Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.PUA.Win32.Presenoker.25612

Overview

General Information

Sample Name:	SecuriteInfo.com.PUA.Win32.Presenoker.25612 (renamed file extension from 25612 to exe)
Analysis ID:	334154
MD5:	706ca89ed31bf43bdfcc0d3aca8c9af4
SHA1:	012da89db7ff6a6ed7136a910b340faaab70b3f1
SHA256:	c0522052999f973d3bd24ac557945bb710291f019d4d8b8b76c87625a2f12389
Most interesting Screenshot:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Classification

Startup

System is w10x64

SecuriteInfo.com.PUA.Win32.Presenoker.exe (PID: 4828 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe' MD5: 706CA89ED31BF43BDFCC0D3ACA8C9AF4)

conhost.exe (PID: 4696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe	Virustotal: Detection: 15%			Perma Link
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe	ReversingLabs: Detection: 14%

Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.346543224.000000C000008000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/master/docs/CHANGELOG.md
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.346605059.000000C00003E000.00000004.00000001.sdmp, SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.346577815.000000C00002C000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/master/docs/CHANGELOG.md#deprecated-cli-app-action-signature
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.346605059.000000C00003E000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/master/docs/CHANGELOG.md#deprecated-cli-app-action-signatureAvail
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.346661687.000000C00006B000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/master/docs/CHANGELOG.md#deprecated-cli-app-action-signatureC
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.346661687.000000C00006B000.00000004.00000001.sdmp, SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.346577815.000000C00002C000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/master/docs/CHANGELOG.md#deprecated-cli-app-action-signatureC:
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.346543224.000000C000008000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/master/docs/CHANGELOG.mdC:
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe	String found in binary or memory: https://github.com/urfave/cli/blob/master/docs/CHANGELOG.mdreflect:

Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe

Static PE information: Number of sections : 22 > 10

Source: classification engine

Classification label: mal52.spyw.winEXE@2/4@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe

File created: C:\Users\user\Desktop\results

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4696:120:WilError_01

Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe

Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.344739479.0000000000C0A000.00000002.00020000.sdmp	Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.344739479.0000000000C0A000.00000002.00020000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.344739479.0000000000C0A000.00000002.00020000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.344739479.0000000000C0A000.00000002.00020000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.344739479.0000000000C0A000.00000002.00020000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.344739479.0000000000C0A000.00000002.00020000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.344739479.0000000000C0A000.00000002.00020000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe	Virustotal: Detection: 15%
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe	ReversingLabs: Detection: 14%

Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe

String found in binary or memory: bufio.Scanner: SplitFunc returns advance count beyond inputhttps://github.com/urfave/cli/blob/master/docs/CHANGELOG.mdreflect: indirection through nil pointer to embedded structsync/atomic: store of inconsistently typed value into Valuesync: WaitGroup is reused before previous Wait has returnedtype of SQlite aggregator Step() return value must be errorunsupported Scan, storing driver.Value type %T into type %T/AppData/Roaming/Mozilla/Firefox/Profiles/*.default-release/addr range base and limit are not in the same memory segmentbytes.Reader.UnreadRune: previous operation was not ReadRuneinvalid context to convert cursor rows, missing parent *Rowsruntime: GetQueuedCompletionStatusEx returned invalid mode= runtime: netpoll: PostQueuedCompletionStatus failed (errno= 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZfound bad pointer in Go heap (incorrect use of unsafe or cgo?)runtime: internal error: misuse of lockOSThread/unlockOSThreadstrings.Reader.UnreadRune: previous operation was not ReadRune&([a-zA-Z]{2,31}[0-9]{0,2}|#([0-9]{1,7}|[xX][0-9a-fA-F]{1,6}));<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" Invalid _locking_mode: %v, expecting value of 'NORMAL EXCLUSIVEinput [security find-generic-password -wa 'Chrome'] in terminal/AppData/Local/BraveSoftware/Brave-Browser/User Data/Local StateABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_compileCallback: expected function with one uintptr-sized resultdriver ColumnConverter error converted %T to unsupported type %Tflate: invalid compression level %d: want value in range [-2, 9]json: invalid number literal, trying to unmarshal %q into Numberruntime.SetFinalizer: pointer not at beginning of allocated blockstrconv: internal error: extFloat.FixedDecimal called with n == 0 <meta name="GENERATOR" content="Blackfriday Markdown Processor vSELECT id, url, last_visit_date, title, visit_count FROM moz_placesbig: invalid 2nd argument to Int.Jacobi: need odd integer but got %sruntime:greyobject: checkmarks finds unexpected unmarked object obj=bytes.Buffer: UnreadByte: previous operation was not a successful readsecond return value of SQLite aggregator Done() function must be errorjson: invalid use of ,string struct tag, trying to unmarshal %q into %vtoo many concurrent operations on a single file or socket (max 1048575)Missing '_auth_pass' while user authentication was requested with '_auth'Missing '_auth_user' while user authentication was requested with '_auth'Invalid _auto_vacuum: %v, expecting value of '0 NONE 1 FULL 2 INCREMENTAL'bytes.Buffer: UnreadRune: previous operation was not a successful ReadRuneSELECT origin_url, username_value, password_value, date_created FROM loginsInvalid _synchronous: %v, expecting value of '0 OFF 1 NORMAL 2 FULL 3 EXTRA'runtime: found space for saved base pointer, but no framepointer experiment

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe 'C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe

Static file information: File size 16128584 > 1048576

Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x322400
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x230a00
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe	Static PE information: Raw size of /51 is bigger than: 0x100000 < 0x2a2800
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe	Static PE information: Raw size of /113 is bigger than: 0x100000 < 0x3d1a00

Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe

Static PE information: real checksum: 0xf6a167 should be:

Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe	Static PE information: section name: .xdata
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe	Static PE information: section name: /4
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe	Static PE information: section name: /19
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe	Static PE information: section name: /35
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe	Static PE information: section name: /51
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe	Static PE information: section name: /63
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe	Static PE information: section name: /77
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe	Static PE information: section name: /89
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe	Static PE information: section name: /102
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe	Static PE information: section name: /113
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe	Static PE information: section name: /124
Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe	Static PE information: section name: /138

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Source: SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.348026490.0000021189A83000.00000004.00000020.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation	Jump to behavior

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping1	Security Software Discovery1	Remote Services	Data from Local System1	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	System Information Discovery11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.PUA.Win32.Presenoker.exe	16%	Virustotal		Browse
SecuriteInfo.com.PUA.Win32.Presenoker.exe	15%	ReversingLabs	Win64.Infostealer.Generic

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://github.com/urfave/cli/blob/master/docs/CHANGELOG.mdreflect:	SecuriteInfo.com.PUA.Win32.Presenoker.exe	false	high
https://github.com/urfave/cli/blob/master/docs/CHANGELOG.md#deprecated-cli-app-action-signatureAvail	SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.346605059.000000C00003E000.00000004.00000001.sdmp	false	high
https://github.com/urfave/cli/blob/master/docs/CHANGELOG.md	SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.346543224.000000C000008000.00000004.00000001.sdmp	false	high
https://github.com/urfave/cli/blob/master/docs/CHANGELOG.md#deprecated-cli-app-action-signatureC:	SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.346661687.000000C00006B000.00000004.00000001.sdmp, SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.346577815.000000C00002C000.00000004.00000001.sdmp	false	high
https://github.com/urfave/cli/blob/master/docs/CHANGELOG.md#deprecated-cli-app-action-signatureC	SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.346661687.000000C00006B000.00000004.00000001.sdmp	false	high
