valkyrie logo
valkyrie logo
  • Download Threat Hunter Assessment Tool
DASHBOARD
  • Unknown File Hunter Scans
STATISTICS
SETTINGS
  • Summary
  • Static Analysis
  • Dynamic Analysis
  • Precise Detectors
  • Human Expert Analysis
  • File Details
Analyzing...
File Name:   Servidor.exe
SHA1:   96ee36b80ad6918ccd1e5568ab9522c27cdeced7
MD5:   1ba88acd9206b22b8b55e903f86db7b6
First Seen Date:  2024-11-24 15:41:49.121276 ( 2024-11-24 15:41:49.121276 )
Number of Clients Seen:   2
Last Analysis Date:  2024-11-25 07:17:01.412483 ( 2024-11-25 07:17:01.412483 )
Human Expert Analysis Date:  2024-11-25 07:17:00.158457 ( 2024-11-25 07:17:00.158457 )
Human Expert Analysis Result:   Malware

Analysis Summary

Analysis Type Date Verdict
Signature Based Detection 2024-11-24 16:04:30.383658 Malware
Static Analysis Overall Verdict 2024-11-25 07:17:01.412483 No Threat Found help
Dynamic Analysis Overall Verdict 2024-11-25 07:17:01.412483 Highly Suspicious
Precise Detectors Overall Verdict 2024-11-25 07:17:01.412483 No Match help
Human Expert Analysis Overall Verdict 2024-11-25 07:17:00.158457 Malware

Static Analysis

Static Analysis Overall Verdict Result
No Threat Found help
Detector Result
Optional Header LoaderFlags field is valued illegal Clean
Non-ascii or empty section names detected Clean
Illegal size of optional Header Clean
Packer detection on signature database Unknown help
Based on the sections entropy check! file is possibly packed Clean
Timestamp value suspicious Clean
Header Checksum is zero! Suspicious
Enrty point is outside the 1st(.code) section! Binary is possibly packed Clean
Optional Header NumberOfRvaAndSizes field is valued illegal Clean
Anti-vm present Clean
The Size Of Raw data is valued illegal! Binary might crash your disassembler/debugger Clean
TLS callback functions array detected Clean

Packer detection on signature database

Microsoft Visual C# / Basic .NET

.NET executable

Dynamic Analysis

Dynamic Analysis Overall Verdict Result
Highly Suspicious
Suspicious Behaviors
Creates a child process
Writes to address space of another process
Uses a function clandestinely
Reads memory of another process
Opens a file in a system directory
Has no visible windows

Servidor.exe tried to connect to some addresses pinned on the map below (click pins for more details):

Behavioral Information

LoadLibrary

ADVAPI32.dll

SHLWAPI.dll

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll

mscoree.dll

ntdll

advapi32.dll

shell32.dll

C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ole32.dll

ole32.dll

kernel32.dll

AdvApi32.dll

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll

C:\Windows\assembly\NativeImages_v2.0.50727_32\System\908ba9e296e92b4e14bdc2437edac603\System.ni.dll

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\12dc10e5c0e8d176cf21a16a6fc5fc3b\Microsoft.VisualBasic.ni.dll

C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5a401fd2a7689ff13fb54182953f9c40\System.Drawing.ni.dll

C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\6949c4470a81970ec3de0a575d93babc\System.Windows.Forms.ni.dll

shfolder.dll

kernel32

Secur32.dll

API-MS-WIN-DOWNLEVEL-SHLWAPI-L1-1-0.DLL

SHELL32.dll

api-ms-win-downlevel-advapi32-l2-1-0.dll

OLEAUT32.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

API-MS-Win-Security-LSALookup-L1-1-0.dll

CRYPTBASE.dll

LowerChar

file

CreateProcess

netsh firewall add allowedprogram "C:\Users\win7\Desktop\server.exe" "server.exe" ENABLE

"C:\Users\win7\Desktop\server.exe"

ReadFile

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config

DeleteFile

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.1660.1240093

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.1660.1240093

C:\Users\win7\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1660.1240093

OpenMutex

Global\CLR_CASOFF_MUTEX

CreateMutex

<NULL>

Local\ZonesCacheCounterMutex

Local\ZonesLockedCacheCounterMutex

QueryFilePath

C:\Windows\SYSTEM32\MSCOREE.DLL

C:\Users\win7\Desktop\server.exe

C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll

C:\Servidor.exe

OpenRegistryKey

\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\M

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32

\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Micro

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index1c2

\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFra

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default

\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets

\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings

\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet

\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework

\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NE

\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

QueryProcessAddress

CreateProcess

CreateProcessW

CreateRegistryKey

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default

Precise Detectors Analysis Results

Detector Name Date Verdict Reason
Static Precise PUA Detector 1 2024-11-24 15:41:45.888157 No Match help NotDetected
Static Precise PUA Detector 4 2024-11-24 15:41:45.911479 No Match help NotDetected
Static Precise NI Detector 3 2024-11-24 15:41:46.008417 No Match help NotDetected
Static Precise PUA Detector 5 2024-11-24 15:41:46.056714 No Match help NotDetected
Static Precise Trojan Detector 1 2024-11-24 15:41:46.069178 No Match help NotDetected
Static Precise Trojan Detector 3 2024-11-24 15:41:46.065178 No Match help NotDetected
Static Precise PUA Detector 6 2024-11-24 15:41:46.117267 No Match help NotDetected
Static Precise Trojan Detector 12 2024-11-24 15:41:46.146572 No Match help NotDetected
Static Precise Virus Detector 1 2024-11-24 15:41:46.192637 No Match help NotDetected
Static Precise Virus Detector 2 2024-11-24 15:41:46.220795 No Match help NotDetected
Static Precise Trojan Detector 13 2024-11-24 15:41:46.242577 No Match help NotDetected
Static Precise PUA Detector 2 2024-11-24 15:41:46.228295 No Match help NotDetected

Advance Heuristics

No Advanced Heuristic Analysis Result Received

Detector Result

Human Expert Analysis Results

Analysis Start Date:   2024-11-25 05:49:35.106853 ( 2024-11-25 05:49:35.106853 )
Analysis End Date:  2024-11-25 07:17:00.158457 ( 2024-11-25 07:17:00.158457 )
File Upload Date:  2024-11-24 15:41:38.144037 ( 2024-11-24 15:41:38.144037 )
Update Date:  2024-11-25 07:17:01.068902 ( 2024-11-25 07:17:01.068902 )
Human Expert Analyst Feedback:  
Verdict:   Malware
Malware Family:  
Malware Type:   Worm

Additional File Information

Vendor Validation

Certificate Validation

PE Headers

Property Value

File Paths

File Path on Client Seen Count
Servidor.exe 1

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy MD5

PE Imports

PE Exports

PE Resources

© Verdict Cloud, Xcitium, Inc. 2025. All rights reserved. v1.49.0-72-ENT
 
 
 
 
Loading...