File name: | xvirus-setup.exe |
Full analysis: | https://app.any.run/tasks/31b04fcf-16b8-41ec-b07e-0d487740d6bc |
Verdict: | Malicious activity |
Analysis date: | October 13, 2019, 23:33:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | EE826A11EEC5F15201AA12168AB8F6B1 |
SHA1: | DE92D7E6C70439E283801A592FF200EAE0CA781F |
SHA256: | C0E2E1E4D71C468132BAB2CB332F3BF7B16AAA2A032E47CA88065E05FF7E2724 |
SSDEEP: | 24576:opoqmGUNhs+VxEB8dwyGrI2SsMOaCNBOU6J0RyVHihL:19GUyBk2SsMO9B5l |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (35.6) |
---|---|---|
.exe | | | InstallShield setup (20.9) |
.exe | | | Win32 Executable MS Visual C++ (generic) (15.1) |
.exe | | | Win64 Executable (generic) (13.4) |
.scr | | | Windows screen saver (6.3) |
AssemblyVersion: | 7.0.5.0 |
---|---|
ProductVersion: | 7.0.5.0 |
ProductName: | Xvirus Installer |
OriginalFileName: | Xvirus Installer.exe |
LegalTrademarks: | Xvirus |
LegalCopyright: | Copyright © Xvirus 2017 |
InternalName: | Xvirus Installer.exe |
FileVersion: | 7.0.5.0 |
FileDescription: | Xvirus Anti-Malware Installer |
CompanyName: | Xvirus |
Comments: | Xvirus Installer |
CharacterSet: | Unicode |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 7.0.5.0 |
FileVersionNumber: | 7.0.5.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 6 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x2d13fe |
UninitializedDataSize: | - |
InitializedDataSize: | 37376 |
CodeSize: | 2946560 |
LinkerVersion: | 11 |
PEType: | PE32 |
TimeStamp: | 2017:06:04 17:32:30+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 04-Jun-2017 15:32:30 |
Comments: | Xvirus Installer |
CompanyName: | Xvirus |
FileDescription: | Xvirus Anti-Malware Installer |
FileVersion: | 7.0.5.0 |
InternalName: | Xvirus Installer.exe |
LegalCopyright: | Copyright © Xvirus 2017 |
LegalTrademarks: | Xvirus |
OriginalFilename: | Xvirus Installer.exe |
ProductName: | Xvirus Installer |
ProductVersion: | 7.0.5.0 |
Assembly Version: | 7.0.5.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 4 |
Time date stamp: | 04-Jun-2017 15:32:30 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x002CF404 | 0x002CF600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.66269 |
.sdata | 0x002D2000 | 0x00000138 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.673107 |
.rsrc | 0x002D4000 | 0x00008DC8 | 0x00008E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.08004 |
.reloc | 0x002DE000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.0815394 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.04075 | 2861 | UNKNOWN | UNKNOWN | RT_MANIFEST |
2 | 2.78667 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |
3 | 2.35678 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
4 | 2.54287 | 9640 | UNKNOWN | UNKNOWN | RT_ICON |
5 | 2.08832 | 16936 | UNKNOWN | UNKNOWN | RT_ICON |
32512 | 2.68598 | 62 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
940 | "C:\Users\admin\AppData\Local\Temp\xvirus-setup.exe" | C:\Users\admin\AppData\Local\Temp\xvirus-setup.exe | — | explorer.exe |
User: admin Company: Xvirus Integrity Level: MEDIUM Description: Xvirus Anti-Malware Installer Exit code: 3221226540 Version: 7.0.5.0 | ||||
2916 | "C:\Users\admin\AppData\Local\Temp\xvirus-setup.exe" | C:\Users\admin\AppData\Local\Temp\xvirus-setup.exe | explorer.exe | |
User: admin Company: Xvirus Integrity Level: HIGH Description: Xvirus Anti-Malware Installer Exit code: 0 Version: 7.0.5.0 | ||||
2356 | "C:\Program Files\Xvirus Anti-Malware\Xvirus Anti-Malware.exe" | C:\Program Files\Xvirus Anti-Malware\Xvirus Anti-Malware.exe | xvirus-setup.exe | |
User: admin Company: Xvirus Integrity Level: HIGH Description: Xvirus Anti-Malware Version: 7.0.5.0 | ||||
3856 | SchTasks /Create /F /XML "C:\xvirus\startup.xml" /TN "Xvirus startup" | C:\Windows\system32\SchTasks.exe | — | Xvirus Anti-Malware.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2916) xvirus-setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Xvirus Anti-Malware |
Operation: | write | Name: | Contact |
Value: | |||
(PID) Process: | (2916) xvirus-setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Xvirus Anti-Malware |
Operation: | write | Name: | DisplayIcon |
Value: C:\Program Files\Xvirus Anti-Malware\Unin.exe,0 | |||
(PID) Process: | (2916) xvirus-setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Xvirus Anti-Malware |
Operation: | write | Name: | DisplayName |
Value: Xvirus Anti-Malware | |||
(PID) Process: | (2916) xvirus-setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Xvirus Anti-Malware |
Operation: | write | Name: | DisplayVersion |
Value: 7.0.5.0 | |||
(PID) Process: | (2916) xvirus-setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Xvirus Anti-Malware |
