MalScore: 100/100
MalFamily: Malicious

systool.exe

Indicator columns: Is DLL, Packer, Anti Debug, Anti VM, Signed, XOR (flag values not preserved in this capture); AntiVirus: 48/72; Related: 2244
File details
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File size: 1266.57 KB (1296968 bytes)
Compile time: 2011-09-25 13:01:00
MD5: 74df64c06fb6b983b9753d4c1ee20970
SHA1: 34503e0abedc8ed7907db114030bc4fd6feeaafb
SHA256: 95ee39719531099cbbb759d99cb28fa2367f26601c618b99b494e79bc7e32e28
Import hash: f34d5f2d4577ed6d9ceec516c1f5a744 (the value shared by .NET executables whose only native import is mscoree.dll!_CorExeMain; it identifies the runtime shim, not this sample, and is useless as a pivot)
Sections: 3 (.text, .rsrc, .reloc)
Directories: 4 (import, resource, relocation, security; the security directory is the Authenticode certificate table)
First submission: 2019-01-12 07:30:16
Last submission: 2019-01-12 07:30:16
Filename detected: systool.exe (1)
URL file hosting: hXXp://deeperwants.com/ph/systool.exe (source: VirusTotal)
Antivirus Report
Report date: 2018-12-29 19:02:18   Detection ratio: 48/72   Permalink: VirusTotal
PE Sections (1 suspicious)
Name    VAddress   VSize     RawSize   MD5                               SHA1
.text   0x2000     0xddc74   908800    6fa627970086f276baa84799ac398e09  1e99cb87901c0374b0a69cd50ecbb8444a1ad94b
.rsrc   0xe0000    0x5ad10   372224    530f2d4d7df4c1a3eeaa10a5dbd8f319  32580c093599edbd51f04dd065a84208d42f4ed8
.reloc  0x13c000   0xc       512       7990aaabc1fda88429c8dc766cbf5f07  2d66759e1560660fb85ed2f654b9d16a64a547c1
Meta Info
No metadata found in this file.
XOR
No XOR-encoded strings found in this file.
Signature (Authenticode certificate table)
MD5: 77d7c6221c0e08e7db698834fb7242f3
SHA1: 557f1748a4c34205386320b7c375ddea993fb694
Block Size: 14920 bytes
Virtual Address: 1282048 (0x139000). The security directory entry holds a raw file offset, not an RVA, so this is where the WIN_CERTIFICATE block starts in the file. Check: 1282048 + 14920 = 1296968, exactly the file size, so the signature is the trailing 14920 bytes of the file and nothing follows it. Whether the signature verifies, and who the signer is, is not stated in this report; "Signed" only means a certificate table is present.
Packer(s)
(These are compiler/toolchain identifications rather than packers: all four say the same thing, that the file is a .NET assembly built with the Microsoft C#/VB.NET toolchain. No runtime packer or obfuscator is identified.)
Microsoft Visual C# / Basic .NET
Microsoft Visual Studio .NET
.NET executable
Microsoft Visual C# v7.0 / Basic .NET
File found
File type: Library
mscoree.dll (the .NET runtime shim; a managed executable imports only _CorExeMain from it, which is why the import table and import hash carry no sample-specific information)
IP Found
16.13.7.2 (a dotted-quad string found in the binary; no traffic to this address appears in the behavior trace below, and such strings are frequently version numbers rather than addresses, so treat it as unconfirmed)
URL(s)
All of these come from the Authenticode certificate chain: CRL distribution points, OCSP responders, AIA certificate URLs and CPS/RPA policy pointers of the Symantec code-signing CA, the Microsoft code-verification root and the GlobalSign timestamping CA. They describe where Windows goes to validate the signature, not where the sample connects. Trailing bytes such as "0", "0%" or "0@" seen in raw string dumps of this block are the DER tag/length bytes that follow each IA5String and are not part of the URL.
http://s.symcb.com/universal-root.crl
https://www.globalsign.com/repository/
http://s1.symcb.com/pca3-g5.crl
http://ts-crl.ws.symantec.com/sha256-tss-ca.crl
http://s2.symcb.com
https://d.symcb.com/cps
http://sv.symcb.com/sv.crl
http://s.symcd.com
http://ts-ocsp.ws.symantec.com
https://d.symcb.com/rpa
http://crl.globalsign.net/root.crl
http://sv.symcb.com/sv.crt
http://sv.symcd.com
http://www.symauth.com/cps
http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl
http://www.symauth.com/rpa
http://secure.globalsign.com/cacert/gstimestampingg2.crt
http://ts-aia.ws.symantec.com/sha256-tss-ca.cer
http://crl.globalsign.com/gs/gstimestampingg2.crl
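The Signature block and the URL list above can be reproduced and checked with the script below. It is an added example written for this page, not code from the report's sandbox, and uses only the Python standard library. It parses the PE header to find the certificate table (confirming that the "Virtual Address" is a file offset and that offset + size equals the file size), computes the Authenticode image hash the way the specification describes (CheckSum field, security directory entry and certificate table excluded), hashes the certificate table so the result can be compared with the MD5/SHA1 above, and extracts the chain's URLs at their DER-declared length, which is what makes the "crl0"/"cps0%" residue of a naive string scan disappear. build_demo_pe() and the example.test URLs are constructed so the script runs offline; run it with the path to systool.exe to get the real values.

```python
"""Authenticode certificate table: locate it, check it, and read the chain's URLs.
Added example (standard library only), not code from the report or its sandbox.
build_demo_pe() fabricates a tiny PE32 with a fake certificate table so this runs
offline; pass a real file such as systool.exe on the command line instead."""
import hashlib
import re
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY

def pe_layout(data):
    """(cert_off, cert_size, checksum_off, secdir_off, size_of_headers, [(raw_ptr, raw_size)]).
    The security directory holds a raw file offset, not an RVA, so the report's
    "Virtual Address" 1282048 plus the block size 14920 lands exactly on EOF."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = {0x10B: opt + 96, 0x20B: opt + 112}[magic]  # data directories, PE32 / PE32+
    secdir = dd + 8 * SECURITY_DIR
    cert_off, cert_size = struct.unpack_from("<II", data, secdir)
    sections = [struct.unpack_from("<II", data, opt + opt_size + 40 * i + 16)[::-1]
                for i in range(n_sections)]          # (PointerToRawData, SizeOfRawData)
    return cert_off, cert_size, opt + 64, secdir, struct.unpack_from("<I", data, opt + 60)[0], sections

def authenticode_digest(data, algo="sha256"):
    """Hash the image the way Authenticode does: skip CheckSum and the security
    directory entry, hash headers, sections in file order, then any overlay except
    the certificate table, which the spec assumes is the tail of the file."""
    cert_off, cert_size, cks, secdir, hdr_len, sections = pe_layout(data)
    h = hashlib.new(algo)
    for chunk in (data[:cks], data[cks + 4:secdir], data[secdir + 8:hdr_len]):
        h.update(chunk)
    hashed = hdr_len
    for raw_ptr, raw_size in sorted(sections):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    h.update(data[hashed:len(data) - cert_size])
    return h.hexdigest()

DER_URL = re.compile(rb"[\x16\x86]([\x01-\x7f])(?=https?://)")  # IA5String / [6] URI, short length
NAIVE_URL = re.compile(rb"https?://[!-~]+")                     # strings(1)-style printable run

def cert_urls(blob):
    """URLs cut at the DER-declared length (deduplicated, order kept)."""
    out = []
    for m in DER_URL.finditer(blob):
        url = blob[m.end():m.end() + m.group(1)[0]].decode("ascii", "replace")
        if url not in out:
            out.append(url)
    return out

def naive_urls(blob):
    """What a printable-string scan reports: the URL plus the following DER
    tag/length bytes when they are printable ('0' is 0x30, SEQUENCE)."""
    return [m.group(0).decode("latin-1") for m in NAIVE_URL.finditer(blob)]

def signature_block(data):
    """The WIN_CERTIFICATE entry the report labels 'Signature'."""
    cert_off, cert_size, *_ = pe_layout(data)
    if cert_size == 0:
        return {"signed": False}
    length, _rev, cert_type = struct.unpack_from("<IHH", data, cert_off)
    table = data[cert_off:cert_off + cert_size]
    return {"signed": True, "offset": cert_off, "size": cert_size,
            "at_end_of_file": cert_off + cert_size == len(data),
            "pkcs7_signed_data": cert_type == 0x0002,  # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            "md5": hashlib.md5(table).hexdigest(), "sha1": hashlib.sha1(table).hexdigest(),
            "urls": cert_urls(table[8:length])}

def build_demo_pe():
    """Constructed PE32, not a real binary: 0x200 of headers, one .text section,
    then a fake certificate table whose body imitates DER around two URLs."""
    url_a, url_b = b"http://crl.example.test/root.crl", b"https://cps.example.test/cps"
    body = (b"\x30\x82\x00\x50\x86" + bytes([len(url_a)]) + url_a + b"\x30\x0a\x06\x03\x55\x1d\x1f"
            + b"\x16" + bytes([len(url_b)]) + url_b + b"\x30\x25\x0c\x04demo")
    body += b"\0" * (-len(body) % 8)                    # WIN_CERTIFICATE is 8-byte aligned
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 14, 0, 0x200, 0, 0, 0x1000, 0x1000,
                      0x2000, 0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x2000, 0x200,
                      0xDEADBEEF, 2, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[SECURITY_DIR] = (0x400, len(cert))
    dd = b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + dd + sect
    headers += b"\0" * (0x200 - len(headers))
    return headers + b"\xC3" + b"\0" * 0x1FF + cert        # .text at 0x200, cert table at 0x400

if __name__ == "__main__":
    import sys
    sample = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_pe()
    print(signature_block(sample), authenticode_digest(sample), naive_urls(sample), sep="\n")
```

The Authenticode digest is the value the PKCS#7 SignedData actually signs, so it stays constant when the CheckSum field or the certificate table is altered and changes when any section byte does; that property, not the presence of a certificate table, is what "signed" should mean in triage. Whether the report's Signature MD5/SHA1 cover the 8-byte WIN_CERTIFICATE header or only the PKCS#7 body is not stated, so compare against both hashlib results if the first does not match.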
Behavior analysis details
Machine: Seven01_64 (label Seven01_64), manager: VirtualBox
Started: 2019-01-12 07:25:32   Ended: 2019-01-12 07:28:29   Duration: 177 s

3 Behaviors detected by system signatures


0 Summary items with data

Files, Read Files, Write Files, Delete Files, Keys, Read Keys, Write Keys, Delete Keys, Mutexes, Resolved APIs, Execute Commands, Started Services, Created Services: nothing to display

An empty file, registry, mutex and service summary after a 177-second run means the sample's own logic left no recorded trace in this sandbox; the only activity captured is the network traffic below, which is produced by the Windows certificate-chain engine validating the file's Authenticode signature. The report does not say why the payload did not run (the run ending first, a GUI process waiting for input, an environment check failing), so the dynamic part of this report should not be read as a description of the malware's behavior.

7 HTTP Request(s) detected

All seven carry the user agent Microsoft-CryptoAPI/6.1 and go either to endpoints named in the file's own certificate chain (s1.symcb.com, s2.symcb.com, sv.symcb.com, sv.symcd.com) or to the Windows root-store update: two CRL downloads (pca3-g5.crl, sv.crl), two OCSP checks in the GET form (RFC 6960 appendix A, base64 DER request in the path) and two in the POST form (Content-Type application/ocsp-request, 83-byte body, the same size as the decoded GET path), and authrootstl.cab. This is Windows validating the Authenticode signature, not traffic authored by the sample; the hosts and addresses below are CA and Microsoft infrastructure and must not be promoted to indicators or blocked.

http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D
  • Hostname: s2.symcb.com
  • IP Address: 23.50.155.27
  • Port: 80
  • Count: 1

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: s2.symcb.com

http://s2.symcb.com/
  • Hostname: s2.symcb.com
  • IP Address: 23.50.155.27
  • Port: 80
  • Count: 1

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/ocsp-request
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Content-Length: 83
Host: s2.symcb.com

http://s1.symcb.com/pca3-g5.crl
  • Hostname: s1.symcb.com
  • IP Address: 93.184.220.29
  • Port: 80
  • Count: 1

GET /pca3-g5.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: s1.symcb.com

http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEFpBTLvCJB9AMpxLFmkj6V4%3D
  • Hostname: sv.symcd.com
  • IP Address: 23.50.155.27
  • Port: 80
  • Count: 1

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEFpBTLvCJB9AMpxLFmkj6V4%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sv.symcd.com

http://sv.symcd.com/
  • Hostname: sv.symcd.com
  • IP Address: 23.50.155.27
  • Port: 80
  • Count: 1

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/ocsp-request
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Content-Length: 83
Host: sv.symcd.com

http://sv.symcb.com/sv.crl
  • Hostname: sv.symcb.com
  • IP Address: 93.184.220.29
  • Port: 80
  • Count: 1

GET /sv.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sv.symcb.com

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
  • Hostname: www.download.windowsupdate.com
  • IP Address: 205.185.216.10
  • Port: 80
  • Count: 1

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86400
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com
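A triage pass over the seven requests above, as an added example that is not part of the report or the sandbox. The classification rules are this example's own heuristics, not the sandbox's signatures; REQUESTS copies the page's requests verbatim and adds one constructed beacon (c2.example.test, not from the report) to show what an unattributed request looks like. decode_ocsp_get() also unpacks the base64 path of the two GET requests into the DER OCSPRequest it carries, which is how one confirms that those opaque paths are revocation checks for a certificate in the chain: SHA-1 issuer name and key hashes plus a serial number, 83 bytes in total, the same length as the POST bodies.

```python
"""Triage the sandbox HTTP log: separate Windows CryptoAPI chain-validation
traffic from anything the sample itself may have sent, and decode the OCSP
request that CryptoAPI packed into a GET path (RFC 6960, appendix A.1).
Added example, not part of the report or the sandbox. REQUESTS copies the seven
requests listed above plus one constructed line; the classification rules are
this example's own heuristics, not the sandbox's signatures."""
import base64
import urllib.parse

CRYPTOAPI = {"User-Agent": "Microsoft-CryptoAPI/6.1"}
OCSP_POST = {"User-Agent": "Microsoft-CryptoAPI/6.1", "Content-Type": "application/ocsp-request"}
REQUESTS = [  # (method, url, headers), copied from the report's HTTP section
    ("GET", "http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm"
            "4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D", CRYPTOAPI),
    ("POST", "http://s2.symcb.com/", OCSP_POST),
    ("GET", "http://s1.symcb.com/pca3-g5.crl", CRYPTOAPI),
    ("GET", "http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQU"
            "ljtT8Hkzl699g%2B8uK8zKt4YecmYCEFpBTLvCJB9AMpxLFmkj6V4%3D", CRYPTOAPI),
    ("POST", "http://sv.symcd.com/", OCSP_POST),
    ("GET", "http://sv.symcb.com/sv.crl", CRYPTOAPI),
    ("GET", "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
     CRYPTOAPI),
    # Constructed, not from the report: what a sample-originated beacon would look like.
    ("POST", "http://c2.example.test/gate", {"User-Agent": "Mozilla/4.0"}),
]

def der_tlv(buf, off):
    """One DER TLV at off -> (tag, value_start, value_end); short and long-form lengths."""
    tag, ln, pos = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                      # long form: low 7 bits = number of length bytes
        pos += ln & 0x7F
        ln = int.from_bytes(buf[off + 2:pos], "big")
    return tag, pos, pos + ln

def der_children(buf):
    """The TLVs packed inside a constructed value, as (tag, value) pairs."""
    off = 0
    while off < len(buf):
        tag, vs, ve = der_tlv(buf, off)
        yield tag, buf[vs:ve]
        off = ve

def oid_to_str(raw):
    """Dotted form of a DER OBJECT IDENTIFIER value (base-128 arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

SHA1_OID = "1.3.14.3.2.26"

def decode_ocsp_get(url):
    """GET-form OCSP: the path is url-encoded base64 of a DER OCSPRequest. Walk
    OCSPRequest > tbsRequest > requestList > Request > reqCert, skipping the
    optional tagged fields, and return the CertID the client is asking about."""
    path = urllib.parse.urlsplit(url).path.lstrip("/")
    der = base64.b64decode(urllib.parse.unquote(path), validate=True)
    node = der
    for _ in range(5):  # at each level take the first SEQUENCE child
        node = next(v for t, v in der_children(node) if t == 0x30)
    alg, name_hash, key_hash, serial = [v for _, v in der_children(node)]
    alg_oid = next(v for t, v in der_children(alg) if t == 0x06)
    return {"der_length": len(der), "hash_alg": oid_to_str(alg_oid),
            "issuer_name_hash": name_hash.hex(), "issuer_key_hash": key_hash.hex(),
            "serial": serial.hex()}

def classify(method, url, headers):
    """Heuristic attribution (this example's rules): CryptoAPI user agent plus the
    request shape. Anything else is left for an analyst to look at."""
    parts = urllib.parse.urlsplit(url)
    host, path = parts.hostname or "", parts.path
    if not headers.get("User-Agent", "").startswith("Microsoft-CryptoAPI/"):
        return "unattributed: review as possible sample traffic"
    if headers.get("Content-Type") == "application/ocsp-request":
        return "cryptoapi:ocsp-post"
    if path.endswith((".crl", ".crt", ".cer")):
        return "cryptoapi:crl-or-aia-fetch"
    if host.endswith("windowsupdate.com") and path.endswith("authrootstl.cab"):
        return "cryptoapi:authroot-update"
    try:
        decode_ocsp_get(url)
        return "cryptoapi:ocsp-get"
    except (ValueError, IndexError, StopIteration):
        return "cryptoapi:other"

def triage(requests=REQUESTS):
    """[(method, host, verdict)] for every logged request."""
    return [(m, urllib.parse.urlsplit(u).hostname, classify(m, u, h)) for m, u, h in requests]

if __name__ == "__main__":
    for row in triage():
        print("%-4s %-32s %s" % row)
    print(decode_ocsp_get(REQUESTS[0][1]))
```

The user-agent rule is a convenience, not proof: malware can send a Microsoft-CryptoAPI user agent as easily as any other, so the verdict should be corroborated by the destination (here, every host is one named in the file's own certificate chain or the Windows authroot CDN) and by the decoded request content, which for the two GETs is a well-formed CertID and nothing else.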

Comments
#infosec #automation
(TheSystem Itself @ 2019-01-12 07:30:19)
Detected family: #Malicious
(TheSystem Itself @ 2019-01-12 07:34:02)