Edit tour
Windows
Analysis Report
SecuriteInfo.com.Win32.Trojan.Agent.QWCKHW.31433.26307.exe
Overview
General Information
| Sample name: | SecuriteInfo.com.Win32.Trojan.Agent.QWCKHW.31433.26307.exe |
| Analysis ID: | 1645704 |
| MD5: | fa21bcb264226c07d923d31a1642af8d |
| SHA1: | 4bda85546017addd5943f924e1ab34b3729408a1 |
| SHA256: | b662b694630f0b54c92dc2567e00390492d90d6cea5a50efc231e8b4b227ec69 |
| Tags: | exeuser-SecuriteInfoCom |
| Infos: |  |
 | |
Detection
| Score: | 64 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Joe Sandbox ML detected suspicious sample
Sigma detected: Potentially Suspicious Malware Callback Communication
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
SecuriteInfo.com.Win32.Trojan.Agent.QWCKHW.31433.26307.exe (PID: 7692 cmdline: "C:\Users\ user\Deskt op\Securit eInfo.com. Win32.Troj an.Agent.Q WCKHW.3143 3.26307.ex e" MD5: FA21BCB264226C07D923D31A1642AF8D) 
conhost.exe (PID: 7700 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
⊘No configs have been found
⊘No yara matches
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||
⊘No Suricata rule has matched
- • AV Detection
- • Compliance
- • Networking
- • System Summary
- • Data Obfuscation
- • Malware Analysis System Evasion
- • Anti Debugging
- • Language, Device and Operating System Detection
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
| Source: | TCP traffic: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_004100CC | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_00401564 | |
| Source: | Binary or memory string: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_0040116C | |
| Source: | Code function: | 0_2_00401160 | |
| Source: | Code function: | 0_2_004013C1 | |
| Source: | Code function: | 0_2_0040199C | |
| Source: | Code function: | 0_2_004019A0 | |
| Source: | Code function: | 0_2_004011A3 | |
| Source: | Code function: | 0_2_004018E0 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 3 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 30% | Virustotal | Browse | ||
| 39% | ReversingLabs | |||
| 100% | Avira | HEUR/AGEN.1319913 |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 176.65.138.157 | unknown | Germany | 12975 | PALTEL-ASPALTELAutonomousSystemPS | true |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1645704 |
| Start date and time: | 2025-03-22 08:23:14 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 4s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 11 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | SecuriteInfo.com.Win32.Trojan.Agent.QWCKHW.31433.26307.exe |
| Detection: | MAL |
| Classification: | mal64.winEXE@2/1@0/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): MpCmdRun.exe, S IHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe - Excluded IPs from analysis (wh
itelisted): 23.204.23.20, 204. 79.197.222, 4.175.87.197 - Excluded domains from analysis
(whitelisted): fp.msedge.net, fs.microsoft.com, slscr.updat e.microsoft.com, ctldl.windows update.com, fe3cr.delivery.mp. microsoft.com - Not all processes where analyz
ed, report is missing behavior information
⊘No simulations
⊘No context
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| PALTEL-ASPALTELAutonomousSystemPS | Get hash | malicious | RedLine | Browse |
| |
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | DarkCloud | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | Stealerium | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
|
⊘No context
⊘No context
| Process: | C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Agent.QWCKHW.31433.26307.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 19 |
| Entropy (8bit): | 3.6818808028034042 |
| Encrypted: | false |
| SSDEEP: | 3:ljR/a2n:ljBn |
| MD5: | 62A7BE59CA4EC4DC0E7EF3474A410A68 |
| SHA1: | 45C87A259B3F7D75206B4868E9DC0E8B8B7FC9DD |
| SHA-256: | D62C958EF5607905CFB4B9B785F526544F78A1BC36EFADBB9931FAE34CF2036C |
