Edit tour
Windows
Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.7830.14981.exe
Overview
General Information
| Sample name: | SecuriteInfo.com.Win64.MalwareX-gen.7830.14981.exe |
| Analysis ID: | 1501354 |
| MD5: | eabff7dae883de9e09b5d6aa09e17c45 |
| SHA1: | 46de72f4c3fcbefdb8f8d0a21ae56f3f60bf56b3 |
| SHA256: | d0205b46514ea3f19b4fea79f9e897c3cf84c8775e9917c04dd41cb39a3ae06c |
| Tags: | exe |
 | |
Errors
| |
Detection
| Score: | 48 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Contains functionality to call native functions
PE / OLE file has an invalid certificate
Program does not show much activity (idle)
Classification
- System is w10x64
SecuriteInfo.com.Win64.MalwareX-gen.7830.14981.exe (PID: 516 cmdline: "C:\Users\ user\Deskt op\Securit eInfo.com. Win64.Malw areX-gen.7 830.14981. exe" MD5: EABFF7DAE883DE9E09B5D6AA09E17C45)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 1_2_00007FF71C821388 | |
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Classification label: | ||
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
⊘No Mitre Att&ck techniques found
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 45% | ReversingLabs | Win64.Trojan.Generic |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1501354 |
| Start date and time: | 2024-08-29 19:28:15 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 1m 35s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 2 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | SecuriteInfo.com.Win64.MalwareX-gen.7830.14981.exe |
| Detection: | MAL |
| Classification: | mal48.winEXE@1/0@0/0 |
| EGA Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
- Corrupt sample or wrongly selected analyzer. Details: The %1 application cannot be run in Win32 mode.
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com
- Execution Graph export aborted for target SecuriteInfo.com.Win64.MalwareX-gen.7830.14981.exe, PID 516 because there are no executed function
- VT rate limit hit for: SecuriteInfo.com.Win64.MalwareX-gen.7830.14981.exe
⊘No simulations
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.4458538012317 |
| TrID: |
|
| File name: | SecuriteInfo.com.Win64.MalwareX-gen.7830.14981.exe |
| File size: | 17'728 bytes |
| MD5: | eabff7dae883de9e09b5d6aa09e17c45 |
| SHA1: | 46de72f4c3fcbefdb8f8d0a21ae56f3f60bf56b3 |
| SHA256: | d0205b46514ea3f19b4fea79f9e897c3cf84c8775e9917c04dd41cb39a3ae06c |
| SHA512: | f4a1a90f972f59c15c508339882f9672240ed1b0c18991511499a276b0a57699407ea7ff1fbf5adc7cf549617848da8c32af1795e511c69b9455ecae25e89c58 |
| SSDEEP: | 192:rrXTtpwJnCjYcfUpBJJIvNyTuTiPtuQcXky2sE9jBF3A5K+om+Izru:rrjtOJCj5fyTeNyKTiJ8E9VF3AM+oMS |
| TLSH: | 16827CF257212DC1EE8A987862CC986EFD34F3872B5185DB4259C0200F42BD57F7D265 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._...1...1...1...0...1...0...1...2...1...5...1...4...1...3...1.Rich..1.........................PE..d......f.........."....(... |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x140001000 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x140000000 |
| Subsystem: | native |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| Time Stamp: | 0x66A2D0EE [Thu Jul 25 22:25:50 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 10 |
| OS Version Minor: | 0 |
| File Version Major: | 10 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 10 |
| Subsystem Version Minor: | 0 |
| Import Hash: | d122cc6d92ff620a7df9854ce31e386c |
| Signature Valid: | false |
| Signature Issuer: | C=US, O=Apple Inc., OU=G3, CN=Apple Worldwide Developer Relations Certification Authority |
| Signature Validation Error: | A certificate chain could not be built to a trusted root authority |
| Error Number: | -2146762486 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | 6BD938E0DDA78E2C7158F638BD0C1D09 |
| Thumbprint SHA-1: | 4E6C64CBE7830868632BA356DC030027EFB6A729 |
| Thumbprint SHA-256: | EBCDD58042E3A06B3FA2A4D7CC90CFA478E44D151D9C460EB9BC4302D54AC7C3 |
| Serial: | 67AC7496E8E30A5E21DEB73C555849FF |
| Instruction |
|---|
| dec eax |
| lea edx, dword ptr [00000549h] |
| xor ecx, ecx |
| jmp 00007FBE5CFC061Fh |
