AfterDeleteliG AfterDeleteliG
Sub-menu is not in menu ilReadCommitted

Security-relevant strings in this list, and the YARA matches above they are consistent with: \SOFTWARE\Microsoft\Security Center and the two \SOFTWARE\Policies\Microsoft\Windows Defender paths (Security Center and Defender policy keys; disable_antivirus, Antivirus), \Software\Microsoft\Windows\CurrentVersion\Policies\System (the policy key where UAC settings such as EnableLUA live; win_registry), \SOFTWARE\Policies\Google\Chrome (Chrome enterprise policy key), SeDebugPrivilege (escalate_priv, win_token), msinfo32.exe and regedit.exe (System_Tools), and wsock32.dll (network_tcp_socket). The remaining entries are Delphi RTL/VCL text (TitleFont, BitBtn, Dock zone, TEventReason, Borland locale keys) and binary noise. A string only shows what the code could reference; the sandbox run further down crashed, so none of this behaviour was confirmed dynamically.
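The triage above is the kind of pass an analyst scripts before running YARA. The following Python is an added example for this page, not output of the report tool and not code from its authors: it extracts printable ASCII and UTF-16LE runs from a byte blob the way strings does, then matches them against a small indicator list modelled on the registry keys, privilege name, tool names and socket library listed above. The input blob, the category names and the regex patterns are this example's own constructions (they only loosely mirror the report's YARA rule names, which are not reproduced here).

```python
import re
from collections import defaultdict

# Indicator categories are this example's own, loosely mirroring the report's YARA rule names.
INDICATORS = {
    "security_product_policy": [r"\\SOFTWARE\\Microsoft\\Security Center",        # disable_antivirus
                                r"\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"],
    "uac_policy_key": [r"\\CurrentVersion\\Policies\\System$"],                    # win_registry
    "browser_policy_key": [r"\\SOFTWARE\\Policies\\Google\\Chrome"],
    "privilege_name": [r"^Se[A-Za-z]+Privilege$"],                                # escalate_priv / win_token
    "system_tool": [r"^(msinfo32|regedit|taskmgr)\.exe$"],                         # System_Tools
    "socket_library": [r"^(wsock32|ws2_32|wininet)\.dll$"],                        # network_tcp_socket
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats] for cat, pats in INDICATORS.items()}

# Constructed stand-in for a slice of new.exe: a few strings from the report's list embedded in junk.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"\\SOFTWARE\\Microsoft\\Security Center\x00"
    + b"\x8b\xec\x83\xc4\xf0"                                           # non-printable code bytes
    + b"\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\x00"
    + b"\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\x00"
    + b"SeDebugPrivilege\x00\x00"
    + "msinfo32.exe".encode("utf-16le") + b"\x00\x00"                   # wide (UTF-16LE) string
    + b"wsock32.dll\x00"
    + b"t.Ht\x00"                                                       # 4-char junk run, as in the report
)


def extract_strings(data, min_len=4):
    """Printable ASCII and UTF-16LE runs of at least min_len chars, in file order (like strings -n 4 / -e l)."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_run.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16le")) for m in wide_run.finditer(data)]
    return [s for _, s in sorted(found)]


def triage(strings):
    """Map each category to the strings that hit one of its patterns; categories with no hit are omitted."""
    hits = defaultdict(list)
    for s in strings:
        for cat, pats in COMPILED.items():
            if any(p.search(s) for p in pats):
                hits[cat].append(s)
    return dict(hits)


if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    print(f"{len(found)} strings extracted")
    for cat, matched in triage(found).items():
        print(f"{cat}:")
        for s in matched:
            print(f"    {s}")
```

The wide-string pass matters for Delphi binaries because VCL resources and newer Delphi versions store text as UTF-16; the example separates the ASCII terminator of one string from a following wide string with a double NUL so that the last ASCII character is not glued onto the wide run, which is the same artefact strings -e l produces on real files.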

Foremost

Matches: 0.exe, 1 MB
Suspicious: True

Heuristics

IPs: hasIPs: False; Allowed: none; Suspicious: none (hasAllowed: False, hasSuspicious: False)
URLs: hasURLs: True; Allowed: http://schemas.microsoft.com/smi/2005/windowssettings; Suspicious: none (hasAllowed: True, hasSuspicious: False)
Files: hasFiles: True; Allowed: MAPI32.DLL, mtxex.dll, uxtheme.dll, comctl32.dll, ole32.dll, imm32.dll, advapi32.dll, USER32.DLL, gdi32.dll, Mes05.dll, wsock32.dll, oleaut32.dll, kernel32.dll, winmm.dll, comdlg32.dll, vcltest3.dll, shell32.dll, version.dll; Suspicious: none (hasAllowed: True, hasSuspicious: False)

Binary

Sizes
RVA: 16 (Suspicious: False)
Code: 916992 (Suspicious: False)
Image Address: 4194304 (0x400000) (Suspicious: False)
Stack: 16384 (Suspicious: False)
Headers: 4096 (Suspicious: False)

Symbols
Number: 0 (Suspicious: True)
Pointer: 0 (Suspicious: True)

Directories
Number: 16 (Suspicious: False)

Checksum
Value: 0 (Suspicious: True)

Sections
Allowed: code, data, bss, .idata, .tls, .rdata, .reloc, .rsrc; Suspicious: none (hasAllowed: True, hasSections: True, hasSuspicious: False)

Versions
OS: 4 (Suspicious: False)
Image: 4 (Suspicious: False)
Linker: 2.25 (Suspicious: False)
Subsystem: 4.0 (Suspicious: False)

EntryPoint
Address: 720440 (0xAFE38) (Suspicious: False)

Anomalies
The header checksum and the calculated checksum do not match. (hasAnomalies: True)

Libraries
Allowed: mapi32.dll, mtxex.dll, uxtheme.dll, comctl32.dll, ole32.dll, imm32.dll, advapi32.dll, user32.dll, gdi32.dll, wsock32.dll, oleaut32.dll, kernel32.dll, winmm.dll, comdlg32.dll, shell32.dll, version.dll
Suspicious: mes05.dll, vcltest3.dll
(hasLibs: True, hasAllowed: True, hasSuspicious: True)

Timestamp
Value: 1992-06-19 19:22:17 (Valid: True, Past: True, Future: False)

Compilation
Packed: False; Missing: False; Compiled: True
Packers: none
Compilers: Borland Delphi 3.0 (???), Borland Delphi 4.0, Borland Delphi v3.0, Borland Delphi v6.0 - v7.0

Obfuscation
XOR: False; Fuzzing: False

Notes on the flags above:

The Image version entry in the source read "Version: True Suspicious: 4", which is the two fields transposed; it is shown here as Version: 4, Suspicious: False, matching the OS version entry.

Checksum = 0 means the linker never populated the field. Windows only enforces the header checksum for drivers and system DLLs, so an unset checksum in a user-mode GUI executable is unremarkable on its own, and the "checksum mismatch" anomaly is simply a restatement of it.

The timestamp 1992-06-19 19:22:17 is displayed in local time (UTC-3); it is 22:22:17 UTC, raw value 0x2A425E19, the fixed link stamp that Delphi-built binaries carry. It identifies the toolchain, not the build date, so "Past: True" says nothing about when this sample was produced.

Symbols Number = 0 and Pointer = 0 are the norm for release builds (a COFF symbol table is essentially never shipped), so those two Suspicious: True flags carry no signal.

Packed: False agrees with the section list (the standard Delphi CODE/DATA/BSS layout, no UPX0/UPX1 sections), so the outer file is not UPX-packed. The UPX signatures from TrID and YARA, the 1 MB executable Foremost carved (0.exe) and the disassembler tricks counted predominantly in .rsrc are all consistent with a second PE embedded in the resource section (compare the Dropper_Strings match); carving the resource and analysing it separately would confirm that.
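To show where the Sizes, Symbols, Checksum and Timestamp flags come from, here is an added example (written for this page; it is not the report tool's code and does not use pefile): it builds a throwaway PE32 image in memory carrying the header values listed above (image base 4194304, entry point 720440, linker 2.25, versions 4.0, GUI subsystem, 16 data directories, CheckSum 0, the Delphi timestamp and the eight section names), parses it back with only the standard library, recomputes the image checksum the way CheckSumMappedFile does, and evaluates the heuristics together with the caveats noted above. Everything about the sample file other than those numbers (section RVAs and sizes, raw data, characteristics) is made up for the demonstration; parse_pe only handles PE32, which is all this 32-bit sample needs.

```python
import struct
from datetime import datetime, timezone

DELPHI_TIMESTAMP = 0x2A425E19      # fixed link stamp Delphi writes: 1992-06-19 22:22:17 UTC
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
COFF_FMT = "<HHIIIHH"              # IMAGE_FILE_HEADER (20 bytes)
OPT_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"  # PE32 IMAGE_OPTIONAL_HEADER, fixed part (96 bytes)
SECT_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER (40 bytes)
CHECKSUM_FIELD_OFFSET = 64         # CheckSum lives 64 bytes into the optional header

# Constructed section layout in the Delphi style the report lists: (name, RVA, virtual size).
SAMPLE_SECTIONS = [(b"CODE", 0x1000, 0xE0000), (b"DATA", 0xE1000, 0x5000), (b"BSS", 0xE6000, 0x1000),
                   (b".idata", 0xE7000, 0x2000), (b".tls", 0xE9000, 0x1000), (b".rdata", 0xEA000, 0x1000),
                   (b".reloc", 0xEB000, 0x10000), (b".rsrc", 0xFB000, 0x95000)]


def build_sample_pe(checksum=0, timestamp=DELPHI_TIMESTAMP):
    """Constructed PE32 stand-in for new.exe: header numbers from the report, no real code inside."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = struct.pack(COFF_FMT, 0x14C, len(SAMPLE_SECTIONS), timestamp, 0, 0,  # i386, no COFF symbols
                       struct.calcsize(OPT_FMT) + 16 * 8, 0x818E)
    opt = struct.pack(OPT_FMT, 0x10B, 2, 25, 916992, 0x5000, 0x1000,            # PE32, linker 2.25, SizeOfCode
                      0xAFE38, 0x1000, 0xE1000, 0x400000, 0x1000, 0x200,        # entry 720440, base 0x400000
                      4, 0, 4, 0, 4, 0, 0, 0x190000, 0x1000, checksum,          # versions 4.0, SizeOfHeaders 4096
                      IMAGE_SUBSYSTEM_WINDOWS_GUI, 0, 0x100000, 0x4000,        # GUI, stack commit 16384
                      0x100000, 0x1000, 0, 16)                                  # heap, 16 data directories
    sects = b"".join(struct.pack(SECT_FMT, n.ljust(8, b"\x00"), vs, va, 0x200, 0x1000 + 0x200 * i,
                                 0, 0, 0, 0, 0x60000020)
                     for i, (n, va, vs) in enumerate(SAMPLE_SECTIONS))
    headers = (dos + b"PE\x00\x00" + coff + opt + b"\x00" * (16 * 8) + sects).ljust(0x1000, b"\x00")
    return headers + bytes(range(256)) * 2 * len(SAMPLE_SECTIONS)              # 0x200 raw bytes per section


def pe_checksum(data, checksum_offset):
    """Image checksum as CheckSumMappedFile computes it: fold 32-bit words with carry, fold to
    16 bits, add the file length; the CheckSum field itself is treated as zero."""
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data):
    """Minimal stdlib PE32 header parser returning the fields the report's heuristics use."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsect, stamp, sym_ptr, nsyms, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_FMT)
    o = struct.unpack_from(OPT_FMT, data, opt_off)
    if o[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled here")
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, va, *_ = struct.unpack_from(SECT_FMT, data, sect_off + 40 * i)
        sections.append((name.rstrip(b"\x00").decode("ascii", "replace"), va, vsize))
    return {
        "machine": machine, "timestamp": stamp,
        "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "symbol_pointer": sym_ptr, "symbol_count": nsyms,
        "linker_version": f"{o[1]}.{o[2]}", "size_of_code": o[3], "entry_point": o[6], "image_base": o[9],
        "os_version": f"{o[12]}.{o[13]}", "image_version": f"{o[14]}.{o[15]}",
        "subsystem_version": f"{o[16]}.{o[17]}", "size_of_headers": o[20],
        "header_checksum": o[21], "checksum_offset": opt_off + CHECKSUM_FIELD_OFFSET,
        "subsystem": o[22], "stack_commit": o[25], "directory_count": o[29], "sections": sections,
    }


def header_findings(data):
    """The report's header heuristics, with the caveats a triage analyst attaches to each flag."""
    pe = parse_pe(data)
    computed = pe_checksum(data, pe["checksum_offset"])
    ep = pe["entry_point"]
    return pe, computed, {
        "checksum_unset": pe["header_checksum"] == 0,                  # common for user-mode EXEs
        "checksum_mismatch": pe["header_checksum"] != computed,        # the report's Anomalies line
        "delphi_fixed_timestamp": pe["timestamp"] == DELPHI_TIMESTAMP,  # toolchain marker, not build date
        "coff_symbols_absent": pe["symbol_pointer"] == 0 and pe["symbol_count"] == 0,  # normal
        "entry_in_code_section": any(va <= ep < va + vs for n, va, vs in pe["sections"] if n == "CODE"),
        "upx_section_names": any(n.upper().startswith("UPX") for n, _, _ in pe["sections"]),
        "delphi_section_layout": [n for n, _, _ in pe["sections"]][:3] == ["CODE", "DATA", "BSS"],
        "gui_subsystem": pe["subsystem"] == IMAGE_SUBSYSTEM_WINDOWS_GUI,
    }


if __name__ == "__main__":
    sample = build_sample_pe()
    pe, computed, findings = header_findings(sample)
    print(f"entry 0x{pe['entry_point']:X} base 0x{pe['image_base']:X} linker {pe['linker_version']} "
          f"stamp {pe['timestamp_utc']} UTC sections {[n for n, _, _ in pe['sections']]}")
    print(f"header checksum {pe['header_checksum']:#x}, computed {computed:#x}")
    for name, flag in findings.items():
        print(f"  {name:24} {flag}")
```

Running it against the sample reproduces the report's picture: CheckSum 0 therefore a mismatch, the Delphi stamp, no COFF symbols, entry point inside CODE, Delphi section layout and no UPX sections. Rebuilding the sample with checksum=computed makes the mismatch disappear, which is the same operation a linker's /RELEASE switch performs and the reason the flag alone distinguishes nothing.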

PEDetector

Matches: 822076
Suspicious: True

Disassembly

hasTricks: True

Tricks (count of matches outside any section, and inside .rsrc):

Trick                              | none | .rsrc
pushret                            |  93  |  370
nopsequence                        |   -  |    1
pushpopmath                        |  16  |  238
ss register                        |   -  |    7
garbagebytes                       |  91  |  130
hookdetection                      |   6  |    8
software breakpoint                |   5  |   15
fakeconditionaljumps               |   -  |   10
programcontrolflowchange           |  91  |  123
cpuinstructionsresultscomparison   |  20  |   31

AVclass

banbra 1

VirusTotal

md5: e94cfc3dd0380413c143c9487207408f
sha1: d057b6398e31088caa1ebdbc2e32571e9652f9eb

SCANS (DETECTION RATE = 50.00%)

Engine | Result | Update | Version | Detected
AVG | Win32:Trojan-gen | 20190510 | 18.4.3895.0 | True
CMC | - | 20190321 | 1.1.0.977 | False
MAX | malware (ai score=89) | 20190510 | 2018.9.12.1 | True
Bkav | - | 20190509 | 1.3.0.10239 | False
K7GW | - | 20190510 | 11.42.30863 | False
ALYac | Gen:Variant.Symmi.64405 | 20190510 | 1.1.1.5 | True
Avast | Win32:Trojan-gen | 20190510 | 18.4.3895.0 | True
Avira | TR/Spy.Banker.ooigd | 20190510 | 8.3.3.8 | True
Baidu | - | 20190318 | 1.0.0.2 | False
Cyren | - | 20190510 | 6.2.0.1 | False
DrWeb | - | 20190510 | 7.0.34.11020 | False
GData | Gen:Variant.Symmi.64405 | 20190510 | A:25.21880B:25.15043 | True
Panda | - | 20190509 | 4.6.4.2 | False
VBA32 | BScope.Trojan.Delf | 20190504 | 4.0.0 | True
VIPRE | - | 20190510 | 74930 | False
Zoner | - | 20190509 | 1.0 | False
ClamAV | - | 20190509 | 0.101.2.0 | False
Comodo | - | 20190510 | 30842 | False
F-Prot | - | 20190510 | 4.7.1.166 | False
Ikarus | Trojan-Spy.Agent | 20190509 | 0.1.5.2 | True
McAfee | Artemis!E94CFC3DD038 | 20190503 | 6.0.6.653 | True
Rising | Spyware.Banker!8.8D (TFE:4:EoLeqFXyO5C) | 20190510 | 25.0.0.24 | True
Sophos | Mal/Generic-S | 20190510 | 4.98.0 | True
Yandex | - | 20190501 | 5.5.1.3 | False
Zillya | - | 20190508 | 2.0.0.3809 | False
Acronis | suspicious | 20190504 | 1.0.1.48 | True
Alibaba | - | 20190426 | 0.4.0.6 | False
Arcabit | Trojan.Symmi.DFB95 | 20190510 | 1.0.0.845 | True
Babable | - | 20190424 | 9107201 | False
Cylance | Unsafe | 20190510 | 2.3.1.101 | True
Endgame | malicious (high confidence) | 20190403 | 3.0.9 | True
FireEye | Generic.mg.e94cfc3dd0380413 | 20190510 | 29.7.0.0 | True
TACHYON | - | 20190510 | 2019-05-10.01 | False
Tencent | - | 20190510 | 1.0.0.1 | False
ViRobot | - | 20190509 | 2014.3.20.0 | False
Webroot | - | 20190510 | 1.0.0.403 | False
eGambit | - | 20190510 | v4.3.6 | False
Ad-Aware | Gen:Variant.Symmi.64405 | 20190510 | 3.0.5.370 | True
AegisLab | - | 20190510 | 4.2 | False
Emsisoft | Gen:Variant.Symmi.64405 (B) | 20190510 | 2018.4.0.1029 | True
F-Secure | Trojan.TR/Spy.Banker.ooigd | 20190510 | 12.0.86.52 | True
Fortinet | W32/SpyBanker.ACZM!tr | 20190510 | 5.4.247.0 | True
Invincea | - | 20190313 | 6.3.6.26157 | False
Jiangmin | TrojanDownloader.Agent.bmrr | 20190510 | 16.0.100 | True
Kingsoft | - | 20190510 | 2013.8.14.323 | False
Paloalto | - | 20190510 | 1.0 | False
Symantec | ML.Attribute.HighConfidence | 20190510 | 1.9.0.0 | True
Trapmine | malicious.high.ml.score | 20190325 | 3.1.52.760 | True
AhnLab-V3 | - | 20190509 | 3.15.1.23978 | False
Antiy-AVL | Trojan[Banker]/Win32.Banbra | 20190510 | 3.0.0.1 | True
Kaspersky | Trojan-Banker.Win32.Banbra.wqgj | 20190510 | 15.0.1.13 | True
Microsoft | Trojan:Win32/Dynamer!rfn | 20190510 | 1.1.15900.4 | True
Qihoo-360 | - | 20190510 | 1.0.0.1120 | False
TheHacker | - | 20190506 | 6.8.0.5.4206 | False
Trustlook | - | 20190510 | 1.0 | False
ZoneAlarm | Trojan-Banker.Win32.Banbra.wqgj | 20190510 | 1.0 | True
Cybereason | malicious.dd0380 | 20190417 | 1.2.449 | True
ESET-NOD32 | a variant of Win32/Spy.Banker.ACZM | 20190510 | 19331 | True
TrendMicro | TROJ_GEN.R004C0PE919 | 20190510 | 10.0.0.1040 | True
BitDefender | Gen:Variant.Symmi.64405 | 20190510 | 7.2 | True
CrowdStrike | win/malicious_confidence_60% (W) | 20190212 | 1.0 | True
K7AntiVirus | - | 20190509 | 11.42.30861 | False
SentinelOne | - | 20190508 | 1.0.26.322 | False
Avast-Mobile | - | 20190509 | 190509-00 | False
Malwarebytes | - | 20190510 | 2.1.1.1115 | False
TotalDefense | - | 20190509 | 37.1.62.1 | False
CAT-QuickHeal | - | 20190509 | 14.00 | False
NANO-Antivirus | Trojan.Win32.Banbra.fpxnfe | 20190510 | 1.0.134.24788 | True
MicroWorld-eScan | Gen:Variant.Symmi.64405 | 20190510 | 14.0.297.0 | True
SUPERAntiSpyware | - | 20190507 | 5.6.0.1032 | False
McAfee-GW-Edition | BehavesLike.Win32.Injector.tc | 20190510 | v2017.3010 | True
TrendMicro-HouseCall | TROJ_GEN.R004C0PE919 | 20190510 | 10.0.0.1040 | True

total: 72
positives: 36
sha256: a4c16699b3b2a077be6f8f3ff6c4f3eca032098aa98ec65ba5e1a3e733e0da40
scan_id: a4c16699b3b2a077be6f8f3ff6c4f3eca032098aa98ec65ba5e1a3e733e0da40-1557466867
resource: e94cfc3dd0380413c143c9487207408f
permalink: https://www.virustotal.com/file/a4c16699b3b2a077be6f8f3ff6c4f3eca032098aa98ec65ba5e1a3e733e0da40/analysis/1557466867/
scan_date: 2019-05-10 05:41:07
verbose_msg: Scan finished, information embedded
response_code: 1

The VirusTotal data is a cached scan from 2019-05-10, six months before this report was created (Nov. 16, 2019); the 36/72 detection rate is as of that date. Engines that name a family agree on a Brazilian banking trojan (Banbra: Kaspersky, ZoneAlarm, Antiy-AVL, NANO-Antivirus; Spy.Banker/SpyBanker: Avira, F-Secure, Fortinet, ESET-NOD32, Rising), which is the family AVclass reports above; the Gen:Variant.Symmi.64405 label shared by ALYac, GData, Ad-Aware, Emsisoft, BitDefender and MicroWorld-eScan is one BitDefender-engine signature counted six times, not six independent opinions.

Analysis

Reason: Blue Screen
Status: Machine Crashed
Results: 0

The sandbox guest crashed, so the run produced no trace. Every False below records an aborted execution, not observed benign behaviour; the sample has to be re-run (and the static indicators above treated as unconfirmed) before any behavioural conclusion is drawn.

File Trace: none recorded
Process Trace: none recorded
Registry Trace: none recorded

File Summary: Created Identified: False; Deleted Identified: False
Process Summary: Created Identified: False; Deleted Identified: False
Registry Summary: Proxy Identified: False; AutoRun Identified: False; Created Identified: False; Deleted Identified: False; Browsers Identified: False; Internet Identified: False

Network: DNS (Query/Response), TCP (Info), UDP (Info), HTTP (Info): nothing recorded

Summary: DNS: False; TCP: False; UDP: False; HTTP: False

Results

BINARY

Classifier | Confidence | Suspicious
KNN (K=3, NFS-BRMalware) | 100.00% | True
Decision Tree (NFS-BRMalware) | 100.00% | True
SVC (Kernel=Linear, NFS-BRMalware) | 58.21% | False
MalConv (Ember: Raw Bytes, Threshold=0.5) | 93.14% | False
Random Forest (100 estimators, NFS-BRMalware) | 62.00% | True
Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35) | 40.71% | True
LightGDM (Ember: File Characteristics, Threshold=0.8336) | 90.53% | True

Five of the seven classifiers vote suspicious. The confidence column is each model's own score and is not comparable across rows: MalConv reports 93.14% with a benign verdict and Non-Negative MalConv 40.71% with a malicious one, so only the verdict column should be read as a vote.