https://github.com/urfave/cli/blob/master/docs/CHANGELOG.md#deprecated-cli-app-action-signature	SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.346605059.000000C00003E000.00000004.00000001.sdmp, SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.346577815.000000C00002C000.00000004.00000001.sdmp	false	high
https://github.com/urfave/cli/blob/master/docs/CHANGELOG.mdC:	SecuriteInfo.com.PUA.Win32.Presenoker.exe, 00000000.00000002.346543224.000000C000008000.00000004.00000001.sdmp	false	high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	334154
Start date:	26.12.2020
Start time:	12:41:41
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.PUA.Win32.Presenoker.25612 (renamed file extension from 25612 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.spyw.winEXE@2/4@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\Desktop\Cookies Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6951152985249047
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
MD5:	EA7F9615D77815B5FFF7C15179C6C560
SHA1:	3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
SHA-256:	A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
SHA-512:	9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\History Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	118784
Entropy (8bit):	0.4589067735369779
Encrypted:	false
SSDEEP:	48:TXYBfHNPM5ETQTbKPHBsRkOLkRf+z4QHItYysX0uhnHu132RUioVeINUravDLjY/:UWU+bDoYysX0uhnydVjN9DLjGQLBE3u
MD5:	89CE01DCB0DC182AFF651E0094A2A7A2
SHA1:	DBFC15F5503780095741421FCC662D72460D804A
SHA-256:	1A0599ED2576D1224FDE5E4B512BF36AA0D322765C8F83ADDF9487D6D4E511E0
SHA-512:	86E16B4D227056BB75D51F4D01F69E8585626664401E14C1F052C8C9F6D6F4BF5C3FAB041FCDB33E9D8EBB82785D9B382E97FBBBCD0550BA49776C14934079EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\Login Data Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\results\chrome_cookie.csv Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	362
Entropy (8bit):	5.771550006160671
Encrypted:	false
SSDEEP:	6:lrbwqto4CyiBdg8vc7AZ7XoX51TbDgivd4YMrd71DLE7XGsTQ4D7lfBIXWo//Io6:JbwWo4mg807CXop1Tt4YYd7JL8h3vlJV
MD5:	78F412AEA7CA20287BCBD4F5713C4260
SHA1:	324652BA893BE62889108598F0F3ACA5190C8542
SHA-256:	D3E6BA3C71BA5DB058FE05E1A4869E94DEBB5049DDDC5B39B9CAF9CF79C92743
SHA-512:	DDF3FAD77D1D27D4D77D01E894143478B596086A442649E6E04FA935D493A2A5BFB945BD1FEE8E4446691D33CB105D9EFB5071CF3652C926B85494CB4D84827C
Malicious:	false
Reputation:	low
Preview:	.Host,Path,KeyName,Value,IsSecure,IsHTTPOnly,HasExpire,IsPersistent,CreateDate,ExpireDate..google.com,/,NID,204=XlJ-cT9Xg8DDNcFChe-nUGbxxEez8DRPGzgzUdZjP1JdN2YiNhfyRKFYdvFacUiguPGJxNZQxNzSiNVBcKqtq4ja7gbbvS3qQExvrcATH8SyD8dfy7IhIXh65vwy9wvzcYGB8MPR2c8HHGKEWDbc9DczP4qY4Ggc7D8ZFucZfEc,true,true,true,true,2020-09-30T15:22:32.814034Z,2021-04-01T15:22:32.814034Z.

Static File Info

General
File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	5.490746762743521
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.PUA.Win32.Presenoker.exe
File size:	16128584
MD5:	706ca89ed31bf43bdfcc0d3aca8c9af4
SHA1:	012da89db7ff6a6ed7136a910b340faaab70b3f1
SHA256:	c0522052999f973d3bd24ac557945bb710291f019d4d8b8b76c87625a2f12389
SHA512:	daa4581420095acb91b8aee1768bf1b4b850d3e70c081950a75f1cbe272d41b093740d52f287c38badc990184ff08b7f0fa5ebe387d9a16c3025e8bff9fafc4d
SSDEEP:	98304:MtEfGgb4e5c8lDDSfJ9dMvCRmwj1YJ39UqDWIsymoaTrTAdBMuJICql:MtEOgb4e5cbJ9KvC3OszCJE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......_.....8....&......$2..._...............@..............................@......g.....`... ............................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4014e0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x5FCE0BB8 [Mon Dec 7 11:02:16 2020 UTC]
TLS Callbacks:	0x719fe0
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	22c96a94a1d71cb6fbd5097c4874e51e