Operation: | write | Name: | HelpLink |
Value: http://www.xvirus.net | |||
(PID) Process: | (2916) xvirus-setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Xvirus Anti-Malware |
Operation: | write | Name: | Publisher |
Value: Xvirus | |||
(PID) Process: | (2916) xvirus-setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Xvirus Anti-Malware |
Operation: | write | Name: | URLInfoAbout |
Value: http://www.xvirus.net | |||
(PID) Process: | (2916) xvirus-setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Xvirus Anti-Malware |
Operation: | write | Name: | UninstallString |
Value: C:\Program Files\Xvirus Anti-Malware\Unin.exe | |||
(PID) Process: | (2916) xvirus-setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2916) xvirus-setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2916 | xvirus-setup.exe | C:\Program Files\Xvirus Anti-Malware\shellfile.exe | executable | |
MD5:D291CD2D33AD06E8A85C8539DC8BF08B | SHA256:0E520551C75B61FC9B25CEB55B81D78D3A0A906491FE1A2EE8CE1B8B877D755D | |||
2916 | xvirus-setup.exe | C:\Program Files\Xvirus Anti-Malware\shellfolder.exe | executable | |
MD5:EE7B8FC1EBD5EB794FB034DC5E6B41B0 | SHA256:840C63C719009A7E5F19903B1416555E0F698345840948E7023BADC691BE67F2 | |||
2916 | xvirus-setup.exe | C:\Program Files\Xvirus Anti-Malware\language\Estonian (Eesti).lng | text | |
MD5:FF5807B4FF9415DEB120AE8C146B25BB | SHA256:08B43342C17013B28F0EB760CB6887D5474E5F54B5FA8A47CEDF7AF9ED296714 | |||
2916 | xvirus-setup.exe | C:\Program Files\Xvirus Anti-Malware\language\Polish (polski).lng | text | |
MD5:5CBA159EA3F7E1B54BC43BA68D32F1B3 | SHA256:3293CC31440C634FC3CD2358A6133A9294FDE79F7512DBE94F2A8C96EE250C35 | |||
2916 | xvirus-setup.exe | C:\Program Files\Xvirus Anti-Malware\VoodooAi.dll | executable | |
MD5:932245B4C89AFFE71E684A859DE72587 | SHA256:B2F25716AAA37FA7454A0CDA7DD73BE80C1EEC179D94DC8CC0EE50AA56D41D58 | |||
2916 | xvirus-setup.exe | C:\Program Files\Xvirus Anti-Malware\xvirusstart.exe | executable | |
MD5:3BD1D71482C05A466AD251F2A51E1734 | SHA256:2907720A31FAF7BACFC571E60A39B32D52609C81800675CB9FEC9DD5BF56FBDE | |||
2916 | xvirus-setup.exe | C:\Program Files\Xvirus Anti-Malware\Xvirus Anti-Malware.exe | executable | |
MD5:C2860B112891395493D548EB362A4619 | SHA256:6D4D5525E6CB7626CF689698C14E9284C32FF15AF23DD3AE332CCF87C2BAA998 | |||
2916 | xvirus-setup.exe | C:\Program Files\Xvirus Anti-Malware\database\whitelist.xdb | text | |
MD5:F45A7438E0546268FD78FC24766635D2 | SHA256:FEBC534E8E9EBC8F0522354C4CA059562E0627D251AB47093B8BAFB4EE3857A7 | |||
2916 | xvirus-setup.exe | C:\Program Files\Xvirus Anti-Malware\Features.dll | executable | |
MD5:AC02D28A8E9BA8376758C0C8B87819B9 | SHA256:08730788D074BAD92E1795BF78E3023F67C398387C208D111EF3F273DB81F86E | |||
2916 | xvirus-setup.exe | C:\Program Files\Xvirus Anti-Malware\language\Indonesian (Bahasa Indonesia).lng | text | |
MD5:A244D94E495EC138BCCECDF06FD6B797 | SHA256:E7D2772057FD980734CCC32B77C63F1BC12A55E522BC142FD8E18F07A94F1DB8 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2356 | Xvirus Anti-Malware.exe | GET | 200 | 193.70.91.28:80 | http://cloud.xvirus.net/database/maindb.txt | FR | text | 5 b | suspicious |
2356 | Xvirus Anti-Malware.exe | GET | 200 | 193.70.91.28:80 | http://cloud.xvirus.net/database/heurdb.txt | FR | text | 3 b | suspicious |
2356 | Xvirus Anti-Malware.exe | GET | 200 | 193.70.91.28:80 | http://cloud.xvirus.net/database/dailywv.txt | FR | text | 2 b | suspicious |
2356 | Xvirus Anti-Malware.exe | GET | 200 | 193.70.91.28:80 | http://cloud.xvirus.net/database/compv.txt | FR | binary | 1 b | suspicious |
2356 | Xvirus Anti-Malware.exe | GET | — | 193.70.91.28:80 | http://cloud.xvirus.net/database/heurlist.txt | FR | — | — | suspicious |
2356 | Xvirus Anti-Malware.exe | GET | — | 193.70.91.28:80 | http://cloud.xvirus.net/database/whitelist.txt | FR | — | — | suspicious |
2356 | Xvirus Anti-Malware.exe | GET | — | 193.70.91.28:80 | http://cloud.xvirus.net/database/reglist.txt | FR | — | — | suspicious |
2356 | Xvirus Anti-Malware.exe | GET | 200 | 193.70.91.28:80 | http://xvirus.net/download/amv.txt | FR | text | 7 b | suspicious |
2356 | Xvirus Anti-Malware.exe | GET | 200 | 193.70.91.28:80 | http://cloud.xvirus.net/database/wv.txt | FR | text | 3 b | suspicious |
2356 | Xvirus Anti-Malware.exe | GET | 200 | 193.70.91.28:80 | http://cloud.xvirus.net/database/dailydb.txt | FR | text | 4 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2356 | Xvirus Anti-Malware.exe | 193.70.91.28:80 | xvirus.net | OVH SAS | FR | suspicious |
Domain | IP | Reputation |
---|---|---|
xvirus.net |
| suspicious |
cloud.xvirus.net |
| suspicious |