Report #7699

N/A
N/A
Protected

Academic year: 2023

Share "Report #7699"

Copied!
16
0
0

Binary

DLL: False
Size: 160.00KB
trid: 41.0% Win32 Executable MS Visual C++; 36.3% Win64 Executable; 8.6% Win32 Dynamic Link Library; 5.9% Win32 Executable; 2.6% OS/2 Executable
type: PE
wordsize: 32
Subsystem: Windows CLI

Hashes

md5: a51d90f2f9394f5ea0a3acae3bd2b219
sha1: 20fea1314dbed552d5fedee096e2050369172ee1
crc32: 0xd8c6c1c
sha224: 4dea7ee5d626fa2c05b26ee2839277501ebc47adc1e1bbdbc6bb8057
sha256: ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f
sha384: 3f08577cbc7c4e2e7a226b02c55998325731ab7219302e4c5f2bb1b2430266d89149304e31ce3b28efe20d51854de613
sha512: c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6
ssdeep: 3072:6nkCMZlG+fHlDum7uVouWEHR92dZH5TTY8A7GyH367uPlDKw:6kCMndv8WiYZH5A8sGw367Y+


Creation Date: Feb. 27, 2020, 5:20 p.m.
Last Update: Feb. 27, 2020, 10:52 p.m.
File: _1x9P0g94QW6sZaKacXmH.exe

Results:

Community

Google: False
HashLib: False
YARA matches: Microsoft_Visual_Cpp_v50v60_MFC_additional, Microsoft_Visual_Cpp, domain, DebuggerException__SetConsoleCtrl, Armadillo_v171_additional, IsPE32, win_token, contentis_base64, Armadillo_v171, win_registry, Microsoft_Visual_Cpp_v50v60_MFC, IsConsole, Microsoft_Visual_Cpp_v60, CRC32_poly_Constant, win_files_operation, Microsoft_Visual_Cpp_50, escalate_priv, HasRichSignature
Suspicious: True

Strings

List

Mapi32.dll Encrypted

there is no such archive 7-Zip cannot load Mapi32.dll Commented

can't decompress folder

stdout mode and email mode cannot be combined Created

switch is not full is not file

7-Zip cannot find the code that works with archives.

MB, # %s %3d

I won't write compressed data to a terminal Software\7-zip

KB/s %% MIPS MIPS RAM %s

Can not open file as archive x: eXtract files with full paths [Content]

<Commands>

Compressed:

SeLockMemoryPrivilege Archives:

Archive Errors:

PSShL@

Dict Compressing | Decompressing CPU hardware threads:

7z.dll

Compressing Compressed


BERROR: Can not delete output file B7zCon.sfx

GetProcAddress PhysicalDrive PhysicalDrive PSSh

Extracting

OpenProcessToken Multivolume DeviceIoControl VirtualAlloc MapViewOfFile

Incorrect command line LoadLibraryA

RemoveDirectoryW CreateFileW

MoveFileA LoadLibraryExA FreeLibrary

GetModuleFileNameA RemoveDirectoryA SetFileTime FindFirstFileA MoveFileW

GetModuleHandleA RegOpenKeyExA SetFilePointer RegQueryValueExA CreateDirectoryA CreateFileA FindNextFileA FindNextFileW FindFirstFileW DeleteFileW DeleteFileA CreateDirectoryW WriteFile

CRC Failed in encrypted file. Wrong password?

Everything is Ok

7-Zip cannot delete the file switch must be single 7-Zip cannot move the file ReadFile

7-Zip cannot open file Creating archive 3EEf

already exists. Overwrite with

I won't write data and program's messages to same terminal Volumes

GetTickCount

Data Error in encrypted file. Wrong password?

Can not open encrypted archive. Wrong password?

cannot find archive Host OS

Volume fprintf

-m{Parameters}: set compression Method

Usage: 7z <command> [<switches>...] <archive_name> [<file_names>...]

7z.exe


-u[-][p#][q#][r#][x#][y#][z#][!newArchiveName]: Update options Processing archive:

-v{Size}[b|k|m|g]: Create volumes -ssw: compress shared files

.?AUCArchiveCommandLineException@@

-sfx[{name}]: Create SFX archive

-ax[r[-|0]]{@listfile|!wildcard}: eXclude archives -ai[r[-|0]]{@listfile|!wildcard}: Include archives -p{Password}: set Password

a: Add files to archive -t{Type}: Set type of archive

Foremost

Matches: 0.exe, 160 KB
Suspicious: True

Heuristics

IPs: hasIPs: False; Allowed: hasAllowed: False; Suspicious: hasSuspicious: False
URLs: hasURLs: False; Allowed: hasAllowed: False; Suspicious: hasSuspicious: False
Files: hasFiles: True; Allowed: 7-Zip cannot load Mapi32.dll, Mapi32.dll, MSVCRT.dll, ADVAPI32.dll, kernel32.dll, USER32.dll, OLEAUT32.dll, 7z.dll (hasAllowed: True); Suspicious: hasSuspicious: False

Binary

Sizes (Suspicious: False)
  RVA: 16 (Suspicious: False)
  Code Size: 44544 (Suspicious: False)
  Image Address: 4194304 (Suspicious: False)
  Stack: 4096 (Suspicious: False)
  Headers: 1024 (Suspicious: False)

Symbols
  Number: 0 (Suspicious: True)
  Pointer: 0 (Suspicious: True)

Directories
  Number: 16 (Suspicious: False)

Checksum
  Value: 0 (Suspicious: True)

Sections
  Allowed: .text, .rdata, .data, .rsrc
  hasAllowed: True; hasSections: True; hasSuspicious: False

Versions (Suspicious: False)
  OS Version: 4 (Suspicious: False)
  Image Version: 4 (Suspicious: True)
  Linker Version: 6.0 (Suspicious: False)
  Subsystem Version: 4.0 (Suspicious: False)

EntryPoint
  Address: 118988 (Suspicious: False)

Anomalies
  Anomalies: The header checksum and the calculated checksum do not match.
  hasAnomalies: True

Libraries
  Allowed: mapi32.dll, msvcrt.dll, advapi32.dll, kernel32.dll, user32.dll, oleaut32.dll
  Suspicious: 7-zip cannot load mapi32.dll, 7z.dll
  hasLibs: True; hasAllowed: True; hasSuspicious: True

Timestamp
  Value: 2010-11-18 14:08:03
  Valid: True; Past: False; Future: False

Compilation
  Packed: False
  Missing: False
  Compiled: True
  Compilers: Microsoft Visual C++ v6.0, Microsoft Visual C++ 5.0, Microsoft Visual C++

Packers
  MainPacker: Armadillo v1.71

Obfuscation
  XOR: False
  Fuzzing: False

PEDetector

Matches: None
Suspicious: False

Disassembly

hasTricks: True
Tricks:
  pushret: .text: 2
  nopsequence: .text: 17
  pushpopmath: .data: 7, .text: 4, .rdata: 2
  garbagebytes: .text: 2
  software breakpoint: .text: 4
  programcontrolflowchange: .text: 2

AVclass

None: 1

VirusTotal

md5: a51d90f2f9394f5ea0a3acae3bd2b219
sha1: 20fea1314dbed552d5fedee096e2050369172ee1

SCANS (DETECTION RATE = 0.00%)

