Edit tour
Windows
Analysis Report
SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe
Overview
General Information
| Sample name: | SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe |
| Analysis ID: | 1390445 |
| MD5: | c9a36a7e0bf431dafe139b1cc18609ed |
| SHA1: | 4d77f0d31e994d3baeba164238634cadaf95fb77 |
| SHA256: | 7e33dd313ed09a15c81af55ee0997031caa3da8fba8c31c3859bc95e52559ff3 |
| Tags: | exe |
| Infos: |  |
 | |
Detection
| Score: | 52 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
IP address seen in connection with other malware
May check the online IP address of the machine
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe (PID: 6348 cmdline: C:\Users\u ser\Deskto p\Securite Info.com.T rojan-PSW. Agent.2601 6.7220.exe MD5: C9A36A7E0BF431DAFE139B1CC18609ED) 
conhost.exe (PID: 6364 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
WMIC.exe (PID: 6908 cmdline: wmic cpu g et name MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - WMIC.exe (PID: 6940 cmdline:
wmic path win32_Vide oControlle r get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
⊘No Sigma rule has matched
⊘No Snort rule has matched
- • AV Detection
- • Compliance
- • Networking
- • System Summary
- • Data Obfuscation
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • Anti Debugging
- • HIPS / PFW / Operating System Protection Evasion
- • Language, Device and Operating System Detection
- • Stealing of Sensitive Information
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Static PE information: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Code function: | 0_3_00000195CAFE9399 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Last function: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Software Packing | NTDS | 1 System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 13 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 13% | ReversingLabs | |||
| 30% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| ipinfo.io | 34.117.186.192 | true | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 34.117.186.192 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1390445 |
| Start date and time: | 2024-02-11 21:28:08 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 28s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 4 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe |
| Detection: | MAL |
| Classification: | mal52.spyw.winEXE@6/10@1/1 |
| EGA Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
- Execution Graph export aborted
for target SecuriteInfo.com.T rojan-PSW.Agent.26016.7220.exe , PID 6348 because there are n o executed function - Not all processes where analyz
ed, report is missing behavior information
| Time | Type | Description |
|---|---|---|
| 21:29:03 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 34.117.186.192 | Get hash | malicious | XClient Stealer | Browse |
| |
| Get hash | malicious | XClient Stealer | Browse |
| ||
| Get hash | malicious | XClient Stealer | Browse |
| ||
| Get hash | malicious | XClient Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ipinfo.io | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Amadey, RisePro Stealer | Browse |
| ||
| Get hash | malicious | Amadey, RedLine, RisePro Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Xmrig | Browse |
| ||
| Get hash | malicious | RisePro Stealer | Browse |
| ||
| Get hash | malicious | RisePro Stealer | Browse |
| ||
| Get hash | malicious | RisePro Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Amadey, RisePro Stealer | Browse |
| ||
| Get hash | malicious | Amadey, RisePro Stealer | Browse |
| ||
| Get hash | malicious | Amadey, RedLine, RisePro Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Xmrig | Browse |
| ||
| Get hash | malicious | RisePro Stealer | Browse |
|
⊘No context
⊘No context
| Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3308 |
| Entropy (8bit): | 5.837392962472899 |
| Encrypted: | false |
| SSDEEP: | 96:jJfsoO2j8cRhAZFJaRJSztv3uGkyUBFn5s5HwPR2cvsdc:N5dRSRKeoP |
| MD5: | B19EC0DEAEE5949DE17ECF3443819B98 |
| SHA1: | 24EDD6FE835B6FF8C597A21A459E16016936C218 |
| SHA-256: | 0F11DDDE75E50C35CAE2D9BAB63282A352B878C134D5FB2BBDBE8A62570CB76E |
| SHA-512: | 7EA513D2D9F96E63BB4D9DB0689FDD28BD47A98DD60E51B2A1C942FC71D195EF0C439FAE84838EF621CD0BE36D4C017369779DC3B329C73D38947E7F255D520D |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 114688 |
| Entropy (8bit): | 0.9746603542602881 |
| Encrypted: | false |
| SSDEEP: | 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn |
| MD5: | 780853CDDEAEE8DE70F28A4B255A600B |
| SHA1: | AD7A5DA33F7AD12946153C497E990720B09005ED |
| SHA-256: | 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3 |
| SHA-512: | E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8 |
| Malicious: | false |
| Reputation: | high, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 49152 |
| Entropy (8bit): | 0.8180424350137764 |
| Encrypted: | false |
| SSDEEP: | 96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG |
| MD5: | 349E6EB110E34A08924D92F6B334801D |
| SHA1: | BDFB289DAFF51890CC71697B6322AA4B35EC9169 |
| SHA-256: | C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A |
| SHA-512: | 2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574 |
| Malicious: | false |
| Reputation: | high, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 106496 |
| Entropy (8bit): | 1.1358696453229276 |
| Encrypted: | false |
| SSDEEP: | 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544 |
| MD5: | 28591AA4E12D1C4FC761BE7C0A468622 |
| SHA1: | BC4968A84C19377D05A8BB3F208FBFAC49F4820B |
| SHA-256: | 51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9 |
| SHA-512: | 5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB |
| Malicious: | false |
| Reputation: | high, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 28672 |
| Entropy (8bit): | 2.5793180405395284 |
| Encrypted: | false |
| SSDEEP: | 96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz |
| MD5: | 41EA9A4112F057AE6BA17E2838AEAC26 |
| SHA1: | F2B389103BFD1A1A050C4857A995B09FEAFE8903 |
| SHA-256: | CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB |
| SHA-512: | 29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103 |
| Malicious: | false |
| Reputation: | high, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 106496 |
| Entropy (8bit): | 1.1358696453229276 |
| Encrypted: | false |
| SSDEEP: | 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544 |
| MD5: | 28591AA4E12D1C4FC761BE7C0A468622 |
| SHA1: | BC4968A84C19377D05A8BB3F208FBFAC49F4820B |
| SHA-256: | 51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9 |
| SHA-512: | 5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB |
| Malicious: | false |
| Reputation: | high, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 114688 |
| Entropy (8bit): | 0.9746603542602881 |
| Encrypted: | false |
| SSDEEP: | 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn |
| MD5: | 780853CDDEAEE8DE70F28A4B255A600B |
| SHA1: | AD7A5DA33F7AD12946153C497E990720B09005ED |
| SHA-256: | 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3 |
| SHA-512: | E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 40960 |
| Entropy (8bit): | 0.8553638852307782 |
| Encrypted: | false |
| SSDEEP: | 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil |
| MD5: | 28222628A3465C5F0D4B28F70F97F482 |
| SHA1: | 1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14 |
| SHA-256: | 93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4 |
| SHA-512: | C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 514 |
| Entropy (8bit): | 4.796492444994601 |
| Encrypted: | false |
| SSDEEP: | 6:GkiLAMp3XhFHiAFQUhh2AFQ9WLrVE9/y6BThbXEzUwWc6Ju8n:0b3XTHP/h2oQ98ENTBhWWc6JBn |
| MD5: | 5F7CDF12190E75006BA6CA3B56941905 |
| SHA1: | 399419A6109A477195033AE9F443A582C59A953D |
| SHA-256: | F47CDF3A25D3FE0B18F913613916742CAD2CA006801EF0BECC676CDF2560BFF8 |
| SHA-512: | 86110200DDCAB359271EB2A8019AA1B4B38327B7BA2B206386E34507CA1AEBE7278AC9E8673E7EAC2F67ED22489D3CD0FD181C5CA459C70615C7CDCE60FEFC2B |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 160 |
| Entropy (8bit): | 4.438743916256937 |
| Encrypted: | false |
| SSDEEP: | 3:rmHfvtH//STGlA1yqGlYUGk+ldyHGlgZty:rmHcKtGFlqty |
| MD5: | E467C82627F5E1524FDB4415AF19FC73 |
| SHA1: | B86E3AA40E9FBED0494375A702EABAF1F2E56F8E |
| SHA-256: | 116CD35961A2345CE210751D677600AADA539A66F046811FA70E1093E01F2540 |
| SHA-512: | 2A969893CC713D6388FDC768C009055BE1B35301A811A7E313D1AEEC1F75C88CCDDCD8308017A852093B1310811E90B9DA76B6330AACCF5982437D84F553183A |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.927689440686909 |
| TrID: |
|
| File name: | SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe |
| File size: | 4'371'968 bytes |
| MD5: | c9a36a7e0bf431dafe139b1cc18609ed |
| SHA1: | 4d77f0d31e994d3baeba164238634cadaf95fb77 |
| SHA256: | 7e33dd313ed09a15c81af55ee0997031caa3da8fba8c31c3859bc95e52559ff3 |
| SHA512: | 1cdc8cf07dc0b3d83d5f07e1de8bc60a9b5f0f568087f0cc740cc64492eb609e171c4f93eaad37abd9e4f018ed7983f2cdfe991309f6797572d9ee45fa0b8b96 |
| SSDEEP: | 98304:6PSzwcdHYUcyX4eHU0hU/cSuijBf1ULKPQ1w9VOO6GQgjIkU:WS0cJ59U0hUkx6f1g1w9CGQ2I |
| TLSH: | 7A163387D022763AF4D4533CBA34590A7AA8507B5469E205491BC3ACD378CD2B3F67BB |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$..B.........pj.........@..........................................`... ............................ |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x140c76a70 |
| Entrypoint Section: | UPX1 |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
| TLS Callbacks: | 0x40c76cc0, 0x1 |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 1 |
| File Version Major: | 6 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 9aebf3da4677af9275c461261e5abde3 |
| Instruction |
|---|
| push ebx |
| push esi |
| push edi |
| push ebp |
| dec eax |
| lea esi, dword ptr [FFBD55AAh] |
| dec eax |
| lea edi, dword ptr [esi-0084B025h] |
| dec eax |
| lea eax, dword ptr [edi+00C4314Ch] |
| push dword ptr [eax] |
| mov dword ptr [eax], 82E71B5Eh |
| push eax |
| push edi |
| xor ebx, ebx |
| xor ecx, ecx |
| dec eax |
| or ebp, FFFFFFFFh |
| call 00007F1B40FC4CB5h |
| add ebx, ebx |
| je 00007F1B40FC4C64h |
| rep ret |
| mov ebx, dword ptr [esi] |
| dec eax |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| mov dl, byte ptr [esi] |
| rep ret |
| dec eax |
| lea eax, dword ptr [edi+ebp] |
| cmp ecx, 05h |
| mov dl, byte ptr [eax] |
| jbe 00007F1B40FC4C83h |
| dec eax |
| cmp ebp, FFFFFFFCh |
| jnbe 00007F1B40FC4C7Dh |
| sub ecx, 04h |
| mov edx, dword ptr [eax] |
| dec eax |
| add eax, 04h |
| sub ecx, 04h |
| mov dword ptr [edi], edx |
| dec eax |
| lea edi, dword ptr [edi+04h] |
| jnc 00007F1B40FC4C51h |
| add ecx, 04h |
| mov dl, byte ptr [eax] |
| je 00007F1B40FC4C72h |
| dec eax |
| inc eax |
| mov byte ptr [edi], dl |
| sub ecx, 01h |
| mov dl, byte ptr [eax] |
| dec eax |
| lea edi, dword ptr [edi+01h] |
| jne 00007F1B40FC4C52h |
| rep ret |
| cld |
| inc ecx |
| pop ebx |
| jmp 00007F1B40FC4C6Ah |
| dec eax |
| inc esi |
| mov byte ptr [edi], dl |
| dec eax |
| inc edi |
| mov dl, byte ptr [esi] |
| add ebx, ebx |
| jne 00007F1B40FC4C6Ch |
| mov ebx, dword ptr [esi] |
| dec eax |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| mov dl, byte ptr [esi] |
| jc 00007F1B40FC4C48h |
| lea eax, dword ptr [ecx+01h] |
| jmp 00007F1B40FC4C69h |
| dec eax |
| inc ecx |
| call ebx |
| adc eax, eax |
| inc ecx |
| call ebx |
| adc eax, eax |
