5f076e8fcf6ed495_Filesample.dll

MD5 Hash: 009b3e698de7eee86110877722c76369
SHA256 Hash: 5f076e8fcf6ed495931b8eb2ff92c9e7958eb10b7bc57b44b4d689514532786c
File size: 189340 bytes (185 KB)
Last analysis: 06 Nov, 2019 00:11:53

Analysis MD5: 009b3e698de7eee86110877722c76369

Analysis of the file classifies it as class F (Malicious). The file is malicious; do not use it. The trust index of this analysis is 100 % (certain).


Description

Filename: 5f076e8fcf6ed495_Filesample.dll (Trojan:Win32/Wisdomeyes.FM)
Threat analysis: Malicious
Analysis trust: 100%
Recent activity:
First seen: 06 Mar, 2018
Last seen: 02 Apr, 2018
Last analysis: 06 Nov, 2019
Possible infection: Trojan:Win32/Wisdomeyes.FM

5f076e8fcf6ed495_Filesample.dll Trojan:Win32/Wisdomeyes.FM

Application: Trojan:Win32/Wisdomeyes.FM
Developer: Unknown
Stability: 75%
File version: 0.0.0.0
File size: 189340 bytes (185 KB)
Recent activity:
Historic activity:
CRC32 hash: 3c59136c
MD5 hash: 009b3e698de7eee86110877722c76369
SHA1 hash: ef569b68258923773724480101f991bb8fea8a2f
SHA256 hash: 5f076e8fcf6ed495931b8eb2ff92c9e7958eb10b7bc57b44b4d689514532786c

File entropy

File entropy match: Encrypted

Parts of this file are encrypted. The reasons might be benign but it makes the analysis more difficult.

[Entropy chart over the whole file (0 b. to 189340 b.); legend: Plain Data, Text, Code, Compressed, Encrypted, Random]

File signature

Dynamic Link Library

Dynamic-link library, or DLL, is Microsoft's implementation of the shared library concept in the Microsoft Windows and OS/2 operating systems.

File header (first 32 bytes of this file)

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00

The file type is determined from a signature, also called magic numbers: files are identified by comparing the first bytes of the file header against known signatures. With this method file types are recognised regardless of the extension used, which is useful, for example, to recognise executable files disguised as images or movies. The header above starts with 4D 5A ("MZ"), the signature of a Windows executable.


Malicious code scan

No malicious code found

Agics performs an analysis of the code of the file and compares it with known malicious code. This is a good way to detect new malicious files which are in fact variations of existing, known malicious files.

Scan results: 0 %

Fuzzy hash a.k.a. Context Triggered Piecewise Hashing

SSDEEP

Context Triggered Piecewise Hashing, also called fuzzy hashing, can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although the bytes in between these sequences may differ in both content and length. Comparing fuzzy hashes is a good way to detect morphing malware, i.e. malware that includes random code in every copy to change its properties. Agics uses ssdeep to create the fuzzy hash.

SSDEEP: 3072:HxIBtQnE7OhssdWJ5jy392aCmCbBq/XIbeYql7ccXgqKVMuxCbE451y:Mqvhssdu5jyYaCmCQ/XI8ycXg3V5CIh

Match found (58% match):

SHA256: b6c800efae36575a01c6b5cb918b3c0f8659954e537c40ccecdab3b5498f5153
SSDEEP: 3072:HGIBtQnE7OhssdWJ5jy392aCmCbBqT/6BKHt/Sbrs4YXTbwYHGnJ/mZNtg9N8OV3:Hqvhssdu5jyYaCmCQT6Bgwr+DsYm4/yl


Online virus scanners

Detection ratio: 84 %

VirusShare.com

Available on virusshare.com

VirusShare.com is a repository of malware samples that gives security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of live malicious code. Presence of the sample on this site indicates that the file is, or was once considered, malicious.
Website: virusshare.com

National Software Reference Library

Not on the NSRL list

The NSRL contains a collection of digital signatures of known, traceable software applications. The hash set also contains hash values of applications which may be considered malicious, e.g. steganography tools and hacking scripts, so absence from the list is not by itself a sign of malice.
Website: www.nsrl.nist.gov


Behaviour

Sandbox behaviour analysis:

The file is executed in a safe environment to track its behaviour. Behaviour analysis can help detect new malware which is not yet recognized by virus scanners. However, it has a high chance of false positives, especially with installers, uninstallers and virus scanners.

Detects Avast Antivirus through the presence of a library

Creates and runs a batch file to remove the original binary

The file dropped a dangerous file

Detects the presence of Wine emulator

Yara hit: Advapi_Hash_API - Looks for advapi API functions

Repeatedly searches for a not-found process.

Yara hit: CRC32_poly_Constant - Look for CRC32 [poly]

Checks for the presence of known windows from debuggers and forensic tools

Creates a suspicious process

One or more processes crashed

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Executed a process and injected code into it, probably while unpacking

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available

Allocates read-write-execute memory (usually to unpack itself)

Performs some HTTP requests

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)

Network activity

Connects to safe servers

Host not responding
Host            Port   Status
51.143.22.239   80     Dead

TCP
Host            Port
52.109.88.34    49176
52.109.88.38    49174

DNS
Domain                 Result          Record type
watson.microsoft.com   51.143.22.239   A

Dropped files


Import hashing

Imphash 65e9607e6f28a7852bb41a6e2e439a92

Files can be fingerprinted in various ways. One way is to hash the PE import table. PE imports are relatively unique, which makes this a good way to find new variants of existing malware, although the chance of false positives is relatively high. The resulting hash is commonly called an imphash.

98% match

Statistical analysis

Statistical analysis of the file

Similar to other files with the same name
File version is 0.0.0.0
The certificate cannot be determined
This is a very common file

Neural network analysis

Analysis: Malicious

A neural network is a type of artificial intelligence. It recognizes patterns that are not evident to a human viewer. Our neural network is surprisingly accurate in recognizing dangerous files. The value below is the predicted probability that the file is malicious.

96 %

User feedback


There has been no user feedback provided yet.