Windows
Analysis Report
SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe
Overview
General Information
Sample name: | SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe |
Analysis ID: | 1367881 |
MD5: | e26159f3d33e0a7e087881e92b9959af |
SHA1: | 33c2dd43cc789069948a19237cc7708ac5586524 |
SHA256: | 4aa9e283503100fe94c6516eca4ee0e3f7293a82f782412dfaca3409959d15d9 |
Tags: | exe |
Infos: | |
Errors
|
Detection
Score: | 64 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe (PID: 5944 cmdline:
C:\Users\u ser\Deskto p\Securite Info.com.T rojan.TR.D ropper.Gen .13342.191 49.exe MD5: E26159F3D33E0A7E087881E92B9959AF)
- cleanup
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | Code function: | 0_2_0001048C |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Classification label: |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | Static PE information: |
Source: | Static PE information: |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | Binary or memory string: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact | Resource Development | Reconnaissance |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Direct Volume Access | 1 Credential API Hooking | System Service Discovery | Remote Services | 1 Credential API Hooking | Exfiltration Over Other Network Medium | 1 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Abuse Accessibility Features | Acquire Infrastructure | Gather Victim Identity Information |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Application Layer Protocol | SIM Card Swap | Obtain Device Cloud Backups | Network Denial of Service | Domains | Credentials |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
16% | ReversingLabs | Win32.Trojan.Generic | ||
19% | Virustotal | Browse | ||
100% | Avira | TR/Dropper.Gen | ||
100% | Joe Sandbox ML |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
time.windows.com | unknown | unknown | false | high |
Joe Sandbox version: | 38.0.0 Ammolite |
Analysis ID: | 1367881 |
Start date and time: | 2023-12-29 01:12:05 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 1m 54s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 10 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe |
Detection: | MAL |
Classification: | mal64.evad.winEXE@1/0@1/0 |
EGA Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Corrupt sample or wrongly sele
cted analyzer. Details: The %1 application cannot be run in Win32 mode.
- Exclude process from analysis
(whitelisted): dllhost.exe, Sg rmBroker.exe, MoUsoCoreWorker. exe, svchost.exe - Excluded IPs from analysis (wh
itelisted): 40.119.6.228 - Excluded domains from analysis
(whitelisted): twc.trafficman ager.net - Execution Graph export aborted
for target SecuriteInfo.com.T rojan.TR.Dropper.Gen.13342.191 49.exe, PID 5944 because there are no executed function
File type: | |
Entropy (8bit): | 7.218058874585358 |
TrID: |
|
File name: | SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe |
File size: | 354'664 bytes |
MD5: | e26159f3d33e0a7e087881e92b9959af |
SHA1: | 33c2dd43cc789069948a19237cc7708ac5586524 |
SHA256: | 4aa9e283503100fe94c6516eca4ee0e3f7293a82f782412dfaca3409959d15d9 |
SHA512: | 4a19cf8282461d491e1ebdeff4f554dcfefaecd47e08c3c78022ffa6399b5e4491c0142611e6a6687d739a8e685346aee8bb67e1c3052a26a837581626ff187d |
SSDEEP: | 6144:qwjZBZHzhRvCCM5wBvbuV523wq6txm1XtCBofHBy4LzYfw1UF:hjZ7vLMKVZwHK1XQCfHByo+weF |
TLSH: | 6774D1E273F4D405F050CBB4948A4F122F79B97113A8E64EE9405B4EE973A92A321F5F |
File Content Preview: | MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$...................................................................................................................................... |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x1048c |
Entrypoint Section: | INIT |
Digitally signed: | false |
Imagebase: | 0x10000 |
Subsystem: | native |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | NO_SEH |
Time Stamp: | 0x45B458CE [Mon Jan 22 06:25:18 2007 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | eedca3cd4d5f133b3c1ec5535d19ee00 |
Instruction |
---|
push ebp |
mov ebp, esp |
sub esp, 24h |
mov eax, dword ptr [ebp+0Ch] |
and dword ptr [ebp-20h], 00000000h |
and dword ptr [ebp-14h], 00000000h |
and dword ptr [ebp-10h], 00000000h |
mov dword ptr [ebp-1Ch], eax |
lea eax, dword ptr [ebp-24h] |
push eax |
push 000F003Fh |
lea eax, dword ptr [ebp+0Ch] |
push eax |
mov dword ptr [ebp-04h], 00000004h |
mov dword ptr [ebp-24h], 00000018h |
mov dword ptr [ebp-18h], 00000040h |
call dword ptr [00010404h] |
test eax, eax |
jl 00007F99011F44E8h |
push 00010480h |
lea eax, dword ptr [ebp-0Ch] |
push eax |
call dword ptr [00010400h] |
push 00000004h |
lea eax, dword ptr [ebp-04h] |
push eax |
push 00000004h |
push 00000000h |
lea eax, dword ptr [ebp-0Ch] |
push eax |
push dword ptr [ebp+0Ch] |
call dword ptr [00010408h] |
xor eax, eax |
leave |
retn 0008h |
and al, 05h |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
push 00000005h |
add al, 00h |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [ebp+eax+00h], al |
add byte ptr [ebp+eax+00h], bl |
add byte ptr [00000000h+eax], dh |
add byte ptr [eax], al |
imul eax, dword ptr [edx+ebx*2], 77h |
push ebx |
je 00007F99011F4519h |
popad |
insb |
jne 00007F99011F4527h |
dec ebx |
jns 00007F99011F44C3h |
add dx, word ptr [edx+74h] |
insb |
dec ecx |
outsb |
imul esi, dword ptr [ebp+edx*2+6Eh], 646F6369h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4fc | 0x28 | INIT |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x580 | 0x10 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x410 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x400 | 0x10 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.rdata | 0x400 | 0x6d | 0x80 | False | 0.4453125 | data | 2.2580921893730874 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ |
INIT | 0x480 | 0xf6 | 0x100 | False | 0.78515625 | data | 4.643726141333676 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0x580 | 0x18 | 0x80 | False | 0.203125 | GLS_BINARY_LSB_FIRST | 0.5274741106746463 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
DLL | Import |
---|---|
ntoskrnl.exe | RtlInitUnicodeString, ZwOpenKey, ZwSetValueKey |
Download Network PCAP: filtered – full
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 29, 2023 01:13:05.953843117 CET | 57035 | 53 | 192.168.2.7 | 1.1.1.1 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Dec 29, 2023 01:13:05.953843117 CET | 192.168.2.7 | 1.1.1.1 | 0x7d07 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 29, 2023 01:13:06.075613022 CET | 1.1.1.1 | 192.168.2.7 | 0x7d07 | No error (0) | twc.trafficmanager.net | CNAME (Canonical name) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
Target ID: | 0 |
Start time: | 01:12:59 |
Start date: | 29/12/2023 |
Path: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.Gen.13342.19149.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x10000 |
File size: | 354'664 bytes |
MD5 hash: | E26159F3D33E0A7E087881E92B9959AF |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |