Windows Analysis Report
SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe
Analysis ID: 1446232
MD5: 0313d8be33d8d352e3b7b6a24dd71943
SHA1: 59f4008aee2f98560b2155f03cc1da34fd7fa789
SHA256: 978aae287c78d11d1e0d76a35d78554b97039a26bf96b21f59de7112f4176a19
Tags: exe

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names

Classification

Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 4x nop then mov r8, 0000800000000000h 0_2_00438B20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 4x nop then sub rbx, qword ptr [rax+18h] 0_2_0042F380
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 4x nop then mov rsi, r9 0_2_00439FE0
Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe String found in binary or memory: https://www.wangsu.com/product/1810
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00474BC0 SetWaitableTimer,NtWaitForSingleObject, 0_2_00474BC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00474B80 NtWaitForSingleObject, 0_2_00474B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00435800 0_2_00435800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00447000 0_2_00447000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00415020 0_2_00415020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_004330C0 0_2_004330C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_004848C0 0_2_004848C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0041D880 0_2_0041D880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0044A080 0_2_0044A080
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0045C140 0_2_0045C140
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00469940 0_2_00469940
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0047F140 0_2_0047F140
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00415900 0_2_00415900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_004301C0 0_2_004301C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0041F1E0 0_2_0041F1E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_004161E0 0_2_004161E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0042F980 0_2_0042F980
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00442980 0_2_00442980
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0045C980 0_2_0045C980
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00424A40 0_2_00424A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0044DA40 0_2_0044DA40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00452A40 0_2_00452A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00435200 0_2_00435200
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0046D200 0_2_0046D200
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_004362E0 0_2_004362E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0041C280 0_2_0041C280
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00482340 0_2_00482340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0042CB60 0_2_0042CB60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00482B60 0_2_00482B60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00438B20 0_2_00438B20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0047F320 0_2_0047F320
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00422BC0 0_2_00422BC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00429BC0 0_2_00429BC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_004293C0 0_2_004293C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00425B80 0_2_00425B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0043EB80 0_2_0043EB80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0047CB80 0_2_0047CB80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0047BC60 0_2_0047BC60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00425C05 0_2_00425C05
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0042D4C0 0_2_0042D4C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0041CCDC 0_2_0041CCDC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00444CE0 0_2_00444CE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0044F4A0 0_2_0044F4A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00426D20 0_2_00426D20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00432D20 0_2_00432D20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0041F5E0 0_2_0041F5E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0042E5E0 0_2_0042E5E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00419DA0 0_2_00419DA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0046FDA9 0_2_0046FDA9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00484E20 0_2_00484E20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_004256E0 0_2_004256E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00455EE0 0_2_00455EE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00416680 0_2_00416680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00423E80 0_2_00423E80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00439FE0 0_2_00439FE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0047CFE0 0_2_0047CFE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00429F80 0_2_00429F80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00438F80 0_2_00438F80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00446780 0_2_00446780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0044CFA0 0_2_0044CFA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: String function: 00445DC0 appears 481 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: String function: 004475C0 appears 51 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: String function: 00447E40 appears 547 times
Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Static PE information: Number of sections : 11 > 10
Source: classification engine Classification label: clean5.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe File created: C:\Users\log
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe File opened: C:\Windows\system32\…
Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Section loaded: umpdc.dll
Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Static file information: File size 3909440 > 1048576
Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x14de00
Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x100600
Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x15ae00
Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Static PE information: real checksum: 0x3ba7a0 should be: 0x3bb076
Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Static PE information: section name: .xdata
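The three static header findings above (stored checksum 0x3ba7a0 against a recomputed 0x3bb076, 11 sections, and a section named .xdata) can be reproduced and put in context with stdlib Python. The block below is an added example and is not part of the Joe Sandbox report or of the sample; it assumes a Go- or MinGW-linked x64 toolchain when it treats .xdata, .pdata and .symtab as expected section names, and because the sample's bytes are not reproduced here it is exercised on a constructed minimal PE32+ header (the `build_test_image` helper is mine). Two caveats it makes explicit: Windows validates the CheckSum field only for drivers, boot-time DLLs and DLLs loaded into critical system processes, so a user-mode EXE with a wrong checksum loads normally and the mismatch is weak evidence on its own; and .xdata is the x64 unwind-information section written by the GCC/MinGW toolchain (and by recent Go linkers), so its presence is a toolchain fingerprint, not a packer indicator.

```python
import struct
from typing import Dict, List, NamedTuple

# Section names a Go- or MinGW-linked x64 PE legitimately carries (assumption:
# the sandbox's "non-standard name" list is tuned for MSVC output, where the
# .xdata/.pdata unwind tables and Go's .symtab do not appear).
KNOWN_SECTIONS = {
    b".text", b".rdata", b".data", b".bss", b".idata", b".edata", b".rsrc",
    b".reloc", b".tls", b".CRT", b".pdata", b".xdata", b".symtab",
}

class Section(NamedTuple):
    name: bytes
    virtual_size: int
    raw_size: int
    characteristics: int

def optional_header_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER after checking the MZ and PE magics."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 4 + 20            # "PE\0\0" + IMAGE_FILE_HEADER

def checksum_offset(data: bytes) -> int:
    """CheckSum sits at +0x40 of the optional header for both PE32 and PE32+."""
    return optional_header_offset(data) + 0x40

def pe_checksum(data: bytes, skip_offset: int) -> int:
    """Recompute the header CheckSum: 32-bit sum with end-around carry over every
    dword except the CheckSum field, folded to 16 bits, plus the file length.
    This is the algorithm imagehlp!CheckSumMappedFile (and pefile) implement."""
    length = len(data)
    padded = data + b"\0" * (-length % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip_offset & ~3:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + length

def checksum_report(data: bytes) -> Dict[str, int]:
    """The numbers the report prints: stored ("real") value and the recomputed one."""
    off = checksum_offset(data)
    stored, = struct.unpack_from("<I", data, off)
    computed = pe_checksum(data, off)
    return {"stored": stored, "computed": computed, "valid": int(stored == computed)}

def sections(data: bytes) -> List[Section]:
    """Parse the IMAGE_SECTION_HEADER table that follows the optional header."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    count, = struct.unpack_from("<H", data, e_lfanew + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)   # SizeOfOptionalHeader
    off = optional_header_offset(data) + opt_size
    out = []
    for _ in range(count):
        name, vsize, _va, rsize = struct.unpack_from("<8sIII", data, off)
        chars, = struct.unpack_from("<I", data, off + 36)       # Characteristics
        out.append(Section(name.rstrip(b"\0"), vsize, rsize, chars))
        off += 40
    return out

def section_report(data: bytes, max_sections: int = 10) -> dict:
    """The two section signatures, with the toolchain allow-list applied."""
    secs = sections(data)
    return {
        "count": len(secs),
        "too_many": len(secs) > max_sections,
        "unknown_names": [s.name for s in secs if s.name not in KNOWN_SECTIONS],
    }

def build_test_image(section_names) -> bytes:
    """Constructed minimal PE32+ header (not the sample): 64-byte DOS header,
    NT signature, file header, 240-byte optional header, one entry per section."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    opt_size = 240
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n, 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
        for n in section_names)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table

def stamp_checksum(data: bytes) -> bytes:
    """Write a correct CheckSum into the header, as a linker or signtool would."""
    off = checksum_offset(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, off, pe_checksum(data, off))
    return bytes(buf)
```

On a real file, `checksum_report(open(path, "rb").read())` gives the same pair of values the report shows, and `section_report` lists only the names that are unexpected for the assumed toolchain; on `stamp_checksum(build_test_image([...]))` the checksum verifies and flipping any byte outside the CheckSum field makes it fail.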
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00472D80 rdtsc 0_2_00472D80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe API coverage: 5.3 %
Source: SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe, 00000000.00000002.1499256624.0000025D78B5D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00472D80 rdtsc 0_2_00472D80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_00411180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,GetStartupInfoA, 0_2_00411180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0081D464 SetUnhandledExceptionFilter,VirtualAlloc,VirtualFree, 0_2_0081D464
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.10211.5558.exe Code function: 0_2_0055D5D0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0055D5D0
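Several of the dynamic findings above are what a Go program built for windows/amd64 looks like from the outside rather than evidence of evasion: rdtsc is how the Go runtime's cputicks reads the clock, SetWaitableTimer followed by NtWaitForSingleObject is the runtime's usleep, and 5.3 % API coverage with a large number of never-called imports is normal for a statically linked binary that ships its whole runtime. The GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter sequence is the C runtime's __security_init_cookie, and the _initterm, _cexit, GetStartupInfoA chain is mingw-w64 startup code, which together point to a cgo build linked through MinGW. Treat that reading as an assumption: the report only carries "WinGo" in the detection name and never names the compiler. The block below is an added example (mine, not the report's output or the sample author's code) that settles the question offline: it scans a raw image for the Go build-info blob and the runtime.pclntab header magic and returns the Go version, the embedded module info and the pclntab generation. It works on binaries linked with -s -w, since stripping removes .symtab and DWARF but not these two structures. Because the sample is not reproduced here it runs on a constructed buffer (`build_test_blob` is mine); on the real file pass the file's bytes to `go_info`.

```python
import re
import struct
from typing import NamedTuple, Optional, Tuple

BUILDINFO_MAGIC = b"\xff Go buildinf:"            # 14-byte magic, 16-byte aligned in .data
# Go wraps the embedded module info in this 16-byte sentinel on both sides.
MODINFO_SENTINEL = bytes.fromhex("3077af0c9274080241e1c107e6d618e6")
# runtime.pclntab header magic (first dword, little-endian) by Go release.
PCLNTAB_MAGIC = {
    0xFFFFFFFB: "go1.2-1.15",
    0xFFFFFFFA: "go1.16-1.17",
    0xFFFFFFF0: "go1.18-1.19",
    0xFFFFFFF1: "go1.20+",
}

class GoInfo(NamedTuple):
    version: str     # e.g. "go1.21.5"; empty if no build-info blob was found
    modinfo: str     # "path\t...\nmod\t...\n" lines as embedded by the Go linker
    pclntab: str     # release range implied by the pclntab magic; empty if absent

def _uvarint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode Go's unsigned LEB128 varint at pos; return (value, position after it)."""
    value = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7

def _go_bytes(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """A varint-length-prefixed byte string, the inline encoding used since Go 1.18."""
    n, pos = _uvarint(buf, pos)
    return buf[pos:pos + n], pos + n

def go_buildinfo(data: bytes) -> Optional[Tuple[str, str]]:
    """Parse the runtime.buildinfo blob: 14-byte magic, pointer size, flags
    (bit 0 big-endian, bit 1 strings stored inline), then at +32 the version and
    module info.  Pre-1.18 images store two pointers instead and are skipped here."""
    pos = data.find(BUILDINFO_MAGIC)
    if pos < 0:
        return None
    flags = data[pos + 15]
    if not flags & 2:
        return None
    version, p = _go_bytes(data, pos + 32)
    mod, _ = _go_bytes(data, p)
    # Same sentinel check debug/buildinfo applies before trusting the module info.
    if len(mod) >= 33 and mod[-17:-16] == b"\n":
        mod = mod[16:-16]
    else:
        mod = b""
    return version.decode("utf-8", "replace"), mod.decode("utf-8", "replace")

def pclntab_generation(data: bytes) -> Optional[str]:
    """Locate the pclntab header: magic dword, two zero bytes, instruction quantum
    (1 on amd64), pointer size (4 or 8).  Returns the release range of the magic."""
    for magic, generation in PCLNTAB_MAGIC.items():
        pattern = re.escape(struct.pack("<I", magic)) + rb"\x00\x00[\x01\x02\x04][\x04\x08]"
        if re.search(pattern, data):
            return generation
    return None

def go_info(data: bytes) -> Optional[GoInfo]:
    """Combine both checks; None means neither Go structure is present."""
    bi = go_buildinfo(data)
    generation = pclntab_generation(data)
    if bi is None and generation is None:
        return None
    version, mod = bi if bi is not None else ("", "")
    return GoInfo(version, mod, generation or "")

def build_test_blob() -> bytes:
    """Constructed stand-in for a slice of a Go .data/.rdata section; not bytes
    from the sample.  Lengths stay below 128 so each varint is a single byte."""
    modinfo = b"path\tcmd/sample\nmod\tcmd/sample\t(devel)\t\nbuild\tGOOS=windows\n"
    mod = MODINFO_SENTINEL + modinfo + MODINFO_SENTINEL
    header = BUILDINFO_MAGIC + bytes([8, 2]) + b"\0" * 16          # ptrsize 8, inline flag
    blob = header + bytes([8]) + b"go1.21.5" + bytes([len(mod)]) + mod
    pclntab = struct.pack("<I", 0xFFFFFFF1) + b"\x00\x00\x01\x08" + b"\0" * 8
    return b"\0" * 48 + blob + b"\0" * 16 + pclntab
```

A version string and a module path with a `(devel)` or tagged version are what a legitimate build leaves behind; a blob whose module info fails the sentinel check, or a pclntab magic that disagrees with the version string, is worth a closer look because it means the binary was post-processed after linking.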
No contacted IP infos