Scan

January 29, 2017

```
$ malice scan befb88b89c2eb401900a68e9f5b78764203f2b48264fcc3f7121bf04a57fd408
```

=OR=

```
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
                -v `pwd`/data/samples:/malice/samples \
                -e MALICE_VT_API=$MALICE_VT_API \
                malice/engine scan befb88b89c2eb401900a68e9f5b78764203f2b48264fcc3f7121bf04a57fd408
```

File

| Field  | Value                                                                  |
| ------ | ---------------------------------------------------------------------- |
| Name   | befb88b89c2eb401900a68e9f5b78764203f2b48264fcc3f7121bf04a57fd408       |
| Path   | data/samples/befb88b89c2eb401900a68e9f5b78764203f2b48264fcc3f7121bf04a57fd408 |
| Size   | 40.96 kB                                                               |
| MD5    | 669f87f2ec48dce3a76386eec94d7e3b                                       |
| SHA1   | 6b82f126555e7644816df5d4e4614677ee0bda5c                               |
| SHA256 | befb88b89c2eb401900a68e9f5b78764203f2b48264fcc3f7121bf04a57fd408       |
| Mime   | application/x-dosexec                                                  |

VirusTotal

| Ratio | Link | API    | Scanned             |
| ----- | ---- | ------ | ------------------- |
| 85%   | link | Public | 2016-02-15 11:47:03 |

#totalhash

| Found              | URL  |
| ------------------ | ---- |
| :white_check_mark: | link |

NSRL Database

  • Not Found :grey_question:

ShadowServer

AntiVirus
  • FirstSeen: 11/03/2016 9:09AM
  • LastSeen: 11/08/2016 2:10AM
| Vendor      | Signature                             |
| ----------- | ------------------------------------- |
| QuickHeal   | TrojanAPT.LecnaCBack.MUE.Z3           |
| MicroWorld  | Backdoor.Lecna.AB                     |
| Fortinet    | W32/Generic.AC.1FAF5A!tr              |
| Ikarus      | Backdoor.Win32.Lecna                  |
| Eset        | Win32/Lecna.W                         |
| Clam        | PUA.Win.Packer.AcprotectUltraprotect-1 |
| DrWeb       | BackDoor.Dizhi                        |
| Symantec    | W32.Lecna.D                           |
| Avast       | Win32:Lecna-I                         |
| McAfee      | BackDoor-CSB                          |
| Sophos      | Troj/Lecna-Q                          |
| Comodo      | Backdoor.Win32.Lecna.AB               |
| AhnLab      | Win-Trojan/Lecna.61440                |
| K7GW        | Trojan ( 00013a571 )                  |
| GData       | Backdoor.Lecna.AB                     |
| TrendMicro  | BKDR_LECNA.SM                         |
| Microsoft   | Backdoor:Win32/Lecna!dha              |
| K7          | Trojan ( 00013a571 )                  |
| Avira       | WORM/Rbot.Gen                         |
| Authentium  | W32/Lecnac.A.gen!Eldorado             |
| AVG         | Win32/DH{IIEXEx4XA2EICXwkIiU}         |
| BitDefender | Backdoor.Lecna.AB                     |
| FProt       | W32/Trojan.AAWD                       |

Yara

| Rule                                 | Description                                  | Offset | Data                                 | Tags |
| ------------------------------------ | -------------------------------------------- | ------ | ------------------------------------ | ---- |
| Microsoft_Visual_Cpp_v50v60_MFC      | Microsoft Visual C++ v5.0/v6.0 (MFC)         | 5204   | U���                                 |      |
| Borland_Delphi_v60__v70              | Borland Delphi v6.0 - v7.0                   | 5204   | U��                                  |      |
| dUP_v2x_Patcher__wwwdiablo2oo2cjbnet | dUP v2.x Patcher --> www.diablo2oo2.cjb.net  | 78     | This program cannot be run in DOS mo |      |
| Free_Pascal_v106                     | Free Pascal v1.06                            | 14866  | ���@O�k                              |      |
| Armadillo_v171                       | Armadillo v1.71                              | 23110  | U��j�h b@h�[@d�                      |      |

SSDeep

768:15jQ4nVHQaeO379u4XckKVCsknBN9A4hUnDxDiNZ957ZpK0IUUiM95Zdz:15jQ4nVHQaeO9uwckKuBN9A4UnDxcbFi

TRiD

  • 31.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 27.5% (.EXE) Win64 Executable (generic) (27638/28/4)
  • 26.4% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
  • 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 4.4% (.EXE) Win32 Executable (generic) (4508/7/1)

