Edit tour

Windows Analysis Report
SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe

Overview

General Information

Sample name:	SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe
Analysis ID:	1378233
MD5:	3e72333ed6b6f8f358018d5094d94015
SHA1:	3a7b774335da37d40d4b3ac910f48793b01f2bec
SHA256:	6356588cf41f6af19c0fb4ea113736d9182933a59c261661da66e3f378e09fb5
Tags:	exe
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Program does not show much activity (idle)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe (PID: 6940 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe MD5: 3E72333ED6B6F8F358018D5094D94015)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe

Virustotal: Detection: 11%

Perma Link

Source: SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe

Static PE information: certificate valid

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe

Code function: 1_2_004011B0 #2818,#800,#800,#6877,#5683,#4277,#858,#800,#535,GetLastError,FormatMessageA,URLDownloadToFileA,GetLastError,FormatMessageA,LocalFree,#860,#800,#800,#800,

1_2_004011B0

Source: SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe	String found in binary or memory: http://crl.wosign.com/WoSignCodeSigning.crl0G
Source: SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe	String found in binary or memory: http://crt.wosign.com/WoSignCodeSigning.crt0
Source: SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe	String found in binary or memory: http://www.comodogroup.com/repository0B
Source: SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe	String found in binary or memory: http://www.wosign.com/cps/0

Source: SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal48.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe

Code function: 1_2_004011B0 #2818,#800,#800,#6877,#5683,#4277,#858,#800,#535,GetLastError,FormatMessageA,URLDownloadToFileA,GetLastError,FormatMessageA,LocalFree,#860,#800,#800,#800,

1_2_004011B0

Source: SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe

Virustotal: Detection: 11%

Source: SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe

Static PE information: certificate valid

Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe	12%	Virustotal		Browse
SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://www.comodogroup.com/repository0B	0%	Avira URL Cloud	safe
http://www.comodogroup.com/repository0B	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.wosign.com/cps/0	SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe	false		high
http://www.comodogroup.com/repository0B	SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.wosign.com/WoSignCodeSigning.crl0G	SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe	false		high
http://crt.wosign.com/WoSignCodeSigning.crt0	SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1378233
Start date and time:	2024-01-21 10:43:29 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe
Detection:	MAL
Classification:	mal48.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, crl.usertrust.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	3.5567022388237546
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe
File size:	26'136 bytes
MD5:	3e72333ed6b6f8f358018d5094d94015
SHA1:	3a7b774335da37d40d4b3ac910f48793b01f2bec
SHA256:	6356588cf41f6af19c0fb4ea113736d9182933a59c261661da66e3f378e09fb5
SHA512:	2d4b9a90e3e2f1e4b97c5514b574459b4ec6021824c42fe3303cab27969d87577f7a27dd0f90ae066ba6990353413c4c6f8d5b29ff115ea508849f908ca53c0b
SSDEEP:	384:BGmKa8dNZY5xRbnu4n/2OLLvYH4pt74IVsDs1Y:BzX87ZY5r9n/PL44ptRas1Y
TLSH:	16C219C74F544992E6984EB065AED23A9E72D1964FB0C2EB536BC4DC2CE53E03D2610F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k..X/l../l../l...p...l..@s..$l..@s..+l..VM..-l..VM..-l../l...l...d..(l..{O..+l...j...l..Rich/l..................PE..L...s.kK...

