HTTP traffic contains suspicious features which may be indicative of malware-related traffic
  network_anomaly | HTTP connection was made to an IP address rather than domain name
  network_anomaly | http://67.176.238.209/

Performs some HTTP requests
  network_url | http://67.176.238.209/

The binary likely contains encrypted or compressed data.
  packer_section | name: .rdata, entropy: 7.18, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00017000, virtual_size: 0x00016f4c

Anomalous binary characteristics
  static_pe_anomaly | Actual checksum does not match that reported in PE header

Creates RWX memory
  injection_rwx_memory | 0x00000040, NtAllocateVirtualMemory or VirtualProtectEx

Deletes its original binary from disk
  file_delete | c:\users\user\appdata\local\temp\d03dcbba9a7aeefdee2f433f4333d678a3efa87f.exe

Installs itself for autorun at Windows startup
  service_create | lanesviewer
  service_create | "C:\Windows\SysWOW64\lanesviewer.exe" -538 -2315

Created a service that was not started
  service_start | lanesviewer

Mimics the system's user agent string for its own requests
  stealth_mimics | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)