Windows Analysis Report
SecuriteInfo.com.Trojan.Win32.Crypt.22572.26909.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Win32.Crypt.22572.26909.exe
Analysis ID: 1668996
MD5: c2a2873b168f44f9fb8cd7c3c046352e
SHA1: 7ea353322e6b3c17af620016a924a25ae902b5b7
SHA256: d022885f7d44bcbabb47a402cfa22005588b01efcd1a77b98bc6be19bcb296cd
Tags: exe, user-SecuriteInfoCom
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score: 21
Range: 0 - 100
Confidence: 60%

Signatures

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
PE file overlay found
Uses 32bit PE files

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Signature Results

Source: SecuriteInfo.com.Trojan.Win32.Crypt.22572.26909.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Trojan.Win32.Crypt.22572.26909.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Trojan.Win32.Crypt.22572.26909.exe Static PE information: Data appended to the last section found
Source: SecuriteInfo.com.Trojan.Win32.Crypt.22572.26909.exe Static PE information: Section: .data ZLIB complexity 1.0012048192771084
Source: classification engine Classification label: sus21.evad.winEXE@0/0@0/0
Source: SecuriteInfo.com.Trojan.Win32.Crypt.22572.26909.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Trojan.Win32.Crypt.22572.26909.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x12ce00

Malware Analysis System Evasion

Source: SecuriteInfo.com.Trojan.Win32.Crypt.22572.26909.exe Binary or memory string: PROCMON.EXE
Source: SecuriteInfo.com.Trojan.Win32.Crypt.22572.26909.exe Binary or memory string: XENSERVICE.EXE
Source: SecuriteInfo.com.Trojan.Win32.Crypt.22572.26909.exeBinary or memory string: MpVmp32EntryCoInitializeSecurityWriteProcessMemoryFreeLibraryLsaOpenPolicyAuditQuerySystemPolicyFlashWindowExAdjustWindowRectExGlobalMemoryStatusExCoInitializeExVirtualAllocExDestroyWindowShowWindowAnimateWindowUpdateWindowWSARecvCryptEncryptCryptDecryptUiaRaiseAutomationEventContinueDebugEventIsDebuggerPresentCheckRemoteDebuggerPresentCoImpersonateClientCoSetProxyBlanketWaitForSingleObjectAssignProcessToJobObjectGetWindowRectGetSystemPowerStatusQueryServiceStatusSetServiceStatusSetFocusGetProcAddressExitProcessOpenProcessDebugActiveProcessSetWindowPosGetCursorPosAdjustTokenPrivilegesGetSystemMetricsGetLastErrorQueryPerformanceCounterSetUnhandledExceptionFilterDrawMenuBarWSAStartupWSACleanupBeepGetNativeSystemInfoRaiseExceptionWow64DisableWow64FsRedirectionInitializeCriticalSectionOpenProcessTokenWSAIoctlDeviceIoControlSetSecurityDescriptorDaclWindowsCreateStringUiaClientsAreListeningRoInitializevmtoolsd.exeGetKeyStateGetAsyncKeyStateSetThreadExecutionStateSetSuspendStateSetCaptureGetSystemTimegethostbynameWriteFileReadFileTranslateMessageVirtualFreeLocalFreeGetErrorModeRoActivateInstanceCoCreateInstanceControlServiceEmptyClipboardOpenClipboardUiaHostProviderFromHwndbindCreateRemoteThreadCreateThreadGetCurrentProcessIdHeapAllocCoTaskMemAllocVirtualAllocGlobalAllocIsProcessInJobCryptProtectDataSetClipboardDatalstrcpyWRegDeleteKeyWMessageBoxWCreateMutexWLoadLibraryExWRegOpenKeyExWCreateWindowExWFindWindowExWGetVersionExWRegQueryValueExWRegSetValueExWCryptAcquireContextWDrawTextWCreateEventWCreateJobObjectWlstrcatWCreateProcessWLoadCursorWLogonUserWRegisterServiceCtrlHandlerWStartServiceCtrlDispatcherWOpenSCManagerWDialogBoxParamWSHGetFolderPathWOutputDebugStringWCreateFileMappingWwsprintfWLookupPrivilegeValueWShellExecuteWGetComputerNameWFindFirstFileWEncryptFileWDecryptFileWDeleteFileWCreateFileWPostMessageWGetMessageWFormatMessageWPeekMessageWDispatchMessageWSendMessageWStartServiceW
QueryDosDeviceWCredReadWSystemFunction036GetTickCount64
ATT&CK Matrix (rendered as a grid on the original page; the grid layout was lost in extraction)

Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.

Technique cells, in page order: Gather Victim Identity Information, Acquire Infrastructure, Valid Accounts, Windows Management Instrumentation, Path Interception, Path Interception, Virtualization/Sandbox Evasion, OS Credential Dumping, Security Software Discovery, Remote Services, Data from Local System, Data Obfuscation, Exfiltration Over Other Network Medium, Abuse Accessibility Features, Credentials, Domains, Default Accounts, Scheduled Task/Job, Boot or Logon Initialization Scripts, Boot or Logon Initialization Scripts, Software Packing, LSASS Memory, Virtualization/Sandbox Evasion, Remote Desktop Protocol, Data from Removable Media, Junk Data, Exfiltration Over Bluetooth, Network Denial of Service. The numeric signature-count badges shown in the grid are omitted here.
Behavior Graph (rendered as an image on the original page)

Behavior Graph ID: 1668996
Sample: SecuriteInfo.com.Trojan.Win...
Start date: 19/04/2025
Architecture: WINDOWS
Score: 21
Signature node: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1668996
Start date and time: 2025-04-19 03:47:26 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 0
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Trojan.Win32.Crypt.22572.26909.exe
Detection: SUS
Classification: sus21.evad.winEXE@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.735764911672064
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SecuriteInfo.com.Trojan.Win32.Crypt.22572.26909.exe
File size: 47'530 bytes
MD5: c2a2873b168f44f9fb8cd7c3c046352e
SHA1: 7ea353322e6b3c17af620016a924a25ae902b5b7
SHA256: d022885f7d44bcbabb47a402cfa22005588b01efcd1a77b98bc6be19bcb296cd
SHA512: 8b4824c462c79280bf2cd600dd87cfb03eee5bbb7825d5b89fc53ebff2ee30ddf2581611573ce1f8f7b3e2ebaa5811a85d11a8d8015c090353994fa49cabbed4
SSDEEP: 768:q1z1i2eu330yPgSy/PSODatVu6rADF++vDweBt9F5cS9aCuhkNMFxzD1mTUq72mz:qt1idu3kyPgSyBY1AFTXBLD7ugMb/0jz
TLSH: 42233B047FCB94E5F49AB9F11A36D30409F7B832AB15D4EF9483A3380C566E19B39359
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....h.g.................t...z......@t............@..........................0............@.................................,...<..
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x407440
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x67FD68A3 [Mon Apr 14 19:57:23 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 53a679a74b50ca6693c944730be5236d
Entrypoint disassembly (instructions):
push ebx
push edi
push esi
sub esp, 44h
mov dword ptr [esp], 00000000h
call 00007F3B094E7523h
mov eax, 000000E9h
add eax, dword ptr [00462BF8h]
mov dword ptr [00462C08h], eax
mov eax, 00000022h
cmp dword ptr [00462B98h], 2E5B3788h
jnbe 00007F3B094ED2ECh
movzx eax, byte ptr [00462BE8h]
movzx ecx, word ptr [00462B84h]
sub eax, ecx
mov dword ptr [00462BD0h], eax
mov eax, 00000001h
cmp dword ptr [00462C10h], 00000000h
jle 00007F3B094ED2DEh
imul eax, dword ptr [00462BF0h]
mov dword ptr [00462BC4h], eax
mov esi, dword ptr [00462C0Ch]
cmp esi, 2C62466Eh
jc 00007F3B094ED2F1h
mov ecx, dword ptr [00462BD0h]
test ecx, ecx
je 00007F3B094ED2DDh
mov eax, 1C2E975Dh
xor edx, edx
div ecx
jmp 00007F3B094ED2D7h
mov eax, 00000001h
mov dword ptr [00462BE0h], eax
mov edi, dword ptr [00462BA8h]
mov ecx, dword ptr [00462BA0h]
mov ebx, 0AF9EDA1h
cmp edi, ecx
jnl 00007F3B094ED2EAh
test edi, edi
je 00007F3B094ED2E1h
movsx eax, word ptr [00462BC0h]
cdq
idiv edi
movsx ebx, ax
jmp 00007F3B094ED2D7h
mov ebx, 00000001h
mov eax, 000095D6h
xor eax, dword ptr [00462BB0h]
Data directories:

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa42c           0x3c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x64000          0x12ccb0      .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x191000         0x11ac        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xa5d8           0x170         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections (name, virtual address, virtual size, raw size, MD5, Xored PE, ZLIB complexity, file type, entropy, characteristics):

.text: VA 0x1000, virtual size 0x7243, raw size 0x7400, MD5 40fbdb03b0dd29c6e6e78cebe72d03a5, Xored PE False, ZLIB complexity 0.5846578663793104, file type data, entropy 6.395706926056336, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata: VA 0x9000, virtual size 0x1dd6, raw size 0x1e00, MD5 02b8be4a82aedaa0914de825a5073a17, Xored PE False, ZLIB complexity 0.4016927083333333, file type data, entropy 4.397245403311926, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data: VA 0xb000, virtual size 0x5841a, raw size 0x57c00, MD5 54d34f4210e26fa3ad12757642b304d9, Xored PE False, ZLIB complexity 1.0012048192771084, file type data, entropy 7.9771232822981295, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc: VA 0x64000, virtual size 0x12ccb0, raw size 0x12ce00, MD5 d41d8cd98f00b204e9800998ecf8427e, Xored PE False, ZLIB complexity 0, file type empty, entropy 0.0, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc: VA 0x191000, virtual size 0x11ac, raw size 0x1200, MD5 d41d8cd98f00b204e9800998ecf8427e, Xored PE False, ZLIB complexity 0, file type empty, entropy 0.0, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Imports (DLL: functions):

KERNEL32.dll: CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetDateFormatW, GetEnvironmentStringsW, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemInfo, GetSystemTimeAsFileTime, GetTempPathW, GetTickCount, GetTimeFormatW, GetUserDefaultLCID, GlobalMemoryStatusEx, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeSListHead, InterlockedFlushSList, InterlockedPushEntrySList, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, OutputDebugStringW, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, RtlUnwind, SetConsoleCtrlHandler, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, VirtualProtect, VirtualQuery, WideCharToMultiByte, WriteConsoleW, WriteFile, lstrcmpiW
USER32.dll: DestroyIcon, EndDialog
No network behavior found
No statistics
No system behavior
No disassembly