| int3 |
| int3 |
| inc eax |
| push ebp |
| push ebx |
| push esi |
| push edi |
| inc ecx |
| push ebp |
| inc ecx |
| push esi |
| inc ecx |
| push edi |
| dec eax |
| mov ebp, esp |
| dec eax |
| sub esp, 40h |
| dec eax |
| cmp dword ptr [0000103Eh], 00000000h |
| dec esp |
| mov edi, ecx |
| je 00007FBE5CFBFF02h |
| dec eax |
| mov ecx, dword ptr [0000102Eh] |
| dec esp |
| lea eax, dword ptr [000010AFh] |
| inc ecx |
| mov ecx, 00000010h |
| inc ecx |
| lea edx, dword ptr [ecx+10h] |
| call 00007FBE5CFBFEFDh |
| dec eax |
| test eax, eax |
| je 00007FBE5CFBFEDCh |
| dec eax |
| mov eax, dword ptr [eax+10h] |
| dec eax |
| and dword ptr [ebp+48h], 00000000h |
| dec eax |
| and eax, FFFFF000h |
| dec eax |
| mov dword ptr [00001FC1h], eax |
| call dword ptr [00000FE3h] |
| dec eax |
| mov ebx, eax |
| dec eax |
| cmp dword ptr [eax], 00000000h |
| je 00007FBE5CFBFEB3h |
| dec eax |
| mov esi, eax |
| inc ecx |
| mov ebp, 00000001h |
| dec eax |
| mov eax, dword ptr [ebx+08h] |
| dec eax |
| test eax, eax |
| je 00007FBE5CFBFE9Dh |
| dec eax |
| mov edi, dword ptr [ebx] |
| dec eax |
| cdq |
| and edx, 00000FFFh |
| inc ebp |
| xor esi, esi |
| dec eax |
| add eax, edx |
| dec eax |
| sar eax, 0Ch |
| dec eax |
| test eax, eax |
| jng 00007FBE5CFBFE6Eh |
| dec eax |
| mov eax, dword ptr [00001F73h] |
| dec esp |
| mov eax, edi |
| dec ecx |
| shr eax, 0Ch |
| dec ebx |
| lea ecx, dword ptr [eax+eax*2] |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5000 | 0x28 | INIT |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x4000 | 0xb4 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2200 | 0x2340 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6000 | 0x24 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2240 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2100 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x98 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xcf2 | 0xe00 | e44c60c533941d9358472976012b19bb | False | 0.5694754464285714 | data | 5.829110028385894 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x2000 | 0x53c | 0x600 | 099183e4c34719de8ea2a13412b5db0e | False | 0.400390625 | data | 3.370351767525391 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ |
| .data | 0x3000 | 0x40 | 0x200 | 387d3cec6641bcedbf49389f4d198e83 | False | 0.037109375 | Non-ISO extended-ASCII text, with no line terminators | 0.12227588125913882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x4000 | 0xb4 | 0x200 | 64d4f0c246a9fb02bc70c222aa4a24b7 | False | 0.279296875 | PEX Binary Archive | 1.5605181693091348 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ |
| INIT | 0x5000 | 0x266 | 0x400 | 45a8d4e5590d8e7b40e330b55c3f03ea | False | 0.37109375 | data | 3.229878810838546 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .reloc | 0x6000 | 0x24 | 0x200 | 50ce1dea0b05988793d173c8511a392f | False | 0.099609375 | data | 0.528762138688122 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| DLL | Import |
|---|---|
| ntoskrnl.exe | RtlInitUnicodeString, ExAllocatePool, ExFreePoolWithTag, MmUnmapIoSpace, MmMapIoSpaceEx, IofCompleteRequest, IoCreateDevice, IoCreateSymbolicLink, IoDeleteDevice, IoDeleteSymbolicLink, ObfDereferenceObject, MmGetPhysicalMemoryRanges, MmCopyMemory, MmGetVirtualForPhysical, PsLookupProcessByProcessId, IoCreateDriver, PsGetProcessSectionBaseAddress, ZwQuerySystemInformation |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
| Target ID: | 1 |
| Start time: | 13:29:07 |
| Start date: | 29/08/2024 |
| Path: | C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.7830.14981.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff71c820000 |
| File size: | 17'728 bytes |
| MD5 hash: | EABFF7DAE883DE9E09B5D6AA09E17C45 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
Analysis Process: SecuriteInfo.com.Win64.MalwareX-gen.7830.14981.exePID: 516, Parent PID: 4004COMMON
Function 00007FF71C821388 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68memorynativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF71C821550 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|