|
Analyzing...
|
File Name: Script bypass fusion.exe
SHA1: a20e594938588d48cd39e4ae5b42526625ce1b1b
MD5: 68d8eef6f880056104565f29ab689db6
First Seen Date: 2016-12-17 19:39:07.009386 ( )
Number of Clients Seen: 6
Last Analysis Date: 2017-03-25 11:43:23.472725 ( )
Human Expert Analysis Date: 2017-03-24 17:51:21.104902 ( )Human Expert Analysis Result: Malware
Analysis Summary
| Analysis Type | Date | Verdict | |
|---|---|---|---|
| Signature Based Detection | 2017-03-25 11:43:23.472725 | Malware | |
| Static Analysis Overall Verdict | 2017-03-25 11:43:23.472725 | Highly Suspicious | |
| Dynamic Analysis Overall Verdict | 2017-03-25 11:43:23.472725 | Highly Suspicious | |
| Precise Detectors Overall Verdict | 2017-03-25 11:43:23.472725 | No Match | help |
| Human Expert Analysis Overall Verdict | 2017-03-24 17:51:21.104902 | Malware | |
Static Analysis
| Static Analysis Overall Verdict | Result |
|---|---|
| Highly Suspicious |
| Detector | Result | |
|---|---|---|
| Optional Header LoaderFlags field is valued illegal | Clean | |
| Non-ascii or empty section names detected | Clean | |
| Illegal size of optional Header | Clean | |
| Packer detection on signature database | Unknown | help |
| Based on the sections entropy check! file is possibly packed | Suspicious | |
| Timestamp value suspicious | Clean | |
| Header Checksum is zero! | Suspicious | |
| Enrty point is outside the 1st(.code) section! Binary is possibly packed | Clean | |
| Optional Header NumberOfRvaAndSizes field is valued illegal | Clean | |
| Anti-vm present | Clean | |
| The Size Of Raw data is valued illegal! Binary might crash your disassembler/debugger | Clean | |
| TLS callback functions array detected | Clean | |
Packer detection on signature database
Microsoft Visual C# / Basic .NET
.NET executable
Dynamic Analysis
| Dynamic Analysis Overall Verdict | Result |
|---|---|
| Highly Suspicious |
| Suspicious Behaviors | |
|---|---|
| Operation successfully finished. | |
Behavioral Information
C:\Windows\SYSTEM32\MSCOREE.DLL
C:\[uScript bypass fusion.exe]
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
file
InstallRoot
CLRLoadLogDir
OnlyUseLatestCLR
GCStressStart
GCStressStartAtJit
DisableConfigCache
CacheLocation
DownloadCacheQuotaInKB
EnableLog
LoggingLevel
ForceLog
LogFailures
VersioningLog
LogResourceBinds
UseLegacyIdentityFormat
DisableMSIPeek
NoClientChecks
DevOverrideEnable
LatestIndex
NIUsageMask
ILUsageMask
DisplayName
ConfigMask
ConfigString
MVID
EvalationData
Status
ILDependencies
NIDependencies
MissingDependencies
Modules
SIG
LastModTime
mscorlib
Latest
index1
LegacyPolicyTimeStamp
Microsoft.VisualBasic
System
System.Xml
System.Configuration
System.Web
System.Management
System.Runtime.Remoting
System.Deployment
System.Drawing
System.Windows.Forms
Software\Microsoft\Fusion\GACChangeNotification\Default
C:\[uScript bypass fusion.exe].config
C:\[uScript bypass fusion.exe]
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
C:\Users\win7\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\win7\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index1c2.dat
C:\Windows\system32\l_intl.nls
C:\Windows\assembly\pubpol1.dat
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Software\Microsoft\.NETFramework\Policy\
v2.0
Software\Microsoft\.NETFramework
Upgrades
Standards
AppPatch
Software\Microsoft\.NETFramework\Policy\Standards
v2.0.50727
Software\Microsoft\Fusion
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[uScript bypass fusion.exe]
