Windows Analysis Report
HOEcO4nqCT.exe

Overview

General Information

Sample name: HOEcO4nqCT.exe
renamed because original name is a hash value
Original sample name: 3440a4c64bffc46be468e3f133c66234.exe
Analysis ID: 1579675
MD5: 3440a4c64bffc46be468e3f133c66234
SHA1: 32b1a91457601c12e5c3ce1cedb93673e0144c69
SHA256: 4ff71208155418ffa9e22eec6d28f3582ced6a5a681b6776e691684ce42fe69b
Tags: exe, user-abuse_ch

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: HOEcO4nqCT.exe ReversingLabs: Detection: 23%
Source: HOEcO4nqCT.exe Virustotal: Detection: 32%
Source: HOEcO4nqCT.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: HOEcO4nqCT.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: 0_2_00767C80 FindFirstFileExW,FindClose, 0_2_00767C80
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: 0_2_0077D920 FindFirstFileExW, 0_2_0077D920
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: 0_2_007671B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_007671B0
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: 0_2_007680F0 0_2_007680F0
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: 0_2_00768950 0_2_00768950
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: 0_2_0077F990 0_2_0077F990
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: 0_2_00785981 0_2_00785981
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: 0_2_007713DF 0_2_007713DF
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: 0_2_0076AC61 0_2_0076AC61
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: 0_2_0077FE3B 0_2_0077FE3B
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: 0_2_0077173E 0_2_0077173E
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: String function: 0076B900 appears 52 times
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: String function: 00762340 appears 49 times
Source: classification engine Classification label: mal48.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: 0_2_00762690 GetLastError,FormatMessageW,MessageBoxW, 0_2_00762690
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Command line argument: @{y 0_2_00761000
Source: HOEcO4nqCT.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe File read: C:\Users\user\Desktop\HOEcO4nqCT.exe
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Section loaded: wintypes.dll
Source: HOEcO4nqCT.exe Static file information: File size 11045840 > 1048576
Source: HOEcO4nqCT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: HOEcO4nqCT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: HOEcO4nqCT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: HOEcO4nqCT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: HOEcO4nqCT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: HOEcO4nqCT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: HOEcO4nqCT.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: HOEcO4nqCT.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: HOEcO4nqCT.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: HOEcO4nqCT.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: HOEcO4nqCT.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: 0_2_007860C3 push ecx; ret 0_2_007860D6
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: 0_2_00764C70 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00764C70
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe API coverage: 6.3 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: 0_2_0077724D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0077724D
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: 0_2_0077ED70 GetProcessHeap, 0_2_0077ED70
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: 0_2_0076B82C SetUnhandledExceptionFilter, 0_2_0076B82C
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: 0_2_0076B21A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0076B21A
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: 0_2_0076B69F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0076B69F
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: 0_2_0076B58E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0076B58E
Source: C:\Users\user\Desktop\HOEcO4nqCT.exe Code function: 0_2_00781A52 GetTimeZoneInformation, 0_2_00781A52
No contacted IP infos