File yuan - fsg.exe

Size 5.5KB
Type MS-DOS executable
MD5 3efad313425f6baf243c9aea75a3b7da
SHA1 2422abd0ecf08b8f15379fddc8fc7a0ab39883c8
SHA256 ccabb6b8257a8eed9c8ad4df148109d092b9e1036d6bf4005ddaf394eb571219
SHA512
c4737b18837e4d94ac8656f83c9e24a1fafac3b398f005c2b25102107d3652d3e10ea9742c4aae97eed73b7d5864da2864718e2694bf013e228082bf4de95517
CRC32 37D01236
ssdeep 96:53cGePRFMWlEPOr4gdjaumPgk+lAj5Q6aLQME14YWtQOSle1L5HuOHlYQJhW:tcGePRFMWSuHYPSbcMYhWOe1ltFYQJhW
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • HasModified_DOS_Message - DOS Message Check
  • PEiD_00071_Anti007____NsPacK_Private_ - [Anti007 -> NsPacK Private]
  • PEiD_00843_FSG_v2_0____bart_xt_ - [FSG v2.0 -> bart/xt]
  • PEiD_00844_FSG_v2_0_ - [FSG v2.0]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • FSGv20 -
  • maldoc_suspicious_strings -

Score

This file shows some signs of potential malicious behavior.

The score of this file is 1.2 out of 10.

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Information on Execution

Category Started Completed Duration Logs
FILE March 13, 2019, 5:42 p.m. March 13, 2019, 5:47 p.m. 253 seconds

Machine

Name Label Started On Shutdown On
win7x64 win7x64 2019-03-13 17:42:51 2019-03-13 17:47:05

Analyzer Log

2019-03-13 10:42:50,062 [analyzer] DEBUG: Starting analyzer from: C:\agnhsxvqa
2019-03-13 10:42:50,108 [analyzer] DEBUG: Pipe server name: \\.\PIPE\wGXjBQdPMrVrDpyLDvpEMc
2019-03-13 10:42:50,124 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\wLWDgPIgcswjNUHvZLeEHysFFpL
2019-03-13 10:42:52,713 [analyzer] DEBUG: Started auxiliary module Disguise
2019-03-13 10:42:53,088 [analyzer] DEBUG: Loaded monitor into process with pid 508
2019-03-13 10:42:53,088 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-03-13 10:42:53,088 [analyzer] DEBUG: Started auxiliary module Human
2019-03-13 10:42:53,088 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-03-13 10:42:53,088 [analyzer] WARNING: Cannot execute auxiliary module Reboot: [Errno 2] No such file or directory: 'C:\\agnhsxvqa\\reboot.json'
2019-03-13 10:42:53,431 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-03-13 10:42:53,431 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2019-03-13 10:42:53,431 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-03-13 10:42:53,431 [analyzer] INFO: No process IDs returned by the package, running for the full timeout.
2019-03-13 10:46:55,809 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-03-13 10:46:55,809 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-03-13 10:46:55,809 [analyzer] INFO: Analysis completed.

Cuckoo Log

2019-03-13 17:42:51,736 [lib.cuckoo.core.scheduler] INFO: File already exists at "/opt/cuckoo/storage/binaries/ccabb6b8257a8eed9c8ad4df148109d092b9e1036d6bf4005ddaf394eb571219"
2019-03-13 17:42:51,751 [lib.cuckoo.core.scheduler] INFO: Task #1662: acquired machine win7x64 (label=win7x64)
2019-03-13 17:42:51,781 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 7652 (interface=eth2, host=192.168.128.109, pcap=/opt/cuckoo/storage/analyses/1662/dump.pcap)
2019-03-13 17:42:57,764 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7x64, ip=192.168.128.109)
2019-03-13 17:43:12,738 [modules.auxiliary.reboot] ERROR: Reboot analysis is not backwards compatible with the Old Agent, please upgrade your target machine (<Machine('1','win7x64')>) to the New Agent to use the reboot analysis capabilities.
2019-03-13 17:47:04,515 [lib.cuckoo.core.guest] INFO: win7x64: analysis completed successfully
2019-03-13 17:47:05,695 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-03-13 17:47:06,835 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937e083490>: Failed to establish a new connection: [Errno 111] Connection refused
2019-03-13 17:47:06,838 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937e083dd0>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937e083dd0>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

The executable has PE anomalies (could be a false positive) (1 event)
File has been identified by 31 AntiVirus engines on VirusTotal as malicious (31 events)
MicroWorld-eScan Gen:Trojan.Heur.aiedsaRIXllb
CMC Packed.Win32.TDSS!O
Cylance Unsafe
BitDefender Gen:Trojan.Heur.aiedsaRIXllb
K7GW Trojan ( 005376ae1 )
K7AntiVirus Trojan ( 005376ae1 )
F-Prot W32/Heuristic-162!Eldorado
GData Gen:Trojan.Heur.aiedsaRIXllb
AegisLab Trojan.Win32.Agent.ldG6
Rising Trojan.Zpevdo!8.F912/N3#93% (RDM+:cmRtazrgF/lgm1NRYpttjb7w3Kyl)
Ad-Aware Gen:Trojan.Heur.aiedsaRIXllb
Sophos Mal/Behav-160
Comodo TrojWare.Win32.Patched.KSU@5t5qg6
Invincea heuristic
McAfee-GW-Edition BehavesLike.Win32.Generic.zh
Trapmine malicious.high.ml.score
Emsisoft Gen:Trojan.Heur.aiedsaRIXllb (B)
SentinelOne static engine - malicious
Cyren W32/Heuristic-162!Eldorado
Avira TR/Crypt.FKM.Gen
Microsoft Trojan:Win32/Fuerboos.C!cl
Endgame malicious (high confidence)
SUPERAntiSpyware Trojan.Agent/Gen-FSG
Acronis suspicious
MAX malware (ai score=87)
Arcabit Trojan.Heur.aiedsaRIXllb
Yandex Packed/FSG
eGambit Unsafe.AI_Score_99%
Cybereason malicious.3425f6
CrowdStrike malicious_confidence_100% (D)
Qihoo-360 Win32/Trojan.a64

Screenshots

No screenshots available.

Network

DNS

No domains contacted.

Hosts

No hosts contacted.

Summary

No static analysis available.
KERNEL32.dll
LoadLibraryA
GetProcAddress
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
080404B0
CompanyName
Microsoft
ProductName
FileVersion
ProductVersion
InternalName
OriginalFilename
Antivirus Signature
Bkav Clean
K7AntiVirus Trojan ( 005376ae1 )
MicroWorld-eScan Gen:Trojan.Heur.aiedsaRIXllb
CMC Packed.Win32.TDSS!O
CAT-QuickHeal Clean
McAfee Clean
Cylance Unsafe
SUPERAntiSpyware Trojan.Agent/Gen-FSG
TheHacker Clean
Alibaba Clean
K7GW Trojan ( 005376ae1 )
Trustlook Clean
Arcabit Trojan.Heur.aiedsaRIXllb
Invincea heuristic
Baidu Clean
NANO-Antivirus Clean
F-Prot W32/Heuristic-162!Eldorado
Symantec Clean
ESET-NOD32 Clean
TrendMicro-HouseCall Clean
Avast Clean
ClamAV Clean
Kaspersky Clean
BitDefender Gen:Trojan.Heur.aiedsaRIXllb
Babable Clean
AegisLab Trojan.Win32.Agent.ldG6
Tencent Clean
Ad-Aware Gen:Trojan.Heur.aiedsaRIXllb
Emsisoft Gen:Trojan.Heur.aiedsaRIXllb (B)
Comodo TrojWare.Win32.Patched.KSU@5t5qg6
F-Secure Clean
DrWeb Clean
Zillya Clean
TrendMicro Clean
McAfee-GW-Edition BehavesLike.Win32.Generic.zh
Trapmine malicious.high.ml.score
Sophos Mal/Behav-160
Paloalto Clean
Cyren W32/Heuristic-162!Eldorado
Jiangmin Clean
Webroot Clean
Avira TR/Crypt.FKM.Gen
Antiy-AVL Clean
Kingsoft Clean
Endgame malicious (high confidence)
Microsoft Trojan:Win32/Fuerboos.C!cl
ViRobot Clean
ZoneAlarm Clean
Avast-Mobile Clean
GData Gen:Trojan.Heur.aiedsaRIXllb
TACHYON Clean
AhnLab-V3 Clean
Acronis suspicious
VBA32 Clean
ALYac Clean
MAX malware (ai score=87)
Malwarebytes Clean
Zoner Clean
Rising Trojan.Zpevdo!8.F912/N3#93% (RDM+:cmRtazrgF/lgm1NRYpttjb7w3Kyl)
Yandex Packed/FSG
SentinelOne static engine - malicious
eGambit Unsafe.AI_Score_99%
Fortinet Clean
AVG Clean
Cybereason malicious.3425f6
Panda Clean
CrowdStrike malicious_confidence_100% (D)
Qihoo-360 Win32/Trojan.a64

Process Tree
Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.128.109 138 192.168.128.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.
Task ID 1662
Mongo ID 5c897a5a11d30812ab72179b
Cuckoo release 2.0-dev