Windows Analysis Report
SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe
Analysis ID: 1543710
MD5: 803d402767279864bebd70d810cc7461
SHA1: faed2f5ec54739b4e751295b28a366ddc5902833
SHA256: b8ee29a158040d128d74d25483b85d69f1125bf615e7862fec4cb5bd7e86aa47
Tags: exe

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
One or more processes crash
PE file contains sections with non-standard names
PE file does not import any functions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

AV Detection

Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Avira: detected
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe ReversingLabs: Detection: 34%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, BYTES_REVERSED_HI
Source: Amcache.hve.3.dr String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe String found in binary or memory: http://www.clamav.net
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe String found in binary or memory: http://www.pcnet123.cn
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe String found in binary or memory: http://www.pcnet123.cnOpenU
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_0045B050 0_2_0045B050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_0047B0D0 0_2_0047B0D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_004752F4 0_2_004752F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_0045554C 0_2_0045554C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: String function: 0040441C appears 87 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6668 -s 232
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Static PE information: No import functions for PE file found
Source: classification engine Classification label: mal64.winEXE@2/5@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6668
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\31237557-8088-4f8d-aa31-4c1b8aef9af8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Section loaded: apphelp.dll
Source: initial sample Static PE information: section where entry point is pointing to: .clam01
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Static PE information: section name: .clam01
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Static PE information: section name: .clam02
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Static PE information: section name: .clam03
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Static PE information: section name: .clam04
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Static PE information: section name: .clam05
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Static PE information: section name: .clam06
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Static PE information: section name: .clam07
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Static PE information: section name: .clam08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_0047E04C push 0047E078h; ret 0_2_0047E070
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_00468074 push 004680A0h; ret 0_2_00468098
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_00456004 push 0045606Fh; ret 0_2_00456067
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_0047E014 push 0047E040h; ret 0_2_0047E038
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_00468010 push 00468036h; ret 0_2_0046802E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_0040E0C4 push 0040E240h; ret 0_2_0040E238
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_0047E084 push 0047E0B0h; ret 0_2_0047E0A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_0047E0BC push 0047E0E8h; ret 0_2_0047E0E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_0041E178 push ecx; mov dword ptr [esp], edx 0_2_0041E17A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_0047E12C push 0047E158h; ret 0_2_0047E150
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_004841F8 push 00484224h; ret 0_2_0048421C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_0044E1FC push 0044E228h; ret 0_2_0044E220
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_0047E184 push 0047E1B0h; ret 0_2_0047E1A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_00498184 push 004981B0h; ret 0_2_004981A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_0040E242 push 0040E2B3h; ret 0_2_0040E2AB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_0040E244 push 0040E2B3h; ret 0_2_0040E2AB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_0042A2C0 push 0042A390h; ret 0_2_0042A388
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_0040E322 push 0040E350h; ret 0_2_0040E348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_0040E324 push 0040E350h; ret 0_2_0040E348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_004843D4 push 00484400h; ret 0_2_004843F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_00464460 push ecx; mov dword ptr [esp], ecx 0_2_00464465
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_00420438 push ecx; mov dword ptr [esp], edx 0_2_0042043D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_004664D8 push 0046651Bh; ret 0_2_00466513
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_0042A4A0 push 0042A4CCh; ret 0_2_0042A4C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_004164B4 push ecx; mov dword ptr [esp], eax 0_2_004164B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_0042C554 push 0042C595h; ret 0_2_0042C58D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_00486538 push 00486564h; ret 0_2_0048655C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_0046653C push 00466588h; ret 0_2_00466580
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_0042C5D8 push 0042C610h; ret 0_2_0042C608
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_00466594 push 004665C0h; ret 0_2_004665B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_0042C5A0 push 0042C5CCh; ret 0_2_0042C5C4
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Code function: 0_2_00484230 rdtsc 0_2_00484230
Source: Amcache.hve.3.dr Binary or memory string: VMware
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe Process queried: DebugPort
Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: MsMpEng.exe
No contacted IP infos