Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe
Analysis ID:	1547563
MD5:	d8188612b8eaf56cebceae7c54c12426
SHA1:	c82a28a4954ea5e11a221f89747c03c3c5f5d2ea
SHA256:	33e83e77afd9dbcf216839f46d32803571c3242a03680f6b7e40892cd530b49d
Tags:	exe
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Creates a process in suspended mode (likely to inject code)

Entry point lies outside standard sections

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe" MD5: D8188612B8EAF56CEBCEAE7C54C12426)

conhost.exe (PID: 7292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7396 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.0% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1826833456.0000000140313000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_f9152404-d

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49738 version: TLS 1.2

Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1827005249.000000014162A000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1827005249.000000014162A000.00000040.00000001.01000000.00000003.sdmp

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: dullwave.ru
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org

Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1826121439.000000000056C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1826121439.000000000056C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/?format=text
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1826121439.000000000056C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org?format=text
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1826121439.000000000056C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org?format=texte
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1826121439.000000000056C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orglDrive0
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1826833456.0000000140313000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000003.1734957483.0000000002410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1826121439.000000000056C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dullwave.ru/dlw_filebase/rust/check.php
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000003.1771490979.000000000058C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000003.1771446487.0000000000589000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dullwave.ru/dlw_filebase/rust/check.php?
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1826121439.000000000056C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dullwave.ru/dlw_filebase/rust/check.php?file=Bootstrup.exe&hash=D8188612B8EAF56CEBCEAE7C54C1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49738 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Static PE information: section name:

Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe

Static PE information: Number of sections : 13 > 10

Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Static PE information: Section: ZLIB complexity 0.997327302631579
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Static PE information: Section: .reloc ZLIB complexity 1.5

Source: classification engine

Classification label: mal80.evad.winEXE@4/1@2/2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Section loaded: schannel.dll	Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe

Static file information: File size 22509072 > 1048576

Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x17f200
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x135a400

Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1827005249.000000014162A000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1827005249.000000014162A000.00000040.00000001.01000000.00000003.sdmp

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Static PE information: section name: .bhnb
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Static PE information: section name: .boot

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Window searched: window name: RegmonClass	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000003.1804741986.00000000005E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000003.1804741986.00000000005E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROC_ANALYZER.EXE
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1826342529.000000000260D000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000003.1771446487.0000000000589000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1826121439.000000000056C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Process queried: DebugObjectHandle	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	NtSetInformationThread: Indirect: 0x1400BF795	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	NtQueryInformationProcess: Indirect: 0x1418034B1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	NtQueryInformationProcess: Indirect: 0x1417F9DA2	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	NtSetInformationThread: Indirect: 0x1417BA3CD	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	NtCreateThreadEx: Indirect: 0x1400C0BD2	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	NtQuerySystemInformation: Indirect: 0x141800781	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls

Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1826342529.000000000260D000.00000004.00000010.00020000.00000000.sdmp

Binary or memory string: Wireshark.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	33 Virtualization/Sandbox Evasion	OS Credential Dumping	641 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	11 Process Injection	LSASS Memory	33 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://api.ipify.org	0%	URL Reputation	safe
https://curl.haxx.se/docs/http-cookies.html	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.12.205	true	false		unknown
dullwave.ru	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org?format=text	SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1826121439.000000000056C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.ipify.org	SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1826121439.000000000056C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org?format=texte	SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1826121439.000000000056C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://dullwave.ru/dlw_filebase/rust/check.php?	SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000003.1771490979.000000000058C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000003.1771446487.0000000000589000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.ipify.org/?format=text	SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1826121439.000000000056C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://dullwave.ru/dlw_filebase/rust/check.php	SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1826121439.000000000056C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://dullwave.ru/dlw_filebase/rust/check.php?file=Bootstrup.exe&hash=D8188612B8EAF56CEBCEAE7C54C1	SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1826121439.000000000056C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://curl.haxx.se/docs/http-cookies.html	SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1826833456.0000000140313000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000003.1734957483.0000000002410000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.orglDrive0	SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe, 00000000.00000002.1826121439.000000000056C000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1547563
Start date and time:	2024-11-02 17:33:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe
Detection:	MAL
Classification:	mal80.evad.winEXE@4/1@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Excluded IPs from analysis (whitelisted): 4.175.87.197
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/
	perfcc.elf	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	hloRQZmlfg.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	TROODOS AIR PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	SecureMessageATT.html	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	COSCO SHIPPING WISDOM VESSEL DETAILS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	kill.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	w9ap9yNeCb.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Payslip_October_2024.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	ae713827-e32c-f66b-fbdb-5405db450711.eml	Get hash	malicious	Unknown	Browse	104.26.13.205
	kill.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	rMT103_126021720924.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://parrots-run-fjh.craft.me/kKsdDph47M82kH	Get hash	malicious	Unknown	Browse	104.16.40.28
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	m66Mwr3koh.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	m66Mwr3koh.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	SecuriteInfo.com.Trojan.GenericKD.74442994.24259.8937.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	Reservation Detail Booking.com ID4336.vbs	Get hash	malicious	AsyncRAT, PureLog Stealer, zgRAT	Browse	104.18.86.42

