Windows Analysis Report
SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Overview

General Information

Sample name: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe
Analysis ID: 1467950
MD5: 0e570d20533d55b18cd26885fdb6a5a6
SHA1: 924fc50d17bac3b46eee68a00ec2b7c2b08ebe19
SHA256: 914fb029425c442aaaa942e74f57b48c9c3d0366232e9d57d5661e4a52c0bc14
Tags: exe

Detection

Score: 29
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Contains functionality to detect sleep reduction / modifications
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Binary string: .PDBU source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004095D4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_004095D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004096B0 FindFirstFileA,GetLastError, 0_2_004096B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00405D5C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405D5C
Source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://nitton.pl/tomseditor/index.php
Source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://tomseditor.com/blog/Projector.exe
Source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://tomseditor.com/blog/viewer
Source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://tomseditor.com/blog/viewer_update.php?v=
Source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://tomseditor.com/blog/vieweropen
Source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://tomseditor.com/blog/vieweropenS
Source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://tomseditor.com/blog/vieweropenSV
Source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://tomseditor.com/blog/youtube_thumb.php?url=
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004320D0 OpenClipboard,GlobalAlloc,GlobalFix,EmptyClipboard,SetClipboardData,GlobalUnWire, 0_2_004320D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00436080 SetClipboardData,SetClipboardData, 0_2_00436080
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004361A4 SetClipboardData, 0_2_004361A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00435FFC SetClipboardData,SetClipboardData, 0_2_00435FFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00436150 GetClipboardData, 0_2_00436150
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00446708 GetKeyboardState,KiUserCallbackDispatcher, 0_2_00446708
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00449684 NtdllDefWindowProc_A,GetCapture,KiUserCallbackDispatcher, 0_2_00449684
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00463DC0 NtdllDefWindowProc_A, 0_2_00463DC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00464568 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_00464568
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00464618 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_00464618
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0043504C NtdllDefWindowProc_A, 0_2_0043504C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004590EC GetSubMenu,SaveDC,RestoreDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 0_2_004590EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0049A010 0_2_0049A010
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004CE0A4 0_2_004CE0A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004CA1B4 0_2_004CA1B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004A4248 0_2_004A4248
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004E22D0 0_2_004E22D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0045E2B8 0_2_0045E2B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004B83EC 0_2_004B83EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004DA40C 0_2_004DA40C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004A44FC 0_2_004A44FC
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004AC49C 0_2_004AC49C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004C659C 0_2_004C659C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004E07A8 0_2_004E07A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0046E87C 0_2_0046E87C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004E6978 0_2_004E6978
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0040E930 0_2_0040E930
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004CC990 0_2_004CC990
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004DAAF4 0_2_004DAAF4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00498D38 0_2_00498D38
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004C8DDC 0_2_004C8DDC
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0048EDA4 0_2_0048EDA4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0048ADBC 0_2_0048ADBC
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004ACEF8 0_2_004ACEF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0048AEF4 0_2_0048AEF4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004D0F40 0_2_004D0F40
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004CEF68 0_2_004CEF68
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004EAFE8 0_2_004EAFE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004590EC 0_2_004590EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004F1088 0_2_004F1088
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004D91D0 0_2_004D91D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00467270 0_2_00467270
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004DB344 0_2_004DB344
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004AD420 0_2_004AD420
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00473430 0_2_00473430
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004E5694 0_2_004E5694
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004F7760 0_2_004F7760
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004F17D4 0_2_004F17D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004B99D4 0_2_004B99D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004A1A50 0_2_004A1A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00493A18 0_2_00493A18
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00473D64 0_2_00473D64
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004A3DB8 0_2_004A3DB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004C7EBC 0_2_004C7EBC
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004D3F28 0_2_004D3F28
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004DDFC8 0_2_004DDFC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00493FB8 0_2_00493FB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: String function: 00404740 appears 47 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: String function: 00404B4C appears 33 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: String function: 00406DA4 appears 61 times
