Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe
Analysis ID:	1664727
MD5:	56e0434188f95dc35a87159a1645b262
SHA1:	db7812aeb58b3d076965fdd6cf40d6474f7d9d58
SHA256:	26fd65f096bf2b904f775c7d895ff9c07b46baa9e997f2a414ee16fe8b4a2427
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

SheetRat

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected SheetRat

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to capture screen (.Net source)

Joe Sandbox ML detected suspicious sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE / OLE file has an invalid certificate

PE file does not import any functions

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe (PID: 7692 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe" MD5: 56E0434188F95DC35A87159A1645B262)

cleanup

Malware Configuration

Threatname: SheetRat

{
  "C2 urls": [
    "italy-fence.gl.at.ply.gg:36402"
  ]
}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.binstr	JoeSecurity_SheetRat	Yara detected SheetRat	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: italy-fence.gl.at.ply.gg:36402

Avira URL Cloud: Label: malware

Found malware configuration

Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

Malware Configuration Extractor: SheetRat {"C2 urls": ["italy-fence.gl.at.ply.gg:36402"]}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Virustotal: Detection: 45%			Perma Link
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	ReversingLabs: Detection: 41%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 90.7%

Sample uses string decryption to hide its real strings

Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Ts0cj
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: ,
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Win32_VideoController
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Name
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: dd.MM.yyyy
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Win32_Processor
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Admin
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: User
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: true
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: italy-fence.gl.at.ply.gg:36402
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: PlsHelpMeImMental ILL
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: 1.8
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: @mfgg%70#kra6hqm4b7rib0h^
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: false
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: k@pd+ps*p6riztkag
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: vmd^xsi@fk*ug3zw4oizi5d&)&
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: 97&i)1#i5ptbi7)y&a
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: 26(y5_6
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Yu--$SZ$Y
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: n(olf515rw(s_kr%(i$a
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: 1ul&+t(%ow1jacxrwq(_dxgs!tnp
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: cy&57^clyui+0%!r^+5+43kgw)swj
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: v&m!^%7vu4ag%^bay3g_gx_5t^k+
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: ^*rsn&vi+sf1pns0x
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: bepklsju7vxotoc
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: t5qcnjo_#g+9!+#dn)0fva!
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: mzdkho3cz3s
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Connect
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: @
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: SbieDll.dll
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: snxhk.dll
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: cmdvrt32.dll
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Sf2.dll
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: SxIn.dll
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Select * from Win32_CacheMemory
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Select * from CIM_Memory
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: virtual
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: innotek gmbh
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: tpvcgateway
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: VMXh
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: tpautoconnsvc
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: vbox
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: vmbox
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: vmware
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: virtualbox
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: box
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: thinapp
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: root\CIMV2
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: SELECT * FROM Win32_ComputerSystem
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Model
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Manufacturer
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: :\
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: drivers
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: balloon.sys
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: netkvm.sys
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: pvpanic.sys
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: viofs.sys
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: viogpudo.sys
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: vioinput.sys
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: viorng.sys
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: vioser.sys
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: viostor.sys
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: qemu-ga
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: SPICE Guest Tools
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: sandbox
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: amsi.dll
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: AmsiScanBuffer
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: ntdll.dll
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: EtwEventWrite
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: avast
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Error
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Invoke
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: SaveInvoke
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Pong
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Exit
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Restart
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: cmd
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: /k timeout 5 > NUL && "
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: "
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: runas
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Uninstall
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Update
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: .exe
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: /k timeout 10 > NUL && "
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: StubUpdate
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: kernel32.dll
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: GetModuleHandleA
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: SetThreadExecutionState
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: user32.dll
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: GetForegroundWindow
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: GetWindowTextA
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: GetDiskFreeSpaceEx
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: NtProtectVirtualMemory
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor:
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: &u^I$y`.M;z(5aW]9<LH8,'CY#d:0bNi6\|O{[Vj=~}cSw!7k+o2KgAPFZh4*@Xs_ f"/vqr?Rm>B1pDJ%3ETt)enx\G-UlQ
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: AR-0tM\|:YL>8,Jdg1}6Gp5;~%<nwlC3V)B`QFXe7=9sK'hH 4"@SrkZviymju?a_Uc{TD*/E\Pq&I+W^(z]fx2[.$!NoO#b
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Hwid
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: x2
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Win32_DiskDrive
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: WindowsControl
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: %Windows%\xdwd.dll
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: SOFTWARE
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Microsoft
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Windows NT
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: CurrentVersion
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Windows
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: AppInit_DLLs
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: LoadAppInit_DLLs
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: RequireSignedAppInit_DLLs
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: /C taskkill /im explorer.exe /f && TimeOut 2 && start explorer.exe
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: .bat
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: timeout 10 > NUL
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: CD "
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: DEL "
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: " /f /q
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: CMD
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: netsh advfirewall firewall add rule name="
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: " dir=in action=allow program="
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: " enable=yes & exit
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Tasks
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: /c schtasks /deleTe /F /Tn "
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: " & exit
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: & exit
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: /c schtasks /run /i /tn "
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: /c schtasks /create /f /sc minute /mo
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: /tn "
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: " /tr "
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: "
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: /RL HIGHEST
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Userinit
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: C:\Windows\System32\userinit.exe,
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: C:\Windows\System32\userinit.exe
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Caption
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor:
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: OSArchitecture
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Error Get Version
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: SELECT * FROM
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: \\
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: \root\SecurityCenter2
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Select * from AntivirusProduct
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: displayName
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: ;
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: N/A
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Unknown
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: [Idle]
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: SELECT * FROM Win32_PnPEntity WHERE PNPClass = 'Camera'
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: None
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: image/jpeg
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: %Windows%
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: %ProgramFiles%
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: %ApplicationData%
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: %UserProfile%
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: %MyDocuments%
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: %Cookies%
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: %CommonPictures%
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: %LocalApplicationData%
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: %CommonDocuments%
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: %Templates%
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: %MyMusic%
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: %MyVideos%
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Ping
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: GetDLL
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Plugin.Plugin
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Run
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Load error:
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: System
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: TrustedInsraller
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: 147.45.45.218
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: 12345
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: getupdate
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: kkn
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: root\Microsoft\Windows\Defender
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: SELECT * FROM MSFT_MpPreference
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: ComputerID
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: MSFT_MpPreference.ComputerID='
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: '
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: Add
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String decryptor: ExclusionPath

Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: italy-fence.gl.at.ply.gg:36402

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 147.185.221.27 ports 0,2,3,4,6,36402

Source: global traffic

TCP traffic: 192.168.2.5:49695 -> 147.185.221.27:36402

Source: Joe Sandbox View

IP Address: 147.185.221.27 147.185.221.27

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: italy-fence.gl.at.ply.gg

Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe, 00000000.00000002.2540049464.0000000003F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	String found in binary or memory: https://www.globalsign.com/repository/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe, Methods.cs

.Net Code: CaptureResizeReduceQuality

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

Code function: 0_2_00007FF7C7DA897C NtProtectVirtualMemory,

0_2_00007FF7C7DA897C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Code function: 0_2_00007FF7C7DA82C0	0_2_00007FF7C7DA82C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Code function: 0_2_00007FF7C7DA4F71	0_2_00007FF7C7DA4F71
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Code function: 0_2_00007FF7C7DA5D21	0_2_00007FF7C7DA5D21
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Code function: 0_2_00007FF7C7DA82AD	0_2_00007FF7C7DA82AD

Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

Static PE information: invalid certificate

Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe, 00000000.00000000.1293143842.0000000000C7E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameZeroTrace Stealer.exeD vs SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Binary or memory string: OriginalFilenameZeroTrace Stealer.exeD vs SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe, SecrityHidden.cs	Security API names: File.GetAccessControl
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe, SecrityHidden.cs	Security API names: File.SetAccessControl
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe, SecrityHidden.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe, Config.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe, Config.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Mutant created: \Sessions\1\BaseNamedObjects\@mfgg%70#kra6hqm4b7rib0h^

Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Virustotal: Detection: 45%
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	ReversingLabs: Detection: 41%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe, PluginLoader.cs	.Net Code: Load System.AppDomain.Load(byte[])
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe, PluginLoader.cs	.Net Code: Load
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe, AsmiAndETW.cs	.Net Code: AggresivAmsiActivate System.Reflection.Assembly.Load(byte[])
Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe, Updater.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Code function: 0_2_00007FF7C7DA00BD pushad ; iretd		0_2_00007FF7C7DA00C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Code function: 0_2_00007FF7C7DA9245 pushad ; iretd		0_2_00007FF7C7DA926D

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE PNPClass = 'Camera'

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Memory allocated: 14A0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	Memory allocated: 1BF60000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe, 00000000.00000002.2543794798.000000001D780000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle="c0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe, 00000000.00000002.2543794798.000000001D730000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected SheetRat

Source: Yara match

File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality

Yara detected SheetRat

Source: Yara match

File source: decrypted.binstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	32 Virtualization/Sandbox Evasion	OS Credential Dumping	331 Security Software Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	32 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	213 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	46%	Virustotal		Browse
SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
SAMPLE	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
italy-fence.gl.at.ply.gg:36402	100%	Avira URL Cloud	malware

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
italy-fence.gl.at.ply.gg	147.185.221.27	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
italy-fence.gl.at.ply.gg:36402	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe, 00000000.00000002.2540049464.0000000003F61000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.27	italy-fence.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1664727
Start date and time:	2025-04-14 17:34:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 23.76.34.6, 4.245.163.56, 150.171.27.254
Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.27	ZCAZR_XClient.exe	Get hash	malicious	XWorm	Browse
	jre-8u441-windows-x64.exe	Get hash	malicious	Unknown	Browse
	jre-8u441-windows-x64.exe	Get hash	malicious	Unknown	Browse
	Fatality.exe	Get hash	malicious	SheetRat	Browse
	Extreme Injector v3.1.exe	Get hash	malicious	Dracula Stealer, SheetRat	Browse
	dc.exe	Get hash	malicious	XWorm	Browse
	XClient.bat	Get hash	malicious	XWorm	Browse
	roblox.exe	Get hash	malicious	XWorm	Browse
	cheatstandoff2.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	Spicetify.bat	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	ZCAZR_XClient.exe	Get hash	malicious	XWorm	Browse	147.185.221.27
	jre-8u441-windows-x64.exe	Get hash	malicious	Unknown	Browse	147.185.221.27
	jre-8u441-windows-x64.exe	Get hash	malicious	Unknown	Browse	147.185.221.27
	9lBc54z9La.exe	Get hash	malicious	AsyncRAT	Browse	147.185.221.22
	BootstrapperNew.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Njrat, Rags Stealer	Browse	147.185.221.19
	Fatality.exe	Get hash	malicious	SheetRat	Browse	147.185.221.27
	Extreme Injector v3.1.exe	Get hash	malicious	Dracula Stealer, SheetRat	Browse	147.185.221.27
	fatality.exe	Get hash	malicious	SheetRat	Browse	147.185.221.26
	MemesenseCrackByPugCheat!.exe	Get hash	malicious	SheetRat, XWorm	Browse	147.185.221.20
	MinecraftLauncher.exe	Get hash	malicious	Unknown	Browse	147.185.221.26

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.2296110752509115
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe
File size:	54'928 bytes
MD5:	56e0434188f95dc35a87159a1645b262
SHA1:	db7812aeb58b3d076965fdd6cf40d6474f7d9d58
SHA256:	26fd65f096bf2b904f775c7d895ff9c07b46baa9e997f2a414ee16fe8b4a2427
SHA512:	e18ab4bf0d83814d2f83d46867b551bdf4614cafdc15303b32fc48cea630d520587737348dc4c10f523ae69f371937669a1246c3e209576332e3d878a9963c3f
SSDEEP:	768:OsegLg+8qF21xEHUzPcF/CTervkRBObyCmwwQSRG1911wZYBxk2DVRlubEA:OseVVEHQa/pg3OblxwlG19bwax1pK
TLSH:	AC337C407B884A52CDAF4EBEA39A52099630D3338983C74B7CDB8DF566877C19B40DD6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...a..f.........."...0.................. .....@..... ....................................@...@......@............... .....

