Analysis

Category FILE
Package exe
Started 2020-05-23 00:17:21
Completed 2020-05-23 00:23:17
Duration 356 seconds
2020-05-13 09:31:04,610 [root] INFO: Date set to: 20200523T00:10:47, timeout set to: 200
2020-05-23 00:10:47,093 [root] DEBUG: Starting analyzer from: C:\tmplodztmkc
2020-05-23 00:10:47,109 [root] DEBUG: Storing results at: C:\WJwLMqznTe
2020-05-23 00:10:47,109 [root] DEBUG: Pipe server name: \\.\PIPE\FbEhPOky
2020-05-23 00:10:47,109 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-05-23 00:10:47,109 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-05-23 00:10:47,109 [root] INFO: Automatically selected analysis package "exe"
2020-05-23 00:10:47,109 [root] DEBUG: Trying to import analysis package "exe"...
2020-05-23 00:10:47,125 [root] DEBUG: Imported analysis package "exe".
2020-05-23 00:10:47,125 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-05-23 00:10:47,125 [root] DEBUG: Initialized analysis package "exe".
2020-05-23 00:10:47,609 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-05-23 00:10:47,609 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-05-23 00:10:47,609 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-05-23 00:10:48,031 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-05-23 00:10:48,031 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-05-23 00:10:48,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-05-23 00:10:48,062 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-05-23 00:10:48,078 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-05-23 00:10:48,078 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-05-23 00:10:48,093 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-05-23 00:10:48,093 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-05-23 00:10:48,093 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-05-23 00:10:48,093 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-05-23 00:10:48,125 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-05-23 00:10:48,125 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-05-23 00:10:48,125 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-05-23 00:10:48,125 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-05-23 00:10:48,125 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-05-23 00:10:48,125 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-05-23 00:10:48,218 [lib.api.screenshot] DEBUG: Importing 'math'
2020-05-23 00:10:48,218 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-05-23 00:10:51,015 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-05-23 00:10:51,046 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-05-23 00:10:51,140 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-05-23 00:10:51,140 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-05-23 00:10:51,140 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-05-23 00:10:51,140 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-05-23 00:10:51,140 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-05-23 00:10:51,171 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-05-23 00:10:51,171 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-05-23 00:10:51,171 [root] DEBUG: Initialized auxiliary module "Browser".
2020-05-23 00:10:51,171 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-05-23 00:10:51,187 [root] DEBUG: Started auxiliary module Browser
2020-05-23 00:10:51,187 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-05-23 00:10:51,187 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-05-23 00:10:51,187 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-05-23 00:10:51,187 [root] DEBUG: Started auxiliary module Curtain
2020-05-23 00:10:51,187 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-05-23 00:10:51,187 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-05-23 00:10:51,187 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-05-23 00:10:51,187 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-05-23 00:11:06,484 [modules.auxiliary.digisig] DEBUG: File has an invalid signature.
2020-05-23 00:11:06,484 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-05-23 00:11:06,500 [root] DEBUG: Started auxiliary module DigiSig
2020-05-23 00:11:06,500 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-05-23 00:11:06,500 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-05-23 00:11:06,500 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-05-23 00:11:06,531 [root] DEBUG: Started auxiliary module Disguise
2020-05-23 00:11:06,531 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-05-23 00:11:06,546 [root] DEBUG: Initialized auxiliary module "Human".
2020-05-23 00:11:06,546 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-05-23 00:11:06,546 [root] DEBUG: Started auxiliary module Human
2020-05-23 00:11:06,546 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-05-23 00:11:06,562 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-05-23 00:11:06,562 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-05-23 00:11:06,562 [root] DEBUG: Started auxiliary module Procmon
2020-05-23 00:11:06,562 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-05-23 00:11:06,562 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-05-23 00:11:06,562 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-05-23 00:11:06,562 [root] DEBUG: Started auxiliary module Screenshots
2020-05-23 00:11:06,562 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-05-23 00:11:06,562 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-05-23 00:11:06,562 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-05-23 00:11:06,578 [root] DEBUG: Started auxiliary module Sysmon
2020-05-23 00:11:06,578 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-05-23 00:11:06,578 [root] DEBUG: Initialized auxiliary module "Usage".
2020-05-23 00:11:06,578 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-05-23 00:11:06,578 [root] DEBUG: Started auxiliary module Usage
2020-05-23 00:11:06,578 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-05-23 00:11:06,578 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-05-23 00:11:06,578 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-05-23 00:11:06,578 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-05-23 00:11:06,656 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\file.exe" with arguments "" with pid 4804
2020-05-23 00:11:06,656 [lib.api.process] INFO: Monitor config for process 4804: C:\tmplodztmkc\dll\4804.ini
2020-05-23 00:11:06,671 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\QjUsDo.dll, loader C:\tmplodztmkc\bin\aNMKihQ.exe
2020-05-23 00:11:06,734 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\FbEhPOky.
2020-05-23 00:11:06,734 [root] DEBUG: Loader: Injecting process 4804 (thread 4720) with C:\tmplodztmkc\dll\QjUsDo.dll.
2020-05-23 00:11:06,734 [root] DEBUG: Error 2 (0x2) - Loader: Failed to call named pipe \\.\PIPE\FbEhPOky: The system cannot find the file specified.
2020-05-23 00:11:06,734 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\QjUsDo.dll.
2020-05-23 00:11:06,734 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-05-23 00:11:06,750 [root] DEBUG: Error 2 (0x2) - Loader: Failed to call named pipe \\.\PIPE\FbEhPOky: The system cannot find the file specified.
2020-05-23 00:11:06,750 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4804
2020-05-23 00:11:08,750 [lib.api.process] INFO: Successfully resumed process with pid 4804
2020-05-23 00:11:08,843 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-05-23 00:11:08,843 [root] DEBUG: Dropped file limit defaulting to 100.
2020-05-23 00:11:08,859 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-05-23 00:11:08,875 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4804 at 0x70e90000, image base 0x400000, stack from 0x286000-0x290000
2020-05-23 00:11:08,875 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\file.exe".
2020-05-23 00:11:08,937 [root] INFO: Disabling sleep skipping.
2020-05-23 00:11:08,937 [root] INFO: Disabling sleep skipping.
2020-05-23 00:14:28,750 [root] INFO: Analysis timeout hit, terminating analysis.
2020-05-23 00:14:28,750 [lib.api.process] INFO: Terminate event set for process 4804
2020-05-23 00:14:28,750 [root] DEBUG: Terminate Event: Attempting to dump process 4804
2020-05-23 00:14:28,750 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-05-23 00:14:28,750 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-05-23 00:14:28,750 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-05-23 00:14:28,765 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001160.
2020-05-23 00:14:28,765 [root] INFO: b'C:\\WJwLMqznTe\\CAPE\\4804_13617951022814623652020|4804|0;?C:\\Users\\Louise\\AppData\\Local\\Temp\\file.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\file.exe;?'
2020-05-23 00:14:28,765 [root] INFO: cape
2020-05-23 00:14:28,781 [root] INFO: ('dump_file', 'C:\\WJwLMqznTe\\CAPE\\4804_13617951022814623652020', b'0;?C:\\Users\\Louise\\AppData\\Local\\Temp\\file.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\file.exe;?', ['4804'], 'procdump')
2020-05-23 00:14:28,796 [root] INFO: ('dump_file', 'C:\\WJwLMqznTe\\CAPE\\4804_13617951022814623652020', '', False, 'files')
2020-05-23 00:14:28,796 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x7e00.
2020-05-23 00:14:28,812 [lib.api.process] INFO: Termination confirmed for process 4804
2020-05-23 00:14:28,812 [root] INFO: Terminate event set for process 4804.
2020-05-23 00:14:28,812 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 4804
2020-05-23 00:14:28,812 [root] INFO: Created shutdown mutex.
2020-05-23 00:14:29,812 [root] INFO: Shutting down package.
2020-05-23 00:14:29,812 [root] INFO: Stopping auxiliary modules.
2020-05-23 00:14:29,937 [lib.common.results] WARNING: File C:\WJwLMqznTe\bin\procmon.xml doesn't exist anymore
2020-05-23 00:14:29,937 [root] INFO: Finishing auxiliary modules.
2020-05-23 00:14:29,937 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-05-23 00:14:29,937 [root] WARNING: Folder at path "C:\WJwLMqznTe\debugger" does not exist, skip.
2020-05-23 00:14:29,937 [root] INFO: Analysis completed.

Machine

Name win7x64_4
Label win7x64_8
Manager KVM
Started On 2020-05-23 00:17:21
Shutdown On 2020-05-23 00:23:17

File Details

File Name file
File Size 44728 bytes
File Type PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
PE timestamp 2010-12-20 11:38:55
MD5 168be24eecde5abae2c0b157b7d59ff6
SHA1 751a9cbffec28b22105cdcaf073a371de255f176
SHA256 975b3f17c4e06136f5d0f3db074bea78326a6d8ffbf0c7971056845a3daa7ffb
SHA512 25d34942fb69817ede7cf120e537dca8b752a4b40874fa1ebeb3209413a40b09b563fdf1d1c5779e8c64bbc66bc2aa84162d5c402371d7f77f6a451a01f48d59
CRC32 CCDAA7B0
Ssdeep 768:uyMPVzXjrEX3wVdvEs/immkrYKocNeZxireZxiq:vMPdrEGdvfamnnTNePirePiq

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Presents an Authenticode digital signature
md5_fingerprint: 2d6c7daaa332f680bd2f8b367bc91985
sha1_fingerprint: 745eac99e03232763f98fb6099f575dfc7bdfaa3
sha256_fingerprint: 7844bfab38a6bcdab858f0f2ab389fa0f20d1bf7cc878a9d754285432cc433d0
serial_number: 256320681369938449024579388848354989876
not_before: 2017-05-10T00:00:00
not_after: 2020-05-09T23:59:59
subject_countryName: TR
subject_postalCode: 34394
subject_stateOrProvinceName: TURKEY
subject_localityName: Istanbul (Europe)
subject_streetAddress: PROPA PLAZA KAT:8, 4­6 ESENTEPE MAHALLESI
subject_organizationName: NFINITY GAMES BILISIM ANONIM SIRKET
subject_commonName: NFINITY GAMES BILISIM ANONIM SIRKET
issuer_countryName: GB
issuer_stateOrProvinceName: Greater Manchester
issuer_localityName: Salford
issuer_organizationName: COMODO CA Limited
issuer_commonName: COMODO RSA Code Signing CA
extensions_authorityKeyIdentifier: b'KZFg/4pN+uv5pmq4z/nmS71JzhI='
extensions_subjectKeyIdentifier: b'aSR0eeM2IcSuGPLwG1akWKyMXac='
extensions_certificatePolicies_0: https://secure.comodo.net/CPS
extensions_cRLDistributionPoints_0: http://crl.comodoca.com/COMODORSACodeSigningCA.crl
extensions_authorityInfoAccess_caIssuers: http://crt.comodoca.com/COMODORSACodeSigningCA.crt
extensions_authorityInfoAccess_OCSP: http://ocsp.comodoca.com
extensions_subjectAltName_0: [email protected]
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Authenticode signature is invalid
authenticode error: WinVerifyTrust returned error: 0x800B0101 A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. SignTool Error: File not valid: C:\Users\Louise\AppData\Local\Temp\file
File has been identified by 36 Antiviruses on VirusTotal as malicious
Bkav: W32.RatND.Spyware
DrWeb: Tool.Netcat.395
CAT-QuickHeal: HackTool.Netcat.E1
McAfee: NetCat
Zillya: Adware.BrowseFox.Win32.194079
Alibaba: Trojan:Win32/Shelma.b7ea243b
K7GW: Hacktool ( 000047b11 )
K7AntiVirus: Hacktool ( 000047b11 )
Invincea: heuristic
Symantec: NetCat
ESET-NOD32: a variant of Win32/RemoteAdmin.NetCat.AM potentially unsafe
Paloalto: generic.ml
NANO-Antivirus: Riskware.Win32.Netcat.ebbxjp
Sophos: Generic PUA HF (PUA)
TrendMicro: TROJ_FRS.0NA103EL20
McAfee-GW-Edition: NetCat
FireEye: Generic.mg.168be24eecde5aba
Jiangmin: RemoteAdmin.NetCat.s
Antiy-AVL: Trojan/Win32.SGeneric
Microsoft: Trojan:Win32/Casdet!rfn
Endgame: malicious (high confidence)
AegisLab: Trojan.Win32.Shelma.4!c
GData: Win32.Application.Agent.N215CZ
MAX: malware (ai score=60)
VBA32: Trojan.Shelma
Cylance: Unsafe
TrendMicro-HouseCall: TROJ_FRS.0NA103EL20
Tencent: Win32.Trojan.Shelma.Dygx
Yandex: Riskware.RemoteAdmin!
Ikarus: PUA.Tool
Fortinet: Riskware/RemoteAdmin_NetCat
Webroot: Pua.Remoteadmin.Netcat
AVG: FileRepMalware
Panda: Trj/CI.A
Qihoo-360: Win32/Trojan.da3

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 1.1.1.1 [VT] Australia

DNS

No domains contacted.


Summary

PE Information

Image Base 0x00400000
Entry Point 0x00401160
Reported Checksum 0x00013060
Actual Checksum 0x00013060
Minimum OS Version 4.0
Compile Time 2010-12-20 11:38:55
Import Hash 98ce7b6533cbd67993e36dafb4e95946

Digital Signers

Certificate Common Name NFINITY GAMES BILISIM ANONIM SIRKET
Subject Organization Name NFINITY GAMES BILISIM ANONIM SIRKET
Subject Organization Unit Name
Subject Street Address PROPA PLAZA KAT:8, 4­6 ESENTEPE MAHALLESI
Subject Locality Istanbul (Europe)
Subject State or Province TURKEY
Subject Postal Code 34394
Subject Country TR
Issuer Common Name COMODO RSA Code Signing CA
Issuer Organization Name COMODO CA Limited
Issuer Organization Unit Name
Issuer Locality Salford
Issuer State or Province Greater Manchester
Issuer Country GB
Serial Number 256320681369938449024579388848354989876
SHA256 Fingerprint 7844bfab38a6bcdab858f0f2ab389fa0f20d1bf7cc878a9d754285432cc433d0
SHA1 Fingerprint 745eac99e03232763f98fb6099f575dfc7bdfaa3
MD5 Fingerprint 2d6c7daaa332f680bd2f8b367bc91985
Not valid before 2017-05-10T00:00:00
Not valid after 2020-05-09T23:59:59

Microsoft Certificate Validation (Sign Tool)

SHA1 None
Timestamp None
Valid No
Error WinVerifyTrust returned error: 0x800B0101 A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. SignTool Error: File not valid: C:\Users\Louise\AppData\Local\Temp\file
Chain Certificate Chain 1
Issued to AddTrust External CA Root
Issued by AddTrust External CA Root
Expires 5/30/2020 4:48:38 AM
SHA1 Hash 02faf3e291435468607857694df5e45b68851868
Chain Certificate Chain 2
Issued to COMODO RSA Certification Authority
Issued by AddTrust External CA Root
Expires 5/30/2020 4:48:38 AM
SHA1 Hash f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0
Chain Certificate Chain 3
Issued to COMODO RSA Code Signing CA
Issued by COMODO RSA Certification Authority
Expires 5/8/2028 5:59:59 PM
SHA1 Hash b69e752bbe88b4458200a7c0f4f5b3cce6f35b47
Chain Certificate Chain 4
Issued to NFINITY GAMES BILISIM ANONIM SIRKET
Issued by COMODO RSA Code Signing CA
Expires 5/9/2020 5:59:59 PM
SHA1 Hash 745eac99e03232763f98fb6099f575dfc7bdfaa3
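
Why the signature fails: the signer certificate's validity window ended on 2020-05-09, the run took place on 2020-05-23 (the analyzer log sets the guest clock to 20200523T00:10:47), and the SignTool output shows no timestamp countersignature. WinVerifyTrust therefore evaluates the chain against the current clock and returns CERT_E_EXPIRED (0x800B0101); had the signature carried a trusted RFC 3161 countersignature from inside the window it would still verify. The Python below is an added example, not CAPE's digisig module or SignTool. It models only the validity-period rule (no revocation, no check of the timestamp chain itself, no lifetime-signing EKU), reads the chain's dates from the ASN.1 UTCTime strings visible in the strings dump (pairing those strings with the certificates is my reading of that dump), and treats the guest clock as UTC.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def parse_utctime(s: str) -> datetime:
    """Decode an ASN.1 UTCTime such as '200509235959Z' (YYMMDDhhmmssZ).
    X.509 maps two-digit years 00-49 to 20xx and 50-99 to 19xx."""
    if len(s) != 13 or not s.endswith("Z"):
        raise ValueError(f"not a UTCTime: {s!r}")
    yy = int(s[0:2])
    year = 2000 + yy if yy < 50 else 1900 + yy
    return datetime(year, int(s[2:4]), int(s[4:6]),
                    int(s[6:8]), int(s[8:10]), int(s[10:12]),
                    tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after


# Chain as listed in the report, leaf first. The UTCTime strings are the ones
# that appear in the file's strings dump; which one belongs to which certificate
# is my reading of that dump, not something the report states explicitly.
CHAIN: List[Cert] = [
    Cert("NFINITY GAMES BILISIM ANONIM SIRKET",
         parse_utctime("170510000000Z"), parse_utctime("200509235959Z")),
    Cert("COMODO RSA Code Signing CA",
         parse_utctime("130509000000Z"), parse_utctime("280508235959Z")),
    Cert("COMODO RSA Certification Authority (cross-signed by AddTrust)",
         parse_utctime("000530104838Z"), parse_utctime("200530104838Z")),
    Cert("AddTrust External CA Root",
         parse_utctime("000530104838Z"), parse_utctime("200530104838Z")),
]

# Guest clock from the analyzer log ("Date set to: 20200523T00:10:47"), assumed UTC.
ANALYSIS_TIME = datetime(2020, 5, 23, 0, 10, 47, tzinfo=timezone.utc)


def authenticode_verdict(chain: List[Cert], verify_time: datetime,
                         countersign_time: Optional[datetime] = None) -> Tuple[bool, str]:
    """Validity-period part of the WinVerifyTrust decision, simplified.

    Without a timestamp countersignature every certificate in the chain must be
    valid at verify_time, so an expired signer fails with CERT_E_EXPIRED
    (0x800B0101). With a trusted countersignature the chain is instead checked
    at the time the countersignature asserts, which is why a signature made
    while the certificate was valid keeps verifying after the certificate expires.
    """
    check_time = countersign_time if countersign_time is not None else verify_time
    basis = "countersignature time" if countersign_time is not None else "current clock"
    for cert in chain:
        if not cert.valid_at(check_time):
            return False, (f"0x800B0101 CERT_E_EXPIRED: {cert.subject} not valid at "
                           f"{check_time:%Y-%m-%d %H:%M:%S}Z ({basis})")
    return True, f"chain valid at {check_time:%Y-%m-%d %H:%M:%S}Z ({basis})"


if __name__ == "__main__":
    # The report's situation: expired signer, no countersignature.
    print(authenticode_verdict(CHAIN, ANALYSIS_TIME))
    # Same file with a (hypothetical) countersignature from early 2019.
    print(authenticode_verdict(CHAIN, ANALYSIS_TIME,
                               countersign_time=parse_utctime("190101000000Z")))
```

Note that the AddTrust External CA Root and the cross-signed COMODO RSA Certification Authority both expire on 2020-05-30, one week after this run; from that date even a countersigned chain built through AddTrust needs the self-signed COMODO root (or a different cross-certificate) to verify, which the model above does not attempt.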

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x00005234 0x00005400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_16BYTES 5.79
.data 0x00005800 0x00007000 0x0000005c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 1.18
.rdata 0x00005a00 0x00008000 0x00001050 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_4BYTES 4.97
.bss 0x00000000 0x0000a000 0x0000019c 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_32BYTES 0.00
.idata 0x00006c00 0x0000b000 0x00000b50 0x00000c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 4.65
.CRT 0x00007800 0x0000c000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 0.11
.tls 0x00007a00 0x0000d000 0x00000020 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 0.22

Overlay

Offset 0x00007c00
Size 0x000032b8

Imports

0x40b228 CloseHandle
0x40b22c CreatePipe
0x40b230 CreateProcessA
0x40b234 CreateThread
0x40b23c DisconnectNamedPipe
0x40b240 DuplicateHandle
0x40b248 ExitProcess
0x40b24c ExitThread
0x40b250 FreeConsole
0x40b254 FreeLibrary
0x40b258 GetCurrentProcess
0x40b25c GetLastError
0x40b260 GetModuleHandleA
0x40b264 GetProcAddress
0x40b268 GetStdHandle
0x40b274 LoadLibraryA
0x40b278 PeekNamedPipe
0x40b27c ReadFile
0x40b284 Sleep
0x40b288 TerminateProcess
0x40b28c TerminateThread
0x40b290 TlsGetValue
0x40b294 VirtualProtect
0x40b298 VirtualQuery
0x40b2a0 WriteFile
0x40b2a8 _close
0x40b2ac _dup
0x40b2b0 _itoa
0x40b2b4 _kbhit
0x40b2b8 _open
0x40b2bc _read
0x40b2c0 _strcmpi
0x40b2c4 _strnicmp
0x40b2c8 _write
0x40b2d0 __getmainargs
0x40b2d4 __p__environ
0x40b2d8 __p__fmode
0x40b2dc __set_app_type
0x40b2e0 _cexit
0x40b2e4 _errno
0x40b2e8 _iob
0x40b2ec _isatty
0x40b2f0 _onexit
0x40b2f4 _setjmp
0x40b2f8 _setmode
0x40b2fc _sleep
0x40b300 _winmajor
0x40b304 abort
0x40b308 atexit
0x40b30c atoi
0x40b310 calloc
0x40b314 exit
0x40b318 fflush
0x40b31c fprintf
0x40b320 fputc
0x40b324 free
0x40b328 fwrite
0x40b32c getenv
0x40b330 gets
0x40b334 longjmp
0x40b338 malloc
0x40b33c memcmp
0x40b340 memcpy
0x40b344 memset
0x40b348 rand
0x40b34c signal
0x40b350 sprintf
0x40b354 srand
0x40b358 strcat
0x40b35c strchr
0x40b360 strcmp
0x40b364 strcpy
0x40b368 strlen
0x40b36c strncmp
0x40b370 strncpy
0x40b374 time
0x40b378 vfprintf
0x40b380 WSACleanup
0x40b384 WSAGetLastError
0x40b388 WSASetLastError
0x40b38c WSAStartup
0x40b390 __WSAFDIsSet
0x40b394 accept
0x40b398 bind
0x40b39c closesocket
0x40b3a0 connect
0x40b3a4 gethostbyaddr
0x40b3a8 gethostbyname
0x40b3ac getservbyname
0x40b3b0 getservbyport
0x40b3b4 getsockname
0x40b3b8 htons
0x40b3bc inet_addr
0x40b3c0 inet_ntoa
0x40b3c4 listen
0x40b3c8 ntohs
0x40b3cc recv
0x40b3d0 recvfrom
0x40b3d4 select
0x40b3d8 send
0x40b3dc setsockopt
0x40b3e0 shutdown
0x40b3e4 socket

Strings

!This program cannot be run in DOS mode.
.text
P`.data
.rdata
.idata
<[^_]
(UNKNOWN)
sent %d, rcvd %d
0123456789abcdef
libgcj-11.dll
_Jv_RegisterClasses
POSIXLY_CORRECT
%s: option `%s' is ambiguous
%s: option `--%s' doesn't allow an argument
%s: option `%c%s' doesn't allow an argument
%s: option `%s' requires an argument
%s: unrecognized option `--%s'
%s: unrecognized option `%c%s'
%s: illegal option -- %c
%s: invalid option -- %c
%s: option requires an argument -- %c
Failed to create shell stdout pipe, error = %s
Failed to create shell stdin pipe, error = %s
Failed to execute shell
Failed to create ReadShell session thread, error = %s
WaitForMultipleObjects error: %s
Failed to execute shell, error = %s
SessionReadShellThreadFn exitted, error = %s
INTR
BADF
ACCES
FAULT
INVAL
MFILE
WOULDBLOCK
INPROGRESS
ALREADY
NOTSOCK
DESTADDRREQ
MSGSIZE
PROTOTYPE
NOPROTOOPT
PROTONOSUPPORT
SOCKTNOSUPPORT
OPNOTSUPP
PFNOSUPPORT
AFNOSUPPORT
ADDRINUSE
ADDRNOTAVAIL
NETDOWN
NETUNREACH
NETRESET
CONNABORTED
CONNRESET
NOBUFS
ISCONN
NOTCONN
SHUTDOWN
TOOMANYREFS
TIMEDOUT
connection refused
LOOP
NAMETOOLONG
HOSTDOWN
HOSTUNREACH
NOTEMPTY
PROCLIM
USERS
DQUOT
STALE
REMOTE
DISCON
SYSNOTREADY
VERNOTSUPPORTED
NOTINITIALISED
HOST_NOT_FOUND
TRY_AGAIN
NO_RECOVERY
NO_DATA
unknown socket error
punt!
spurious timer interrupt!
Hmalloc %d failed
DNS fwd/rev mismatch: %s != %s
gethostpoop fuxored
Can't parse %s as an IP address
%s: forward host lookup failed: h_errno %d
Warning: inverse host lookup failed for %s: h_errno %d
%s: inverse host lookup failed: h_errno %d
Warning: forward host lookup failed for %s: h_errno %d
Warning: port-bynum mismatch, %d != %d
loadports: no block?!
loadports: bogus values %d, %d
Can't get socket
nnetfd reuseaddr failed
retrying local %s:%d
Can't grab %s:%d with bind
Warning: source routing unavailable on this machine, ignoring
UDP listen needs -p arg
local listen fuxored
local getsockname failed
listening on [
] %d ...
post-rcv getsockname failed
invalid connection to [%s] from %s [%s] %d
connect to [%s] from %s [%s] %d
udptest first write failed?! errno %d
oprint called with no open fd?!
%8.8x
ofd write err
select fuxored
net timeout
Preposterous Pointers: %d, %d
too many output retries
Cmd line:
wrong
all-A-records NIY
invalid hop pointer %d, must be multiple of 4 <= 28
too many -g hops
invalid interval time %s
invalid local port %s
invalid wait-time %s
nc -h for help
ade:g:G:hi:lLno:p:rs:tuvw:z
can't open %s
invalid port %s
no connection
no destination
no port[s] to connect to
%s [%s] %d (%s) open
%s [%s] %d (%s)
sent %d, rcvd %d
[v1.11 NT www.vulnwatch.org/netcat/]
connect to somewhere:
nc [-options] hostname port[s] [ports] ...
listen for inbound:
nc -l -p port [options] [hostname] [port]
options:
detach from console, background mode
-e prog
inbound program to exec [dangerous!!]
-g gateway
source-routing hop point[s], up to 8
-G num
source-routing pointer: 4, 8, 12, ...
this cruft
-i secs
delay interval for lines sent, ports scanned
listen mode, for inbound connects
listen harder, re-listen on socket close
numeric-only IP addresses, no DNS
-o file
hex dump of traffic
-p port
local port number
randomize local and remote ports
-s addr
local source address
answer TELNET negotiation
UDP mode
verbose [use twice to be more verbose]
-w secs
timeout for connects and final net reads
zero-I/O mode [used for scanning]
port numbers can be individual or ranges: m-n [inclusive]
mingwm10.dll
__mingwthr_remove_key_dtor
__mingwthr_key_dtor
Mingw runtime failure:
VirtualQuery failed for %d bytes at address %p
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
CloseHandle
CreatePipe
CreateProcessA
CreateThread
DeleteCriticalSection
DisconnectNamedPipe
DuplicateHandle
EnterCriticalSection
ExitProcess
ExitThread
FreeConsole
FreeLibrary
GetCurrentProcess
GetLastError
GetModuleHandleA
GetProcAddress
GetStdHandle
InitializeCriticalSection
LeaveCriticalSection
LoadLibraryA
PeekNamedPipe
ReadFile
SetUnhandledExceptionFilter
Sleep
TerminateProcess
TerminateThread
TlsGetValue
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WriteFile
_close
_itoa
_kbhit
_open
_read
_strcmpi
_strnicmp
_write
__getmainargs
__p__environ
__p__fmode
__set_app_type
_cexit
_errno
_isatty
_onexit
_setjmp
_setmode
_sleep
_winmajor
abort
atexit
calloc
fflush
fprintf
fputc
fwrite
getenv
longjmp
malloc
memcmp
memcpy
memset
signal
sprintf
srand
strcat
strchr
strcmp
strcpy
strlen
strncmp
strncpy
vfprintf
WSACleanup
WSAGetLastError
WSASetLastError
WSAStartup
__WSAFDIsSet
accept
closesocket
connect
gethostbyaddr
gethostbyname
getservbyname
getservbyport
getsockname
htons
inet_addr
inet_ntoa
listen
ntohs
recvfrom
select
setsockopt
shutdown
socket
KERNEL32.dll
msvcrt.dll
msvcrt.dll
WSOCK32.DLL
Washington1
Redmond1
Microsoft Corporation1)0'
Microsoft Code Verification Root0
130815202630Z
230815203630Z0o1
AddTrust AB1&0$
AddTrust External TTP Network1"0
AddTrust External CA Root0
mA_rZq
N0L0J
Dhttp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
A07JW
:mlFK
zNjoD
O'y'=PsAL
C?FU&
AddTrust AB1&0$
AddTrust External TTP Network1"0
AddTrust External CA Root0
000530104838Z
200530104838Z0
Greater Manchester1
Salford1
COMODO CA Limited1+0)
"COMODO RSA Certification Authority0
HCgNr*
|3WA<
1\:jG
=0;09
3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
)0'0%
http://ocsp.usertrust.com0
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
170510000000Z
200509235959Z0
343941
TURKEY1
Istanbul (Europe)1
ZINCIRLIKUYU - SISLI1301
*PROPA PLAZA KAT:8, 4
6 ESENTEPE MAHALLESI1,0*
#NFINITY GAMES BILISIM ANONIM SIRKET1,0*
#NFINITY GAMES BILISIM ANONIM SIRKET0
OZ;G\e
?0=0;
https://secure.comodo.net/CPS0C
<0:08
2http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
h0f0>
2http://crt.comodoca.com/COMODORSACodeSigningCA.crt0$
http://ocsp.comodoca.com0
fT."jkEl
Greater Manchester1
Salford1
COMODO CA Limited1+0)
"COMODO RSA Certification Authority0
130509000000Z
280508235959Z0}1
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
:3FPs
E0C0A
;http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
e0c0;
/http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$
http://ocsp.comodoca.com0
SN20s
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA
www.tamgame.com 0
ShqMY
Washington1
Redmond1
Microsoft Corporation1)0'
Microsoft Code Verification Root0
130815202630Z
230815203630Z0o1
AddTrust AB1&0$
AddTrust External TTP Network1"0
AddTrust External CA Root0
mA_rZq
N0L0J
Dhttp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
A07JW
:mlFK
zNjoD
O'y'=PsAL
C?FU&
AddTrust AB1&0$
AddTrust External TTP Network1"0
AddTrust External CA Root0
000530104838Z
200530104838Z0
Greater Manchester1
Salford1
COMODO CA Limited1+0)
"COMODO RSA Certification Authority0
HCgNr*
|3WA<
1\:jG
=0;09
3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
)0'0%
http://ocsp.usertrust.com0
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
170510000000Z
200509235959Z0
343941
TURKEY1
Istanbul (Europe)1
ZINCIRLIKUYU - SISLI1301
*PROPA PLAZA KAT:8, 4
6 ESENTEPE MAHALLESI1,0*
#NFINITY GAMES BILISIM ANONIM SIRKET1,0*
#NFINITY GAMES BILISIM ANONIM SIRKET0
OZ;G\e
?0=0;
https://secure.comodo.net/CPS0C
<0:08
2http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
h0f0>
2http://crt.comodoca.com/COMODORSACodeSigningCA.crt0$
http://ocsp.comodoca.com0
fT."jkEl
Greater Manchester1
Salford1
COMODO CA Limited1+0)
"COMODO RSA Certification Authority0
130509000000Z
280508235959Z0}1
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
:3FPs
E0C0A
;http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
e0c0;
/http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$
http://ocsp.comodoca.com0
SN20s
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA
w5-.T
C]G]|
www.tamgame.com 0
+)VjH)
TAMGAME Ltd,
TAMGAME Ltd,
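
The strings above identify the binary: the banner "[v1.11 NT www.vulnwatch.org/netcat/]", the getopt optstring "ade:g:G:hi:lLno:p:rs:tuvw:z", the "-e prog" / "inbound program to exec [dangerous!!]" help lines and the "Failed to create shell stdin pipe" messages are all from the Windows port of netcat 1.11, and together they show the build has the -e (execute a program on connect) feature compiled in, which is what turns the tool into a bind or reverse shell. The Python below is an added example, not code from the page or from CAPE: it decodes the optstring the way getopt(3) does and derives that capability from it, run over a constructed subset of the strings listed above.

```python
import re
from typing import Dict, List, Optional

# Constructed subset of the strings shown above (enough to exercise the checks).
SAMPLE_STRINGS: List[str] = [
    "[v1.11 NT www.vulnwatch.org/netcat/]",
    "ade:g:G:hi:lLno:p:rs:tuvw:z",
    "inbound program to exec [dangerous!!]",
    "Failed to create shell stdin pipe, error = %s",
    "nc -l -p port [options] [hostname] [port]",
    "gethostpoop fuxored",
    "mingwm10.dll",
]

BANNER_RE = re.compile(r"\[v(\d+\.\d+) NT www\.vulnwatch\.org/netcat/\]")
# A getopt(3) optstring is a run of option letters, each optionally followed by ':'
OPTSTRING_RE = re.compile(r"^(?:[A-Za-z]:?)+$")


def parse_optstring(optstring: str) -> Dict[str, bool]:
    """Decode a getopt optstring into {flag: takes_argument}.
    'e:' means -e takes an argument; a bare letter is a boolean switch."""
    opts: Dict[str, bool] = {}
    i = 0
    while i < len(optstring):
        flag = optstring[i]
        takes_arg = i + 1 < len(optstring) and optstring[i + 1] == ":"
        opts[flag] = takes_arg
        i += 2 if takes_arg else 1
    return opts


def find_optstring(strings: List[str]) -> Optional[str]:
    """Pick the string that looks most like an optstring: only letters and
    colons, at least three options that take arguments."""
    candidates = [s for s in strings if OPTSTRING_RE.match(s) and s.count(":") >= 3]
    return max(candidates, key=len) if candidates else None


def classify_netcat(strings: List[str]) -> dict:
    """Identify the netcat build and whether its exec feature is present."""
    banner = next((m for m in map(BANNER_RE.search, strings) if m), None)
    optstring = find_optstring(strings)
    opts = parse_optstring(optstring) if optstring else {}
    has_exec_help = any("program to exec" in s for s in strings)
    has_shell_plumbing = any("shell stdin pipe" in s or "shell stdout pipe" in s
                             for s in strings)
    return {
        "is_netcat": banner is not None,
        "version": banner.group(1) if banner else None,
        "optstring": optstring,
        "options_with_arg": sorted(f for f, takes_arg in opts.items() if takes_arg),
        # -e taking an argument, corroborated by the help text or the shell-pipe
        # error strings, means the exec code path was compiled in.
        "exec_capable": bool(opts.get("e", False) and (has_exec_help or has_shell_plumbing)),
        "mingw_build": any(s.startswith("mingwm10.dll") for s in strings),
    }


if __name__ == "__main__":
    for key, value in classify_netcat(SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

The eight options the optstring marks as taking an argument (e, g, G, i, o, p, s, w) line up exactly with the "-e prog", "-g gateway", "-G num", "-i secs", "-o file", "-p port", "-s addr" and "-w secs" help lines above, which is a cheap way to confirm that the optstring and the help text come from the same build rather than from leftover data.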

Full Results

Engine Signature
Bkav W32.RatND.Spyware
DrWeb Tool.Netcat.395
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal HackTool.Netcat.E1
McAfee NetCat
Malwarebytes Clean
Zillya Adware.BrowseFox.Win32.194079
Sangfor Clean
CrowdStrike Clean
Alibaba Trojan:Win32/Shelma.b7ea243b
K7GW Hacktool ( 000047b11 )
K7AntiVirus Hacktool ( 000047b11 )
Invincea heuristic
BitDefenderTheta Clean
Cyren Clean
Symantec NetCat
ESET-NOD32 a variant of Win32/RemoteAdmin.NetCat.AM potentially unsafe
APEX Clean
Paloalto generic.ml
ClamAV Clean
Kaspersky Clean
BitDefender Clean
NANO-Antivirus Riskware.Win32.Netcat.ebbxjp
ViRobot Clean
SUPERAntiSpyware Clean
Avast Clean
Rising Clean
Ad-Aware Clean
Sophos Generic PUA HF (PUA)
Comodo [email protected]
F-Secure Clean
Baidu Clean
VIPRE Clean
TrendMicro TROJ_FRS.0NA103EL20
McAfee-GW-Edition NetCat
Trapmine Clean
FireEye Generic.mg.168be24eecde5aba
Emsisoft Clean
SentinelOne Clean
F-Prot Clean
Jiangmin RemoteAdmin.NetCat.s
eGambit Clean
Avira Clean
Antiy-AVL Trojan/Win32.SGeneric
Kingsoft Clean
Microsoft Trojan:Win32/Casdet!rfn
Endgame malicious (high confidence)
Arcabit Clean
AegisLab Trojan.Win32.Shelma.4!c
ZoneAlarm Clean
Avast-Mobile Clean
GData Win32.Application.Agent.N215CZ
TACHYON Clean
AhnLab-V3 Clean
Acronis Clean
ALYac Clean
MAX malware (ai score=60)
VBA32 Trojan.Shelma
Cylance Unsafe
Zoner Clean
TrendMicro-HouseCall TROJ_FRS.0NA103EL20
Tencent Win32.Trojan.Shelma.Dygx
Yandex Riskware.RemoteAdmin!
Ikarus PUA.Tool
MaxSecure Clean
Fortinet Riskware/RemoteAdmin_NetCat
Webroot Pua.Remoteadmin.Netcat
AVG FileRepMalware
Cybereason Clean
Panda Trj/CI.A
Qihoo-360 Win32/Trojan.da3
Sorry! No behavior.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.9 51751 1.1.1.1 53
192.168.1.9 53599 1.1.1.1 53
192.168.1.9 54609 1.1.1.1 53
192.168.1.9 55233 1.1.1.1 53
192.168.1.9 55319 1.1.1.1 53
192.168.1.9 59058 1.1.1.1 53
192.168.1.9 59225 1.1.1.1 53
192.168.1.9 63630 1.1.1.1 53
192.168.1.9 64674 1.1.1.1 53
192.168.1.9 137 192.168.1.255 137
192.168.1.9 51751 8.8.8.8 53
192.168.1.9 53599 8.8.8.8 53
192.168.1.9 54609 8.8.8.8 53
192.168.1.9 55233 8.8.8.8 53
192.168.1.9 55319 8.8.8.8 53
192.168.1.9 59058 8.8.8.8 53
192.168.1.9 59225 8.8.8.8 53
192.168.1.9 63630 8.8.8.8 53
192.168.1.9 64674 8.8.8.8 53
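
The "Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address" signature in the summary matched on the destination IP 1.1.1.1 alone. Every flow recorded here is UDP to port 53, i.e. plain DNS, no TCP/853 (DoT) or TCP/443 (DoH) traffic was seen, and because no domains were parsed the page does not show what was queried or whether the sample or the guest's own resolver sent them; the 137/udp broadcast is NetBIOS name service. The Python below is an added example, not CAPE's signature code: it classifies each flow by destination port rather than by IP, and groups the port-53 flows by source port to expose the pattern in this table, where every ephemeral port reaches both resolvers. The resolver list is an assumption.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)

# Constructed subset of the UDP rows above (same values as the report, fewer rows).
UDP_FLOWS: List[Flow] = [
    ("192.168.1.9", 51751, "1.1.1.1", 53),
    ("192.168.1.9", 53599, "1.1.1.1", 53),
    ("192.168.1.9", 137, "192.168.1.255", 137),
    ("192.168.1.9", 51751, "8.8.8.8", 53),
    ("192.168.1.9", 53599, "8.8.8.8", 53),
]

# Assumed: public resolvers that also offer DoH/DoT endpoints on the same addresses.
PUBLIC_RESOLVERS: Set[str] = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


def classify_flow(dst: str, dport: int) -> str:
    """Label a flow by what the destination port implies. Matching on the IP
    alone cannot tell plain DNS from DoT (853) or DoH (443 to a known resolver)."""
    if dport == 53:
        return "plain-dns"
    if dport == 853:
        return "dot"
    if dport == 443 and dst in PUBLIC_RESOLVERS:
        return "doh-candidate"
    if dport in (137, 138):
        return "netbios"
    return "other"


def summarize(flows: List[Flow]) -> Counter:
    """Count flows per class; the report's table yields only plain-dns and netbios."""
    return Counter(classify_flow(dst, dport) for _, _, dst, dport in flows)


def resolver_fanout(flows: List[Flow]) -> Dict[int, Set[str]]:
    """Source ports whose port-53 traffic reached more than one server.
    One ephemeral port reused against each configured resolver is consistent
    with a single query being retried down the resolver list (stub resolver
    behaviour); a program opening a fresh socket per query would not show it."""
    by_port: Dict[int, Set[str]] = defaultdict(set)
    for _, sport, dst, dport in flows:
        if dport == 53:
            by_port[sport].add(dst)
    return {port: dsts for port, dsts in by_port.items() if len(dsts) > 1}


if __name__ == "__main__":
    print(dict(summarize(UDP_FLOWS)))
    for port, dsts in sorted(resolver_fanout(UDP_FLOWS).items()):
        print(f"sport {port} -> {sorted(dsts)}")
```

A signature that wants to mean "uses encrypted DNS" should key on port 853, or on port 443 to a resolver address together with a TLS SNI or JA3 hit, not on the bare IP; as written it fires on any guest whose resolver happens to be 1.1.1.1 or 8.8.8.8.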

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name file.exe
PID 4804
Dump Size 32256 bytes
Module Path C:\Users\Louise\AppData\Local\Temp\file.exe
Type PE image: 32-bit executable
PE timestamp 2010-12-20 11:38:55
MD5 0bda2ba5d3c04e7e8322549c1d1ddce5
SHA1 429f40907d51b25240a0bb6054b3a72092494090
SHA256 4aca7d8284e0c53f5934c18c0aff268c16f5042c76e09a7ebfa684c9df3186ec
CRC32 B850D8BF
Ssdeep 384:VsN9KPAP+zX8kr2zmEBr+ep5BAPnRRD5BuC5CePVEtEEodfVWl8DgDmq1m1m9GrZ:VyMPVzXjrEX3wVdvEs/immkrYjM3oc
Dump Filename 4aca7d8284e0c53f5934c18c0aff268c16f5042c76e09a7ebfa684c9df3186ec

Defense Evasion
  • T1116 - Code Signing
    • Signature - static_authenticode

    Processing ( 7.92 seconds )

    • 5.222 Suricata
    • 0.83 NetworkAnalysis
    • 0.656 Static
    • 0.588 peid
    • 0.427 VirusTotal
    • 0.109 Deduplicate
    • 0.042 CAPE
    • 0.021 AnalysisInfo
    • 0.01 TargetInfo
    • 0.007 ProcDump
    • 0.004 Debug
    • 0.003 BehaviorAnalysis
    • 0.001 Strings

    Signatures ( 0.05 seconds )

    • 0.009 ransomware_files
    • 0.006 antiav_detectreg
    • 0.005 ransomware_extensions
    • 0.005 territorial_disputes_sigs
    • 0.003 persistence_autorun
    • 0.003 antiav_detectfile
    • 0.003 infostealer_ftp
    • 0.002 antianalysis_detectfile
    • 0.002 infostealer_bitcoin
    • 0.002 infostealer_im
    • 0.001 kibex_behavior
    • 0.001 tinba_behavior
    • 0.001 antianalysis_detectreg
    • 0.001 antivm_vbox_files
    • 0.001 geodo_banking_trojan
    • 0.001 browser_security
    • 0.001 disables_browser_warn
    • 0.001 infostealer_mail
    • 0.001 masquerade_process_name
    • 0.001 revil_mutexes

    Reporting ( 1.697 seconds )

    • 1.64 BinGraph
    • 0.052 MITRE_TTPS
    • 0.005 PCAP2CERT