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00578FD5h]
mov dword ptr [eax], 00000000h
call 00007FA48067767Fh
call 00007FA48035EA2Ah
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax+00h]
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 28h
call 00007FA480678E6Ch
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
push ebp
dec eax
mov ebp, esp
dec eax
lea ecx, dword ptr [00000015h]
pop ebp
jmp 00007FA48035ED74h
nop dword ptr [eax+eax+00h]
nop word ptr [eax+eax+00000000h]
push ebp
dec eax
mov ebp, esp
pop ebp
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
jmp dword ptr [eax]
inc edi
outsd
and byte ptr [edx+75h], ah
imul ebp, dword ptr [esp+20h], 203A4449h
and dh, byte ptr [48736752h]
imul eax, dword ptr [ebp+ebp+74h], 38h
push ebp
xor al, 2Dh
dec ecx
je 00007FA48035EE0Bh
cmp byte ptr [ebx+53h], ch
push 4647652Fh
jp 00007FA48035EDF3h
push eax
inc esi
imul ebx, dword ptr [ecx+4Bh], 2D765955h
jbe 00007FA48035EE0Ch
dec esi
push 0000004Fh
das
dec ecx
dec edi
inc ebx
jbe 00007FA48035EDF9h
js 00007FA48035EDF7h
jp 00007FA48035EE09h
sub eax, 00645676h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5c0000	0x5d365	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x61e000	0x1698	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x57b000	0x54a8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x622000	0x198e0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x57a020	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x61e50c	0x4d0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x322280	0x322400	unknown	unknown	unknown	unknown	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.data	0x324000	0x25060	0x25200	False	0.366115582912	data	4.30306727092	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.rdata	0x34a000	0x230910	0x230a00	unknown	unknown	unknown	unknown	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.pdata	0x57b000	0x54a8	0x5600	False	0.506268168605	data	5.81223809454	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.xdata	0x581000	0x58f0	0x5a00	False	0.133333333333	data	4.38047769652	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.bss	0x587000	0x38d80	0x0	False	0	empty	0.0	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.edata	0x5c0000	0x5d365	0x5d400	False	0.270950276475	data	6.00652676402	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.idata	0x61e000	0x1698	0x1800	False	0.298014322917	data	4.37126596025	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.CRT	0x620000	0x68	0x200	False	0.076171875	data	0.280401167659	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.tls	0x621000	0x10	0x200	False	0.02734375	data	0.0	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.reloc	0x622000	0x198e0	0x19a00	False	0.286070884146	data	5.43823664342	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/4	0x63c000	0x680	0x800	False	0.26611328125	data	1.95337602316	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/19	0x63d000	0x11f6e	0x12000	False	0.256971571181	data	5.41767186239	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/35	0x64f000	0x272db	0x27400	False	0.200879528264	data	5.50517907022	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/51	0x677000	0x2a2660	0x2a2800	unknown	unknown	unknown	unknown	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/63	0x91a000	0x2439	0x2600	False	0.271792763158	data	4.75715823172	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/77	0x91d000	0xd9d3f	0xd9e00	False	0.52933385327	data	6.22494233684	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/89	0x9f7000	0x5c278	0x5c400	False	0.249769753557	TIM image, (3088,2055)	4.37271088559	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/102	0xa54000	0x2e63	0x3000	False	0.435546875	data	4.87664561577	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/113	0xa57000	0x3d1971	0x3d1a00	unknown	unknown	unknown	unknown	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/124	0xe29000	0xe9730	0xe9800	False	0.17447951519	data	2.57617936781	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/138	0xf13000	0x22	0x200	False	0.076171875	data	0.6216517742	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

