Windows Analysis Report
SecuriteInfo.com.Variant.Strictor.47541.25845.4974

Overview

General Information

Sample Name: SecuriteInfo.com.Variant.Strictor.47541.25845.4974 (renamed file extension from 4974 to exe)
Analysis ID: 629537
MD5: 66327cb157de8ff34bd61a710d30d814
SHA1: 5affa0807d36dc064de6daf336ef9b074e6ef308
SHA256: 4ff209aea9caf232f64a0a1670504bc6f37d079fa66dbe303439a93e00c3cdc6
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
Binary or sample is protected by dotNetProtector
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

AV Detection

Source: 00000006.00000000.456611448.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.vaicomfibra.com/c0my/"], "decoy": ["cloud-index.cloud", "xetnghiemdany.com", "iamhiswellness.com", "ashiletic.com", "denalicanning.info", "easyharlotinfo.art", "influencersexbot.com", "keez.store", "larosajaya.com", "cherejeanne.com", "us-binmile.com", "oraclevuaxxx.com", "gathabit.com", "bestbudgettravel.com", "gold10guide.art", "cleanerguard.com", "academiafine.com", "nataliz.com", "clickfunk.com", "878971.com", "xuedao8.com", "0xpax.xyz", "halfanape.com", "freedom2mow.com", "lemongraz.store", "sunderbakery.com", "bonusgems.com", "tiangongjiuba.com", "jerrymortgages.online", "tangerineden.com", "bitcointreasurechest.com", "trdue4.com", "againfuid.com", "ittakesgenius.com", "icrinc-cm.com", "kristophergem.com", "tokowaotomatis.com", "thanatopraxie-de-louest.fr", "binaryoptionstrade24.com", "find-my-cloud.net", "scurenimekbankofamerica.com", "masrawy.info", "becomingalice.com", "lookpool.net", "maxicashprohml.xyz", "milanssalon.com", "msinternationaltraders.com", "ptfeparts.biz", "sdwlsb.com", "tabletcu.com", "binbin-ads.com", "tripleotechnologies.com", "cherseshop.com", "i-drinks.com", "unapologeticallyexpensive.com", "simplycarebox.com", "arbetepavag.online", "simpsonvillepies.com", "kiminplaka.com", "2day.today", "durimar.pictures", "googlepkp.com", "alphacosph.com", "ytzye.com"]}
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe ReversingLabs: Detection: 46%
Source: Yara match File source: 6.2.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000000.457149612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.456611448.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.462583682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.653036222.00000000040CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.471647276.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: www.vaicomfibra.com/c0my/ Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe ReversingLabs: Detection: 46%
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Joe Sandbox ML: detected
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000006.00000003.461030211.000000000186B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000006.00000002.463435341.0000000001B1F000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000006.00000002.463142441.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000006.00000003.458927009.00000000016C6000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000006.00000003.461030211.000000000186B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000006.00000002.463435341.0000000001B1F000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000006.00000002.463142441.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000006.00000003.458927009.00000000016C6000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 4x nop then pop edi 6_2_0040C7F4

Networking

Source: Malware configuration extractor URLs: www.vaicomfibra.com/c0my/
Source: AVG.exe, 00000016.00000002.650727329.000000000144F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.mic
Source: AVG.exe, 00000016.00000002.650529523.0000000001419000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match File source: 6.2.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000000.457149612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.456611448.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.462583682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.653036222.00000000040CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.471647276.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 6.2.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.457149612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.457149612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.456611448.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.456611448.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.462583682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.462583682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.653036222.00000000040CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.653036222.00000000040CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.471647276.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.471647276.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 6.2.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.457149612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.457149612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.456611448.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.456611448.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.462583682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.462583682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.653036222.00000000040CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.653036222.00000000040CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.471647276.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.471647276.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 0_2_04FD5960 0_2_04FD5960
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 0_2_04FE58D7 0_2_04FE58D7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 0_2_04FF0040 0_2_04FF0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 0_2_04FF5728 0_2_04FF5728
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 0_2_04FFAD08 0_2_04FFAD08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 0_2_04FD5959 0_2_04FD5959
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_00401030 6_2_00401030
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_0041D0E2 6_2_0041D0E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_004090A0 6_2_004090A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_0041D15B 6_2_0041D15B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_00402D90 6_2_00402D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_00402FB0 6_2_00402FB0
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Code function: 22_2_02F12C10 22_2_02F12C10
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Code function: 22_2_02F18E08 22_2_02F18E08
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Code function: 22_2_056F5960 22_2_056F5960
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Code function: 22_2_057058D7 22_2_057058D7
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Code function: 22_2_05710040 22_2_05710040
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Code function: 22_2_05715728 22_2_05715728
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Code function: 22_2_05715717 22_2_05715717
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Code function: 22_2_05710007 22_2_05710007
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 0_2_04FFFB18 CreateProcessAsUserA, 0_2_04FFFB18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_00418AA0 NtCreateFile, 6_2_00418AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_00418B50 NtReadFile, 6_2_00418B50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_00418BD0 NtClose, 6_2_00418BD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_00418C80 NtAllocateVirtualMemory, 6_2_00418C80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_00418B4A NtReadFile, 6_2_00418B4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_00418BCA NtClose, 6_2_00418BCA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_00418C7A NtAllocateVirtualMemory, 6_2_00418C7A
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000006.00000002.463919139.0000000001CAF000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Variant.Strictor.47541.25845.exe
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000006.00000002.463435341.0000000001B1F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Variant.Strictor.47541.25845.exe
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000006.00000003.459441548.00000000017DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Variant.Strictor.47541.25845.exe
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000006.00000003.461772931.000000000198A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Variant.Strictor.47541.25845.exe
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AVG.exe.12.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe ReversingLabs: Detection: 46%
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\AVG\AVG.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\AVG\AVG.exe'" /f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe" "C:\Users\user\AppData\Roaming\AVG\AVG.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\AVG\AVG.exe C:\Users\user\AppData\Roaming\AVG\AVG.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\AVG\AVG.exe'" /f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe" "C:\Users\user\AppData\Roaming\AVG\AVG.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\AVG\AVG.exe'" /f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe File created: C:\Users\user\AppData\Roaming\AVG
Source: classification engine Classification label: mal100.troj.evad.winEXE@12/3@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe, KeyedHashAlgorithm.cs Base64 encoded string: 'xcJN4TIiiYqdyNQ8B6m7sTq+iNZvblOT7jJW5PjcDsR/IL7H/rFzllXQ4jHfWkFxJ0C6ZvrWUis='
Source: 0.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.aa0000.0.unpack, KeyedHashAlgorithm.cs Base64 encoded string: 'xcJN4TIiiYqdyNQ8B6m7sTq+iNZvblOT7jJW5PjcDsR/IL7H/rFzllXQ4jHfWkFxJ0C6ZvrWUis='
Source: 0.2.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.aa0000.0.unpack, KeyedHashAlgorithm.cs Base64 encoded string: 'xcJN4TIiiYqdyNQ8B6m7sTq+iNZvblOT7jJW5PjcDsR/IL7H/rFzllXQ4jHfWkFxJ0C6ZvrWUis='
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.aa0000.0.unpack, KeyedHashAlgorithm.cs Base64 encoded string: 'xcJN4TIiiYqdyNQ8B6m7sTq+iNZvblOT7jJW5PjcDsR/IL7H/rFzllXQ4jHfWkFxJ0C6ZvrWUis='
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.aa0000.5.unpack, KeyedHashAlgorithm.cs Base64 encoded string: 'xcJN4TIiiYqdyNQ8B6m7sTq+iNZvblOT7jJW5PjcDsR/IL7H/rFzllXQ4jHfWkFxJ0C6ZvrWUis='
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.aa0000.3.unpack, KeyedHashAlgorithm.cs Base64 encoded string: 'xcJN4TIiiYqdyNQ8B6m7sTq+iNZvblOT7jJW5PjcDsR/IL7H/rFzllXQ4jHfWkFxJ0C6ZvrWUis='
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.aa0000.9.unpack, KeyedHashAlgorithm.cs Base64 encoded string: 'xcJN4TIiiYqdyNQ8B6m7sTq+iNZvblOT7jJW5PjcDsR/IL7H/rFzllXQ4jHfWkFxJ0C6ZvrWUis='
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.aa0000.7.unpack, KeyedHashAlgorithm.cs Base64 encoded string: 'xcJN4TIiiYqdyNQ8B6m7sTq+iNZvblOT7jJW5PjcDsR/IL7H/rFzllXQ4jHfWkFxJ0C6ZvrWUis='
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.aa0000.2.unpack, KeyedHashAlgorithm.cs Base64 encoded string: 'xcJN4TIiiYqdyNQ8B6m7sTq+iNZvblOT7jJW5PjcDsR/IL7H/rFzllXQ4jHfWkFxJ0C6ZvrWUis='
Source: 6.2.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.aa0000.1.unpack, KeyedHashAlgorithm.cs Base64 encoded string: 'xcJN4TIiiYqdyNQ8B6m7sTq+iNZvblOT7jJW5PjcDsR/IL7H/rFzllXQ4jHfWkFxJ0C6ZvrWUis='
Source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.aa0000.1.unpack, KeyedHashAlgorithm.cs Base64 encoded string: 'xcJN4TIiiYqdyNQ8B6m7sTq+iNZvblOT7jJW5PjcDsR/IL7H/rFzllXQ4jHfWkFxJ0C6ZvrWUis='
Source: AVG.exe.12.dr, KeyedHashAlgorithm.cs Base64 encoded string: 'xcJN4TIiiYqdyNQ8B6m7sTq+iNZvblOT7jJW5PjcDsR/IL7H/rFzllXQ4jHfWkFxJ0C6ZvrWUis='
Source: 22.2.AVG.exe.980000.0.unpack, KeyedHashAlgorithm.cs Base64 encoded string: 'xcJN4TIiiYqdyNQ8B6m7sTq+iNZvblOT7jJW5PjcDsR/IL7H/rFzllXQ4jHfWkFxJ0C6ZvrWUis='
Source: 22.0.AVG.exe.980000.0.unpack, KeyedHashAlgorithm.cs Base64 encoded string: 'xcJN4TIiiYqdyNQ8B6m7sTq+iNZvblOT7jJW5PjcDsR/IL7H/rFzllXQ4jHfWkFxJ0C6ZvrWUis='
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4920:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5100:120:WilError_01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000006.00000003.461030211.000000000186B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000006.00000002.463435341.0000000001B1F000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000006.00000002.463142441.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000006.00000003.458927009.00000000016C6000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000006.00000003.461030211.000000000186B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000006.00000002.463435341.0000000001B1F000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000006.00000002.463142441.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000006.00000003.458927009.00000000016C6000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe String found in binary or memory: dotNetProtector
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000000.00000000.380802758.0000000000AA2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: dotNetProtector
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000000.00000000.380802758.0000000000AA2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: z(rGet_IsMethodVarFirstGregorianTableYearGetCharInternalGetNextCharSet_ImageCor20HeaderGet_ManagedNativeHeaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDebuggerAsAnyMarshalerMarkHelperIsFunctionPointerget_IsPointerRecursionCounterBitConverterGet_IsGetterGetTokenForFloorset_RedirectStandardErrorThreadSafeListCreatorM_directorySeparatorInitializeTypeEnumerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorCodePageDataPtrIntPtr
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000000.00000002.470003028.0000000000AA2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: dotNetProtector
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000000.00000002.470003028.0000000000AA2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: z(rGet_IsMethodVarFirstGregorianTableYearGetCharInternalGetNextCharSet_ImageCor20HeaderGet_ManagedNativeHeaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDebuggerAsAnyMarshalerMarkHelperIsFunctionPointerget_IsPointerRecursionCounterBitConverterGet_IsGetterGetTokenForFloorset_RedirectStandardErrorThreadSafeListCreatorM_directorySeparatorInitializeTypeEnumerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorCodePageDataPtrIntPtr
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe String found in binary or memory: dotNetProtector
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000006.00000002.462689014.0000000000AA2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: dotNetProtector
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe, 00000006.00000002.462689014.0000000000AA2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: z(rGet_IsMethodVarFirstGregorianTableYearGetCharInternalGetNextCharSet_ImageCor20HeaderGet_ManagedNativeHeaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDebuggerAsAnyMarshalerMarkHelperIsFunctionPointerget_IsPointerRecursionCounterBitConverterGet_IsGetterGetTokenForFloorset_RedirectStandardErrorThreadSafeListCreatorM_directorySeparatorInitializeTypeEnumerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorCodePageDataPtrIntPtr
Source: cmd.exe, 0000000C.00000003.468180583.0000000000960000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: dotNetProtector
Source: cmd.exe, 0000000C.00000003.468180583.0000000000960000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: z(rGet_IsMethodVarFirstGregorianTableYearGetCharInternalGetNextCharSet_ImageCor20HeaderGet_ManagedNativeHeaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDebuggerAsAnyMarshalerMarkHelperIsFunctionPointerget_IsPointerRecursionCounterBitConverterGet_IsGetterGetTokenForFloorset_RedirectStandardErrorThreadSafeListCreatorM_directorySeparatorInitializeTypeEnumerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorCodePageDataPtrIntPtr
Source: AVG.exe String found in binary or memory: dotNetProtector
Source: AVG.exe, 00000016.00000002.649595255.0000000000982000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: dotNetProtector
Source: AVG.exe, 00000016.00000002.649595255.0000000000982000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: z(rGet_IsMethodVarFirstGregorianTableYearGetCharInternalGetNextCharSet_ImageCor20HeaderGet_ManagedNativeHeaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDebuggerAsAnyMarshalerMarkHelperIsFunctionPointerget_IsPointerRecursionCounterBitConverterGet_IsGetterGetTokenForFloorset_RedirectStandardErrorThreadSafeListCreatorM_directorySeparatorInitializeTypeEnumerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorCodePageDataPtrIntPtr
Source: AVG.exe, 00000016.00000000.576359044.0000000000982000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: dotNetProtector
Source: AVG.exe, 00000016.00000000.576359044.0000000000982000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: z(rGet_IsMethodVarFirstGregorianTableYearGetCharInternalGetNextCharSet_ImageCor20HeaderGet_ManagedNativeHeaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDebuggerAsAnyMarshalerMarkHelperIsFunctionPointerget_IsPointerRecursionCounterBitConverterGet_IsGetterGetTokenForFloorset_RedirectStandardErrorThreadSafeListCreatorM_directorySeparatorInitializeTypeEnumerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorCodePageDataPtrIntPtr
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe String found in binary or memory: dotNetProtector
Source: SecuriteInfo.com.Variant.Strictor.47541.25845.exe String found in binary or memory: z(rGet_IsMethodVarFirstGregorianTableYearGetCharInternalGetNextCharSet_ImageCor20HeaderGet_ManagedNativeHeaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDebuggerAsAnyMarshalerMarkHelperIsFunctionPointerget_IsPointerRecursionCounterBitConverterGet_IsGetterGetTokenForFloorset_RedirectStandardErrorThreadSafeListCreatorM_directorySeparatorInitializeTypeEnumerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorCodePageDataPtrIntPtr
Source: AVG.exe.12.dr String found in binary or memory: dotNetProtector
Source: AVG.exe.12.dr String found in binary or memory: z(rGet_IsMethodVarFirstGregorianTableYearGetCharInternalGetNextCharSet_ImageCor20HeaderGet_ManagedNativeHeaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDebuggerAsAnyMarshalerMarkHelperIsFunctionPointerget_IsPointerRecursionCounterBitConverterGet_IsGetterGetTokenForFloorset_RedirectStandardErrorThreadSafeListCreatorM_directorySeparatorInitializeTypeEnumerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorCodePageDataPtrIntPtr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 0_2_00AA879E push ss; retf 0_2_00AA879F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 0_2_00AA3F9C pushad ; retf 0_2_00AA3F9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 0_2_00AA496B pushad ; ret 0_2_00AA496C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 0_2_00AA9363 push cs; retf 0_2_00AA9364
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 0_2_04FD4C8D pushfd ; ret 0_2_04FD4C8E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 0_2_04FDA7C3 pushad ; ret 0_2_04FDA7C6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 0_2_04FDDD75 push esp; iretd 0_2_04FDDD76
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 0_2_04FDA512 pushad ; retf 0_2_04FDA535
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 0_2_04FFF2E5 push ds; retf 0_2_04FFF2E6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 0_2_04FF505D push esp; ret 0_2_04FF505E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 0_2_04FF4FAD push ebp; retn 0040h 0_2_04FF4FB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_004151EA push es; iretd 6_2_00415209
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_004151F0 push es; iretd 6_2_00415209
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_004159A1 pushad ; ret 6_2_004159C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_004155C3 push edx; iretd 6_2_004155DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_0041D5CA push edi; ret 6_2_0041D617
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_0041BDF2 push eax; ret 6_2_0041BDF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_0041BDFB push eax; ret 6_2_0041BE62
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_0041BDA5 push eax; ret 6_2_0041BDF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_0041BE5C push eax; ret 6_2_0041BE62
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_00AA496B pushad ; ret 6_2_00AA496C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_00AA9363 push cs; retf 6_2_00AA9364
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_00AA879E push ss; retf 6_2_00AA879F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_00AA3F9C pushad ; retf 6_2_00AA3F9D
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Code function: 22_2_00983F9C pushad ; retf 22_2_00983F9D
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Code function: 22_2_0098879E push ss; retf 22_2_0098879F
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Code function: 22_2_0098496B pushad ; ret 22_2_0098496C
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Code function: 22_2_00989363 push cs; retf 22_2_00989364
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Code function: 22_2_02F1E795 push 0000005Eh; iretd 22_2_02F1E7DE
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Code function: 22_2_02F1E79D push 0000005Eh; iretd 22_2_02F1E7DE
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Code function: 22_2_0571AC73 push eax; retf 22_2_0571AC7D
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\AVG\AVG.exe

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\AVG\AVG.exe'" /f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Process information set: NOOPENFILEERRORBOX (17 occurrences)
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Process information set: NOOPENFILEERRORBOX (11 occurrences)
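
The schtasks line at the top of this section is the sample's persistence mechanism: a task named "Nafifas" fires every minute (/sc minute /mo 1) and launches the self-copy that the earlier cmd.exe /C copy dropped to C:\Users\user\AppData\Roaming\AVG\AVG.exe; /f makes the registration succeed even if a task of that name already exists. The detection below is an added example and is not part of the Joe Sandbox report. It parses schtasks /create command lines out of constructed process-creation records (the first two reproduce the command lines captured above, the third is an invented benign control) and flags short trigger intervals and actions that live under user-writable paths. The Image= / CommandLine= record layout, the 300-second threshold and the directory list are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed process-creation records (field layout is an assumption). The
# first two reproduce the command lines the sandbox captured; the third is an
# invented benign task used as a control.
SAMPLE_LOGS = [
    r'''Image=C:\Windows\SysWOW64\schtasks.exe CommandLine=schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\AVG\AVG.exe'" /f''',
    r'''Image=C:\Windows\SysWOW64\cmd.exe CommandLine="cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\AVG\AVG.exe'" /f''',
    r'''Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /create /sc daily /st 03:00 /tn "Nightly Backup" /tr "C:\Program Files\Backup\backup.exe" /ru SYSTEM''',
]

CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?\s/create\b", re.IGNORECASE)
# A switch value is either one "quoted" token or one bare token.
SWITCH_RE = re.compile(r'/(?P<key>sc|mo|tn|tr)\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))', re.IGNORECASE)
# Directories a standard user can write to; a scheduled binary living here is
# the user-level persistence pattern seen in this report (assumed list).
USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local", r"\users\public", r"\programdata", r"\temp")
FAST_TRIGGER_SECONDS = 300  # assumed threshold: five minutes or less is unusual for legitimate tasks


@dataclass
class Finding:
    task: str
    action: str
    interval_s: Optional[int]
    reasons: List[str] = field(default_factory=list)


def parse_create(cmdline: str) -> Optional[dict]:
    """Return the /sc /mo /tn /tr values of a schtasks /create command line, or None."""
    if not CREATE_RE.search(cmdline):
        return None
    args = {}
    for m in SWITCH_RE.finditer(cmdline):
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        # The sample wraps the path in single quotes inside the double quotes
        # ("'...'"), which cmd.exe passes through verbatim; strip both layers.
        args[m.group("key").lower()] = value.strip("'\"")
    return args


def interval_seconds(args: dict) -> Optional[int]:
    """Convert /sc plus /mo into a repeat interval; None for schedules without one."""
    unit = {"minute": 60, "hourly": 3600, "daily": 86400}.get(args.get("sc", "").lower())
    if unit is None:
        return None
    try:
        return unit * int(args.get("mo", "1"))
    except ValueError:
        return None


def assess(cmdline: str) -> Optional[Finding]:
    """Score one command line; returns None when it is not a schtasks /create."""
    args = parse_create(cmdline)
    if args is None:
        return None
    finding = Finding(task=args.get("tn", "?"), action=args.get("tr", ""),
                      interval_s=interval_seconds(args))
    if finding.interval_s is not None and finding.interval_s <= FAST_TRIGGER_SECONDS:
        finding.reasons.append(f"trigger repeats every {finding.interval_s}s")
    if any(p in finding.action.lower() for p in USER_WRITABLE):
        finding.reasons.append("action binary is under a user-writable directory")
    # /f only matters once something else looks wrong: it lets a dropper
    # silently re-register the task on every run.
    if finding.reasons and re.search(r"\s/f(?:\s|$)", cmdline, re.IGNORECASE):
        finding.reasons.append("/f overwrites any existing task of that name")
    return finding


def scan(lines: List[str]) -> List[Finding]:
    """Return only the findings that carry at least one reason."""
    return [f for f in map(assess, lines) if f is not None and f.reasons]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.task!r} -> {f.action} every {f.interval_s}s: {'; '.join(f.reasons)}")
```

On a live host the registered task is visible with schtasks /query /tn Nafifas /v /fo list, and its definition is stored as XML under C:\Windows\System32\Tasks\Nafifas. Remove the task (schtasks /delete /tn Nafifas /f) before deleting AVG.exe and killing the running copy; in the other order the one-minute trigger relaunches the binary while you are still cleaning up.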

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe RDTSC instruction interceptor: First address: 0000000000408A34 second address: 0000000000408A3A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe RDTSC instruction interceptor: First address: 0000000000408DCE second address: 0000000000408DD4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe TID: 6448 Thread sleep count: 50 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe TID: 6448 Thread sleep time: -50000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe TID: 6264 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe TID: 412 Thread sleep count: 45 > 30
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe TID: 412 Thread sleep time: -45000s >= -30000s
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_00408D00 rdtsc 6_2_00408D00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Thread delayed: delay time: 922337203685477
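
Two of the patterns this report lists can be recognised statically. The Data Obfuscation lines of the form "0_2_00AA879E push ss; retf" are a push immediately followed by a return: instead of returning to its caller, the code returns into whatever it just pushed, a disguised jump that breaks linear disassembly and is the signal behind "Uses code obfuscation techniques (call, push, ret)". The RDTSC interceptor lines above record "rdtsc; xor ecx, ecx; add ecx, eax; rdtsc": the low 32 bits of the first timestamp are parked in ecx and a second reading is taken six bytes later (408A34 to 408A3A), so a single-stepping debugger or a hypervisor that traps RDTSC shows up as an inflated difference between the two reads. The scanner below is an added example and not part of the report or the sandbox's engine. It runs over a constructed byte buffer that embeds the x86 encodings of several of the sequences listed in this report; because it matches raw opcode bytes without disassembling, real use should restrict it to code sections and confirm hits with a disassembler. The window size is an assumption.

```python
from collections import namedtuple

Hit = namedtuple("Hit", "offset description")

# Single-byte push encodings that appear in the report's listings, the return
# forms they are paired with, and the two-byte RDTSC opcode.
PUSH_1BYTE = {
    0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds",
    0x50: "push eax", 0x52: "push edx", 0x54: "push esp", 0x55: "push ebp",
    0x57: "push edi", 0x60: "pushad", 0x9C: "pushfd",
}
PUSH_IMM8 = 0x6A  # push imm8, e.g. the report's "push 0000005Eh; iretd"
RETURNS = {0xC3: "ret", 0xC2: "retn imm16", 0xCB: "retf", 0xCF: "iretd"}
RDTSC = b"\x0f\x31"

# Constructed buffer; the offsets in the comments are the expected hit offsets.
SAMPLE_CODE = (
    b"\x55\x8b\xec"                          # 0: push ebp; mov ebp,esp  (normal prologue, no hit)
    b"\x16\xcb"                              # 3: push ss; retf          (cf. 0_2_00AA879E)
    b"\x90\x90"                              # 5: nop; nop
    b"\x60\xc3"                              # 7: pushad; ret            (cf. 0_2_00AA496B)
    b"\x0f\x31\x31\xc9\x01\xc1\x0f\x31"      # 9: rdtsc; xor ecx,ecx; add ecx,eax; rdtsc (cf. 408A34)
    b"\x55\xc2\x40\x00"                      # 17: push ebp; retn 0040h  (cf. 0_2_04FF4FAD)
    b"\x6a\x5e\xcf"                          # 21: push 5Eh; iretd       (cf. 22_2_02F1E795)
    + b"\x90" * 20                           # 24: padding
    + b"\x0f\x31"                            # 44: isolated rdtsc, no partner inside the window
)


def find_push_ret(code: bytes) -> list:
    """Flag a push whose very next instruction is a return (push X; ret/retf/iretd)."""
    hits = []
    for i, op in enumerate(code):
        if op in PUSH_1BYTE and i + 1 < len(code) and code[i + 1] in RETURNS:
            hits.append(Hit(i, f"{PUSH_1BYTE[op]} ; {RETURNS[code[i + 1]]}"))
        elif op == PUSH_IMM8 and i + 2 < len(code) and code[i + 2] in RETURNS:
            hits.append(Hit(i, f"push {code[i + 1]:#04x} ; {RETURNS[code[i + 2]]}"))
    return hits


def find_rdtsc_pairs(code: bytes, window: int = 16) -> list:
    """Flag two RDTSC reads at most `window` bytes apart, the shape of a timing check."""
    positions = []
    start = 0
    while (idx := code.find(RDTSC, start)) != -1:
        positions.append(idx)
        start = idx + 1
    return [Hit(a, f"rdtsc ... rdtsc ({b - a} bytes apart)")
            for a, b in zip(positions, positions[1:]) if b - a <= window]


def scan(code: bytes, base: int = 0) -> list:
    """Both heuristics over one buffer, offsets rebased to `base` for reporting."""
    hits = find_push_ret(code) + find_rdtsc_pairs(code)
    return sorted(Hit(base + h.offset, h.description) for h in hits)


if __name__ == "__main__":
    for h in scan(SAMPLE_CODE, base=0x00400000):
        print(f"{h.offset:08X}  {h.description}")
```

The push/ret rule deliberately ignores the distance between the push and the return, because several of the report's listings (for example 0_2_04FDA512 pushad ; retf 0_2_04FDA535) have other instructions in between; matching those needs a disassembler that tracks stack depth, not a byte scan.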

Anti Debugging

Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Code function: 22_2_02F1EE60 CheckRemoteDebuggerPresent, 22_2_02F1EE60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Code function: 6_2_00408D00 rdtsc 6_2_00408D00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\AVG\AVG.exe'" /f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe" "C:\Users\user\AppData\Roaming\AVG\AVG.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\AVG\AVG.exe'" /f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Queries volume information: C:\Users\user\AppData\Roaming\AVG\AVG.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\AVG\AVG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Strictor.47541.25845.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 6.2.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000000.457149612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.456611448.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.462583682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.653036222.00000000040CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.471647276.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 6.2.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.SecuriteInfo.com.Variant.Strictor.47541.25845.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000000.457149612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.456611448.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.462583682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.653036222.00000000040CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.471647276.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos