Windows
Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll
Overview
General Information
Detection
GO Backdoor
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected GO Backdoor
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found Tor onion address
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
PE file contains section with special chars
Switches to a custom stack to bypass stack traces
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Classification
- System is w10x64
- loaddll32.exe (PID: 6860, cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll", MD5: 51E6071F9CBA48E79F10C84515AAE618)
- conhost.exe (PID: 6892, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 6996, cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",#1, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- rundll32.exe (PID: 7100, cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",#1, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7020, cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll,MainFunc, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 5480, cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll,_cgo_dummy_export, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7132, cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",MainFunc, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 3060, cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",_cgo_dummy_export, MD5: 889B99C52A60DD49227C5E485A016679)
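The process tree above is the kind of telemetry a detection engineer would want to triage automatically: every rundll32/loaddll32 invocation here loads a DLL from the user's Desktop and calls it by ordinal (#1) or by an export name, and the _cgo_dummy_export name is consistent with a DLL built with Go's cgo toolchain (a heuristic, matching the report's GO Backdoor classification). The following Python is an added example by the editor, not part of the Joe Sandbox report: it parses the command lines transcribed from this tree (plus one constructed benign rundll32 baseline), scores them with assumed weights, and returns the suspicious ones with reasons. The user-writable path list, the weights and the threshold are the editor's assumptions.

```python
import re

# Command lines transcribed from this report's process tree (PIDs and MD5s
# omitted), plus one constructed benign rundll32 invocation as a baseline.
# Constructed sample input, not sandbox output.
SAMPLE_CMDLINES = [
    r'loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll"',
    r'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",#1',
    r'rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",#1',
    r'rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll,MainFunc',
    r'rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll,_cgo_dummy_export',
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',  # constructed benign baseline
]

# rundll32 syntax: rundll32.exe <dll>,<export or #ordinal>; the DLL path may be quoted.
RUNDLL_RE = re.compile(
    r'(?:^|\s)rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>#?\w+)',
    re.IGNORECASE,
)
# loaddll32.exe is the sandbox's own DLL loader and is rare on end-user hosts.
LOADDLL_RE = re.compile(
    r'(?:^|\s)loaddll(?:32|64)(?:\.exe)?\s+"?(?P<dll>[^"]+?)"?\s*$', re.IGNORECASE
)
# Directories an unprivileged user can normally write to (assumed heuristic list).
USER_WRITABLE_RE = re.compile(
    r'\\Users\\|\\Temp\\|\\AppData\\|\\ProgramData\\|\\Public\\', re.IGNORECASE
)


def parse_loader_cmdline(cmdline):
    """Return {'loader', 'dll', 'export'} for rundll32/loaddll32 lines, else None."""
    m = RUNDLL_RE.search(cmdline)
    if m:
        return {"loader": "rundll32", "dll": m.group("dll"), "export": m.group("export")}
    m = LOADDLL_RE.search(cmdline)
    if m:
        return {"loader": "loaddll32", "dll": m.group("dll"), "export": None}
    return None


def score_loader(entry):
    """Additive heuristic score plus human-readable reasons (weights are assumptions)."""
    points, reasons = 0, []
    if USER_WRITABLE_RE.search(entry["dll"]):
        points += 3
        reasons.append("DLL loaded from a user-writable path")
    if entry["loader"] == "loaddll32":
        points += 2
        reasons.append("loaddll32 is an analysis-lab loader, not a normal end-user tool")
    export = entry["export"] or ""
    if export.startswith("#"):
        points += 1
        reasons.append("export called by ordinal")
    if export.lower().startswith("_cgo_"):
        points += 2
        reasons.append("cgo-style export name, consistent with a Go-built DLL (heuristic)")
    return points, reasons


def triage(cmdlines, threshold=3):
    """Return the command lines whose score reaches the threshold, with reasons."""
    hits = []
    for cmdline in cmdlines:
        entry = parse_loader_cmdline(cmdline)
        if entry is None:
            continue
        points, reasons = score_loader(entry)
        if points >= threshold:
            hits.append({"cmdline": cmdline, "dll": entry["dll"],
                         "export": entry["export"], "score": points, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_CMDLINES):
        print(f"[{hit['score']}] {hit['cmdline']}")
        for reason in hit["reasons"]:
            print(f"      - {reason}")
```

Run against the sample, the five loader lines from the report are flagged and the conhost and shell32 baselines are not; in production the same parser would be fed Sysmon event 1 or EDR process-creation records rather than a hard-coded list.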
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security |
 | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security |
 | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security |
⊘No Sigma rule has matched
Timestamp | SID | Severity | Source Port | Destination Port | Protocol | Classtype
---|---|---|---|---|---|---
2024-08-09T19:28:49.448134+0200 | 2855536 | 1 | 49739 | 26395 | TCP | A Network Trojan was detected
2024-08-09T19:28:49.429828+0200 | 2855539 | 1 | 26395 | 49739 | TCP | A Network Trojan was detected
2024-08-09T19:29:19.090843+0200 | 2855538 | 1 | 26395 | 49739 | TCP | A Network Trojan was detected
2024-08-09T19:29:18.867934+0200 | 2855537 | 1 | 49739 | 26395 | TCP | A Network Trojan was detected
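The four IDS alerts above describe one TCP session: the sandbox host's ephemeral port 49739 talks to remote port 26395 in both directions over about 30 seconds, which is what the "Detected TCP or UDP traffic on non-standard ports" signature is reacting to. The Python below is an added example by the editor, not part of the Joe Sandbox report: it parses the alerts as the key/value text the report presents, pairs them into bidirectional flows, identifies the server side by the Windows dynamic port range, and flags flows whose server port is not in an allowlist. The page gives no IP addresses, so flows are keyed by port pair only; the ephemeral range and the allowlist are assumptions.

```python
from datetime import datetime

# The four alerts listed in this report, re-typed in the report's key/value form.
# Constructed transcription; no IP addresses appear on the page.
ALERT_TEXT = """\
Timestamp: 2024-08-09T19:28:49.448134+0200
SID: 2855536
Severity: 1
Source Port: 49739
Destination Port: 26395
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-08-09T19:28:49.429828+0200
SID: 2855539
Severity: 1
Source Port: 26395
Destination Port: 49739
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-08-09T19:29:19.090843+0200
SID: 2855538
Severity: 1
Source Port: 26395
Destination Port: 49739
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-08-09T19:29:18.867934+0200
SID: 2855537
Severity: 1
Source Port: 49739
Destination Port: 26395
Protocol: TCP
Classtype: A Network Trojan was detected
"""

# Windows' default dynamic client port range starts here (assumption about the host).
EPHEMERAL_MIN = 49152
# Server ports an outbound connection is expected to use; anything else is
# reported as non-standard. Assumed allowlist for the example, not a sandbox setting.
EXPECTED_SERVER_PORTS = {53, 80, 123, 443, 587, 993, 995}


def parse_alerts(text):
    """Split blank-line-separated key/value records into dicts with typed fields."""
    alerts = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon only; timestamps keep theirs
            rec[key.strip()] = value.strip()
        alerts.append({
            "ts": datetime.strptime(rec["Timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(rec["SID"]),
            "severity": int(rec["Severity"]),
            "sport": int(rec["Source Port"]),
            "dport": int(rec["Destination Port"]),
            "proto": rec["Protocol"],
            "classtype": rec["Classtype"],
        })
    return alerts


def summarize_flows(alerts):
    """Group alerts into port-pair flows, count each direction, flag odd server ports."""
    flows = {}
    for a in alerts:
        lo, hi = sorted((a["sport"], a["dport"]))
        # If exactly one side is in the dynamic range, the other side is the server.
        if (lo < EPHEMERAL_MIN) != (hi < EPHEMERAL_MIN):
            server_port = lo if lo < EPHEMERAL_MIN else hi
        else:
            server_port = lo  # ambiguous; fall back to the lower port
        f = flows.setdefault((lo, hi), {"server_port": server_port, "to_server": 0,
                                        "to_client": 0, "sids": set(),
                                        "first": a["ts"], "last": a["ts"]})
        if a["dport"] == server_port:
            f["to_server"] += 1
        else:
            f["to_client"] += 1
        f["sids"].add(a["sid"])
        f["first"] = min(f["first"], a["ts"])
        f["last"] = max(f["last"], a["ts"])
    for f in flows.values():
        f["bidirectional"] = f["to_server"] > 0 and f["to_client"] > 0
        f["non_standard_port"] = f["server_port"] not in EXPECTED_SERVER_PORTS
        f["duration_s"] = (f["last"] - f["first"]).total_seconds()
    return flows


if __name__ == "__main__":
    for (lo, hi), f in summarize_flows(parse_alerts(ALERT_TEXT)).items():
        print(f"ports {lo}<->{hi}: server port {f['server_port']}, "
              f"{f['to_server']} to server / {f['to_client']} to client, "
              f"{f['duration_s']:.1f}s, SIDs {sorted(f['sids'])}, "
              f"non-standard={f['non_standard_port']}")
```

On the report's alerts this yields a single bidirectional flow to server port 26395 lasting roughly 29.7 seconds and covering all four SIDs; a two-way exchange on an unregistered port that persists across the sandbox run is a stronger C2 indicator than any single alert, and the same grouping works on Suricata eve.json once the parser is swapped for json.loads.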
- • AV Detection
- • Compliance
- • Networking
- • System Summary
- • Data Obfuscation
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • Anti Debugging
- • HIPS / PFW / Operating System Protection Evasion
- • Language, Device and Operating System Detection
- • Stealing of Sensitive Information
- • Remote Access Functionality
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Static PE information: |
Source: | Static PE information: |
Networking |
---|
Source: | Network Connect: |
Source: | Network Connect: |
Source: | Network Connect: |
Source: | Network Connect: |
Source: | Network Connect: |
Source: | Network Connect: |
Source: | TCP traffic: |
Source: | String found in binary or memory: |