Analyzing...
|
File Name:   updatemolo.exe
SHA1:   8a397aaf4d1b15d51bc5b7383421c151f42d33a4
MD5:   f8af9b8b54de954db0d00931422f0051
First Seen Date:  2016-07-24 17:35:32.845530 ( )
Number of Clients Seen:   6
Last Analysis Date:  2016-07-24 17:35:32.845530 ( )
Human Expert Analysis Result:   No human expert analysis verdict given to this sample yet.
Analysis Summary
Analysis Type | Date | Verdict | |
---|---|---|---|
Signature Based Detection | 2016-07-24 17:35:32.845530 | Clean | |
Static Analysis Overall Verdict | 2016-07-24 17:35:32.845530 | Highly Suspicious | |
Dynamic Analysis Overall Verdict | 2016-07-24 17:35:32.845530 | Highly Suspicious |
Static Analysis
Static Analysis Overall Verdict | Result |
---|---|
Highly Suspicious |
Detector | Result | |
---|---|---|
Optional Header LoaderFlags field is valued illegal | Clean | |
Non-ascii or empty section names detected | Clean | |
Illegal size of optional Header | Clean | |
Packer detection on signature database | Unknown | help |
Based on the sections entropy check! file is possibly packed | Suspicious | |
Timestamp value suspicious | Clean | |
Header Checksum is zero! | Clean | |
Enrty point is outside the 1st(.code) section! Binary is possibly packed | Clean | |
Optional Header NumberOfRvaAndSizes field is valued illegal | Clean | |
Anti-vm present | Clean | |
The Size Of Raw data is valued illegal! Binary might crash your disassembler/debugger | Clean | |
TLS callback functions array detected | Clean |
Packer detection on signature database
Microsoft Visual C# / Basic .NET
.NET executable
Dynamic Analysis
Dynamic Analysis Overall Verdict | Result |
---|---|
Highly Suspicious |
Suspicious Behaviors | |
---|---|
Opens a file in a system directory | |
Uses a function clandestinely | |
Has no visible windows |
Behavioral Information
C:\sample
C:\Windows\SYSTEM32\MSCOREE.DLL
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\system32\RichEd20.dll
C:\Windows\syswow64\CRYPT32.dll
C:\Windows\system32\cryptnet.dll
http
InstallRoot
CLRLoadLogDir
OnlyUseLatestCLR
GCStressStart
GCStressStartAtJit
DisableConfigCache
CacheLocation
DownloadCacheQuotaInKB
EnableLog
LoggingLevel
ForceLog
LogFailures
VersioningLog
LogResourceBinds
UseLegacyIdentityFormat
DisableMSIPeek
NoClientChecks
DevOverrideEnable
LatestIndex
NIUsageMask
ILUsageMask
DisplayName
ConfigMask
ConfigString
MVID
EvalationData
Status
ILDependencies
NIDependencies
MissingDependencies
Modules
SIG
LastModTime
mscorlib
Software\Microsoft\Fusion\GACChangeNotification\Default
C:\sample.config
C:\sample
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
C:\Users\win7\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\win7\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index1c2.dat
C:\Windows\system32\rsaenh.dll
\\.\Nsi
C:\Users\win7\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\win7\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\win7\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BCC5425735D67C042376F8936CB8126
Software\Microsoft\.NETFramework\Policy\
v2.0
Software\Microsoft\.NETFramework
Upgrades
Standards
AppPatch
Software\Microsoft\.NETFramework\Policy\Standards
v2.0.50727
Software\Microsoft\Fusion
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sample
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
Internet
LocalIntranet
Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3979321414-2393373014-2172761192-1000
Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
index1c2
NI\181938c6\7950e2c5
NI\181938c6\7950e2c5\16
IL\7950e2c5\4b5f28af\5f
Software\Microsoft\Cryptography\Wintrust\Config
System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
<NULL>
Global\CLR_CASOFF_MUTEX
ADVAPI32.dll
SHLWAPI.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
mscoree.dll
ntdll
advapi32.dll
shell32.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll
imm32.dll
RichEd20.dll
mscorsec.dll
CRYPTSP.dll
CRYPTBASE.dll
WINTRUST.DLL
C:\Windows\syswow64\CRYPT32.dll
imagehlp.dll
USER32.dll
ncrypt.dll
C:\Windows\SysWOW64\bcryptprimitives.dll
bcrypt.dll
USERENV.dll
API-MS-Win-Security-SDDL-L1-1-0.dll
cryptnet.dll
C:\Windows\system32\cryptnet.dll
SensApi.dll
WINHTTP.dll
winhttp.dll
WS2_32.dll
kernel32.dll
SspiCli.dll
RPCRT4.dll
IPHLPAPI.DLL
ntdll.dll
ole32.dll
NSI.dll
CFGMGR32.dll
API-MS-WIN-Service-Management-L1-1-0.dll
API-MS-WIN-Service-Management-L2-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
profapi.dll
DNSAPI.dll
API-MS-Win-Security-LSALookup-L1-1-0.dll
Precise Detectors Analysis Results
No Detector Result Received
Advance Heuristics
No Advanced Heuristic Analysis Result Received
Additional File Information
Property | Value |
---|
Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5 |
---|