| SHA-512: | 3D01752A9C1B3ADD0A4628F6507180F7D7130D1003182DA93EC2B1195833B703BDF6A30362AAC4385D8D95658AE36AB7F1A502025F490D9591020C04B8795BF8 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 5.9108799652157735 |
| TrID: |
|
| File name: | SecuriteInfo.com.Win32.Trojan.Agent.QWCKHW.31433.26307.exe |
| File size: | 293'842 bytes |
| MD5: | fa21bcb264226c07d923d31a1642af8d |
| SHA1: | 4bda85546017addd5943f924e1ab34b3729408a1 |
| SHA256: | b662b694630f0b54c92dc2567e00390492d90d6cea5a50efc231e8b4b227ec69 |
| SHA512: | 4f041dbb346d69e4f79fc450a192e67833dbb4d035ac48b3eed614bfce8d19bd9fa020a9331cf38eca4f6ad0c40623daf38427584cc5d791e697d1953f5ea90a |
| SSDEEP: | 6144:x2xqq80/1MW1WqElmz3dWG63acJf2ypi1WqPCTVtq3:A1qHHILgxq+OBQHTvQ |
| TLSH: | 2E542AA0F696FDBAE9558FBD14F11309429EE2C0E71DEB333860FD380159A5C46B364A |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g....j..........".....0...............0....@........................................... ............................ |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x4014c0 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | |
| Time Stamp: | 0x67DE0784 [Sat Mar 22 00:42:44 2025 UTC] |
| TLS Callbacks: | 0x401a80, 0x401a30 |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | b8150e1626853a10621ac84308be19b5 |
| Instruction |
|---|
| sub esp, 0Ch |
| mov dword ptr [00405494h], 00000000h |
| call 00007F6ACD0DBC03h |
| add esp, 0Ch |
| jmp 00007F6ACD0DB47Bh |
| lea esi, dword ptr [esi+00000000h] |
| sub esp, 1Ch |
| mov eax, dword ptr [esp+20h] |
| mov dword ptr [esp], eax |
| call 00007F6ACD0DCBC6h |
| test eax, eax |
| sete al |
| add esp, 1Ch |
| movzx eax, al |
| neg eax |
| ret |
| nop |
| nop |
| nop |
| push ebp |
| mov ebp, esp |
| sub esp, 18h |
| mov dword ptr [esp], 00401520h |
| call 00007F6ACD0DB7C3h |
| leave |
| ret |
| lea esi, dword ptr [esi+00000000h] |
| lea esi, dword ptr [esi+00h] |
| nop |
| ret |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| push ebp |
| mov ebp, esp |
| sub esp, 28h |
| lea eax, dword ptr [ebp+14h] |
| mov dword ptr [ebp-10h], eax |
| mov eax, dword ptr [ebp-10h] |
| mov dword ptr [esp+0Ch], eax |
| mov eax, dword ptr [ebp+10h] |
| mov dword ptr [esp+08h], eax |
| mov eax, dword ptr [ebp+0Ch] |
| mov dword ptr [esp+04h], eax |
| mov eax, dword ptr [ebp+08h] |
| mov dword ptr [esp], eax |
| call 00007F6ACD0DCAD9h |
| mov dword ptr [ebp-0Ch], eax |
| mov eax, dword ptr [ebp-0Ch] |
| leave |
| ret |
| push ebp |
| mov ebp, esp |
| sub esp, 48h |
| lea eax, dword ptr [ebp-2Ch] |
| mov dword ptr [esp], eax |
| mov eax, dword ptr [00406154h] |
| call eax |
| sub esp, 04h |
| movzx eax, word ptr [ebp-2Ch] |
| cmp ax, 0009h |
| jne 00007F6ACD0DB7F9h |
| mov eax, 00404000h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6000 | 0x664 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x40b0 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x6138 | 0xe8 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x1964 | 0x1a00 | 6040c077c01269cd24c30d33a0757a41 | False | 0.5593449519230769 | data | 5.870853919191518 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x3000 | 0x30 | 0x200 | d57819111cd7c312e4b58d71f1ef1650 | False | 0.08984375 | data | 0.5781491419435547 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x4000 | 0x694 | 0x800 | b1c92641f76728a04adeff41dc55e7a0 | False | 0.26513671875 | data | 4.711862879033733 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .bss | 0x5000 | 0x4e8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x6000 | 0x664 | 0x800 | f320d04965b1f446c16c295481f4d31e | False | 0.35888671875 | data | 3.9846482031717056 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .CRT | 0x7000 | 0x34 | 0x200 | 8260687f18135aef8fc3d7ab41206c16 | False | 0.072265625 | Matlab v4 mat-file (little endian) \300\030@, numeric, rows 4198688, columns 0 | 0.2748254782599745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x8000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| /4 | 0x9000 | 0x2d8 | 0x400 | c1f06c32bb4ff70774a0fc4ffba7f689 | False | 0.2412109375 | Matlab v4 mat-file (little endian) \375\004, rows 2, columns 262144 | 1.747536435918311 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /19 | 0xa000 | 0x35732 | 0x35800 | 6fbdf31957df435a69ab0c0ef4863958 | False | 0.2899888653621495 | data | 6.013009488695018 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /31 | 0x40000 | 0x229e | 0x2400 | 7494e2dd1ed7f7b3b372245d126dd653 | False | 0.1806640625 | data | 4.587488917350296 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /45 | 0x43000 | 0x2c77 | 0x2e00 | 2d561cf00ccda35526126a03f45aa6c4 | False | 0.33755095108695654 | data | 5.346475771934375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /57 | 0x46000 | 0x748 | 0x800 | 7e1dc8bec09e8a0a96fc1d1ab4ea6b8e | False | 0.40380859375 | data | 4.424167454921425 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /70 | 0x47000 | 0x4ee | 0x600 | b8e844e565f9c1616a0d5869b094ecd3 | False | 0.3678385416666667 | data | 4.366683744454898 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /81 | 0x48000 | 0x11e2 | 0x1200 | c2ca0570b995d66695092059bc4994f2 | False | 0.3276909722222222 | data | 3.027796683635334 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /92 | 0x4a000 | 0x250 | 0x400 | 7fb4be62f4f9a0a0930b93c770d68c97 | False | 0.2509765625 | Matlab v4 mat-file (little endian) \340, rows 16, columns 19, imaginary | 1.6779866419342222 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| DLL | Import |
|---|---|
| KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetStartupInfoA, GetSystemInfo, GetSystemTimeAsFileTime, GetTickCount, GlobalMemoryStatusEx, InitializeCriticalSection, LeaveCriticalSection, QueryPerformanceCounter, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualProtect, VirtualQuery |
| msvcrt.dll | __getmainargs, __initenv, __lconv_init, __p__acmdln, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _initterm, _iob, _onexit, _vsnprintf, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, puts, signal, strlen, strncmp, vfprintf |
| WS2_32.dll | WSACleanup, WSAStartup, closesocket, connect, htons, inet_addr, send, socket |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeDownload Network PCAP: filtered – full
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 22, 2025 08:24:14.308125973 CET | 49720 | 1443 | 192.168.2.4 | 176.65.138.157 |
| Mar 22, 2025 08:24:14.479149103 CET | 1443 | 49720 | 176.65.138.157 | 192.168.2.4 |
| Mar 22, 2025 08:24:14.994534969 CET | 49720 | 1443 | 192.168.2.4 | 176.65.138.157 |
| Mar 22, 2025 08:24:15.161294937 CET | 1443 | 49720 | 176.65.138.157 | 192.168.2.4 |
| Mar 22, 2025 08:24:15.680692911 CET | 49720 | 1443 | 192.168.2.4 | 176.65.138.157 |
| Mar 22, 2025 08:24:15.847839117 CET | 1443 | 49720 | 176.65.138.157 | 192.168.2.4 |
| Mar 22, 2025 08:24:16.353871107 CET | 49720 | 1443 | 192.168.2.4 | 176.65.138.157 |
| Mar 22, 2025 08:24:16.522495031 CET | 1443 | 49720 | 176.65.138.157 | 192.168.2.4 |
| Mar 22, 2025 08:24:17.025846958 CET | 49720 | 1443 | 192.168.2.4 | 176.65.138.157 |
| Mar 22, 2025 08:24:17.191742897 CET | 1443 | 49720 | 176.65.138.157 | 192.168.2.4 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 03:24:12 |
| Start date: | 22/03/2025 |
| Path: | C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Agent.QWCKHW.31433.26307.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 293'842 bytes |
| MD5 hash: | FA21BCB264226C07D923D31A1642AF8D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 03:24:12 |
| Start date: | 22/03/2025 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff62fc20000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
Execution Coverage
Dynamic/Packed Code Coverage
Signature Coverage
| Execution Coverage: | 8.8% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 33.1% |
| Total number of Nodes: | 357 |
| Total number of Limit Nodes: | 1 |
Graph
Callgraph
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