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
Internet
LocalIntranet
Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3979321414-2393373014-2172761192-1000
Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
index1c2
NI\181938c6\7950e2c5
NI\181938c6\7950e2c5\16
IL\7950e2c5\4b5f28af\5f
NI\43834a04\65f74e35
Software\Microsoft\StrongName
Software\Microsoft\Fusion\PublisherPolicy\Default
policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
NI\1c22df2f\4f99a7c9
NI\1c22df2f\4f99a7c9\66
IL\c991064\5086dba8\51
IL\6dc7d4c0\c47ad54\56
IL\3ced59c5\48d69eb2\54
IL\f6e8397\628bc3e2\47
IL\2b1a4e4\3822b536\f
IL\24bf93f6\708deaf7\46
IL\4f99a7c9\191b956f\66
NI\30bc7c4f\3f50fe4f\18
IL\424bd4d8\324708cb\5c
IL\19ab8d57\c91dbb2\5e
IL\3f50fe4f\265c633d\60
policy.2.0.System__b77a5c561934e089
policy.2.0.System.Xml__b77a5c561934e089
policy.2.0.System.Configuration__b03f5f7f11d50a3a
policy.2.0.System.Web__b03f5f7f11d50a3a
policy.2.0.System.Management__b03f5f7f11d50a3a
policy.2.0.System.Runtime.Remoting__b77a5c561934e089
policy.2.0.System.Deployment__b03f5f7f11d50a3a
policy.2.0.System.Drawing__b03f5f7f11d50a3a
policy.2.0.System.Windows.Forms__b77a5c561934e089
SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
NI\46fa1d9b\38e6ae57
SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3979321414-2393373014-2172761192-1000\Installer\Assemblies\C:|[uScript bypass fusion.exe]
Software\Microsoft\Installer\Assemblies\C:|[uScript bypass fusion.exe]
SOFTWARE\Classes\Installer\Assemblies\C:|[uScript bypass fusion.exe]
SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3979321414-2393373014-2172761192-1000\Installer\Assemblies\Global
Software\Microsoft\Installer\Assemblies\Global
SOFTWARE\Classes\Installer\Assemblies\Global
NI\46fa1d9b\f291795
NI\3cca06a0\6dc7d4c0
NI\3cca06a0\6dc7d4c0\b
<NULL>
Global\CLR_CASOFF_MUTEX
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
ADVAPI32.dll
SHLWAPI.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
mscoree.dll
ntdll
advapi32.dll
shell32.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ole32.dll
ole32.dll
kernel32.dll
AdvApi32.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\908ba9e296e92b4e14bdc2437edac603\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\12dc10e5c0e8d176cf21a16a6fc5fc3b\Microsoft.VisualBasic.ni.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5a401fd2a7689ff13fb54182953f9c40\System.Drawing.ni.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.2944.59968
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.2944.59968
C:\Users\win7\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2944.59984
ReadProcessMemory
WriteProcessMemory
CreateProcessA
GetThreadContext
SetThreadContext
Precise Detectors Analysis Results
| Detector Name | Date | Verdict | Reason | |
|---|---|---|---|---|
| Static Precise PUA Detector 1 | 2017-03-25 11:44:37.881614 | No Match | help | NotDetected |
| Precise URL Detector | 2017-03-25 11:45:19.432338 | No Match | help | Can not found url connection in data |
Advance Heuristics
No Advanced Heuristic Analysis Result Received
Human Expert Analysis Results
Analysis Start Date: 2017-03-23 13:29:04.119160 ( )
Analysis End Date: 2017-03-24 17:51:21.104902 ( )
File Upload Date: 2017-03-23 12:29:18.647927 ( )
Update Date: 2017-03-24 17:51:21.109425 ( )
Human Expert Analyst Feedback: Malware
Verdict: Malware
Malware Family: TrojWare.Win32.Agent
Malware Type: Trojan Generic
Additional File Information
| Property | Value |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5 |
|---|