File Name: 139.exe
SHA1: 53238d4c00983af70e1de11b4486b17d0658aaf5
MD5: 0877d70d47a2c6c275eb044869912d60
First Seen Date: 2017-09-27 02:12:33.282302
Number of Clients Seen: 4
Last Analysis Date: 2017-09-27 02:12:33.282302
Human Expert Analysis Date: 2017-10-05 09:51:27.765118
Human Expert Analysis Result: Malware
Analysis Summary

Analysis Type | Date | Verdict
---|---|---
Signature Based Detection | 2017-09-27 02:12:33.282302 | Malware
Static Analysis Overall Verdict | 2017-09-27 02:12:33.282302 | No Threat Found
Precise Detectors Overall Verdict | 2017-09-27 02:12:33.282302 | No Match
Human Expert Analysis Overall Verdict | 2017-10-05 09:51:27.765118 | Malware
Static Analysis

Static Analysis Overall Verdict: No Threat Found

Detector | Result
---|---
Optional Header LoaderFlags field is valued illegal | Clean
Non-ASCII or empty section names detected | Clean
Illegal size of optional Header | Clean
Packer detection on signature database | Unknown
Based on the sections entropy check, file is possibly packed | Clean
Timestamp value suspicious | Clean
Header Checksum is zero | Clean
Entry point is outside the 1st (.code) section; binary is possibly packed | Clean
Optional Header NumberOfRvaAndSizes field is valued illegal | Clean
Anti-VM present | Clean
The Size Of Raw data is valued illegal; binary might crash your disassembler/debugger | Clean
TLS callback functions array detected | Clean
Dynamic Analysis

Dynamic Analysis Overall Verdict: No Threat Found

Suspicious Behaviors |
---|
Opens a file in a system directory |
Behavioral Information
C:\139.exe
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll
C:\Windows\syswow64\MSCTF.dll
C:\Windows\syswow64\USER32.dll
Global\Thistle_{580D1956-62F4-40D8-B3A0-E2C1B7334726}
Local\MSCTF.Asm.MutexDefault1
Precise Detectors Analysis Results

Detector Name | Date | Verdict | Reason
---|---|---|---
Static Precise Trojan Detector 2 | 2017-09-27 02:12:30.065105 | No Match | NotDetected
Static Precise Trojan Detector 3 | 2017-09-27 02:12:30.065014 | No Match | NotDetected
Static Precise Adware InstallCore Detector 1 | 2017-09-27 02:12:30.096158 | No Match | NotDetected
Static Precise Trojan Generic Cryptor Detector 1 | 2017-09-27 02:12:30.089353 | No Match | NotDetected
Static Precise PUA Detector 1 | 2017-09-27 02:12:30.111669 | No Match | NotDetected
Static Precise Virus Detector | 2017-09-27 02:12:30.112590 | No Match | NotDetected
Static Precise Trojan Detector | 2017-09-27 02:12:30.136550 | No Match | NotDetected
Static Precise Virus Detector 2 | 2017-09-27 02:12:30.166409 | No Match | NotDetected
Advanced Heuristics

No Advanced Heuristic Analysis Result Received
Human Expert Analysis Results

Analysis Start Date: 2017-10-05 09:49:15.163085
Analysis End Date: 2017-10-05 09:51:27.765118
File Upload Date: 2017-10-05 09:47:01.938962
Update Date: 2017-10-05 09:51:27.807342
Human Expert Analyst Feedback: Malware
Verdict: Malware
Malware Family: Trojware.Win32.Agent
Malware Type: Trojan Generic
Additional File Information

Property | Value
---|---

Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5
---|---|---|---|---|---