| add ebx, ebx |
| jne 00007F1B40FC4C6Ch |
| mov ebx, dword ptr [esi] |
| dec eax |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| mov dl, byte ptr [esi] |
| jnc 00007F1B40FC4C46h |
| sub eax, 03h |
| jc 00007F1B40FC4C7Bh |
| shl eax, 08h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc45000 | 0x159 | UPX1 |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc774ec | 0xd0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc77000 | 0x4ec | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xbcf000 | 0x63e4 | UPX1 |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc775bc | 0x14 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xc76ce8 | 0x28 | UPX1 |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| UPX0 | 0x1000 | 0x84b000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| UPX1 | 0x84c000 | 0x42b000 | 0x42ae00 | 61da2d5b454b0681f9eca67a87c07a67 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xc77000 | 0x1000 | 0x600 | 86d4797b5a0b275e634ad1838d1bb959 | False | 0.419921875 | data | 5.1751574627310495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0xc7705c | 0x48f | XML 1.0 document, ASCII text | 0.40102827763496146 |
| DLL | Import |
|---|---|
| KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect |
| msvcrt.dll | exit |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeDownload Network PCAP: filtered – full
- Total Packets: 6
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Feb 11, 2024 21:29:06.435049057 CET | 49730 | 80 | 192.168.2.4 | 34.117.186.192 |
| Feb 11, 2024 21:29:06.537482977 CET | 80 | 49730 | 34.117.186.192 | 192.168.2.4 |
| Feb 11, 2024 21:29:06.537815094 CET | 49730 | 80 | 192.168.2.4 | 34.117.186.192 |
| Feb 11, 2024 21:29:06.538331032 CET | 49730 | 80 | 192.168.2.4 | 34.117.186.192 |
| Feb 11, 2024 21:29:06.640691996 CET | 80 | 49730 | 34.117.186.192 | 192.168.2.4 |
| Feb 11, 2024 21:29:06.667196035 CET | 80 | 49730 | 34.117.186.192 | 192.168.2.4 |
| Feb 11, 2024 21:29:06.709777117 CET | 49730 | 80 | 192.168.2.4 | 34.117.186.192 |
| Feb 11, 2024 21:29:07.921459913 CET | 49730 | 80 | 192.168.2.4 | 34.117.186.192 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Feb 11, 2024 21:29:06.309216022 CET | 59445 | 53 | 192.168.2.4 | 1.1.1.1 |
| Feb 11, 2024 21:29:06.427495003 CET | 53 | 59445 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Feb 11, 2024 21:29:06.309216022 CET | 192.168.2.4 | 1.1.1.1 | 0x8bd0 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Feb 11, 2024 21:29:06.427495003 CET | 1.1.1.1 | 192.168.2.4 | 0x8bd0 | No error (0) | 34.117.186.192 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49730 | 34.117.186.192 | 80 | 6348 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Feb 11, 2024 21:29:06.538331032 CET | 90 | OUT | |
| Feb 11, 2024 21:29:06.667196035 CET | 693 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 21:29:00 |
| Start date: | 11/02/2024 |
| Path: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff61a2f0000 |
| File size: | 4'371'968 bytes |
| MD5 hash: | C9A36A7E0BF431DAFE139B1CC18609ED |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Go lang |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 21:29:00 |
| Start date: | 11/02/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 21:29:03 |
| Start date: | 11/02/2024 |
| Path: | C:\Windows\System32\wbem\WMIC.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6c03b0000 |
| File size: | 576'000 bytes |
| MD5 hash: | C37F2F4F4B3CD128BDABCAEB2266A785 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 21:29:04 |
| Start date: | 11/02/2024 |
| Path: | C:\Windows\System32\wbem\WMIC.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6c03b0000 |
| File size: | 576'000 bytes |
| MD5 hash: | C37F2F4F4B3CD128BDABCAEB2266A785 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
⊘No disassembly
