Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'crc32.exe

malicious

Threat Score: 19/100 AV Detection: 2% Labeled as: Trojan/TSGeneric

crc32.exe_zlyp1x8u

This report is generated from a file or URL submitted to this webservice on April 18th 2017 01:57:50 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v6.30 © Hybrid Analysis

Overview Sample unavailable Re-analyze Hash Seen Before Show Similar Samples Report False-Positive Request Report Deletion

Incident Response

Risk Assessment

Remote Access: Reads terminal service related keys (often RDP related)

Additional Context

Related Sandbox Artifacts

Associated SHA256s: 9fa7f73dd72eb1d44cb3ca00ef461d69cbb32a3f068b2a424db91bad0727edeb
8bf58e659377815be37e4fbca2fef58584c72ab2829033bf813936871b301c8c

Indicators

Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

Malicious Indicators 2
External Systems
- Sample was identified as malicious by at least one Antivirus engine
  
  details
  
  3/61 Antivirus vendors marked sample as malicious (4% detection rate)
  
  source
  
  External System
  
  relevance
  
  8/10
General
- The analysis spawned a process that was identified as malicious
  
  details
  
  3/84 Antivirus vendors marked spawned process "<Input Sample>" (PID: 2088) as malicious (classified as "Suspicious_GEN.F47V0222" with 3% detection rate)
  
  source
  
  Monitored Target
  
  relevance
  
  10/10

Suspicious Indicators 2
Remote Access Related
- Reads terminal service related keys (often RDP related)
  
  details
  
  "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
Unusual Characteristics
- Timestamp in PE header is very old or in the future
  
  details
  
  "5ABC.tmp.rar.exe.bin" claims program is from Thu Jan 1 00:00:00 1970
  
  source
  
  Static Parser
  
  relevance
  
  10/10

Informative 1
External Systems
- Sample was identified as clean by Antivirus engines
  
  details
  
  0/40 Antivirus vendors marked sample as malicious (0% detection rate)
  
  source
  
  External System
  
  relevance
  
  10/10

File Details

All Details:

crc32.exe_zlyp1x8u

Filename: crc32.exe_zlyp1x8u
Size: 3KiB (3072 bytes)
Type: peexe executable
Description: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Architecture
: WINDOWS
SHA256
: d9c72a8ceccb6d73dad98ef44495738286286e85102e033fe7f09069bc02fba2
MD5
: 682ac7bb084c88e73d628cdf57dff336
SHA1
: 652fb5d2fd9467f1ebf5bb3ba7a5daee87b62e0f
ssdeep
: 48:6AIf4mpNzwUl7HXInvTAaPMXLZFFuGY8bSgDg+q4:QrpX+TMNF4mpDg+q4
imphash
: c62e7d95805a40859204937c35ee3c22
authentihash
: 3d4098cb3521f51fc5c40a00b10dd351097f9d25ddb2bab8c5f95a2b402ad5da
PDB Pathway

Resources

Icon

Visualization

Input File (PortEx)

File Sections

Details	Name	Entropy	Virtual Address	Virtual Size	Raw Size	MD5	Characteristics
Name .text Entropy 4.91289689444 Virtual Address 0x1000 Virtual Size 0x3e0 Raw Size 0x400 MD5 ef638336a03e54857a3d495ad071871f	.text	4.91289689444	0x1000	0x3e0	0x400	ef638336a03e54857a3d495ad071871f	-
Name .data Entropy 6.85389623233 Virtual Address 0x2000 Virtual Size 0x570 Raw Size 0x600 MD5 06a875b5fdcf84e5930acdce93de71ed	.data	6.85389623233	0x2000	0x570	0x600	06a875b5fdcf84e5930acdce93de71ed	-

File Imports

msvcrt.dll

__getmainargs

__set_app_type

_controlfp

_iob

exit

fclose

ferror

fopen

fprintf

fread

printf

Screenshots

Loading content, please wait...

Hybrid Analysis

Tip: Click an analysed process below to view more details.

Analysed 1 process in total (System Resource Monitor).

5ABC.tmp.rar.exe (PID: 2088) 3/84

Logged Script Calls	Logged Stdout	Extracted Streams	Memory Dumps
Reduced Monitoring	Network Activityy	Network Error	Multiscan Match

Network Analysis

DNS Requests

No relevant DNS requests were made.

Contacted Hosts

No relevant hosts were contacted.

HTTP Traffic

No relevant HTTP requests were made.