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ce5f3254611a8c095a3d821d44539877	SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	SecuriteInfo.com.Win64.MalwareX-gen.31244.2279.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	SecuriteInfo.com.Win64.CrypterX-gen.31361.18171.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	lUAc7lqa56.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	SecuriteInfo.com.FileRepMalware.12632.12594.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	SecuriteInfo.com.FileRepMalware.8628.17723.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	SecuriteInfo.com.Win64.MalwareX-gen.29573.28124.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	Iyto7FYCJO.exe	Get hash	malicious	Unknown	Browse	104.26.12.205

Dropped Files

⊘No context

Created / dropped Files

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	189
Entropy (8bit):	4.65143144403424
Encrypted:	false
SSDEEP:	3:7AeTABFReHLLmzRcPLStA3YEIAeeSAZQ68AeTABFReHLLmzRz6zX6AbQZ/Mj9GXY:YoLLmRM0A3YhveVQ6PoLLmRzMqI
MD5:	0C486B471EC0CB8315A78D385BA87320
SHA1:	1C4541DC73F4636AEBE6013D18D23FA1253A1BFC
SHA-256:	72B2E02B178A0DCAC14DC894A874FA7753EBE6B8224393DD7AF6F95CB45FAB58
SHA-512:	82C3C3AC8F2AC3C4D37EEA19B0FEBD4A36DD681EEBE882929AC6E7880D3663F1A99C133570781F7E0FEF5F29B050FCFDA2490B1AF1639CD5F9BF579219763085
Malicious:	false
Reputation:	low
Preview:	[DullWave] Failed to send GET request: Couldn't resolve host name...[DullWave] Auth.......[DullWave] Failed to send GET request: SSL connect error.....[DullWave] Connection not established.

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	7.969478726781011
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe
File size:	22'509'072 bytes
MD5:	d8188612b8eaf56cebceae7c54c12426
SHA1:	c82a28a4954ea5e11a221f89747c03c3c5f5d2ea
SHA256:	33e83e77afd9dbcf216839f46d32803571c3242a03680f6b7e40892cd530b49d
SHA512:	a73eb049c2a4d767a018be7094e8c192b22c2490c34295cdab7bf45b44be2c83165f0b2c3003d37da53703c71e48d119eabac58268ac006ac90bb47d3a1ac81d
SSDEEP:	393216:uGmEP/TbVLYeJvFTXqVPTQmbTz6Um6TJjo8mBeH4fqNEed6/b/SuTt:uq5YeZF7yMSz6Umqo8UeYfuEed67Sq
TLSH:	3837333428C37E2AEAB597B58FF7148D8630AA1546DF69C76B4F30474A5731F4BB2208
File Content Preview:	MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$.......Z.....w...w...w.U.t...w.U.r...w.U.s...w...s...w...s.v.w...r.=.w...t...w.-.s...w.......w.x.....w.L.s...w.L.t...w.L.r.~.w...s...w

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1423f7058
Entrypoint Section:	.boot
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, TERMINAL_SERVER_AWARE
Time Stamp:	0x67207A0F [Tue Oct 29 06:00:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	4c217a11cb1e73ae3df30fb8b8c95892

