Windows Analysis Report
SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe

Overview

General Information

Sample Name: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe
Analysis ID: 884365
MD5: 043bc8ab5c7cb681e812648f3b6727cf
SHA1: a126814ee7865d2131388c0fa0f48ee63cdbcbbd
SHA256: 83d9788dddfef0809379d87976f80887d0e4718ca6b1529d88058efcae5f3a02

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
PE file has nameless sections
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs

Classification

Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)

AV Detection

Source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Virustotal: Detection: 8%
Source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: D:\Source\PortTalk\Porttalk\i386\Porttalk.pdb source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe, SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe, 00000000.00000002.5841201842.0000000000F8A000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe, 00000000.00000003.802274897.0000000002FA8000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Code function: 4x nop then push esi 0_2_00406320
Source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe, 00000000.00000002.5841201842.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.godrpg.com.tw/gamedoc/newplayer.html
Source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe, 00000000.00000002.5841201842.000000000077A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.iugame.com.tw/prod_mall_list.php?pid=PP_000010
Source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Binary or memory string: DirectDrawCreateEx

System Summary

Source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Static PE information: section name:
Source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Static PE information: section name:
Source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Static PE information: section name:
Source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe
Source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe, 00000000.00000002.5841201842.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe
Source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe, 00000000.00000002.5841201842.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSV vs SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe
Source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe, 00000000.00000003.795231626.0000000001200000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe
Source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe, 00000000.00000003.795231626.0000000001200000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSV vs SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Code function: 0_2_004140B0 0_2_004140B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Code function: 0_2_005F5390 0_2_005F5390
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Code function: 0_2_005A3385 0_2_005A3385
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Code function: 0_2_00410470 0_2_00410470
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Code function: 0_2_00417580 0_2_00417580
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Code function: 0_2_0059C6E0 0_2_0059C6E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Code function: 0_2_00420790 0_2_00420790
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Code function: 0_2_005B8800 0_2_005B8800
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Code function: 0_2_00538890 0_2_00538890
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Code function: 0_2_0060CAC0 0_2_0060CAC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Code function: String function: 0059BCA0 appears 60 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Code function: String function: 0042F0C0 appears 72 times
Source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Static PE information: Section: ZLIB complexity 1.000476925872093
Source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Static PE information: Section: .rsrc ZLIB complexity 0.9967809606481481
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Mutant created: \Sessions\1\BaseNamedObjects\GodWar
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe File created: C:\Users\user\Desktop\Missing.log
Source: classification engine Classification label: mal52.winEXE@1/1@0/0
