Windows Analysis Report
SecuriteInfo.com.FileRepPup.14501.9091.exe

Overview

General Information

Sample name: SecuriteInfo.com.FileRepPup.14501.9091.exe
Analysis ID: 1394267
MD5: dc41e011e5a84694bc8559f323f76935
SHA1: f7c39a8a970ebf491fdbba2818a1de205dd751ed
SHA256: 8e81a843acfadfe1295c60d51ed249a022f8dae87f787880ae3fedd402c0a88e
Tags: exe

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Found API chain indicative of debugger detection
Machine Learning detection for sample
Contains functionality to dynamically determine API calls
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

AV Detection

Source: SecuriteInfo.com.FileRepPup.14501.9091.exe ReversingLabs: Detection: 45%
Source: SecuriteInfo.com.FileRepPup.14501.9091.exe Virustotal: Detection: 32%
Source: SecuriteInfo.com.FileRepPup.14501.9091.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.FileRepPup.14501.9091.exe, 00000000.00000000.1689290004.000000014005F000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_097b2f5c-d
Source: SecuriteInfo.com.FileRepPup.14501.9091.exe String found in binary or memory: https://cdn.2take1.menu/versions/
Source: SecuriteInfo.com.FileRepPup.14501.9091.exe String found in binary or memory: https://cdn.2take1.menu/versions/wbDownload
Source: SecuriteInfo.com.FileRepPup.14501.9091.exe String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: SecuriteInfo.com.FileRepPup.14501.9091.exe String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Code function: 0_2_000000014001D040 0_2_000000014001D040
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Code function: 0_2_0000000140009CB0 0_2_0000000140009CB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Code function: 0_2_000000014000A0C0 0_2_000000014000A0C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Code function: 0_2_000000014000A590 0_2_000000014000A590
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Code function: 0_2_0000000140015A30 0_2_0000000140015A30
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Code function: 0_2_0000000140008710 0_2_0000000140008710
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Code function: String function: 000000014000B1F0 appears 45 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Code function: String function: 0000000140014290 appears 40 times
Source: SecuriteInfo.com.FileRepPup.14501.9091.exe, 00000000.00000000.1689333143.00000001400D7000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUpdater.exe@ vs SecuriteInfo.com.FileRepPup.14501.9091.exe
Source: SecuriteInfo.com.FileRepPup.14501.9091.exe Binary or memory string: OriginalFilenameUpdater.exe@ vs SecuriteInfo.com.FileRepPup.14501.9091.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Section loaded: kernel.appcore.dll
Source: classification engine Classification label: mal56.evad.winEXE@2/2@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Code function: 0_2_0000000140031F10 GetLastError,_errno,__sys_nerr,strerror,strncpy,FormatMessageA,strrchr,strrchr,_errno,_errno,GetLastError,SetLastError, 0_2_0000000140031F10
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Code function: 0_2_0000000140007630 CoInitialize,CoCreateInstance,_local_unwind,_local_unwind,_local_unwind,_local_unwind,_local_unwind,CoUninitialize, 0_2_0000000140007630
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe File created: C:\Users\user\Desktop\updater.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6876:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.FileRepPup.14501.9091.exe String found in binary or memory: Can't add itself as a subpart!; boundary=Content-Type: %s%s%s.gifimage/gif.jpgimage/jpeg.jpeg.pngimage/png.svgimage/svg+xml.txttext/plain.htmtext/html.html.pdfapplication/pdf.xmlapplication/xmlmultipart/mixedapplication/octet-streamContent-Dispositionmultipart/attachment"; filename="; name="Content-Disposition: %s%s%s%s%s%s%sContent-Transfer-EncodingContent-Transfer-Encoding: %smultipart/form-dataform-dataiphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectoryConnection #%ld to host %s left intactIn state %d with no conn, bail out!
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: SecuriteInfo.com.FileRepPup.14501.9091.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.FileRepPup.14501.9091.exe Static file information: File size 2981118 > 1048576
Source: SecuriteInfo.com.FileRepPup.14501.9091.exe Static PE information: Raw size of .vlizer is bigger than: 0x100000 < 0x2036fe
Source: SecuriteInfo.com.FileRepPup.14501.9091.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Code function: 0_2_000000014000FF50 GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA, 0_2_000000014000FF50
Source: SecuriteInfo.com.FileRepPup.14501.9091.exe Static PE information: section name: .vlizer
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Code function: 0_2_00000001400060DE push rax; ret 0_2_00000001400060DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Code function: 0_2_000000014000557E push rdx; retf 0_2_000000014000557F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Code function: 0_2_000000014000460E push rsi; retf 0_2_000000014000461C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Code function: 0_2_0000000140005230 push B7C7E254h; ret 0_2_0000000140005236
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Code function: 0_2_00000001400046D3 push 0000002Dh; retf 0_2_00000001400046DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Code function: 0_2_0000000140003F93 push rsp; iretd 0_2_0000000140003F96
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe API coverage: 6.2 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14501.9091.exe Code function: 0_2_000000014005CA90 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_000000014005CA90
No contacted IP infos