Windows Analysis Report
SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe
Analysis ID: 1447597
MD5: 1295db15df2d7db394255d69e08d4b75
SHA1: e5b50acdc09fca94f7e9c0a7fc7e57ade9670607
SHA256: 1d679b6434ca87e87c226ff908f19221a09a885d1c0a33f8c868e5d45a440e7f
Tags: exe

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

AV Detection

Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Avira: detected
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe ReversingLabs: Detection: 47%
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Virustotal: Detection: 47%
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe, 00000000.00000002.3272105198.00007FF7B34AF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe
Source: Binary string: C:\Users\Datahost\Desktop\Fantastic\x64\Release\Usermode.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Code function: 0_2_00007FF7B34008C0: DeviceIoControl, 0_2_00007FF7B34008C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Code function: String function: 00007FF7B3403610 appears 32 times
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe, 00000000.00000002.3272105198.00007FF7B34AF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameiQVW64.SYSH vs SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe, 00000000.00000000.1998743552.00007FF7B34AE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameiQVW64.SYSH vs SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Binary or memory string: OriginalFilenameiQVW64.SYSH vs SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Binary string: \Device\Nal
Source: classification engine Classification label: mal60.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5552:120:WilError_03
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectory
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Section loaded: d3dx9_43.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Section loaded: wldp.dll
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Static file information: File size 1368576 > 1048576
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Code function: 0_2_00007FF7B34A9CDC memset,GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_00007FF7B34A9CDC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Code function: 0_2_00007FF7B33C5010 GetProcessHeap,_Init_thread_footer,_Init_thread_footer, 0_2_00007FF7B33C5010
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Code function: 0_2_00007FF7B34A8F58 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7B34A8F58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.8144.20316.exe Code function: 0_2_00007FF7B34A9AD8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF7B34A9AD8
No contacted IP infos