AddVectoredExceptionHandler, AreFileApisANSI, CloseHandle, CreateEventA, CreateFileA, CreateFileMappingA, CreateFileMappingW, CreateFileW, CreateIoCompletionPort, CreateMutexW, CreateThread, CreateWaitableTimerA, DeleteCriticalSection, DeleteFileA, DeleteFileW, DuplicateHandle, EnterCriticalSection, ExitProcess, FlushFileBuffers, FlushViewOfFile, FormatMessageA, FormatMessageW, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceA, GetDiskFreeSpaceW, GetEnvironmentStringsW, GetFileAttributesA, GetFileAttributesExW, GetFileAttributesW, GetFileSize, GetFullPathNameA, GetFullPathNameW, GetLastError, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTime, GetSystemTimeAsFileTime, GetTempPathA, GetTempPathW, GetThreadContext, GetTickCount, GetVersionExA, GetVersionExW, HeapAlloc, HeapCompact, HeapCreate, HeapDestroy, HeapFree, HeapReAlloc, HeapSize, HeapValidate, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, LocalFree, LockFile, LockFileEx, MapViewOfFile, MultiByteToWideChar, OpenProcess, OutputDebugStringA, OutputDebugStringW, PostQueuedCompletionStatus, ProcessIdToSessionId, QueryFullProcessImageNameA, QueryPerformanceCounter, ReadFile, ResumeThread, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetEndOfFile, SetErrorMode, SetEvent, SetFilePointer, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, SystemTimeToFileTime, TerminateProcess, TlsGetValue, TryEnterCriticalSection, UnhandledExceptionFilter, UnlockFile, UnlockFileEx, UnmapViewOfFile, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler

msvcrt.dll

__getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _endthreadex, _errno, _fmode, _initterm, _localtime64, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcmp, memcpy, memmove, memset, qsort, realloc, signal, strcmp, strcspn, strlen, strncmp, strrchr, vfprintf