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40174e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4B6BE573 [Fri Feb 5 09:31:31 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	474579095e30868736a4c7d83576b259

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=WoSign Code Signing Authority, O="WoSign, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	24/06/2009 02:00:00 24/06/2012 01:59:59
Subject Chain	CN=Beijing Lihuacheng Inc., OU=Class 3 - for Microsoft Authenticode Signing, O=Beijing Lihuacheng Inc., L=Beijing, S=Beijing, C=CN
Version:	3
Thumbprint MD5:	D9FAAA18CC10CF8B626670479C2F17F1
Thumbprint SHA-1:	18F81A97F817B498C613DFD76C094E52EA850CA1
Thumbprint SHA-256:	79D3AA4CCE2C97577C4136498BF63CD100B851E4241DC938B91E6D11FD979ED8
Serial:	008B040E8A264AFF096BB1DA2FDD7822B2

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00402110h
push 00401886h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 20h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
and dword ptr [ebp-04h], 00000000h
push 00000001h
call dword ptr [004020A0h]
pop ecx
or dword ptr [00403180h], FFFFFFFFh
or dword ptr [00403184h], FFFFFFFFh
call dword ptr [0040209Ch]
mov ecx, dword ptr [00403178h]
mov dword ptr [eax], ecx
call dword ptr [00402098h]
mov ecx, dword ptr [00403174h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00402094h]
mov eax, dword ptr [eax]
mov dword ptr [0040317Ch], eax
call 00007F65E48897BEh
cmp dword ptr [00403090h], 00000000h
jne 00007F65E48896FEh
push 00401882h
call dword ptr [00402090h]
pop ecx
call 00007F65E488978Fh
push 00403018h
push 00403014h
call 00007F65E488977Ah
mov eax, dword ptr [00403170h]
mov dword ptr [ebp-28h], eax
lea eax, dword ptr [ebp-28h]
push eax
push dword ptr [0040316Ch]
lea eax, dword ptr [ebp-20h]
push eax
lea eax, dword ptr [ebp-2Ch]
push eax
lea eax, dword ptr [ebp-1Ch]
push eax
call dword ptr [00402088h]
push 00403010h
push 00403000h
call 00007F65E4889747h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x21f4	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x460	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5000	0x1618
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0xdc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x967	0x1000	False	0.35302734375	data	3.9610741564887415	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x69e	0x1000	False	0.198486328125	data	2.5734263800710897	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x188	0x1000	False	0.038330078125	data	0.3007637110337896	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x460	0x1000	False	0.078857421875	data	0.5938149619502519	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_STRING	0x4420	0x3e	data	Chinese	China	0.6290322580645161
RT_VERSION	0x40a0	0x37c	OpenPGP Public Key	Chinese	China	0.2600896860986547

Imports

DLL	Import
KERNEL32.dll	LocalFree, FormatMessageA, GetLastError, GetTempPathA, GetModuleHandleA, GetCommandLineA, GetTickCount
SHELL32.dll	ShellExecuteA
MFC42.DLL
MSVCRT.dll	__getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, __CxxFrameHandler, __dllonexit, __p___initenv, exit, _XcptFilter, _exit, _onexit
urlmon.dll	URLDownloadToFileA
MSVCP60.dll	?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z, ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ??1_Winit@std@@QAE@XZ, ??0_Winit@std@@QAE@XZ, ??1Init@ios_base@std@@QAE@XZ, ??0Init@ios_base@std@@QAE@XZ

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

• SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe

Click to jump to process

Memory Usage

• SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe

Click to jump to process

Target ID:	1
Start time:	10:44:21
Start date:	21/01/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe
Imagebase:	0x400000
File size:	26'136 bytes
MD5 hash:	3E72333ED6B6F8F358018D5094D94015
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Analysis Process: SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exePID: 6940, Parent PID: 2592COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	26.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.7%
Total number of Nodes:	56
Total number of Limit Nodes:	1

Callgraph

Hide Legend

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401420 Relevance: 52.7, APIs: 27, Strings: 3, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32(00000000), ref: 00401440
GetModuleHandleA.KERNEL32(00000000,00000000,00000000), ref: 0040144B
#1575.MFC42(00000000), ref: 00401452
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6CCDA484,Fatal Error: MFC initialization failed,00000000), ref: 00401466
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 0040146D
#540.MFC42(00000000), ref: 00401484
#4160.MFC42 ref: 0040149A
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6CCDA3D8,?), ref: 004014AB
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 004014B2
#537.MFC42(00000000), ref: 004014DF
#6876.MFC42 ref: 004014F4
#5683.MFC42(0000002F), ref: 004014FF
#5683.MFC42(0000002F,0000002F), ref: 00401513
#4277.MFC42(?,00000001,0000002F,0000002F), ref: 00401523
GetTempPathA.KERNEL32(00000104,00000000,?,00000001,0000002F,0000002F), ref: 0040154F
#540.MFC42 ref: 00401559
#2818.MFC42(?,%s%s,00000000,?), ref: 0040157A
#535.MFC42(?,?,?,0000005C,0000002F,00000000), ref: 0040159F
#535.MFC42(?,?,?,?,?,0000005C,0000002F,00000000), ref: 004015B8
#537.MFC42(00403098,?,?,?,?,?,0000005C,0000002F,00000000), ref: 004015DB
#860.MFC42(?,00403098,?,?,?,?,?,0000005C,0000002F,00000000), ref: 004015F5

Strings

open, xrefs: 0040160B
Fatal Error: MFC initialization failed, xrefs: 00401460
%s%s, xrefs: 0040156C

Memory Dump Source

Source File: 00000001.00000002.1250233549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1250219707.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1250246671.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1250271090.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1250292056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@V?$basic_ostream@$#535#537#540#5683??6std@@?endl@std@@D@std@@@0@D@std@@@1@V10@V21@@$#1575#2818#4160#4277#6876#860CommandHandleLineModulePathTemp
String ID: %s%s$Fatal Error: MFC initialization failed$open
API String ID: 481738083-1011638941
Opcode ID: 1c87c32df4f1637bbbac0f14bee2dfa5a96544f7a28f09277a43691913853028
Instruction ID: c8449d78e0d7c7a06867ab01e35ead4327e72b2ccca9c2057bdc999da093029e
Opcode Fuzzy Hash: 1c87c32df4f1637bbbac0f14bee2dfa5a96544f7a28f09277a43691913853028
Instruction Fuzzy Hash: 2251A470108381AFD320EF64CD49B9BB7E8AB94704F444D2EF599632E1DB795508CB6B

Uniqueness

Uniqueness Score: -1.00%

Function 0040174E Relevance: 15.1, APIs: 10, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 0040177A
__p__fmode.MSVCRT ref: 0040178F
__p__commode.MSVCRT ref: 0040179D
__setusermatherr.MSVCRT ref: 004017CA
_initterm.MSVCRT ref: 004017E0
__getmainargs.MSVCRT ref: 00401803
_initterm.MSVCRT ref: 00401813
__p___initenv.MSVCRT ref: 00401818
exit.KERNELBASE ref: 00401838
_XcptFilter.MSVCRT ref: 0040184A

Memory Dump Source

Source File: 00000001.00000002.1250233549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1250219707.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1250246671.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1250271090.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1250292056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _initterm$FilterXcpt__getmainargs__p___initenv__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 167530163-0
Opcode ID: 0c09515d08699aaa630312d231e3b527d24169142d6137d742b3a86a80e5ec3f
Instruction ID: 99f38a7db86b8d4d5df617634712e2602d50772d3a082b728f51ba708c695d26
Opcode Fuzzy Hash: 0c09515d08699aaa630312d231e3b527d24169142d6137d742b3a86a80e5ec3f
Instruction Fuzzy Hash: E031FB75900304EFCB14AFA5DE49A997B78FB0D715F10413AF611B62F0DB795A40CB68

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004011B0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 122
filewindownetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#2818.MFC42(?,00403040,?,?,?), ref: 004011EB
#800.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,00401886,00402110,000000FF), ref: 004011FC
#800.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,00401886,00402110,000000FF), ref: 0040120D
#6877.MFC42(00403038,0040303C,?,?,?,?), ref: 0040123F
#5683.MFC42(0000002F,00403038,0040303C,?,?,?,?), ref: 0040124A
#4277.MFC42(80@<0@,00000001,0000002F,00403038,0040303C,?,?,?,?), ref: 0040125A
#858.MFC42(00000000,80@<0@,00000001,0000002F,00403038,0040303C,?,?,?,?), ref: 0040126B
#800.MFC42 ref: 00401279
#535.MFC42(?), ref: 00401287
URLDownloadToFileA.URLMON(00000000,<0@,?,00000000,?), ref: 004012BE
GetLastError.KERNEL32(00000400,80@<0@,00000000,00000000,?), ref: 004012D5
FormatMessageA.KERNEL32(00001300,00000000,00000000), ref: 004012DF
LocalFree.KERNEL32(<0@), ref: 004012E6
#860.MFC42(00403098,?), ref: 0040130A
#800.MFC42(00403098,?), ref: 00401318
#800.MFC42(00403098,?), ref: 00401326
#800.MFC42(00403098,?), ref: 00401337

Strings

80@<0@, xrefs: 00401255, 004012C9, 004012EF, 00401259, 004012CF
<0@, xrefs: 00401270, 00401283, 004012B4, 004012E1, 004012BB, 004012E5

Memory Dump Source

Source File: 00000001.00000002.1250233549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1250219707.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1250246671.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1250271090.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1250292056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: #800$#2818#4277#535#5683#6877#858#860DownloadErrorFileFormatFreeLastLocalMessage
String ID: 80@<0@$<0@
API String ID: 914754097-133393337
Opcode ID: 8583ed9570cdd994da0a4d2ff6ff646d047389021448643e0ee6bf3dcc7916f0
Instruction ID: 8b92307ed6699724502a85784eaf3c5cd5acff5f2c4c5e990e8a792077c65ea1
Opcode Fuzzy Hash: 8583ed9570cdd994da0a4d2ff6ff646d047389021448643e0ee6bf3dcc7916f0
Instruction Fuzzy Hash: C941A0715083409BD310EF55CC81F5BBBE8AB98754F840E2EF195632E1CB79A909CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00401070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#540.MFC42(?,?,?,00000000,004018AB,000000FF,0040158B,?,0000005C,0000002F,00000000), ref: 00401091
#540.MFC42(?,?,?,00000000,004018AB,000000FF,0040158B,?,0000005C,0000002F,00000000), ref: 0040109F
GetTickCount.KERNEL32 ref: 004010B4

Strings

@, xrefs: 004010A4

Memory Dump Source

Source File: 00000001.00000002.1250233549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1250219707.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1250246671.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1250271090.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1250292056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: #540$CountTick
String ID: @
API String ID: 4209651111-124383662
Opcode ID: 479aa01cd732ac259bab5a52ff67bad4a5ff7ee9a8aa8d0d0001c6fc0089b2fa
Instruction ID: 3b2c3dd0629d319c8d59686ff1104edc2bb22d9829aa76580274167a0587e1fc
Opcode Fuzzy Hash: 479aa01cd732ac259bab5a52ff67bad4a5ff7ee9a8aa8d0d0001c6fc0089b2fa
Instruction Fuzzy Hash: DE0116B1800B009FC360CF0ACA41616FBF8FF94B20F408A2FE09692AA0C7B8A504CF41

Uniqueness

Uniqueness Score: -1.00%

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exePID: 6940, Parent PID: 2592

General

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Section Activities

Sections loaded by Windows

Registry Activities

Key Opened

Key Value Queried

Windows Analysis Report
SecuriteInfo.com.not-a-virus.Downloader.Win32.Agent.du.15761.28432.exe

Function 00401420 Relevance: 52.7, APIs: 27, Strings: 3, Instructions: 161
COMMON

Function 0040174E Relevance: 15.1, APIs: 10, Instructions: 74
COMMON

Function 004011B0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 122
filewindownetworkCOMMON

Function 00401070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
COMMON