AVG (update: 20200225, version: 18.4.3895.0): detected: False
CMC (update: 20190321, version: 1.1.0.977): detected: False
MAX (update: 20200226, version: 2019.9.16.1): detected: False
APEX (update: 20200225, version: 5.122): detected: False
Bkav (update: 20200221, version: 1.3.0.9899): detected: False
K7GW (update: 20200225, version: 11.96.33379): detected: False
ALYac (update: 20200225, version: 1.1.1.5): detected: False
Avast (update: 20200225, version: 18.4.3895.0): detected: False
Baidu (update: 20190318, version: 1.0.0.2): detected: False
Cyren (update: 20200225, version: 6.2.2.2): detected: False
DrWeb (update: 20200225, version: 7.0.44.12030): detected: False
GData (update: 20200225, version: A:25.24988B:26.17814): detected: False
Panda (update: 20200225, version: 4.6.4.2): detected: False
VBA32 (update: 20200225, version: 4.3.0): detected: False
VIPRE (update: 20200225, version: 81800): detected: False
Zoner (update: 20200224, version: 1.0.0.1): detected: False
ClamAV (update: 20200225, version: 0.102.2.0): detected: False
Comodo (update: 20200225, version: 32129): detected: False
F-Prot (update: 20200225, version: 4.7.1.166): detected: False
McAfee (update: 20200225, version: 6.0.6.653): detected: False
Rising (update: 20200225, version: 25.0.0.24): detected: False
Sophos (update: 20200225, version: 4.98.0): detected: False
Yandex (update: 20200223, version: 5.5.2.24): detected: False
Zillya (update: 20200225, version: 2.0.0.4034): detected: False
Acronis (update: 20200225, version: 1.1.1.73): detected: False
Alibaba (update: 20190527, version: 0.3.0.5): detected: False
Arcabit (update: 20200225, version: 1.0.0.869): detected: False
Cylance (update: 20200226, version: 2.3.1.101): detected: False
Endgame (update: 20200131, version: 3.0.16): detected: False
FireEye (update: 20200225, version: 29.7.0.0): detected: False
Sangfor (update: 20200221, version: 1.0): detected: False
TACHYON (update: 20200225, version: 2020-02-25.02): detected: False
Tencent (update: 20200226, version: 1.0.0.1): detected: False
ViRobot (update: 20200225, version: 2014.3.20.0): detected: False
Webroot (update: 20200226, version: 1.0.0.403): detected: False
eGambit (update: 20200226): detected: False
Ad-Aware (update: 20200225, version: 3.0.5.370): detected: False
Emsisoft (update: 20200225, version: 2018.12.0.1641): detected: False
F-Secure (update: 20200225, version: 12.0.86.52): detected: False
Fortinet (update: 20200225, version: 6.2.142.0): detected: False
Invincea (update: 20200219, version: 6.3.6.26157): detected: False
Jiangmin (update: 20200225, version: 16.0.100): detected: False
Kingsoft (update: 20200226, version: 2013.8.14.323): detected: False
Paloalto (update: 20200226, version: 1.0): detected: False
Trapmine (update: 20200123, version: 3.2.22.914): detected: False
AhnLab-V3 (update: 20200225, version: 3.17.1.26513): detected: False
Antiy-AVL (update: 20200225, version: 3.0.0.1): detected: False
Kaspersky (update: 20200225, version: 15.0.1.13): detected: False
MaxSecure (update: 20200225, version: 1.0.0.1): detected: False
Microsoft (update: 20200225, version: 1.1.16800.2): detected: False
Qihoo-360 (update: 20200226, version: 1.0.0.1120): detected: False
ZoneAlarm (update: 20200225, version: 1.0): detected: False
Cybereason (update: 20190616, version: 1.2.449): detected: False
ESET-NOD32 (update: 20200225, version: 20900): detected: False
TrendMicro (update: 20200225, version: 11.0.0.1006): detected: False
BitDefender (update: 20200225, version: 7.2): detected: False
CrowdStrike (update: 20190702, version: 1.0): detected: False
K7AntiVirus (update: 20200225, version: 11.96.33379): detected: False
SentinelOne (update: 20200220, version: 2.0.0.2603): detected: False
Avast-Mobile (update: 20200225, version: 200225-00): detected: False
Malwarebytes (update: 20200225, version: 3.6.4.335): detected: False
CAT-QuickHeal (update: 20200225, version: 14.00): detected: False
NANO-Antivirus (update: 20200225, version: 1.0.134.25032): detected: False
BitDefenderTheta (update: 20200211, version: 7.2.37796.0): detected: False
MicroWorld-eScan (update: 20200225, version: 14.0.409.0): detected: False
SUPERAntiSpyware (update: 20200221, version: 5.6.0.1032): detected: False
McAfee-GW-Edition (update: 20200225, version: v2017.3010): detected: False
TrendMicro-HouseCall (update: 20200225, version: 10.0.0.1040): detected: False

total: 68
sha256: ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f
scan_id: ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f-1582672117
resource: a51d90f2f9394f5ea0a3acae3bd2b219
permalink: https://www.virustotal.com/file/ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f/analysis/1582672117/
positives: 0
scan_date: 2020-02-25 23:08:37
verbose_msg: Scan finished, information embedded
response_code: 1

File Trace

Process Trace

Analysis
  Reason: Blue Screen
  Status: Execution Failed
  Results: 0

Registry Trace

File Summary
  Created Identified: False
  Deleted Identified: False

Process Summary
  Created Identified: False
  Deleted Identified: False

Registry Summary
  Proxy Identified: False
  AutoRun Identified: False
  Created Identified: False
  Deleted Identified: False
  Browsers Identified: False
  Internet Identified: False

Network

DNS (Query / Response)
TCP (Info)
UDP (Info)
HTTP (Info)

Summary
  DNS: False
  TCP: False
  UDP: False
  HTTP: False

Results

BINARY

KNN (K=3, NFS-BRMalware): confidence: 100.00%; suspicious: False
Decision Tree (NFS-BRMalware): confidence: 100.00%; suspicious: False
SVC (Kernel=Linear, NFS-BRMalware): confidence: 71.54%; suspicious: False
MalConv (Ember: Raw Bytes, Threshold=0.5): confidence: 98.84%; suspicious: True
Random Forest (100 estimators, NFS-BRMalware): confidence: 50.00%; suspicious: False
Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35): confidence: 62.91%; suspicious: True
LightGDM (Ember: File Characteristics, Threshold=0.8336): confidence: 100.00%; suspicious: False