Exports

Name	Ordinal	Address
_cgo_c73858d9e6d6_Cfunc__Cmalloc	1	0x66ddc0
_cgo_c73858d9e6d6_Cfunc__sqlite3_bind_blob	2	0x66e1a0
_cgo_c73858d9e6d6_Cfunc__sqlite3_bind_text	3	0x66e1f0
_cgo_c73858d9e6d6_Cfunc__sqlite3_create_function	4	0x66e240
_cgo_c73858d9e6d6_Cfunc__sqlite3_limit	5	0x66e2a0
_cgo_c73858d9e6d6_Cfunc__sqlite3_open_v2	6	0x66e2e0
_cgo_c73858d9e6d6_Cfunc__sqlite3_prepare_v2_internal	7	0x66e320
_cgo_c73858d9e6d6_Cfunc__sqlite3_result_blob	8	0x66df20
_cgo_c73858d9e6d6_Cfunc__sqlite3_result_text	9	0x66df30
_cgo_c73858d9e6d6_Cfunc__sqlite3_step_internal	10	0x66e370
_cgo_c73858d9e6d6_Cfunc__sqlite3_step_row_internal	11	0x66e3a0
_cgo_c73858d9e6d6_Cfunc_free	12	0x66de00
_cgo_c73858d9e6d6_Cfunc_my_result_blob	13	0x66eca0
_cgo_c73858d9e6d6_Cfunc_my_result_text	14	0x66ecc0
_cgo_c73858d9e6d6_Cfunc_sqlite3_aggregate_context	15	0x66e410
_cgo_c73858d9e6d6_Cfunc_sqlite3_backup_finish	16	0x66de10
_cgo_c73858d9e6d6_Cfunc_sqlite3_backup_init	17	0x66de40
_cgo_c73858d9e6d6_Cfunc_sqlite3_backup_pagecount	18	0x66de80
_cgo_c73858d9e6d6_Cfunc_sqlite3_backup_remaining	19	0x66deb0
_cgo_c73858d9e6d6_Cfunc_sqlite3_backup_step	20	0x66dee0
_cgo_c73858d9e6d6_Cfunc_sqlite3_bind_double	21	0x66e450
_cgo_c73858d9e6d6_Cfunc_sqlite3_bind_int	22	0x66e490
_cgo_c73858d9e6d6_Cfunc_sqlite3_bind_int64	23	0x66e4d0
_cgo_c73858d9e6d6_Cfunc_sqlite3_bind_null	24	0x66e510
_cgo_c73858d9e6d6_Cfunc_sqlite3_bind_parameter_count	25	0x66e550
_cgo_c73858d9e6d6_Cfunc_sqlite3_bind_parameter_index	26	0x66e580
_cgo_c73858d9e6d6_Cfunc_sqlite3_busy_timeout	27	0x66e5c0
_cgo_c73858d9e6d6_Cfunc_sqlite3_clear_bindings	28	0x66e600
_cgo_c73858d9e6d6_Cfunc_sqlite3_close_v2	29	0x66e630
_cgo_c73858d9e6d6_Cfunc_sqlite3_column_blob	30	0x66e660
_cgo_c73858d9e6d6_Cfunc_sqlite3_column_bytes	31	0x66e6a0
_cgo_c73858d9e6d6_Cfunc_sqlite3_column_count	32	0x66e6e0
_cgo_c73858d9e6d6_Cfunc_sqlite3_column_decltype	33	0x66e710
_cgo_c73858d9e6d6_Cfunc_sqlite3_column_double	34	0x66e750
_cgo_c73858d9e6d6_Cfunc_sqlite3_column_int64	35	0x66e790
_cgo_c73858d9e6d6_Cfunc_sqlite3_column_name	36	0x66e7d0
_cgo_c73858d9e6d6_Cfunc_sqlite3_column_text	37	0x66e810
_cgo_c73858d9e6d6_Cfunc_sqlite3_column_type	38	0x66e850
_cgo_c73858d9e6d6_Cfunc_sqlite3_commit_hook	39	0x66e890
_cgo_c73858d9e6d6_Cfunc_sqlite3_create_collation	40	0x66e8d0
_cgo_c73858d9e6d6_Cfunc_sqlite3_db_filename	41	0x66e920
_cgo_c73858d9e6d6_Cfunc_sqlite3_enable_load_extension	42	0x66ed10
_cgo_c73858d9e6d6_Cfunc_sqlite3_errcode	43	0x66e960
_cgo_c73858d9e6d6_Cfunc_sqlite3_errmsg	44	0x66e990
_cgo_c73858d9e6d6_Cfunc_sqlite3_errstr	45	0x66e120
_cgo_c73858d9e6d6_Cfunc_sqlite3_exec	46	0x66e9d0
_cgo_c73858d9e6d6_Cfunc_sqlite3_extended_errcode	47	0x66ea20
_cgo_c73858d9e6d6_Cfunc_sqlite3_finalize	48	0x66ea50
_cgo_c73858d9e6d6_Cfunc_sqlite3_free	49	0x66ed50
_cgo_c73858d9e6d6_Cfunc_sqlite3_get_autocommit	50	0x66ea80
_cgo_c73858d9e6d6_Cfunc_sqlite3_interrupt	51	0x66eab0
_cgo_c73858d9e6d6_Cfunc_sqlite3_libversion	52	0x66eac0
_cgo_c73858d9e6d6_Cfunc_sqlite3_libversion_number	53	0x66eaf0
_cgo_c73858d9e6d6_Cfunc_sqlite3_load_extension	54	0x66ed60
_cgo_c73858d9e6d6_Cfunc_sqlite3_reset	55	0x66eb20
_cgo_c73858d9e6d6_Cfunc_sqlite3_result_double	56	0x66df40
_cgo_c73858d9e6d6_Cfunc_sqlite3_result_error	57	0x66df50
_cgo_c73858d9e6d6_Cfunc_sqlite3_result_error_toobig	58	0x66ece0
_cgo_c73858d9e6d6_Cfunc_sqlite3_result_int	59	0x66ecf0
_cgo_c73858d9e6d6_Cfunc_sqlite3_result_int64	60	0x66df60
_cgo_c73858d9e6d6_Cfunc_sqlite3_result_null	61	0x66df70
_cgo_c73858d9e6d6_Cfunc_sqlite3_result_zeroblob	62	0x66ed00
_cgo_c73858d9e6d6_Cfunc_sqlite3_rollback_hook	63	0x66eb50
_cgo_c73858d9e6d6_Cfunc_sqlite3_set_authorizer	64	0x66eb90
_cgo_c73858d9e6d6_Cfunc_sqlite3_sourceid	65	0x66ebd0
_cgo_c73858d9e6d6_Cfunc_sqlite3_system_errno	66	0x66ec00
_cgo_c73858d9e6d6_Cfunc_sqlite3_threadsafe	67	0x66ec30
_cgo_c73858d9e6d6_Cfunc_sqlite3_update_hook	68	0x66ec60
_cgo_c73858d9e6d6_Cfunc_sqlite3_user_data	69	0x66df80
_cgo_c73858d9e6d6_Cfunc_sqlite3_value_blob	70	0x66dfc0
_cgo_c73858d9e6d6_Cfunc_sqlite3_value_bytes	71	0x66e000
_cgo_c73858d9e6d6_Cfunc_sqlite3_value_double	72	0x66e030
_cgo_c73858d9e6d6_Cfunc_sqlite3_value_int64	73	0x66e070
_cgo_c73858d9e6d6_Cfunc_sqlite3_value_text	74	0x66e0b0
_cgo_c73858d9e6d6_Cfunc_sqlite3_value_type	75	0x66e0f0
_cgo_get_context_function	76	0x719b80
_cgo_init	77	0x73b9e0
_cgo_is_runtime_initialized	78	0x719a20
_cgo_maybe_run_preinit	79	0x719960
_cgo_notify_runtime_init_done	80	0x73b9e8
_cgo_panic	81	0x5a4c80
_cgo_preinit_init	82	0x719900
_cgo_release_context	83	0x7198d0
_cgo_sys_thread_start	84	0x719c70
_cgo_thread_start	85	0x73b9f0
_cgo_topofstack	86	0x46b960
_cgo_wait_runtime_init_done	87	0x719a50
_cgo_yield	88	0x979fa0
_cgoexp_c73858d9e6d6_authorizerTrampoline	89	0x5c3a40
_cgoexp_c73858d9e6d6_callbackTrampoline	90	0x5c37a0
_cgoexp_c73858d9e6d6_commitHookTrampoline	91	0x5c3920
_cgoexp_c73858d9e6d6_compareTrampoline	92	0x5c38c0
_cgoexp_c73858d9e6d6_doneTrampoline	93	0x5c3860
_cgoexp_c73858d9e6d6_preUpdateHookTrampoline	94	0x5c3aa0
_cgoexp_c73858d9e6d6_rollbackHookTrampoline	95	0x5c3980
_cgoexp_c73858d9e6d6_stepTrampoline	96	0x5c3800
_cgoexp_c73858d9e6d6_updateHookTrampoline	97	0x5c39e0
_sqlite3_create_function	98	0x66e190
_sqlite3_result_blob	99	0x66e180
_sqlite3_result_text	100	0x66e160

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

• SecuriteInfo.com.PUA.Win32.Presenoker.exe
• conhost.exe

Click to jump to process

Memory Usage

• SecuriteInfo.com.PUA.Win32.Presenoker.exe
• conhost.exe

Click to jump to process

Behavior

• SecuriteInfo.com.PUA.Win32.Presenoker.exe
• conhost.exe

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.PUA.Win32.Presenoker.exe PID: 4828 Parent PID: 5944

Function Logs

General

Start time:	12:42:38
Start date:	26/12/2020
Path:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.PUA.Win32.Presenoker.exe'
Imagebase:	0x8c0000
File size:	16128584 bytes
MD5 hash:	706CA89ED31BF43BDFCC0D3ACA8C9AF4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Usage Statistics

Show Windows behavior

System Activities

Chronological Activities

Analysis Process: conhost.exe PID: 4696 Parent PID: 4828

Function Logs

General

Start time:	12:42:39
Start date:	26/12/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Show Windows behavior

Memory Activities

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.PUA.Win32.Presenoker.25612

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.PUA.Win32.Presenoker.exe PID: 4828 Parent PID: 5944

General

File Activities

File Opened

File Created

File Deleted

File Written

File Read

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows