Windows
Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.7830.14981.exe
Overview
General Information
Sample name: | SecuriteInfo.com.Win64.MalwareX-gen.7830.14981.exe |
Analysis ID: | 1501354 |
MD5: | eabff7dae883de9e09b5d6aa09e17c45 |
SHA1: | 46de72f4c3fcbefdb8f8d0a21ae56f3f60bf56b3 |
SHA256: | d0205b46514ea3f19b4fea79f9e897c3cf84c8775e9917c04dd41cb39a3ae06c |
Tags: | exe |
Errors
Detection
Score: | 48 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- SecuriteInfo.com.Win64.MalwareX-gen.7830.14981.exe (PID: 516 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.7830.14981.exe" MD5: EABFF7DAE883DE9E09B5D6AA09E17C45)
- cleanup
AV Detection

Source | Detail |
---|---|
ReversingLabs | |
Static PE information | |
Binary string | |
String found in binary or memory | |
String found in binary or memory | |
String found in binary or memory | |
String found in binary or memory | |
String found in binary or memory | |
String found in binary or memory | |
String found in binary or memory | |
String found in binary or memory | |
String found in binary or memory | |
String found in binary or memory | |
String found in binary or memory | |
String found in binary or memory | |
String found in binary or memory | |
String found in binary or memory | |
Code function | 1_2_00007FF71C821388 |
Static PE information | |
Binary string | |
Classification label | |
ReversingLabs | |
Static PE information | |
Static PE information | |
Static PE information | |
Binary string | |
Thread injection, dropped files, key value created, disk infection and DNS query | |
Thread injection, dropped files, key value created, disk infection and DNS query | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
SecuriteInfo.com.Win64.MalwareX-gen.7830.14981.exe | 45% | ReversingLabs | Win64.Trojan.Generic | |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1501354 |
Start date and time: | 2024-08-29 19:28:15 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 1m 35s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 2 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | SecuriteInfo.com.Win64.MalwareX-gen.7830.14981.exe |
Detection: | MAL |
Classification: | mal48.winEXE@1/0@0/0 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: |
- Corrupt sample or wrongly selected analyzer. Details: The %1 application cannot be run in Win32 mode.
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com
- Execution Graph export aborted for target SecuriteInfo.com.Win64.MalwareX-gen.7830.14981.exe, PID 516 because there are no executed function
- VT rate limit hit for: SecuriteInfo.com.Win64.MalwareX-gen.7830.14981.exe
File type: | |
Entropy (8bit): | 6.4458538012317 |
TrID: | |
File name: | SecuriteInfo.com.Win64.MalwareX-gen.7830.14981.exe |
File size: | 17'728 bytes |
MD5: | eabff7dae883de9e09b5d6aa09e17c45 |
SHA1: | 46de72f4c3fcbefdb8f8d0a21ae56f3f60bf56b3 |
SHA256: | d0205b46514ea3f19b4fea79f9e897c3cf84c8775e9917c04dd41cb39a3ae06c |
SHA512: | f4a1a90f972f59c15c508339882f9672240ed1b0c18991511499a276b0a57699407ea7ff1fbf5adc7cf549617848da8c32af1795e511c69b9455ecae25e89c58 |
SSDEEP: | 192:rrXTtpwJnCjYcfUpBJJIvNyTuTiPtuQcXky2sE9jBF3A5K+om+Izru:rrjtOJCj5fyTeNyKTiJ8E9VF3AM+oMS |
TLSH: | 16827CF257212DC1EE8A987862CC986EFD34F3872B5185DB4259C0200F42BD57F7D265 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._...1...1...1...0...1...0...1...2...1...5...1...4...1...3...1.Rich..1.........................PE..d......f.........."....(... |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x140001000 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x140000000 |
Subsystem: | native |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
Time Stamp: | 0x66A2D0EE [Thu Jul 25 22:25:50 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 10 |
OS Version Minor: | 0 |
File Version Major: | 10 |
File Version Minor: | 0 |
Subsystem Version Major: | 10 |
Subsystem Version Minor: | 0 |
Import Hash: | d122cc6d92ff620a7df9854ce31e386c |
Signature Valid: | false |
Signature Issuer: | C=US, O=Apple Inc., OU=G3, CN=Apple Worldwide Developer Relations Certification Authority |
Signature Validation Error: | A certificate chain could not be built to a trusted root authority |
Error Number: | -2146762486 |
Not Before, Not After |