Source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Static PE information: Section: UPX1 ZLIB complexity 0.9981084408967391
Source: classification engine Classification label: sus29.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0048CC3C GetLastError,FormatMessageA, 0_2_0048CC3C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00409996 GetDiskFreeSpaceA, 0_2_00409996
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0041A3B0 FindResourceA, 0_2_0041A3B0
Source: Yara match File source: 0.2.SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Section loaded: wintypes.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: .PDBU source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00450608 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_00450608
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00450C54 push 00450CE1h; ret 0_2_00450CD9
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0046A05C push 0046A088h; ret 0_2_0046A080
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004E407C push 004E41D5h; ret 0_2_004E41CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0048807C push 004880A8h; ret 0_2_004880A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00430078 push 004300A4h; ret 0_2_0043009C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00486018 push ecx; mov dword ptr [esp], ecx 0_2_0048601C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00430018 push 00430044h; ret 0_2_0043003C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0042E020 push 0042E04Ch; ret 0_2_0042E044
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004D60E4 push 004D61E1h; ret 0_2_004D61D9
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004300E8 push 00430114h; ret 0_2_0043010C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004DC090 push 004DC2B5h; ret 0_2_004DC2AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004D80A4 push 004D8150h; ret 0_2_004D8148
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004300B0 push 004300DCh; ret 0_2_004300D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004E80B4 push 004E81B6h; ret 0_2_004E81AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004660B8 push 00466112h; ret 0_2_0046610A
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004D8158 push 004D820Dh; ret 0_2_004D8205
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00430120 push 0043014Ch; ret 0_2_00430144
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00416138 push 00416164h; ret 0_2_0041615C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004E81C0 push 004E82C2h; ret 0_2_004E82BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004701E4 push 0047021Ch; ret 0_2_00470214
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004301E4 push 00430210h; ret 0_2_00430208
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00430194 push 004301C0h; ret 0_2_004301B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004841B4 push 004841E0h; ret 0_2_004841D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004D8218 push 004D831Ah; ret 0_2_004D8312
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0043021C push 00430248h; ret 0_2_00430240
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004E82CC push 004E83CEh; ret 0_2_004E83C6
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0046A2E0 push 0046A30Ch; ret 0_2_0046A304
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004E02F4 push 004E03F9h; ret 0_2_004E03F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00416288 push ecx; mov dword ptr [esp], ecx 0_2_0041628B
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004162A8 push ecx; mov dword ptr [esp], ecx 0_2_004162AB
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0046A2A8 push 0046A2D4h; ret 0_2_0046A2CC
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00460E70 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 0_2_00460E70
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00463E48 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 0_2_00463E48
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00464568 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_00464568
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00464618 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_00464618
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0042CA48 MonitorFromWindow,MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect, 0_2_0042CA48
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0044ADA8 IsIconic,GetCapture, 0_2_0044ADA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0044B65C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 0_2_0044B65C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0044BF80 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 0_2_0044BF80
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00450608 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_00450608

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0043FC20 0_2_0043FC20
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 0_2_004633B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe API coverage: 6.3 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0043FC20 0_2_0043FC20
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004095D4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_004095D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004096B0 FindFirstFileA,GetLastError, 0_2_004096B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00405D5C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405D5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004261D8 GetSystemInfo, 0_2_004261D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00450608 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_00450608
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_004662E4 cpuid 0_2_004662E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405F14
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: GetLocaleInfoA, 0_2_0040C44C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: GetLocaleInfoA, 0_2_0040C498
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: GetLocaleInfoA, 0_2_0040680A
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: GetLocaleInfoA, 0_2_0040680C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: GetLocaleInfoA,GetACP, 0_2_0040DB1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_0040ADE8 GetLocalTime, 0_2_0040ADE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00406DEA GetTimeZoneInformation, 0_2_00406DEA
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe Code function: 0_2_00450C54 GetVersion, 0_2_00450C54
No contacted IP infos