Source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Static file information: File size 1264640 > 1048576
Source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Code function: 0_2_0059F118 push eax; ret 0_2_0059F136
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Code function: 0_2_0059D340 push eax; ret 0_2_0059D36E
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Code function: 0_2_00437D4F push esp; ret 0_2_00437D59
Source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Static PE information: section name: .adata
Source: initial sample Static PE information: section name: entropy: 7.995235132499249
Source: initial sample Static PE information: section name: .rsrc entropy: 7.992408716199913
Source: initial sample Static PE information: section name: .data entropy: 7.783796048584397
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe API coverage: 4.7 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Code function: 0_2_005D8200 GetSystemInfo,GetVersionExA, 0_2_005D8200
Source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe, 00000000.00000002.5846788606.000000000128E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe, 00000000.00000003.801919523.0000000002FB3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe, 00000000.00000002.5841201842.000000000076F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: (%08X)%2hx%2hx%2hx%2hx%2hx%2hxSOFTWARE\Description\Microsoft\Rpc\UuidTemporaryDataNetworkAddress.\Txt\BRUSHSCI.TTFGodWarLoadLoadMenuGodWar Has Already Been RunningWARNINGGodWarFullScreenShell_traywnd.\Bitmaps\Login\login03.jpg.\Bitmaps\Login\login02.jpg.\Bitmaps\Login\login01.jpg.\Bitmaps\Login\NotBig5\login00.jpg.\Bitmaps\Login\login00.jpgQuery gamma control error!Create surface error!Create back surface error TEX!Create back surface error BCK!Create clipper error!Create primary surface error!txwsWind_OnlyOnetxwsFeng_OnlyOne.\BMPCaptureSuitEquip.txt.\Txt\Npcbackmusic.txt.\Txt\Npcputmonster.txt.\Txt\citywartime.txt.\Txt\mercenary.txt.\maps\commondata.ifl.\Music\Interface.ogg.\Bitmaps\InterfaceWSA\NotBig5\pingdao.wsa.\Bitmaps\InterfaceWSA\pingdao.wsa.\Bitmaps\InterfaceWSA\z-001.wsa.\Bitmaps\InterfaceWSA\warp\shujinmen.WSA.\Bitmaps\InterfaceWSA\money\coin-5.WSA.\Bitmaps\InterfaceWSA\money\coin-4.WSA.\Bitmaps\InterfaceWSA\money\coin-3.WSA.\Bitmaps\InterfaceWSA\money\coin-2.WSA.\Bitmaps\InterfaceWSA\money\coin-1.WSA.\Bitmaps\Cursor\chengzuqi.WSA.\Bitmaps\Cursor\clanAssi1.WSA.\Bitmaps\Cursor\clanAssi2.WSA.\Bitmaps\Cursor\claner1.WSA.\Bitmaps\Cursor\claner2.WSA.\Bitmaps\Cursor\captain-f.wsa.\Bitmaps\Cursor\captain.wsa.\Bitmaps\Cursor\follow-t.WSA.\Bitmaps\Cursor\follow.WSA.\Bitmaps\InterfaceWSA\screenalpha.wsa.\Bitmaps\Cursor\mg-mouse-08.wsa.\Bitmaps\Cursor\Head-green.WSA.\Bitmaps\Cursor\gongjiyoubiao-002.WSA.\Bitmaps\Cursor\gongjiyoubiao.WSA.\Bitmaps\Cursor\Head-red.WSA.\Bitmaps\InterfaceWSA\light.alp.\Bitmaps\InterfaceWSA\rains.wsa.\Bitmaps\InterfaceWSA\digit.wsa.\Bitmaps\InterfaceWSA\tools.wsa.\Bitmaps\InterfaceWSA\lightmap.alp.\Bitmaps\InterfaceWSA\dyslig
ht.alpInitial OGG sound system failure!.\bitmaps\cursor\select_er.ani.\bitmaps\cursor\uplevel.ani.\bitmaps\cursor\ruhun.ani.\bitmaps\cursor\cursor-point.cur.\bitmaps\cursor\repair.ani.\bitmaps\cursor\sale.ani.\bitmaps\cursor\cursor-talk.ani.\bitmaps\cursor\cursor-pickup.ani.\bitmaps\cursor\cursor-stop.cur.\bitmaps\cursor\cursor-attack.ani.\bitmaps\cursor\cursor-magic_attack.ani.\bitmaps\cursor\cursor-normal_light.ani.\bitmaps\cursor\cursor-normal.ani.\bitmaps\cursor\login.aniSet diaplay mode error!Set cooperative level error!Initial direct draw device failure!Initial new window failure!This game must have DirectX Version 6.0 or above!NewClientMar 2 201218:17:21.\Txt\MonWsa.txt.\Txt\NpcWsa.txt.\Txt\dialog.txtrbcouldn't create directory %s
Source: SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe, 00000000.00000003.801919523.0000000002FB3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe, 00000000.00000002.5841201842.000000000076F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Shell_traywnd
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Code function: GetLocaleInfoA, 0_2_005AB0BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Code function: 0_2_005FC5BE cpuid 0_2_005FC5BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Download.9620.18212.exe Code function: 0_2_0042EB00 GetLocalTime, 0_2_0042EB00
No contacted IP infos