File Name: Ares.exe
SHA1: 16a405a9a594260aa931a7a4eb2b503945e0d2d6
MD5: 77ead082317714ea4ca0693ed1c8585b
First Seen Date: 2017-08-03 01:19:11.501338
Number of Clients Seen: 9
Last Analysis Date: 2017-11-11 02:13:29.280356
Human Expert Analysis Date: 2017-11-11 03:23:23.119994
Human Expert Analysis Result: PUA
Analysis Summary
Analysis Type | Date | Verdict
---|---|---
Signature Based Detection | 2017-11-11 02:13:29.280356 | Malware
Static Analysis Overall Verdict | 2017-11-11 02:13:29.280356 | No Threat Found
Precise Detectors Overall Verdict | 2017-11-11 02:13:29.280356 | No Match
Human Expert Analysis Overall Verdict | 2017-11-11 03:23:23.119994 | PUA
Static Analysis
Static Analysis Overall Verdict: No Threat Found

Detector | Result
---|---
Optional Header LoaderFlags field has an illegal value | Clean
Non-ASCII or empty section names detected | Suspicious
Illegal size of optional header | Clean
Packer detection on signature database | Unknown
Section entropy check: file is possibly packed | Suspicious
Timestamp value suspicious | Clean
Header checksum is zero | Suspicious
Entry point is outside the first (.code) section; binary is possibly packed | Suspicious
Optional Header NumberOfRvaAndSizes field has an illegal value | Clean
Anti-VM present | Clean
SizeOfRawData has an illegal value; binary might crash your disassembler/debugger | Clean
TLS callback functions array detected | Clean

Four heuristics fired (section names, section entropy, zero checksum, entry point outside the first section), none of the precise detectors matched, and the overall static verdict stayed at No Threat Found; the Malware verdict in the summary comes from the separate signature-based stage. None of the four heuristics is conclusive on its own: the Windows loader only validates the PE checksum for kernel-mode drivers and boot-time images, so a zero CheckSum in a user-mode executable is common, and the entropy and entry-point heuristics fire on legitimate installers and self-extracting archives as readily as on packed malware.
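The detectors in the table above are header heuristics that any analyst can reproduce. The following is an added example, not the sandbox's own detector code: a standard-library PE32/PE32+ header parser with the same checks (LoaderFlags, section names, optional-header size, section entropy, timestamp, CheckSum, entry point versus first section, NumberOfRvaAndSizes, SizeOfRawData versus file size, TLS directory). It builds a small synthetic PE32 image in memory so it runs offline; the entropy threshold of 7.0 and the expected optional-header size are this example's choices, and build_pe() output is constructed test input, not a real file.

```python
"""PE header heuristics of the kind listed in the static analysis table above.

Added example, not the sandbox's own detector code. Standard library only:
parse_pe() reads the DOS, COFF, optional and section headers of a PE32/PE32+
image, check_pe() evaluates the heuristics, and build_pe() assembles a small
synthetic PE32 image in memory (constructed test input, not a real file) so
the script runs offline. The entropy threshold (7.0) is this example's choice.
"""
import math
import struct
import time
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; near 8.0 means random-looking, typical of packed or encrypted sections."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """Extract the header fields the checks need; raises ValueError for non-PE input."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    plus = struct.unpack_from("<H", image, opt)[0] == 0x20B      # PE32+ (64-bit) has wider fields
    entry = struct.unpack_from("<I", image, opt + 16)[0]
    checksum = struct.unpack_from("<I", image, opt + 64)[0]
    loader_flags, n_dirs = struct.unpack_from("<II", image, opt + (104 if plus else 88))
    dirs = opt + (112 if plus else 96)                           # start of the data directories
    tls_size = struct.unpack_from("<II", image, dirs + 9 * 8)[1] if n_dirs > 9 else 0
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        sections.append({"name": name, "vsize": vsize, "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"plus": plus, "timestamp": timestamp, "opt_size": opt_size, "entry": entry, "checksum": checksum,
            "loader_flags": loader_flags, "n_dirs": n_dirs, "tls_size": tls_size, "sections": sections}


def check_pe(image: bytes, now=None) -> dict:
    """Map each heuristic to True (suspicious) or False (clean)."""
    h = parse_pe(image)
    secs = h["sections"]
    now = time.time() if now is None else now
    names = [s["name"].rstrip(b"\0") for s in secs]
    first_end = secs[0]["va"] + max(secs[0]["vsize"], secs[0]["raw_size"]) if secs else 0
    return {
        "loader_flags_illegal": h["loader_flags"] != 0,
        "section_names_nonascii_or_empty": any(not n or any(b < 0x20 or b > 0x7E for b in n) for n in names),
        "optional_header_size_illegal": h["opt_size"] != (112 if h["plus"] else 96) + 8 * h["n_dirs"],
        "high_entropy_section": any(shannon_entropy(image[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]) > 7.0
                                    for s in secs),
        "timestamp_suspicious": h["timestamp"] == 0 or h["timestamp"] > now,
        "checksum_zero": h["checksum"] == 0,             # weak alone: the loader ignores it for user-mode EXEs
        "entry_outside_first_section": not (secs and secs[0]["va"] <= h["entry"] < first_end),
        "rva_count_illegal": h["n_dirs"] != 16,
        "raw_size_illegal": any(s["raw_ptr"] + s["raw_size"] > len(image) for s in secs),
        "tls_directory_present": h["tls_size"] != 0,     # where TLS callbacks would be registered
    }


def build_pe(*, entry_rva=0x1000, checksum=0x1234, loader_flags=0, n_dirs=16, timestamp=1500000000,
             tls_rva=0, sections=((b".text", b"\x90" * 64), (b".data", b"\0" * 64))) -> bytes:
    """Constructed PE32 image for testing; sections are (name, raw bytes) pairs."""
    file_align, sect_align = 0x200, 0x1000
    opt_size = 96 + 8 * n_dirs
    hdr_size = -(-(0x44 + 20 + opt_size + 40 * len(sections)) // file_align) * file_align
    sect_hdrs, raw, ptr, rva = b"", b"", hdr_size, sect_align
    for name, data in sections:
        raw_size = -(-len(data) // file_align) * file_align
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), rva, raw_size, ptr, 0, 0, 0, 0, 0x60000020)
        raw += data.ljust(raw_size, b"\0")
        ptr, rva = ptr + raw_size, rva + sect_align
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)    # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000, 0x400000, sect_align, file_align,
                      6, 0, 0, 0, 6, 0, 0, rva, hdr_size, checksum, 3, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, loader_flags, n_dirs)
    dirs = bytearray(8 * n_dirs)
    if tls_rva and n_dirs > 9:
        struct.pack_into("<II", dirs, 9 * 8, tls_rva, 24)       # IMAGE_DIRECTORY_ENTRY_TLS
    return (dos + b"PE\0\0" + coff + opt + bytes(dirs) + sect_hdrs).ljust(hdr_size, b"\0") + raw


if __name__ == "__main__":
    samples = {"clean": build_pe(),
               "packed-looking": build_pe(entry_rva=0x2000, checksum=0,
                                          sections=((b"\xde\xad", bytes(range(256)) * 2),))}
    for label, img in samples.items():
        print(label, [k for k, v in check_pe(img).items() if v] or "no findings")
```

Run it against a real file with `check_pe(open(path, "rb").read())`; the `now` parameter exists so the timestamp check is reproducible in tests. Treat the returned flags as the report does: inputs to a verdict, not a verdict.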
Dynamic Analysis
Dynamic Analysis Overall Verdict: No Threat Found

Suspicious Behaviors
---
Has no visible windows
Behavioral Information

Loaded modules:
C:\Windows\SYSTEM32\MSCOREE.DLL
C:\Ares.exe
ADVAPI32.dll
SHLWAPI.dll

Registry activity. Root 80000002 is HKEY_LOCAL_MACHINE and 80000001 is HKEY_CURRENT_USER; b4 and b8 are key handles returned by earlier RegOpenKeyExW calls; samDesired 20019 is KEY_READ; a line of the form Api(,,,) -> N records a return code (0 = ERROR_SUCCESS, 2 = ERROR_FILE_NOT_FOUND).
RegOpenKeyExW(80000002,Software\Microsoft\.NETFramework\Policy\,0,20019,20f554)
RegOpenKeyExW(,,,,) -> 0
RegOpenKeyExW(b4,v2.0,0,20019,20f550)
RegOpenKeyExW(80000002,Software\Microsoft\.NETFramework,0,20019,20ec4c)
RegOpenKeyExW(b4,Upgrades,0,20019,20f550)
RegOpenKeyExW(b4,Standards,0,20019,20f550)
RegOpenKeyExW(b4,AppPatch,0,20019,20f550)
RegOpenKeyExW(80000002,Software\Microsoft\.NETFramework,0,20019,20eef0)
RegOpenKeyExW(80000002,Software\Microsoft\.NETFramework,0,20019,20e850)
RegOpenKeyExW(80000002,Software\Microsoft\.NETFramework,0,20019,20e234)
RegOpenKeyExW(80000002,Software\Microsoft\.NETFramework,0,20019,20e5f4)
RegOpenKeyExW(80000001,Software\Microsoft\.NETFramework\Policy\Standards,0,20019,20e5ec)
RegOpenKeyExW(,,,,) -> 2
RegOpenKeyExW(80000002,Software\Microsoft\.NETFramework\Policy\Standards,0,20019,20e5ec)
RegOpenKeyExW(b8,v4.0.30319,0,20019,20e5cc)
RegOpenKeyExW(80000002,Software\Microsoft\.NETFramework,0,20019,20dae4)
RegOpenKeyExW(80000001,Software\Microsoft\.NETFramework\Policy\Upgrades,0,20019,20e5d0)
RegOpenKeyExW(80000002,Software\Microsoft\.NETFramework\Policy\Upgrades,0,20019,20e5d0)
RegOpenKeyExW(80000001,Software\Microsoft\.NETFramework,0,20019,20dba8)
RegOpenKeyExW(80000002,Software\Microsoft\.NETFramework,0,20019,20db84)
RegQueryValueExW(b8,InstallRoot,0,20ec44,0,20ec48)
RegQueryValueExW(,,,,,) -> 0
RegQueryValueExW(b8,InstallRoot,0,0,429018,20ec48)
RegQueryValueExW(b8,InstallRoot,0,0,429048,20ec48)
RegQueryValueExW(b4,InstallRoot,0,20eee8,0,20eeec)
RegQueryValueExW(b4,InstallRoot,0,0,429048,20eeec)
RegQueryValueExW(b4,InstallRoot,0,20e848,0,20e84c)
RegQueryValueExW(b4,InstallRoot,0,0,429018,20e84c)
RegQueryValueExW(b4,CLRLoadLogDir,0,20e22c,0,20e230)
RegQueryValueExW(,,,,,) -> 2
RegQueryValueExW(b4,OnlyUseLatestCLR,0,20e604,20e60c,20e608)
RegQueryValueExW(b8,InstallRoot,0,20dadc,0,20dae0)
RegQueryValueExW(b8,InstallRoot,0,0,429048,20dae0)
RegQueryValueExW(b8,NoGuiFromShim,0,20db8c,20db88,20db7c)
RegCloseKey(b8)
RegCloseKey() -> 0
RegCloseKey(b4)

File activity (CreateFile parameters; dwDesiredAccess 80000000 = GENERIC_READ, dwCreationDisposition 3 = OPEN_EXISTING, dwShareMode 1 = FILE_SHARE_READ):
{"dwCreationDisposition": "3", "path": "C:\\Ares.exe.config", "dwDesiredAccess": "80000000", "dwShareMode": "1"}
{"dwCreationDisposition": "3", "path": "C:\\Ares.exe", "dwDesiredAccess": "80000000", "dwShareMode": "1"}

Every registry operation recorded here belongs to the startup of the .NET runtime shim (MSCOREE.DLL) rather than to the sample's own code: the shim reads InstallRoot, OnlyUseLatestCLR and NoGuiFromShim under Software\Microsoft\.NETFramework, walks the Policy\Standards and Policy\Upgrades keys and the v2.0 and v4.0.30319 version keys to select a CLR, and opens Ares.exe.config read-only for the application's configuration. No network, process, service or persistence activity is recorded, which is consistent with the "Has no visible windows" observation and the dynamic verdict of No Threat Found; it also means the trace says little about what the managed code does once the CLR is running.
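Separating runtime start-up noise from activity worth an analyst's time is the routine task a trace like the one above creates. The following is an added example, not the sandbox's own tooling: it parses lines in the format shown (API calls, the `Api(,,,) -> N` return-code lines, and the JSON CreateFile records), decodes hive roots and CreateFile flags, and buckets registry opens under Software\Microsoft\.NETFramework as expected CLR start-up. Assumptions: a return-code line belongs to the most recent call of the same API that has no code yet (calls without one keep rc=None), and codes are decimal. SAMPLE_TRACE reuses lines from the report above plus two constructed lines (the CurrentVersion\Run open and the dropped.exe CreateFile) that show how non-start-up activity is flagged; they are not from this sample.

```python
"""Triage of a sandbox API trace in the line format shown above.

Added example, not the sandbox's own tooling. Assumptions: 'Api(args)' is a
call; 'Api(,,,) -> N' gives the decimal return code of the most recent call of
that API that has none yet (calls without one keep rc=None); a JSON line is a
CreateFile record. The hive constants and Win32 flag values are the documented
ones. In SAMPLE_TRACE the CurrentVersion\\Run line and the dropped.exe line are
constructed; the rest are lines from the report above.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM", "80000003": "HKU"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
# Keys the .NET shim (mscoree.dll) reads to pick a runtime; expected for any managed EXE.
CLR_PREFIX = "software\\microsoft\\.netframework"
CALL_RE = re.compile(r"^(\w+)\((.*)\)(?:\s*->\s*(-?\d+))?$")

SAMPLE_TRACE = r"""
RegOpenKeyExW(80000002,Software\Microsoft\.NETFramework\Policy\,0,20019,20f554)
RegOpenKeyExW(,,,,) -> 0
RegOpenKeyExW(b4,v2.0,0,20019,20f550)
RegOpenKeyExW(80000001,Software\Microsoft\.NETFramework\Policy\Standards,0,20019,20e5ec)
RegOpenKeyExW(,,,,) -> 2
RegQueryValueExW(b8,InstallRoot,0,20ec44,0,20ec48)
RegQueryValueExW(,,,,,) -> 0
RegCloseKey(b8)
RegCloseKey() -> 0
RegOpenKeyExW(80000001,Software\Microsoft\Windows\CurrentVersion\Run,0,20019,20f000)
RegOpenKeyExW(,,,,) -> 0
{"dwCreationDisposition": "3", "path": "C:\\Ares.exe.config", "dwDesiredAccess": "80000000", "dwShareMode": "1"}
{"dwCreationDisposition": "2", "path": "C:\\Users\\Public\\dropped.exe", "dwDesiredAccess": "40000000", "dwShareMode": "0"}
"""


@dataclass
class Call:
    api: str
    args: list
    rc: Optional[int] = None


def parse_trace(lines):
    """Split a trace into API calls (with bound return codes) and CreateFile records."""
    calls, files = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("{"):
            files.append(json.loads(line))
            continue
        m = CALL_RE.match(line)
        if not m:
            continue
        api, argstr, rc = m.groups()
        args = argstr.split(",") if argstr else []
        if rc is not None and not any(args):
            # result line: bind to the latest call of the same API that has no rc yet
            for call in reversed(calls):
                if call.api == api and call.rc is None:
                    call.rc = int(rc)
                    break
            continue
        calls.append(Call(api, args))
    return calls, files


def registry_target(call):
    """Render root\\target; handles from earlier opens (b4, b8) cannot be resolved
    from this trace, so they are left as-is."""
    root = HIVES.get(call.args[0], call.args[0])
    sub = call.args[1] if len(call.args) > 1 else ""
    return f"{root}\\{sub}"


def triage(lines):
    """Bucket registry and file activity by whether it needs an analyst's eyes."""
    calls, files = parse_trace(lines)
    out = {"clr_startup": [], "unresolved_handle": [], "review": [], "file_reads": [], "file_writes": []}
    for call in calls:
        if call.api not in ("RegOpenKeyExW", "RegQueryValueExW"):
            continue
        target = registry_target(call)
        entry = (call.api, target, call.rc)
        if call.args[0] not in HIVES:
            out["unresolved_handle"].append(entry)          # child of an earlier open; parent unknown
        elif target.split("\\", 1)[1].lower().startswith(CLR_PREFIX):
            out["clr_startup"].append(entry)
        else:
            out["review"].append(entry)
    for rec in files:
        access = int(rec["dwDesiredAccess"], 16)
        rights = [name for bit, name in ACCESS.items() if access & bit]
        disp = DISPOSITION.get(int(rec["dwCreationDisposition"]), rec["dwCreationDisposition"])
        writes = bool(access & (0x40000000 | 0x10000000)) or disp != "OPEN_EXISTING"
        out["file_writes" if writes else "file_reads"].append((rec["path"], rights, disp))
    return out


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_TRACE.splitlines()).items():
        print(bucket)
        for entry in entries:
            print("   ", entry)
```

The "unresolved_handle" bucket is the honest answer for opens such as `RegOpenKeyExW(b4,v2.0,...)`: the trace gives the parent as a handle value, not the pointer the earlier open wrote its result into, so the full path cannot be reconstructed from these lines alone.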
Precise Detectors Analysis Results
Detector Name | Date | Verdict | Reason
---|---|---|---
Static Precise PUA Detector 1 | 2017-11-11 02:13:19.554062 | No Match | NotDetected
Static Precise Virus Detector | 2017-11-11 02:13:19.542504 | No Match | NotDetected
Static Precise Trojan Detector | 2017-11-11 02:13:19.590578 | No Match | NotDetected
Static Precise Adware InstallCore Detector 1 | 2017-11-11 02:13:19.613187 | No Match | NotDetected
Static Precise Trojan Detector 2 | 2017-11-11 02:13:19.620382 | No Match | NotDetected
Static Precise Trojan Detector 3 | 2017-11-11 02:13:19.627147 | No Match | NotDetected
Static Precise Trojan Generic Cryptor Detector 1 | 2017-11-11 02:13:19.629952 | No Match | NotDetected
Static Precise Virus Detector 2 | 2017-11-11 02:13:19.634640 | No Match | NotDetected
Advanced Heuristics
No Advanced Heuristic Analysis Result Received
Human Expert Analysis Results
Analysis Start Date: 2017-11-11 02:22:22.183082
Analysis End Date: 2017-11-11 03:23:23.119994
File Upload Date: 2017-11-11 02:11:19.924254
Update Date: 2017-11-11 02:22:22.183114
Human Expert Analyst Feedback: PUA
Verdict: PUA
Malware Family:
Malware Type: PUA
Additional File Information
Property | Value
---|---

Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5
---|---|---|---|---|---