Subject Chain |
Version: | 3 |
Thumbprint MD5: | 6BD938E0DDA78E2C7158F638BD0C1D09 |
Thumbprint SHA-1: | 4E6C64CBE7830868632BA356DC030027EFB6A729 |
Thumbprint SHA-256: | EBCDD58042E3A06B3FA2A4D7CC90CFA478E44D151D9C460EB9BC4302D54AC7C3 |
Serial: | 67AC7496E8E30A5E21DEB73C555849FF |
Instruction |
---|
dec eax |
lea edx, dword ptr [00000549h] |
xor ecx, ecx |
jmp 00007FBE5CFC061Fh |
int3 |
int3 |
inc eax |
push ebp |
push ebx |
push esi |
push edi |
inc ecx |
push ebp |
inc ecx |
push esi |
inc ecx |
push edi |
dec eax |
mov ebp, esp |
dec eax |
sub esp, 40h |
dec eax |
cmp dword ptr [0000103Eh], 00000000h |
dec esp |
mov edi, ecx |
je 00007FBE5CFBFF02h |
dec eax |
mov ecx, dword ptr [0000102Eh] |
dec esp |
lea eax, dword ptr [000010AFh] |
inc ecx |
mov ecx, 00000010h |
inc ecx |
lea edx, dword ptr [ecx+10h] |
call 00007FBE5CFBFEFDh |
dec eax |
test eax, eax |
je 00007FBE5CFBFEDCh |
dec eax |
mov eax, dword ptr [eax+10h] |
dec eax |
and dword ptr [ebp+48h], 00000000h |
dec eax |
and eax, FFFFF000h |
dec eax |
mov dword ptr [00001FC1h], eax |
call dword ptr [00000FE3h] |
dec eax |
mov ebx, eax |
dec eax |
cmp dword ptr [eax], 00000000h |
je 00007FBE5CFBFEB3h |
dec eax |
mov esi, eax |
inc ecx |
mov ebp, 00000001h |
dec eax |
mov eax, dword ptr [ebx+08h] |
dec eax |
test eax, eax |
je 00007FBE5CFBFE9Dh |
dec eax |
mov edi, dword ptr [ebx] |
dec eax |
cdq |
and edx, 00000FFFh |
inc ebp |
xor esi, esi |
dec eax |
add eax, edx |
dec eax |
sar eax, 0Ch |
dec eax |
test eax, eax |
jng 00007FBE5CFBFE6Eh |
dec eax |
mov eax, dword ptr [00001F73h] |
dec esp |
mov eax, edi |
dec ecx |
shr eax, 0Ch |
dec ebx |
lea ecx, dword ptr [eax+eax*2] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5000 | 0x28 | INIT |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x4000 | 0xb4 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2200 | 0x2340 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6000 | 0x24 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2240 | 0x38 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2100 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x98 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xcf2 | 0xe00 | e44c60c533941d9358472976012b19bb | False | 0.5694754464285714 | data | 5.829110028385894 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x2000 | 0x53c | 0x600 | 099183e4c34719de8ea2a13412b5db0e | False | 0.400390625 | data | 3.370351767525391 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ |
.data | 0x3000 | 0x40 | 0x200 | 387d3cec6641bcedbf49389f4d198e83 | False | 0.037109375 | Non-ISO extended-ASCII text, with no line terminators | 0.12227588125913882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x4000 | 0xb4 | 0x200 | 64d4f0c246a9fb02bc70c222aa4a24b7 | False | 0.279296875 | PEX Binary Archive | 1.5605181693091348 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ |
INIT | 0x5000 | 0x266 | 0x400 | 45a8d4e5590d8e7b40e330b55c3f03ea | False | 0.37109375 | data | 3.229878810838546 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.reloc | 0x6000 | 0x24 | 0x200 | 50ce1dea0b05988793d173c8511a392f | False | 0.099609375 | data | 0.528762138688122 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
DLL | Import |
---|---|
ntoskrnl.exe | RtlInitUnicodeString, ExAllocatePool, ExFreePoolWithTag, MmUnmapIoSpace, MmMapIoSpaceEx, IofCompleteRequest, IoCreateDevice, IoCreateSymbolicLink, IoDeleteDevice, IoDeleteSymbolicLink, ObfDereferenceObject, MmGetPhysicalMemoryRanges, MmCopyMemory, MmGetVirtualForPhysical, PsLookupProcessByProcessId, IoCreateDriver, PsGetProcessSectionBaseAddress, ZwQuerySystemInformation |
Target ID: | 1 |
Start time: | 13:29:07 |
Start date: | 29/08/2024 |
Path: | C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.7830.14981.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff71c820000 |
File size: | 17'728 bytes |
MD5 hash: | EABFF7DAE883DE9E09B5D6AA09E17C45 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Analysis Process: SecuriteInfo.com.Win64.MalwareX-gen.7830.14981.exe, PID: 516, Parent PID: 4004
Function 00007FF71C821388 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68 (tags: memory, native)
Function 00007FF71C821550 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54