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CCF161 [Mon Aug 26 21:19:29 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=GlobalSign CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	10/09/2019 04:45:17 10/09/2022 04:45:17
Subject Chain	CN="GIGA-BYTE TECHNOLOGY CO., LTD.", O="GIGA-BYTE TECHNOLOGY CO., LTD.", L=New Taipei, S=New Taipei, C=TW
Version:	3
Thumbprint MD5:	056A1542A1C0082487E191B797928604
Thumbprint SHA-1:	119773603D061409C5317676EA023AD976F4F48C
Thumbprint SHA-256:	A050EF89BA6921F1283BB80E3A8A1D0D950E128BF87EF8486E004A30C87F52A7
Serial:	4FD3DFBE31A46854DE5720DE

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x5e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xb400	0x2290
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xabac	0xac00	eced0f4c447d70f05060f66e1286b64f	False	0.4988190406976744	data	5.872214917324844	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x5e8	0x600	704a1992ac8828f0d1a9463795f31c44	False	0.4303385416666667	data	4.320799370389766	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x35c	data			0.4011627906976744
RT_MANIFEST	0xe3fc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription	ZeroTrace Stealer
FileVersion	1.0.0.0
InternalName	ZeroTrace Stealer.exe
LegalCopyright	Copyright 2024
LegalTrademarks
OriginalFilename	ZeroTrace Stealer.exe
ProductName	ZeroTrace Stealer
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 56
• 36402 undefined
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 14, 2025 17:35:04.075189114 CEST	49695	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:04.194808006 CEST	36402	49695	147.185.221.27	192.168.2.5
Apr 14, 2025 17:35:04.197977066 CEST	49695	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:04.275212049 CEST	49695	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:04.651354074 CEST	49695	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:05.029181957 CEST	49695	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:05.760509968 CEST	49695	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:07.229401112 CEST	49695	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:08.697997093 CEST	49695	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:10.166738033 CEST	49695	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:13.088689089 CEST	49695	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:18.932302952 CEST	49695	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:30.619988918 CEST	49695	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:30.876183033 CEST	49699	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:30.995356083 CEST	36402	49699	147.185.221.27	192.168.2.5
Apr 14, 2025 17:35:30.995501995 CEST	49699	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:31.003362894 CEST	49699	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:31.385488987 CEST	49699	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:31.771763086 CEST	49699	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:32.510473967 CEST	49699	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:33.994796991 CEST	49699	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:36.947938919 CEST	49699	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:42.838754892 CEST	49699	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:54.619786024 CEST	49699	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:54.825059891 CEST	49700	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:54.944364071 CEST	36402	49700	147.185.221.27	192.168.2.5
Apr 14, 2025 17:35:54.944751978 CEST	49700	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:54.945018053 CEST	49700	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:55.307267904 CEST	49700	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:55.666615009 CEST	49700	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:56.369760036 CEST	49700	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:35:57.775978088 CEST	49700	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:36:00.590749979 CEST	49700	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:36:06.198014021 CEST	49700	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:36:17.400918007 CEST	49700	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:36:17.607178926 CEST	49702	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:36:17.726447105 CEST	36402	49702	147.185.221.27	192.168.2.5
Apr 14, 2025 17:36:17.726578951 CEST	49702	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:36:17.726990938 CEST	49702	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:36:18.088416100 CEST	49702	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:36:18.447825909 CEST	49702	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:36:19.166553020 CEST	49702	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:36:20.588500977 CEST	49702	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:36:23.432183027 CEST	49702	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:36:29.120439053 CEST	49702	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:36:40.494649887 CEST	49702	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:36:40.699939966 CEST	49703	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:36:40.819188118 CEST	36402	49703	147.185.221.27	192.168.2.5
Apr 14, 2025 17:36:40.819354057 CEST	49703	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:36:40.820015907 CEST	49703	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:36:41.182167053 CEST	49703	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:36:41.541510105 CEST	49703	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:36:42.244622946 CEST	49703	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:36:43.651154995 CEST	49703	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:36:46.463378906 CEST	49703	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:36:52.072724104 CEST	49703	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:37:03.275846004 CEST	49703	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:37:03.480654955 CEST	49704	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:37:04.494621992 CEST	49704	36402	192.168.2.5	147.185.221.27
Apr 14, 2025 17:37:06.510250092 CEST	49704	36402	192.168.2.5	147.185.221.27

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 14, 2025 17:35:03.586165905 CEST	59491	53	192.168.2.5	1.1.1.1
Apr 14, 2025 17:35:04.070338964 CEST	53	59491	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 14, 2025 17:35:03.586165905 CEST	192.168.2.5	1.1.1.1	0xa444	Standard query (0)	italy-fence.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 14, 2025 17:35:04.070338964 CEST	1.1.1.1	192.168.2.5	0xa444	No error (0)	italy-fence.gl.at.ply.gg		147.185.221.27	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

