Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe
Analysis ID:	839551
MD5:	dbd54cc3bc1cc66c02a06766cd9083fb
SHA1:	5a98f16b3a77675e867d284ad1dbf67209190468
SHA256:	96712c7c0bcba8b255094e3379955b803cab3ed4263798072dacd4dfac271b1e
Tags:	exe

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Program does not show much activity (idle)

PE file does not import any functions

Classification

×

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe (PID: 6156 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe MD5: DBD54CC3BC1CC66C02A06766CD9083FB)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Malware Analysis System Evasion
• Anti Debugging

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe

Avira: detected

Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	String found in binary or memory: http://certificates.godaddy.com/repository/gd_intermediate.crt0
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	String found in binary or memory: http://certificates.godaddy.com/repository/gdroot.crl0K
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	String found in binary or memory: http://certificates.godaddy.com/repository0
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	String found in binary or memory: http://certificates.godaddy.com/repository100.
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	String found in binary or memory: http://crl.godaddy.com/gds2-0.crl0S
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	String found in binary or memory: http://crl.thawte.com/ThawteCodeSigningCA.crl0
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	String found in binary or memory: http://crl.thawte.com/ThawteCodeSigningCA.crl02
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	String found in binary or memory: http://ocsp.godaddy.com/0J
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	String found in binary or memory: http://ocsp.godaddy.com0F
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	String found in binary or memory: http://www.MobileNetSwitch.com0

Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe, 00000000.00000002.254289260.000000000048A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe

Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: mal48.winEXE@1/0@0/0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 Input Capture	1 System Information Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	5%	ReversingLabs	Win32.Trojan.Generic
SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	3%	Virustotal		Browse
SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	100%	Avira	TR/Dropper.Gen

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.MobileNetSwitch.com0	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://certificates.godaddy.com/repository100.	SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	false		high
http://crl.thawte.com/ThawteCodeSigningCA.crl02	SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	false		high
http://www.MobileNetSwitch.com0	SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawtePremiumServerCA.crl0	SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	false		high
http://certificates.godaddy.com/repository/gd_intermediate.crt0	SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	false		high
http://certificates.godaddy.com/repository/0	SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	false		high
http://crl.godaddy.com/gds2-0.crl0S	SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	false		high
http://ocsp.thawte.com0	SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	false	URL Reputation: safe	unknown
http://certificates.godaddy.com/repository0	SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	false		high
http://certificates.godaddy.com/repository/gdroot.crl0K	SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	false		high
http://crl.thawte.com/ThawteCodeSigningCA.crl0	SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	839551
Start date and time:	2023-04-02 18:09:31 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe
Detection:	MAL
Classification:	mal48.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Excluded domains from analysis (whitelisted): fs.microsoft.com

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.403971418526932
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe
File size:	32256
MD5:	dbd54cc3bc1cc66c02a06766cd9083fb
SHA1:	5a98f16b3a77675e867d284ad1dbf67209190468
SHA256:	96712c7c0bcba8b255094e3379955b803cab3ed4263798072dacd4dfac271b1e
SHA512:	fa7694fb5a2856fc27075d2e7a48bd6cd34c1ce6bd296b7a0d81a67c7b765c9f5f0d51d630f8a5b07c755beffae402bc675ca43b91dcc1b4cd281991cc30d395
SSDEEP:	768:jlMhYfT0MwswHwmgv77hOneaYm1RC29LiCzrO:jlMhuIMwswHwTUneaYK3B
TLSH:	E9E21A83CB057413EAD74B3096B6D631CEB26D561E51021B72AEF18D3FB13A52289DCE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......3.....................&............... ....@..........................p....................................... ..5..

File Icon


Icon Hash:	cec9e6e498a6c8ce

Static PE Info

General

Entrypoint:	0x401000
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x33FDB6AE [Fri Aug 22 15:56:30 1997 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
xor eax, eax
retn 0010h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2000	0x35	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3000	0x20c4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6000	0x8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5	0x200	False	0.033203125	data	0.08153941234324169	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x35	0x200	False	0.08984375	data	0.47299244622245973	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x3000	0x20c4	0x2200	False	0.3650045955882353	data	5.365792573196254	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6000	0xc	0x200	False	0.03515625	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3160	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States
RT_ICON	0x3448	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States
RT_ICON	0x3730	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States
RT_ICON	0x3fd8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States
RT_GROUP_ICON	0x5080	0x14	data	English	United States
RT_GROUP_ICON	0x5094	0x30	data	English	United States

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Report size exceeds maximum size, please checkout the PCAP download to see all network behavior

Statistics

CPU Usage

• SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe

Click to jump to process

Memory Usage

• SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exePID: 6156, Parent PID: 3320

General

Target ID:	0
Start time:	18:10:32
Start date:	02/04/2023
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Dropper.Gen.3168.32098.exe
Imagebase:	0x400000
File size:	32256 bytes
MD5 hash:	DBD54CC3BC1CC66C02A06766CD9083FB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly