Analysis

Category Package Started Completed Duration Options Log
FILE exe 2020-06-05 13:56:48 2020-06-05 14:04:36 468 seconds Show Options Show Log
route = tor
2020-05-13 09:12:05,391 [root] INFO: Date set to: 20200605T13:45:06, timeout set to: 200
2020-06-05 13:45:06,078 [root] DEBUG: Starting analyzer from: C:\tmp52sk_on6
2020-06-05 13:45:06,078 [root] DEBUG: Storing results at: C:\clCUBzq
2020-06-05 13:45:06,078 [root] DEBUG: Pipe server name: \\.\PIPE\ltJBRvMUvf
2020-06-05 13:45:06,078 [root] DEBUG: Python path: C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32
2020-06-05 13:45:06,078 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-05 13:45:06,078 [root] INFO: Automatically selected analysis package "exe"
2020-06-05 13:45:06,078 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-05 13:45:06,125 [root] DEBUG: Imported analysis package "exe".
2020-06-05 13:45:06,125 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-05 13:45:06,125 [root] DEBUG: Initialized analysis package "exe".
2020-06-05 13:45:07,515 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-05 13:45:07,531 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-05 13:45:07,531 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-05 13:45:07,750 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-05 13:45:07,750 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-05 13:45:07,781 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-05 13:45:07,781 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-05 13:45:07,781 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-05 13:45:07,781 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-05 13:45:07,812 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-05 13:45:07,812 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-05 13:45:07,828 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-05 13:45:07,828 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-05 13:45:07,828 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-05 13:45:07,828 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-05 13:45:07,828 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-05 13:45:07,828 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-05 13:45:07,828 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-05 13:45:07,828 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-05 13:45:07,890 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-05 13:45:07,906 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-05 13:45:13,718 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-05 13:45:13,859 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-05 13:45:13,984 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-05 13:45:13,984 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-05 13:45:14,000 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-05 13:45:14,031 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-05 13:45:14,031 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-05 13:45:14,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-05 13:45:14,078 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-05 13:45:14,078 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-05 13:45:14,078 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-05 13:45:14,078 [root] DEBUG: Started auxiliary module Browser
2020-06-05 13:45:14,078 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-05 13:45:14,078 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-05 13:45:14,078 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-05 13:45:14,078 [root] DEBUG: Started auxiliary module Curtain
2020-06-05 13:45:14,078 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-05 13:45:14,093 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-05 13:45:14,093 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-05 13:45:14,093 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-05 13:45:14,656 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-05 13:45:14,656 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-05 13:45:14,671 [root] DEBUG: Started auxiliary module DigiSig
2020-06-05 13:45:14,671 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-05 13:45:14,671 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-05 13:45:14,671 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-05 13:45:14,687 [root] DEBUG: Started auxiliary module Disguise
2020-06-05 13:45:14,687 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-05 13:45:14,687 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-05 13:45:14,687 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-05 13:45:14,703 [root] DEBUG: Started auxiliary module Human
2020-06-05 13:45:14,703 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-05 13:45:14,703 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-05 13:45:14,703 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-05 13:45:14,703 [root] DEBUG: Started auxiliary module Procmon
2020-06-05 13:45:14,703 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-05 13:45:14,703 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-05 13:45:14,703 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-05 13:45:14,703 [root] DEBUG: Started auxiliary module Screenshots
2020-06-05 13:45:14,703 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-05 13:45:14,718 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-05 13:45:14,718 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-05 13:45:14,718 [root] DEBUG: Started auxiliary module Sysmon
2020-06-05 13:45:14,718 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-05 13:45:14,718 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-05 13:45:14,718 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-05 13:45:14,718 [root] DEBUG: Started auxiliary module Usage
2020-06-05 13:45:14,718 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-05 13:45:14,718 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-05 13:45:14,718 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-05 13:45:14,718 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-05 13:45:15,000 [lib.api.process] ERROR: Failed to execute process from path "C:\Users\Rebecca\AppData\Local\Temp\4kbgoMSrRo.exe" with arguments "None" (Error: %1 is not a valid Win32 application (ERROR_BAD_EXE_FORMAT))
2020-06-05 13:45:15,000 [root] ERROR: Traceback (most recent call last):
  File "C:/tmp52sk_on6/analyzer.py", line 509, in run
    pids = self.package.start(self.target)
  File "C:\tmp52sk_on6\modules\packages\exe.py", line 37, in start
    return self.execute(path, args, path)
  File "C:\tmp52sk_on6\lib\common\abstracts.py", line 127, in execute
    raise CuckooPackageError("Unable to execute the initial process, "
lib.common.exceptions.CuckooPackageError: Unable to execute the initial process, analysis aborted.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:/tmp52sk_on6/analyzer.py", line 1504, in <module>
    success = analyzer.run()
  File "C:/tmp52sk_on6/analyzer.py", line 514, in run
    raise CuckooError("The package \"{0}\" start function raised an "
lib.common.exceptions.CuckooError: The package "modules.packages.exe" start function raised an error: Unable to execute the initial process, analysis aborted.
2020-06-05 13:45:15,000 [root] WARNING: Folder at path "C:\clCUBzq\debugger" does not exist, skip.
2020-06-05 13:45:15,000 [root] INFO: Analysis completed.

Machine

Name Label Manager Started On Shutdown On
win7_3 win7_3 KVM 2020-06-05 13:56:48 2020-06-05 14:04:36

File Details

File Name 4kbgoMSrRo
File Size 110148 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
PE timestamp 2014-03-14 13:46:08
MD5 a397a4921acad7076418aad03c41f064
SHA1 5f2897ca6cfe66f6acc9eb63ee9110699d1ca51a
SHA256 22211ec0d564f5c870ba9a8144fc3ca042b5d5b9e1844d452b37dd74db114e3b
SHA512 3fb9ca6ff72ca47a7681d62c0390b21bf3b4bdb7c43a285d393bf06b1bc210960fe936f847fc4004e773c836e0e54a66344273ff03673ac58251b00ebfa04a47
CRC32 C9A37A6B
Ssdeep 1536:XKHKcCiry1eWdPA6gKQ5CFYSUXFu4FEb:6NCsyHgCFYSU0

Signatures

Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Unconventional language used in binary resources: Chinese (Traditional)
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Rebecca\AppData\Local\Temp\4kbgoMSrRo
File has been identified by 38 Antiviruses on VirusTotal as malicious
MicroWorld-eScan: Trojan.GenericKD.43244250
FireEye: Generic.mg.a397a4921acad707
ALYac: Trojan.GenericKD.43244250
Sangfor: Malware
K7AntiVirus: Trojan ( 005675f81 )
K7GW: Trojan ( 005675f81 )
Cybereason: malicious.a6cfe6
Arcabit: Trojan.Generic.D293DADA
F-Prot: W32/VBKrypt.ALP.gen!Eldorado
Symantec: Trojan.Gen.MBT
APEX: Malicious
Avast: Win32:Malware-gen
ClamAV: Win.Packed.Nanocore-7908967-0
BitDefender: Trojan.GenericKD.43244250
Ad-Aware: Trojan.GenericKD.43244250
Emsisoft: Trojan.GenericKD.43244250 (B)
DrWeb: Trojan.DownLoader33.47007
McAfee-GW-Edition: BehavesLike.Win32.Trojan.cz
Fortinet: W32/GuLoader.VHIT!tr
Trapmine: malicious.high.ml.score
Sophos: Mal/FareitVB-AE
Cyren: W32/VBKrypt.ALP.gen!Eldorado
MAX: malware (ai score=80)
Antiy-AVL: Trojan/Win32.Injector
Endgame: malicious (high confidence)
Microsoft: PWS:Win32/Fareit.W!MTB
AhnLab-V3: Trojan/Win32.VBKrypt.R338180
McAfee: Fareit-FST!A397A4921ACA
VBA32: Trojan.Downloader
Malwarebytes: Trojan.MalPack.VB
ESET-NOD32: a variant of Win32/Injector.EMCN
Rising: Trojan.VBKrypt!8.5C0 (TFE:dGZlOgQjv0IrWzwVEQ)
Ikarus: Trojan.Win32.Krypt
eGambit: Unsafe.AI_Score_99%
GData: Trojan.GenericKD.43244250
AVG: Win32:Malware-gen
Panda: Trj/GdSda.A
CrowdStrike: win/malicious_confidence_80% (D)
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - Various Malspam/RigEK

Screenshots


Hosts

Direct IP Country Name
Y 1.1.1.1 [VT] Australia

DNS

No domains contacted.


Summary


PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash
0x00400000 0x004013d0 0x00029766 0x000295aa 4.0 2014-03-14 13:46:08 17e9ee1b5e07ec1e5519f27b839c076c

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00001000 0x000170fc 0x00018000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 3.73
.data 0x00019000 0x00019000 0x000013d0 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x0001a000 0x0001b000 0x000008f4 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.15

Overlay

Offset 0x0001a8f4
Size 0x00000550

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x0001b3b4 0x00000128 LANG_NEUTRAL SUBLANG_NEUTRAL 2.07 None
RT_ICON 0x0001b3b4 0x00000128 LANG_NEUTRAL SUBLANG_NEUTRAL 2.07 None
RT_ICON 0x0001b3b4 0x00000128 LANG_NEUTRAL SUBLANG_NEUTRAL 2.07 None
RT_GROUP_ICON 0x0001b384 0x00000030 LANG_NEUTRAL SUBLANG_NEUTRAL 2.98 None
RT_VERSION 0x0001b150 0x00000234 LANG_CHINESE SUBLANG_CHINESE_TRADITIONAL 3.24 None

Imports

0x401000 None
0x401004 _CIcos
0x401008 _adj_fptan
0x40100c __vbaVarMove
0x401010 None
0x401014 __vbaFreeVar
0x401018 __vbaFreeVarList
0x40101c _adj_fdiv_m64
0x401020 None
0x401024 _adj_fprem1
0x401028 None
0x40102c __vbaStrCat
0x401030 None
0x401038 None
0x40103c None
0x401040 _adj_fdiv_m32
0x401044 __vbaAryDestruct
0x401048 __vbaLateMemSt
0x40104c None
0x401050 None
0x401054 _adj_fdiv_m16i
0x401058 __vbaObjSetAddref
0x40105c _adj_fdivr_m16i
0x401060 None
0x401064 None
0x401068 __vbaFPFix
0x40106c __vbaFpR8
0x401070 _CIsin
0x401074 __vbaErase
0x401078 __vbaChkstk
0x40107c EVENT_SINK_AddRef
0x401080 __vbaStrCmp
0x401084 __vbaVarTstEq
0x401088 __vbaObjVar
0x40108c None
0x401090 None
0x401094 _adj_fpatan
0x401098 None
0x40109c __vbaRedim
0x4010a0 EVENT_SINK_Release
0x4010a4 __vbaUI1I2
0x4010a8 _CIsqrt
0x4010b0 __vbaExceptHandler
0x4010b4 _adj_fprem
0x4010b8 _adj_fdivr_m64
0x4010bc None
0x4010c0 __vbaFPException
0x4010c4 None
0x4010c8 __vbaStrVarVal
0x4010cc None
0x4010d0 _CIlog
0x4010d4 __vbaNew2
0x4010d8 __vbaR8Str
0x4010dc None
0x4010e0 _adj_fdiv_m32i
0x4010e4 _adj_fdivr_m32i
0x4010e8 __vbaStrCopy
0x4010ec __vbaFreeStrList
0x4010f0 _adj_fdivr_m32
0x4010f4 _adj_fdiv_r
0x4010f8 None
0x4010fc None
0x401100 __vbaVarDup
0x401104 None
0x401108 __vbaLateMemCallLd
0x40110c _CIatan
0x401110 __vbaStrMove
0x401114 None
0x401118 None
0x40111c _allmul
0x401120 None
0x401124 _CItan
0x401128 _CIexp
0x40112c __vbaFreeObj
0x401130 __vbaFreeStr


