Field | Value |
---|---|
Size | 18.0KB |
Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
MD5 | 3fb8f4cdcb4d1d48be2e473fd8727239 |
SHA1 | 0ba62c41592ae7b306b395d5507522fccf463327 |
SHA256 | 1fad1fd0a49b4677b6648008f8ddc8c8dc6483ee3c797e938d3637eb8b4ce3b4 |
SHA512 | 2a90364ea514ee789da28f38ce2c9902fa04dc4033bdae5f419b0ef5e69d10e7d4ac7469dd9a8d6215d833f46ba33a51ac127e36fe3e9731209420409720efbb |
CRC32 | A758E34D |
ssdeep | None |
Yara | |
This file is very suspicious, with a score of 10 out of 10!
Please notice: The scoring system is currently still in development and should be considered an alpha feature.
Category | Started | Completed | Duration | Routing |
---|---|---|---|---|
FILE | April 13, 2024, 1:28 p.m. | April 13, 2024, 1:29 p.m. | 40 seconds | internet |
Analyzer log:
2024-04-13 12:42:52,062 [analyzer] DEBUG: Starting analyzer from: C:\tmp4w2pkt
2024-04-13 12:42:52,078 [analyzer] DEBUG: Pipe server name: \??\PIPE\rjPmdpaksUxIHpAOnMKH
2024-04-13 12:42:52,078 [analyzer] DEBUG: Log pipe server name: \??\PIPE\ZeFtHUkvAUxqhNziUDMd
2024-04-13 12:42:52,312 [analyzer] DEBUG: Started auxiliary module Curtain
2024-04-13 12:42:52,328 [analyzer] DEBUG: Started auxiliary module DbgView
2024-04-13 12:42:52,687 [analyzer] DEBUG: Started auxiliary module Disguise
2024-04-13 12:42:52,937 [analyzer] DEBUG: Loaded monitor into process with pid 508
2024-04-13 12:42:52,937 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2024-04-13 12:42:52,937 [analyzer] DEBUG: Started auxiliary module Human
2024-04-13 12:42:52,937 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2024-04-13 12:42:52,953 [analyzer] DEBUG: Started auxiliary module Reboot
2024-04-13 12:42:53,030 [analyzer] DEBUG: Started auxiliary module RecentFiles
2024-04-13 12:42:53,046 [analyzer] DEBUG: Started auxiliary module Screenshots
2024-04-13 12:42:53,046 [analyzer] DEBUG: Started auxiliary module Sysmon
2024-04-13 12:42:53,046 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2024-04-13 12:42:53,125 [lib.api.process] ERROR: Failed to execute process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\1fad1fd0a49b4677b6648008f8ddc8c8dc6483ee3c797e938d3637eb8b4ce3b4.exe' with arguments ['bin\\inject-x86.exe', '--app', u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\1fad1fd0a49b4677b6648008f8ddc8c8dc6483ee3c797e938d3637eb8b4ce3b4.exe', '--only-start', '--curdir', 'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp'] (Error: Command '['bin\\inject-x86.exe', '--app', u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\1fad1fd0a49b4677b6648008f8ddc8c8dc6483ee3c797e938d3637eb8b4ce3b4.exe', '--only-start', '--curdir', 'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp']' returned non-zero exit status 1)
Cuckoo log:
2024-04-13 13:28:26,108 [cuckoo.core.scheduler] INFO: Task #4663468: acquired machine win7x6423 (label=win7x6423)
2024-04-13 13:28:26,109 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.223 for task #4663468
2024-04-13 13:28:26,574 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 618767 (interface=vboxnet0, host=192.168.168.223)
2024-04-13 13:28:26,926 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6423
2024-04-13 13:28:28,188 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6423 to vmcloak
2024-04-13 13:28:39,874 [cuckoo.core.guest] INFO: Starting analysis #4663468 on guest (id=win7x6423, ip=192.168.168.223)
2024-04-13 13:28:40,879 [cuckoo.core.guest] DEBUG: win7x6423: not ready yet
2024-04-13 13:28:45,896 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6423, ip=192.168.168.223)
2024-04-13 13:28:45,979 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6423, ip=192.168.168.223, monitor=latest, size=6660546)
2024-04-13 13:28:47,279 [cuckoo.core.resultserver] DEBUG: Task #4663468: live log analysis.log initialized.
2024-04-13 13:28:48,165 [cuckoo.core.resultserver] DEBUG: Task #4663468 is sending a BSON stream
2024-04-13 13:28:49,469 [cuckoo.core.resultserver] DEBUG: Task #4663468: File upload for 'shots/0001.jpg'
2024-04-13 13:28:49,495 [cuckoo.core.resultserver] DEBUG: Task #4663468 uploaded file length: 133495
2024-04-13 13:28:49,804 [cuckoo.core.guest] WARNING: win7x6423: analysis #4663468 caught an exception
Traceback (most recent call last):
  File "C:/tmp4w2pkt/analyzer.py", line 824, in <module>
    success = analyzer.run()
  File "C:/tmp4w2pkt/analyzer.py", line 673, in run
    pids = self.package.start(self.target)
  File "C:\tmp4w2pkt\modules\packages\exe.py", line 34, in start
    return self.execute(path, args=shlex.split(args))
  File "C:\tmp4w2pkt\lib\common\abstracts.py", line 205, in execute
    "Unable to execute the initial process, analysis aborted."
CuckooPackageError: Unable to execute the initial process, analysis aborted.
2024-04-13 13:28:49,817 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2024-04-13 13:28:49,878 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2024-04-13 13:28:50,935 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6423 to path /srv/cuckoo/cwd/storage/analyses/4663468/memory.dmp
2024-04-13 13:28:50,937 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6423
2024-04-13 13:29:05,401 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.223 for task #4663468
2024-04-13 13:29:05,406 [cuckoo.core.resultserver] DEBUG: Cancel <Context for LOG> for task 4663468
2024-04-13 13:29:06,140 [cuckoo.core.scheduler] DEBUG: Released database task #4663468
2024-04-13 13:29:06,161 [cuckoo.core.scheduler] INFO: Task #4663468: analysis procedure completed
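The run above aborted before any behaviour was recorded: the analyzer started the sample through the exe package (modules\packages\exe.py, via inject-x86.exe --only-start) although the Type row identifies the file as a PE32 DLL, so the initial process could not be created and the run ended at "Unable to execute the initial process". A DLL has to be submitted with Cuckoo's dll package (rundll32) instead. The following is an added example, not code from this report or from Cuckoo, that reads the PE file header and picks the package before submission; the two sample headers are constructed inline by build_pe() and are not real binaries, and the file(1)-style description it prints is modelled on the report's Type row.

```python
"""Choose the Cuckoo package (exe vs dll) from the PE file header.

Added example; not part of the original report or of Cuckoo itself.
Cuckoo's "exe" package launches the sample as a process, which fails for
a DLL; a DLL must go through the "dll" package. The sample images below
are constructed header-only blobs, not real executables.
"""
import struct
import sys

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x14C: "Intel 80386", 0x8664: "x86-64", 0xAA64: "Aarch64"}
SUBSYSTEM_NAMES = {2: "GUI", 3: "console"}


def parse_pe(data: bytes) -> dict:
    """Read the header fields that decide how a PE image can be launched."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the signature: Machine, NumberOfSections,
    # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics.
    machine, _, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 70 or len(data) < opt + 70:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B PE32, 0x20B PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in both formats
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "subsystem": subsystem,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "characteristics": chars,
    }


def describe(info: dict) -> str:
    """Render the header in the style of file(1), as on the report's Type row."""
    fmt = "PE32+" if info["pe32plus"] else "PE32"
    kind = "(DLL) " if info["is_dll"] else ""
    sub = SUBSYSTEM_NAMES.get(info["subsystem"], "subsystem %d" % info["subsystem"])
    arch = MACHINE_NAMES.get(info["machine"], "machine 0x%x" % info["machine"])
    return "%s executable %s(%s) %s, for MS Windows" % (fmt, kind, sub, arch)


def cuckoo_package(info: dict) -> str:
    """Cuckoo package name: a DLL cannot be started as a process."""
    return "dll" if info["is_dll"] else "exe"


def build_pe(machine: int, characteristics: int, subsystem: int,
             pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image for testing; it contains no code."""
    opt_size = 0xF0 if pe32plus else 0xE0
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header at 0x40
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


# Constructed stand-ins: a 32-bit GUI DLL matching the report's Type row,
# and a 64-bit console EXE for contrast.
SAMPLE_DLL = build_pe(0x14C, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL, 2)
SAMPLE_EXE = build_pe(0x8664, IMAGE_FILE_EXECUTABLE_IMAGE, 3, pe32plus=True)


def triage(data: bytes) -> tuple:
    """Return (file(1)-style description, Cuckoo package) for one image."""
    info = parse_pe(data)
    return describe(info), cuckoo_package(info)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DLL
    desc, package = triage(blob)
    print(desc)
    print("Cuckoo package:", package)
```

Run it on the real file before submitting; for the sample described by this report it reports the DLL flag and selects the dll package, which is the check that would have prevented the aborted run.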
Yara rule matches. These are static rules evaluated over the file contents; because the dynamic run aborted before the sample executed, nothing below reflects observed behaviour.

Rule | Description |
---|---|
CrowdStrike_CSIT_13052_01 | COMMENT PANDA RAT |
network_http | Communications over HTTP |
network_dropper | File downloader/dropper |
win_registry | Affect system registries |
win_token | Affect system token |
win_files_operation | Affect private profile |
packer | Armadillo v1.xx - v2.xx |
Engine | Result |
---|---|
G Data Antivirus (Windows) | Virus: Generic.Dacic.FF6D009F.A.D9B35A97 (Engine A) |
Avast Core Security (Linux) | Win32:Trojan-gen |
C4S ClamAV (Linux) | Win.Trojan.Agent-474351 |
F-Secure Antivirus (Linux) | Trojan.TR/Spy.Gen [Aquarius] |
Windows Defender (Windows) | Backdoor:Win32/Likseput.B |
Microsoft Defender ATP (Linux) | Backdoor:Win32/Likseput.B |
Sophos Anti-Virus (Linux) | Mal/Generic-S |
eScan Antivirus (Linux) | Generic.Dacic.FF6D009F.A.D9B35A97(DB) |
ESET Security (Windows) | a variant of Win32/Agent.OIG trojan |
McAfee CLI scanner (Linux) | BackDoor-FALR |
DrWeb Antivirus (Linux) | Trojan.DownLoad3.30917 |
ClamAV (Linux) | Win.Trojan.Agent-474351 |
Bitdefender Antivirus (Linux) | Generic.Dacic.FF6D009F.A.D9B35A97 |
Kaspersky Standard (Windows) | Backdoor.Win32.Likseput.f |
Engine | Result |
---|---|
Lionic | Trojan.Win32.Dacic.m!c |
Cynet | Malicious (score: 100) |
Skyhigh | BehavesLike.Win32.Injector.lh |
ALYac | Generic.Dacic.FF6D009F.A.D9B35A97 |
Cylance | unsafe |
VIPRE | Generic.Dacic.FF6D009F.A.D9B35A97 |
Sangfor | Suspicious.Win32.Save.ins |
CrowdStrike | win/malicious_confidence_100% (W) |
BitDefender | Generic.Dacic.FF6D009F.A.D9B35A97 |
K7GW | Trojan ( 0055e3dd1 ) |
K7AntiVirus | Trojan ( 0055e3dd1 ) |
Arcabit | Generic.Dacic.FF6D009F.A.D9B35A97 |
VirIT | Trojan.Win32.Generic.JNG |
Symantec | Backdoor.Trojan |
Elastic | malicious (high confidence) |
ESET-NOD32 | a variant of Win32/Agent.OIG |
McAfee | BackDoor-FALR!3FB8F4CDCB4D |
Avast | Win32:Trojan-gen |
ClamAV | Win.Trojan.Agent-474351 |
Kaspersky | Backdoor.Win32.Likseput.f |
Alibaba | Backdoor:Win32/Likseput.afb1173f |
NANO-Antivirus | Trojan.Win32.Agent.cuclw |
MicroWorld-eScan | Generic.Dacic.FF6D009F.A.D9B35A97 |
Rising | Backdoor.Likseput!8.10FC (TFE:5:KHdS5UKR64Q) |
Emsisoft | Generic.Dacic.FF6D009F.A.D9B35A97 (B) |
F-Secure | Trojan.TR/Spy.Gen |
DrWeb | Trojan.DownLoad3.30917 |
Zillya | Trojan.Agent.Win32.157776 |
TrendMicro | TROJ_GEN.R06CC0CBQ24 |
FireEye | Generic.mg.3fb8f4cdcb4d1d48 |
Sophos | Mal/Generic-S |
Ikarus | Trojan.Win32.Agent |
Jiangmin | TrojanDownloader.Agent.cmik |
Detected | |
Avira | TR/Spy.Gen |
MAX | malware (ai score=100) |
Antiy-AVL | Trojan[Downloader]/Win32.Agent |
Kingsoft | malware.kb.a.1000 |
Xcitium | TrojWare.Win32.Downloader.Agent.eqre@4pwfzp |
Microsoft | Backdoor:Win32/Likseput.B |
ViRobot | Trojan.Win32.Z.Agent.18432.TA |
ZoneAlarm | Backdoor.Win32.Likseput.f |
GData | Generic.Dacic.FF6D009F.A.D9B35A97 |
Varist | W32/Agent.CFQ.gen!Eldorado |
AhnLab-V3 | Trojan/Win32.HDC.C106742 |
BitDefenderTheta | Gen:NN.ZedlaF.36802.bu8@ai77Scki |
TACHYON | Trojan/W32.Small.18432.EE |
DeepInstinct | MALICIOUS |
VBA32 | TrojanDownloader.Agent |
Panda | Trj/Genetic.gen |