Extracted Strings

Download All Memory Strings (483B)

!This program cannot be run in DOS mode.$

Ansi based on Memory/File Scan (5ABC.tmp.rar.exe.bin)

\RPC Control\console-0x000008B0-lpc-handle

Unicode based on Runtime Data (5ABC.tmp.rar.exe )

\Sessions\1\Windows\ApiPort

Unicode based on Runtime Data (5ABC.tmp.rar.exe )

__getmainargs

Ansi based on Memory/File Scan (5ABC.tmp.rar.exe.bin)

__set_app_type

Ansi based on Memory/File Scan (5ABC.tmp.rar.exe.bin)

_controlfp

Ansi based on Memory/File Scan (5ABC.tmp.rar.exe.bin)

CWDIllegalInDLLSearch

Unicode based on Runtime Data (5ABC.tmp.rar.exe )

DisableUserModeCallbackFilter

Unicode based on Runtime Data (5ABC.tmp.rar.exe )

error closing file "%s"!

Ansi based on Memory/File Scan (5ABC.tmp.rar.exe.bin)

error opening file "%s"!

Ansi based on Memory/File Scan (5ABC.tmp.rar.exe.bin)

error reading file

Ansi based on Memory/File Scan (5ABC.tmp.rar.exe.bin)

msvcrt.dll

Ansi based on Memory/File Scan (5ABC.tmp.rar.exe.bin)

TransparentEnabled

Unicode based on Runtime Data (5ABC.tmp.rar.exe )

TSAppCompat

Unicode based on Runtime Data (5ABC.tmp.rar.exe )

TSUserEnabled

Unicode based on Runtime Data (5ABC.tmp.rar.exe )

\RPC Control\console-0x000008B0-lpc-handle

Unicode based on Runtime Data (5ABC.tmp.rar.exe )

\Sessions\1\Windows\ApiPort

Unicode based on Runtime Data (5ABC.tmp.rar.exe )

__getmainargs

Ansi based on Memory/File Scan (5ABC.tmp.rar.exe.bin)

error closing file "%s"!

Ansi based on Memory/File Scan (5ABC.tmp.rar.exe.bin)

error opening file "%s"!

Ansi based on Memory/File Scan (5ABC.tmp.rar.exe.bin)

error reading file

Ansi based on Memory/File Scan (5ABC.tmp.rar.exe.bin)

TSAppCompat

Unicode based on Runtime Data (5ABC.tmp.rar.exe )

!This program cannot be run in DOS mode.$

Ansi based on Memory/File Scan (5ABC.tmp.rar.exe.bin)

__getmainargs

Ansi based on Memory/File Scan (5ABC.tmp.rar.exe.bin)

__set_app_type

Ansi based on Memory/File Scan (5ABC.tmp.rar.exe.bin)

_controlfp

Ansi based on Memory/File Scan (5ABC.tmp.rar.exe.bin)

error closing file "%s"!

Ansi based on Memory/File Scan (5ABC.tmp.rar.exe.bin)

error opening file "%s"!

Ansi based on Memory/File Scan (5ABC.tmp.rar.exe.bin)

error reading file

Ansi based on Memory/File Scan (5ABC.tmp.rar.exe.bin)

msvcrt.dll

Ansi based on Memory/File Scan (5ABC.tmp.rar.exe.bin)

\RPC Control\console-0x000008B0-lpc-handle

Unicode based on Runtime Data (5ABC.tmp.rar.exe )

\Sessions\1\Windows\ApiPort

Unicode based on Runtime Data (5ABC.tmp.rar.exe )

CWDIllegalInDLLSearch

Unicode based on Runtime Data (5ABC.tmp.rar.exe )

DisableUserModeCallbackFilter

Unicode based on Runtime Data (5ABC.tmp.rar.exe )

TransparentEnabled

Unicode based on Runtime Data (5ABC.tmp.rar.exe )

TSAppCompat

Unicode based on Runtime Data (5ABC.tmp.rar.exe )

TSUserEnabled

Unicode based on Runtime Data (5ABC.tmp.rar.exe )

Extracted Files

No significant files were extracted.

Notifications

Runtime

A process crash was detected during the runtime analysis

Community

Anonymous commented 1 year ago updated

Anti Virus alerted that it found this in AppData Temp on Windows 7. Clean install and updates.

You must be logged in to submit a comment.

crc32.exe_zlyp1x8u

Incident Response

Risk Assessment

Additional Context

Related Sandbox Artifacts

Indicators

Malicious Indicators 2

Suspicious Indicators 2

Informative 1

File Details

crc32.exe_zlyp1x8u

Resources

Visualization

File Sections

File Imports

Screenshots

System Resource Monitor

Hybrid Analysis

Network Analysis

DNS Requests

Contacted Hosts

HTTP Traffic

Extracted Strings

Extracted Files

Notifications

Runtime

Community

Anonymous commented 1 year ago updated

Latest News

Vetting required

Request Report Deletion

Link