Entrypoint Preview

Instruction
call 00007F0A44DA7C77h
inc ecx
push edx
dec ecx
mov edx, esp
inc ecx
push edx
dec ecx
mov esi, dword ptr [edx+10h]
dec ecx
mov edi, dword ptr [edx+20h]
cld
mov dl, 80h
mov al, byte ptr [esi]
dec eax
inc esi
mov byte ptr [edi], al
dec eax
inc edi
mov ebx, 00000002h
add dl, dl
jne 00007F0A44DA7AF9h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jnc 00007F0A44DA7AD6h
add dl, dl
jne 00007F0A44DA7AF9h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jnc 00007F0A44DA7B50h
xor eax, eax
add dl, dl
jne 00007F0A44DA7AF9h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jnc 00007F0A44DA7BF8h
add dl, dl
jne 00007F0A44DA7AF9h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F0A44DA7AF9h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F0A44DA7AF9h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F0A44DA7AF9h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
je 00007F0A44DA7AFBh
push edi
mov eax, eax
dec eax
sub edi, eax
mov al, byte ptr [edi]
pop edi
mov byte ptr [edi], al
dec eax
inc edi
mov ebx, 00000002h
jmp 00007F0A44DA7A7Ah
mov eax, 00000001h
add dl, dl
jne 00007F0A44DA7AF9h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F0A44DA7AF9h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jc 00007F0A44DA7AD8h
sub eax, ebx
mov ebx, 00000001h
jne 00007F0A44DA7B20h
mov ecx, 00000001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4b40e4	0x160	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4b6000	0x1e4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x2383200	0x359b8	.bhnb
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3752000	0x10	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4b5018	0x28	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x3117bf	0x17f200	90584633929883ccf7bd949847b5f933	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0x313000	0x131fe6	0x64200	3ce3e6a2b665a0cba7543ab346ea701e	False	0.9884494967228464	data	7.967722916173756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x445000	0x39590	0x1ee00	8b4722ff9bde9def87c7c9db204e2dac	False	0.997327302631579	data	7.980826378015273	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x47f000	0x27c00	0x15a00	ae39fca3d4d336ec4b89bef282fa4da1	False	0.9357952492774566	OpenPGP Public Key	7.639174288639525	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x4a7000	0xf4	0x200	43705aebb240ab792fe8de0b0e267a8f	False	0.30859375	data	2.6102546981887302	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x4a8000	0x1e8	0x200	f900991f0e5afd193bd87a37ce42f60b	False	0.578125	data	4.796281619111505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x4a9000	0xa164	0x4400	2a5e604efc34ebb33ea6959f3baa4340	False	0.9507697610294118	data	7.869525233927884	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x4b4000	0x1000	0x400	20634607a89b9b499059f8c447c8ac0f	False	0.2626953125	data	2.2499948325101418	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x4b5000	0x1000	0x200	3ef58f471990ed2fd6b612d91337872c	False	0.0625	data	0.28456851570206254	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4b6000	0x1000	0x200	e692f3880af66948bf9886847bb6c35e	False	0.53515625	data	4.772037401703051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bhnb	0x4b7000	0x1f40000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot	0x23f7000	0x135a400	0x135a400	948440173498d1792157d4696e2a79b1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x3752000	0x1000	0x10	7031894b7c72147c48baad4bf437a25a	False	1.5	GLS_BINARY_LSB_FIRST	2.474601752714581	IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4b6058	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
kernel32.dll	GetModuleHandleA
WS2_32.dll	ioctlsocket
USER32.dll	MessageBoxA
ADVAPI32.dll	CryptCreateHash
SHELL32.dll	ShellExecuteW
bcrypt.dll	BCryptGenRandom
ntdll.dll	VerSetConditionMask
CRYPT32.dll	CertOpenStore
WLDAP32.dll

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 2, 2024 17:34:14.177484035 CET	49738	443	192.168.2.4	104.26.12.205
Nov 2, 2024 17:34:14.177544117 CET	443	49738	104.26.12.205	192.168.2.4
Nov 2, 2024 17:34:14.177623034 CET	49738	443	192.168.2.4	104.26.12.205
Nov 2, 2024 17:34:14.350873947 CET	49738	443	192.168.2.4	104.26.12.205
Nov 2, 2024 17:34:14.350900888 CET	443	49738	104.26.12.205	192.168.2.4
Nov 2, 2024 17:34:14.971205950 CET	443	49738	104.26.12.205	192.168.2.4
Nov 2, 2024 17:34:14.971276045 CET	49738	443	192.168.2.4	104.26.12.205
Nov 2, 2024 17:34:16.049856901 CET	49738	443	192.168.2.4	104.26.12.205
Nov 2, 2024 17:34:16.049887896 CET	443	49738	104.26.12.205	192.168.2.4
Nov 2, 2024 17:34:16.049983978 CET	49738	443	192.168.2.4	104.26.12.205
Nov 2, 2024 17:34:16.050106049 CET	443	49738	104.26.12.205	192.168.2.4
Nov 2, 2024 17:34:16.050162077 CET	49738	443	192.168.2.4	104.26.12.205

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 2, 2024 17:34:12.453196049 CET	62665	53	192.168.2.4	1.1.1.1
Nov 2, 2024 17:34:12.476638079 CET	53	62665	1.1.1.1	192.168.2.4
Nov 2, 2024 17:34:13.679858923 CET	56542	53	192.168.2.4	1.1.1.1
Nov 2, 2024 17:34:13.687139988 CET	53	56542	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 2, 2024 17:34:12.453196049 CET	192.168.2.4	1.1.1.1	0xc1b3	Standard query (0)	dullwave.ru	A (IP address)	IN (0x0001)	false
Nov 2, 2024 17:34:13.679858923 CET	192.168.2.4	1.1.1.1	0xc6b7	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 2, 2024 17:34:13.687139988 CET	1.1.1.1	192.168.2.4	0xc6b7	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 2, 2024 17:34:13.687139988 CET	1.1.1.1	192.168.2.4	0xc6b7	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 2, 2024 17:34:13.687139988 CET	1.1.1.1	192.168.2.4	0xc6b7	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exePID: 7284, Parent PID: 2580

General

Target ID:	0
Start time:	12:34:07
Start date:	02/11/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe"
Imagebase:	0x140000000
File size:	22'509'072 bytes
MD5 hash:	D8188612B8EAF56CEBCEAE7C54C12426
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7292, Parent PID: 7284

General

Target ID:	1
Start time:	12:34:07
Start date:	02/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7396, Parent PID: 7284

General

Target ID:	2
Start time:	12:34:11
Start date:	02/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c cls
Imagebase:	0x7ff6e1af0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe