Analysis

Category: FILE
Package: exe
Started: 2020-02-14 13:36:48
Completed: 2020-02-14 13:37:57
Duration: 69 seconds

Options:
route = inetsim
procdump = 1

Log:
2020-02-14 14:37:02,015 [root] INFO: Date set to: 02-14-20, time set to: 13:37:02, timeout set to: 200
2020-02-14 14:37:02,046 [root] DEBUG: Starting analyzer from: C:\pfjdlpdfqz
2020-02-14 14:37:02,046 [root] DEBUG: Storing results at: C:\fNRzOFvR
2020-02-14 14:37:02,046 [root] DEBUG: Pipe server name: \\.\PIPE\SpGicbp
2020-02-14 14:37:02,046 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-02-14 14:37:02,046 [root] INFO: Automatically selected analysis package "exe"
2020-02-14 14:37:27,828 [root] DEBUG: Started auxiliary module Browser
2020-02-14 14:37:27,842 [root] DEBUG: Started auxiliary module Curtain
2020-02-14 14:37:27,842 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-02-14 14:37:28,390 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-02-14 14:37:28,390 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-02-14 14:37:28,390 [root] DEBUG: Started auxiliary module DigiSig
2020-02-14 14:37:28,405 [root] DEBUG: Started auxiliary module Disguise
2020-02-14 14:37:28,405 [root] DEBUG: Started auxiliary module Human
2020-02-14 14:37:28,405 [root] DEBUG: Started auxiliary module Screenshots
2020-02-14 14:37:28,405 [root] DEBUG: Started auxiliary module Sysmon
2020-02-14 14:37:28,405 [root] DEBUG: Started auxiliary module Usage
2020-02-14 14:37:28,405 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-02-14 14:37:28,405 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-02-14 14:37:28,655 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\BITE15F.tmp" with arguments "" with pid 2180
2020-02-14 14:37:28,953 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-02-14 14:37:28,953 [lib.api.process] INFO: 32-bit DLL to inject is C:\pfjdlpdfqz\dll\Xlyvenp.dll, loader C:\pfjdlpdfqz\bin\EjleMsS.exe
2020-02-14 14:37:31,546 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\SpGicbp.
2020-02-14 14:37:31,687 [root] DEBUG: Loader: Injecting process 2180 (thread 316) with C:\pfjdlpdfqz\dll\Xlyvenp.dll.
2020-02-14 14:37:31,812 [root] DEBUG: Process image base: 0x00400000
2020-02-14 14:37:31,905 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pfjdlpdfqz\dll\Xlyvenp.dll.
2020-02-14 14:37:32,062 [root] DEBUG: InjectDllViaIAT: Blank import descriptor, aborting IAT patch.
2020-02-14 14:37:32,125 [root] DEBUG: Successfully injected DLL C:\pfjdlpdfqz\dll\Xlyvenp.dll.
2020-02-14 14:37:32,453 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2180
2020-02-14 14:37:34,515 [lib.api.process] INFO: Successfully resumed process with pid 2180
2020-02-14 14:37:34,515 [root] INFO: Added new process to list with pid: 2180
2020-02-14 14:37:40,530 [root] INFO: Process with pid 2180 has terminated
2020-02-14 14:37:45,546 [root] INFO: Process list is empty, terminating analysis.
2020-02-14 14:37:46,546 [root] INFO: Created shutdown mutex.
2020-02-14 14:37:47,546 [root] INFO: Shutting down package.
2020-02-14 14:37:47,546 [root] INFO: Stopping auxiliary modules.
2020-02-14 14:37:47,562 [root] INFO: Finishing auxiliary modules.
2020-02-14 14:37:47,562 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-02-14 14:37:47,562 [root] WARNING: File at path "C:\fNRzOFvR\debugger" does not exist, skip.
2020-02-14 14:37:47,562 [root] INFO: Analysis completed.

MalScore

7.35

Malicious

Machine

Name: win7_2
Label: win7_2
Manager: KVM
Started On: 2020-02-14 13:36:48
Shutdown On: 2020-02-14 13:37:55

File Details

File Name BITE15F.tmp
File Size 405248 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 57f65f9ccec082085a95a163aa19d350
SHA1 fa5f24cdb55e2baec33b217e0fa2415d30d95562
SHA256 1fa8288705476766f0ffccb4a243a8917631022ea4de440d1944bb031f9e9a84
SHA512 d31db1757c08dfe157e4f90f11e571201f5eee91b49a16c7adf899f29ea92e022d6209428b7d58d07618ac3361460c6e81d63f505a3255611b429ce692183acb
CRC32 8C8DC8D7
Ssdeep 96:Bs38nyX8xrNC1ywlgwJgnwqavg1Dxc0QFLoghPGjY+tD0OBsB:b90WwKnwBv8DxcHkgiY+tDHBs
TrID None matched
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

File has been identified by 9 Antiviruses on VirusTotal as malicious
Cylance: Unsafe
BitDefenderTheta: Gen:[email protected]
F-Prot: W32/S-0286e422!Eldorado
Rising: Malware.Heuristic!ET#99% (RDMK:cmRtazrgNwVl6jQoVBDVfctaV5Nr)
Endgame: malicious (high confidence)
Cyren: W32/S-0286e422!Eldorado
ALYac: Gen:Variant.Graftor.708539
Fortinet: W32/Graftor.CAF4!tr
Qihoo-360: HEUR/QVM20.1.3E35.Malware.Gen
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary contains an unknown PE section name indicative of packing
unknown section: name: .00cfg, entropy: 0.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00000200, virtual_size: 0x00000004
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header

Hosts

Direct  IP       Country Name
Y       1.1.1.1  Australia

DNS

No domains contacted.


Summary

PE Information

Image Base 0x00400000
Entry Point 0x00401000
Reported Checksum 0x0006fc5e
Actual Checksum 0x00071115
Minimum OS Version 5.1
Compile Time 2020-02-13 01:08:07

Sections

Name    Virtual Address  Virtual Size  Size of Raw Data  Characteristics                                                              Entropy
.text   0x00001000       0x0000283e    0x00002a00        IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ                  3.56
.rdata  0x00004000       0x00001041    0x00001200        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                            0.00
.data   0x00006000       0x00000068    0x00000200        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE        0.00
.00cfg  0x00007000       0x00000004    0x00000200        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                            0.00
.rsrc   0x00008000       0x0005a770    0x0005a800        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                            0.00
.reloc  0x00063000       0x00000298    0x00000400        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ  0.00

Overlay

Offset 0x0005f000
Size 0x00003f00


Full Results

VirusTotal Signature
Bkav Clean
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal Clean
Qihoo-360 HEUR/QVM20.1.3E35.Malware.Gen
McAfee Clean
Cylance Unsafe
VIPRE Clean
AegisLab Clean
Sangfor Clean
K7AntiVirus Clean
BitDefender Clean
K7GW Clean
Cybereason Clean
TrendMicro Clean
BitDefenderTheta Gen:[email protected]
F-Prot W32/S-0286e422!Eldorado
Symantec Clean
ESET-NOD32 Clean
Baidu Clean
TrendMicro-HouseCall Clean
Paloalto Clean
ClamAV Clean
Kaspersky Clean
Alibaba Clean
NANO-Antivirus Clean
SUPERAntiSpyware Clean
Tencent Clean
Endgame malicious (high confidence)
Emsisoft Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
Zillya Clean
Invincea Clean
McAfee-GW-Edition Clean
SentinelOne Clean
Trapmine Clean
FireEye Clean
Sophos Clean
APEX Clean
Cyren W32/S-0286e422!Eldorado
Jiangmin Clean
Webroot Clean
Avira Clean
Antiy-AVL Clean
Kingsoft Clean
Microsoft Clean
Arcabit Clean
ViRobot Clean
ZoneAlarm Clean
Avast-Mobile Clean
GData Clean
TACHYON Clean
AhnLab-V3 Clean
Acronis Clean
VBA32 Clean
ALYac Gen:Variant.Graftor.708539
MAX Clean
Ad-Aware Clean
Panda Clean
Zoner Clean
Rising Malware.Heuristic!ET#99% (RDMK:cmRtazrgNwVl6jQoVBDVfctaV5Nr)
Yandex Clean
Ikarus Clean
eGambit Clean
Fortinet W32/Graftor.CAF4!tr
AVG Clean
Avast Clean
CrowdStrike Clean
MaxSecure Clean

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.2 51142 1.1.1.1 53
192.168.1.2 51584 1.1.1.1 53
192.168.1.2 51997 1.1.1.1 53
192.168.1.2 64163 1.1.1.1 53
192.168.1.2 138 192.168.1.255 138

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

Timestamp: 2020-02-14 13:37:44.666
Source: 192.168.1.2:49167
Destination: 192.0.2.123:443
Subject: CN=localhost
Issuer: (empty in report)
Fingerprint: a6:44:d8:14:40:2b:de:72:ea:9b:93:d1:5c:49:a9:20:4f:f9:21:0e
Version: TLSv1

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.2 49167 192.0.2.123 443 26b795b92394b98210b2495089be3a26 unknown
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.

Defense Evasion
  • T1045 - Software Packing
    • Signature - packer_unknown_pe_section_name

    Processing ( 6.398 seconds )

    • 5.026 Suricata
    • 0.521 Static
    • 0.312 peid
    • 0.307 VirusTotal
    • 0.084 NetworkAnalysis
    • 0.048 Deduplicate
    • 0.039 CAPE
    • 0.038 TargetInfo
    • 0.011 BehaviorAnalysis
    • 0.009 AnalysisInfo
    • 0.002 Debug
    • 0.001 Strings

    Signatures ( 0.024 seconds )

    • 0.005 ransomware_files
    • 0.004 antiav_detectreg
    • 0.002 persistence_autorun
    • 0.002 antiav_detectfile
    • 0.002 infostealer_ftp
    • 0.002 ransomware_extensions
    • 0.001 antianalysis_detectfile
    • 0.001 antianalysis_detectreg
    • 0.001 browser_security
    • 0.001 disables_browser_warn
    • 0.001 infostealer_bitcoin
    • 0.001 infostealer_im
    • 0.001 infostealer_mail

    Reporting ( 0.7 seconds )

    • 0.637 BinGraph
    • 0.029 MaecReport
    • 0.025 MITRE_TTPS
    • 0.009 JsonDump
    Task ID 12802
    Mongo ID 5e46a2c071fb3667b8667291
    Cuckoo release 1.3-CAPE