Click to jump to process

Memory Usage

• SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Target ID:	0
Start time:	11:35:01
Start date:	14/04/2025
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe"
Imagebase:	0xc70000
File size:	54'928 bytes
MD5 hash:	56E0434188F95DC35A87159A1645B262
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	23.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Show Legend

Hide Nodes/Edges

Executed Functions

Function 00007FF7C7DA897C Relevance: 1.7, APIs: 1, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 00007FF7C7DA8A44

Memory Dump Source

Source File: 00000000.00000002.2544632537.00007FF7C7DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c7da0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: f61edb804657afdbe7e1bb382ddc53308e7ad00657f3c7a22df5d44ea22f1dda
Instruction ID: 4912541ceab4a9f9b24c6d61aaf032b3c16546ac487b6c1b311e6c11a2aa93c6
Opcode Fuzzy Hash: f61edb804657afdbe7e1bb382ddc53308e7ad00657f3c7a22df5d44ea22f1dda
Instruction Fuzzy Hash: 7751F731A1CB484FDB19EB2C9C057E9BBE1FB99321F0042AFD449C3292CE74684587C2

Function 00007FF7C7DA82C0 Relevance: .5, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2544632537.00007FF7C7DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c7da0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 301c22b3b47870fc37978733c75651942b499ea60d2d620926c910eb00a284db
Instruction ID: 01fcb068c17f07c1308e802e2ae040d5eb68e116d5345f01cb58922210533d06
Opcode Fuzzy Hash: 301c22b3b47870fc37978733c75651942b499ea60d2d620926c910eb00a284db
Instruction Fuzzy Hash: F3E13631E1CA494FE31DAB29A8552B5B7D1FF95320F54027ED48AC3297DD2878438391

Function 00007FF7C7DA4F71 Relevance: .4, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2544632537.00007FF7C7DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c7da0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3962dea701ed6f4e1a0a43e1e090b2c9d5995bc6a430fed23ad420489559815b
Instruction ID: 9078b3a6b40c19a157a466343af4e0b07a0f7387013c86baf2036fb4477f6034
Opcode Fuzzy Hash: 3962dea701ed6f4e1a0a43e1e090b2c9d5995bc6a430fed23ad420489559815b
Instruction Fuzzy Hash: 43D17030918A4D8FEBA8EF28C8557E977E1FB54320F50427AE80EC7395DF74A9458B81

Function 00007FF7C7DA5D21 Relevance: .4, Instructions: 379
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2544632537.00007FF7C7DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c7da0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17dc37fc8770347c10e2abd842f10a5edf729da572ffa88fb4a56d5fae72fb8d
Instruction ID: b12657c26384e482ab96c5719f14a305af10892d5911c44b46a4de1470a01b15
Opcode Fuzzy Hash: 17dc37fc8770347c10e2abd842f10a5edf729da572ffa88fb4a56d5fae72fb8d
Instruction Fuzzy Hash: E3D16030918A4E8FEBA8EF28C8557E977D1FB54320F54833AD80EC7295DF74A9458B81

Function 00007FF7C7DA82AD Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544632537.00007FF7C7DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c7da0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c11220683485c745cf977884d3f0eb028a254ac90cf3d517bb3d9f572ac0a621
Instruction ID: 920cd80b5f741ff66d6f692b6dd9e361fd346258eeb7c0877d2ec1fe9443dd27
Opcode Fuzzy Hash: c11220683485c745cf977884d3f0eb028a254ac90cf3d517bb3d9f572ac0a621
Instruction Fuzzy Hash: E851D031D18A098BE71DFB2598461FAB3E1FF95320F44447ED88BC3592ED38B4478681

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: SheetRat

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
SecuriteInfo.com.Trojan.DownLoad4.16832.20289.2228.exe

Function 00007FF7C7DA897C Relevance: 1.7, APIs: 1, Instructions: 167
nativeCOMMON

Function 00007FF7C7DA82C0 Relevance: .5, Instructions: 545
COMMON

Function 00007FF7C7DA4F71 Relevance: .4, Instructions: 396
COMMON

Function 00007FF7C7DA5D21 Relevance: .4, Instructions: 379
COMMON