File Name: xHypeBot.exe
SHA1: 788fb5118edda2e3aea788ff3578ee1c082110f8
MD5: 75b8fd1d23484270e08975711969f10f
First Seen Date: 2016-02-08 14:12:12.732283
Number of Clients Seen: 7
Last Analysis Date: 2016-02-08 14:12:12.732340
Human Expert Analysis Date: 2016-02-09 10:50:56.380593
Human Expert Analysis Result: Malware
Analysis Summary
Analysis Type | Date | Verdict
---|---|---
Signature Based Detection | 2016-02-08 14:12:12.732340 | Malware
Static Analysis Overall Verdict | 2016-02-08 14:12:12.732340 | Highly Suspicious
Dynamic Analysis Overall Verdict | 2016-02-08 14:12:12.732340 | Highly Suspicious
Human Expert Analysis Overall Verdict | 2016-02-09 10:50:56.380593 | Malware
Static Analysis
Static Analysis Overall Verdict: Highly Suspicious
Detector | Result
---|---
Optional Header LoaderFlags field has an illegal value | Clean
Non-ASCII or empty section names detected | Clean
Illegal size of Optional Header | Clean
Optional Header NumberOfRvaAndSizes field has an illegal value | Clean
Section entropy check: file is possibly packed | Suspicious
Timestamp value suspicious | Clean
Header checksum is zero | Clean
Entry point is outside the first (.code) section; binary is possibly packed | Clean
Packer detection on signature database | Unknown
Anti-VM present | Clean
SizeOfRawData has an illegal value; binary might crash your disassembler/debugger | Clean
TLS callback functions array detected | Clean
Packer detection on signature database: Microsoft Visual C# / Basic .NET (.NET executable)
Dynamic Analysis
Dynamic Analysis Overall Verdict: Highly Suspicious
| Suspicious Behaviors |
|---|
| Injects code into another process |
| Modifies the context of another process |
| Creates a child process |
| Writes to the address space of another process |
| Uses a function clandestinely |
| Reads memory of another process |
| Opens a file in a system directory |
| Has no visible windows |
Behavioral Information
SetThreadContext
CreateProcessW
ReadProcessMemory
CreateProcess
WriteProcessMemory
GetThreadContext
Precise Detectors Analysis Results
No Detector Result Received
Advanced Heuristics
No Advanced Heuristic Analysis Result Received
Human Expert Analysis Results
Analysis Start Date: 2016-02-08 14:12:48.206170
Analysis End Date: 2016-02-09 10:50:56.380593
File Upload Date: 2016-02-08 14:12:19.693198
Update Date: 2016-02-09 10:50:56.380599
Human Expert Analyst Feedback:
Verdict: Malware