Exiftool

| Field                   | Value                                           |
| ----------------------- | ----------------------------------------------- |
| Special Build           |                                                 |
| Code Size               | 20480                                           |
| File Version            | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)       |
| Legal Trademarks        |                                                 |
| Product Name            | Microsoft(R) Windows(R) Operating System        |
| Machine Type            | Intel 386 or later, and compatibles             |
| PE Type                 | PE32                                            |
| File Version Number     | 6.0.2930.2180                                   |
| Character Set           | Unicode                                         |
| Comments                |                                                 |
| MIME Type               | application/octet-stream                        |
| Linker Version          | 6.0                                             |
| Product Version Number  | 6.0.2930.2180                                   |
| File Flags              | Private build                                   |
| File OS                 | Unknown (0)                                     |
| File Description        | Internet Explorer                               |
| File Size               | 40 kB                                           |
| Object File Type        | Unknown                                         |
| Legal Copyright         | (C) Microsoft Corporation. All rights reserved. |
| Original File Name      | IEXPLORE.EXE                                    |
| Uninitialized Data Size | 0                                               |
| Image Version           | 0.0                                             |
| Subsystem               | Windows GUI                                     |
| File Flags Mask         | 0x003f                                          |
| Company Name            | Microsoft Corporation                           |
| Product Version         | 6.00.2900.2180                                  |
| Initialized Data Size   | 20480                                           |
| Entry Point             | 0x5a46                                          |
| OS Version              | 4.0                                             |
| File Subtype            | 0                                               |
| Language Code           | Neutral                                         |
| Internal Name           | iexplore                                        |
| File Type Extension     | exe                                             |
| File Type               | Win32 EXE                                       |
| Subsystem Version       | 4.0                                             |
| Private Build           |                                                 |
| ExifTool Version Number | 10.23                                           |

ClamAV

| Infected | Result                 | Engine | Updated  |
| -------- | ---------------------- | ------ | -------- |
| true     | Win.Trojan.Backspace-1 | 0.99.2 | 20160919 |

Comodo

| Infected | Result                  | Engine | Updated |
| -------- | ----------------------- | ------ | ------- |
| true     | Backdoor.Win32.Lecna.AB | 1.1    |         |

F-Secure

| Infected | Result            | Engine         | Updated  |
| -------- | ----------------- | -------------- | -------- |
| true     | Backdoor.Lecna.AB | 11.00 build 79 | 20160919 |

F-PROT

| Infected | Result | Engine    | Updated  |
| -------- | ------ | --------- | -------- |
| false    |        | 4.6.5.141 | 20160919 |

Avast

| Infected | Result              | Engine | Updated  |
| -------- | ------------------- | ------ | -------- |
| true     | Win32:Lecna-I [Trj] | 2.1.2  | 20170129 |

AVG

| Infected | Result                 | Engine    | Updated  |
| -------- | ---------------------- | --------- | -------- |
| true     | Found Win32/DH{YQMT?}  | 13.0.3114 | 20160918 |

Bitdefender

| Infected | Result            | Engine  | Updated  |
| -------- | ----------------- | ------- | -------- |
| true     | Backdoor.Lecna.AB | 7.90123 | 20160919 |

Sophos

| Infected | Result       | Engine | Updated  |
| -------- | ------------ | ------ | -------- |
| true     | Troj/Lecna-Q | 5.27.0 | 20160920 |

Floss

Decoded Strings

Location: 0x402830

  • ################################################################################################################################################################################################################################################################################################################################

Location: 0x401059

  • *lecnaC*
  • Software\Microsoft\CurrentNetInf
  • SYSTEM\CurrentControlSet\Control\Lsa
  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • MicrosoftZj
  • LhbqnrnesDwhs
  • MicrosoftHaveExit
  • LhbqnrnesGud@bj`
  • IEXPLORE.EXE
  • /ver.htm
  • /exe.htm
  • /app.htm
  • /myapp.htm
  • /hostlist.htm
  • .aj-gsl`
  • /SomeUpList.htm
  • /SomeUpVer.htm
  • www.flyeagles.com
  • www.km-nyc.com
  • /restore
  • /dizhi.gif
  • /connect.gif
  • \$NtUninstallKB900727$
  • \netsvc.exe
  • \netscv.exe
  • \netsvcs.exe
  • System Idle Process
  • Program Files
  • \Internet Exp1orer
  • forceguest
  • AudioPort
  • AudioPort.sys
  • SYSTEM\CurrentControlSet\Services
  • SYSTEM\ControlSet001\Services
  • SYSTEM\ControlSet002\Services
  • \drivers\
  • \DriverNum.dat

Location: 0x40511A

  • \A|{@

Location: 0x404DDE

  • SMBs
  • NTLMSSP
  • Windows 2000 2195
  • Windows 2000 5.0
  • SMBr
  • PC NETWORK PROGRAM 1.0
  • LANMAN1.0
  • Windows for Workgroups 3.1a
  • LM1.2X002
  • LANMAN2.1
  • NT LM 0.12

Location: 0x401047

  • Ie_nkokbpAtep
  • +^]g*dpi
  • Ie_nkokbpD]ra=_g

Stack Strings

  • \A|{@
  • CAAA\
  • cmd.exe