Full Results

Engine Signature Engine Signature Engine Signature
Bkav Clean MicroWorld-eScan Trojan.GenericKD.43244250 FireEye Generic.mg.a397a4921acad707
CAT-QuickHeal Clean ALYac Trojan.GenericKD.43244250 Cylance Clean
VIPRE Clean SUPERAntiSpyware Clean Sangfor Malware
K7AntiVirus Trojan ( 005675f81 ) Alibaba Clean K7GW Trojan ( 005675f81 )
Cybereason malicious.a6cfe6 Arcabit Trojan.Generic.D293DADA Invincea Clean
BitDefenderTheta Clean F-Prot W32/VBKrypt.ALP.gen!Eldorado Symantec Trojan.Gen.MBT
TotalDefense Clean Baidu Clean APEX Malicious
Avast Win32:Malware-gen ClamAV Win.Packed.Nanocore-7908967-0 Kaspersky Clean
BitDefender Trojan.GenericKD.43244250 NANO-Antivirus Clean Paloalto Clean
ViRobot Clean Tencent Clean Ad-Aware Trojan.GenericKD.43244250
Emsisoft Trojan.GenericKD.43244250 (B) Comodo Clean F-Secure Clean
DrWeb Trojan.DownLoader33.47007 Zillya Clean TrendMicro Clean
McAfee-GW-Edition BehavesLike.Win32.Trojan.cz Fortinet W32/GuLoader.VHIT!tr Trapmine malicious.high.ml.score
CMC Clean Sophos Mal/FareitVB-AE SentinelOne Clean
Cyren W32/VBKrypt.ALP.gen!Eldorado Jiangmin Clean Webroot Clean
Avira Clean MAX malware (ai score=80) Antiy-AVL Trojan/Win32.Injector
Kingsoft Clean Endgame malicious (high confidence) Microsoft PWS:Win32/Fareit.W!MTB
AegisLab Clean ZoneAlarm Clean Avast-Mobile Clean
AhnLab-V3 Trojan/Win32.VBKrypt.R338180 Acronis Clean McAfee Fareit-FST!A397A4921ACA
TACHYON Clean VBA32 Trojan.Downloader Malwarebytes Trojan.MalPack.VB
Zoner Clean ESET-NOD32 a variant of Win32/Injector.EMCN TrendMicro-HouseCall Clean
Rising Trojan.VBKrypt!8.5C0 (TFE:dGZlOgQjv0IrWzwVEQ) Yandex Clean Ikarus Trojan.Win32.Krypt
eGambit Unsafe.AI_Score_99% GData Trojan.GenericKD.43244250 AVG Win32:Malware-gen
Panda Trj/GdSda.A CrowdStrike win/malicious_confidence_80% (D) Qihoo-360 Clean
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 1.1.1.1 [VT] Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.4 51228 1.1.1.1 53
192.168.1.4 62350 1.1.1.1 53
192.168.1.4 137 192.168.1.255 137

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-06-05 14:00:22.647 192.168.1.4 [VT] 49177 13.107.42.23 [VT] 443 TCP 1 2028397 2 ET JA3 Hash - Possible Malware - Various Malspam/RigEK Unknown Traffic 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-06-05 14:00:22.768 192.168.1.4 [VT] 49177 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.4 49177 13.107.42.23 443 3b483d0b34894548b602e8d18cdc24c5 unknown
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature

    Processing ( 0.906 seconds )

    • 0.38 Suricata
    • 0.206 VirusTotal
    • 0.122 Static
    • 0.083 NetworkAnalysis
    • 0.047 CAPE
    • 0.031 Deduplicate
    • 0.016 AnalysisInfo
    • 0.012 TargetInfo
    • 0.004 peid
    • 0.003 Debug
    • 0.002 Strings

    Signatures ( 0.049 seconds )

    • 0.009 ransomware_files
    • 0.006 antiav_detectreg
    • 0.006 ransomware_extensions
    • 0.003 persistence_autorun
    • 0.003 antiav_detectfile
    • 0.003 infostealer_ftp
    • 0.003 territorial_disputes_sigs
    • 0.002 antianalysis_detectfile
    • 0.002 infostealer_bitcoin
    • 0.002 infostealer_im
    • 0.001 kibex_behavior
    • 0.001 tinba_behavior
    • 0.001 antianalysis_detectreg
    • 0.001 antivm_vbox_files
    • 0.001 geodo_banking_trojan
    • 0.001 browser_security
    • 0.001 disables_browser_warn
    • 0.001 infostealer_mail
    • 0.001 masquerade_process_name
    • 0.001 revil_mutexes

    Reporting ( 0.808 seconds )

    • 0.773 BinGraph
    • 0.033 MITRE_TTPS
    • 0.002 PCAP2CERT