Windows Analysis Report
putty1.exe

Overview

General Information

Sample name: putty1.exe
Analysis ID: 1525210
MD5: f43852a976edcab5a7c82d248ce242d2
SHA1: 446ac2bb76e472c185f56b2b1246910a4438246d
SHA256: 4a38db0744930e1f5bfc0a82f63c907f7dc94270b930a3950e6a0abbc903c47f
Tags: exeuser-timnet

Detection

Score: 10
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Sample file name differs from the original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: putty1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: putty1.exe Static PE information: certificate valid
Source: putty1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E2A160 GetProcAddress,FindFirstFileA,CloseHandle, 0_2_00E2A160
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E9AF52 FindFirstFileExW, 0_2_00E9AF52
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E9B003 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00E9B003
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E09240 GetWindowsDirectoryA,_strlen,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetCurrentProcessId, 0_2_00E09240
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E595D0 FindFirstFileA,FindClose,FindWindowA, 0_2_00E595D0
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E35590 FindFirstFileA,FindClose, 0_2_00E35590
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then movzx eax, cl 0_2_00E1E140
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then call 00E1B740h 0_2_00E2A2E0
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then mov dword ptr [esp+0Ch], edx 0_2_00E60290
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then add esp, 04h 0_2_00E3E200
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then mov ecx, dword ptr [esp+18h] 0_2_00E1A4A0
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then movzx ebx, byte ptr [ecx+ebp] 0_2_00E5E480
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then mov eax, dword ptr [edi+ebx*4+04h] 0_2_00E02470
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then mov edi, edx 0_2_00E4A440
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then cmp dword ptr [ecx], eax 0_2_00E105F0
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then mov ecx, dword ptr [edi+04h] 0_2_00E4A560
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then mov byte ptr [eax+esi*4+07h], 00000004h 0_2_00DE48D7
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then mov ebx, dword ptr [ebp+edi*4+00h] 0_2_00E408D0
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then mov ecx, dword ptr [esp+eax*8] 0_2_00E6E800
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then sub esi, 03h 0_2_00E529E0
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then push 00000000h 0_2_00E649A0
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then push dword ptr [edi+10h] 0_2_00E44A90
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then push ecx 0_2_00E18B80
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then mov esi, 00000000h 0_2_00E50C00
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then mov edx, ecx 0_2_00DF2D51
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then mov esi, 00000000h 0_2_00E50D20
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then mov dword ptr [esp+04h], ecx 0_2_00E5ED20
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then sub edx, 01h 0_2_00DFAF90
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then push 00000001h 0_2_00E2CF90
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then movzx eax, byte ptr [ebp+edi+01h] 0_2_00E1D000
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then push ebx 0_2_00E65280
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then push 00000000h 0_2_00E395E0
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then mov dword ptr [esp+04h], ecx 0_2_00E5F5F0
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then movzx ecx, byte ptr [esi+edx+00000220h] 0_2_00DF9500
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then add edi, 01h 0_2_00DF76B0
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then mov eax, dword ptr [edi+ebp*4+04h] 0_2_00E03620
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then mov ecx, edx 0_2_00E1B790
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then mov ecx, dword ptr [eax-08h] 0_2_00E05720
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then cmp byte ptr [edi+ebx], 0000002Ch 0_2_00E2D700
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then push esi 0_2_00E75820
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then push ebx 0_2_00E13960
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then movzx ebp, byte ptr [edi] 0_2_00E4BA80
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then mov eax, dword ptr [esi+1Ch] 0_2_00E1FA50
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then mov edi, dword ptr [ecx+18h] 0_2_00DEFA10
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then push ecx 0_2_00E45B60
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then mov eax, dword ptr [00EE3768h] 0_2_00DE5B50
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then movzx ebx, word ptr [ecx+edx*2] 0_2_00E67C30
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then mov ecx, esi 0_2_00DEFD30
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then mov ecx, ebp 0_2_00E51D10
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then lea ecx, dword ptr [eax+01h] 0_2_00E61E40
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then push dword ptr [edi-4Ch] 0_2_00E33E10
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then movsx edi, si 0_2_00E59F80
Source: C:\Users\user\Desktop\putty1.exe Code function: 4x nop then movzx edi, word ptr [ecx+edx*2] 0_2_00E67F20
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E16E00 recv,accept,WSAGetLastError,closesocket,recv,ioctlsocket,WSAGetLastError,recv,WSAGetLastError, 0_2_00E16E00
Source: putty1.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: putty1.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: putty1.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: putty1.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: putty1.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: putty1.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: putty1.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: putty1.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: putty1.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: putty1.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: putty1.exe String found in binary or memory: https://sectigo.com/CPS0
Source: putty1.exe String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/
Source: putty1.exe String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00DE6150 GlobalAlloc,GlobalLock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,SendMessageA,GlobalFree, 0_2_00DE6150
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00DE7490 WideCharToMultiByte,GlobalAlloc,GlobalAlloc,GlobalAlloc,GlobalLock,GlobalLock,WideCharToMultiByte,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree,GlobalFree,GlobalFree,WideCharToMultiByte,GlobalAlloc,GlobalLock,GlobalUnlock,GlobalUnlock,GlobalUnlock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,SetClipboardData,SetClipboardData,RegisterClipboardFormatA,SetClipboardData,CloseClipboard,GlobalFree,GlobalFree,GlobalFree,SendMessageA, 0_2_00DE7490
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00DE9D30 OpenClipboard,GetClipboardData,GetClipboardData,SendMessageA,CloseClipboard, 0_2_00DE9D30
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00DEA960 GetKeyboardState, 0_2_00DEA960
Source: C:\Users\user\Desktop\putty1.exe Code function: String function: 00E056D0 appears 44 times
Source: C:\Users\user\Desktop\putty1.exe Code function: String function: 00E806F0 appears 49 times
Source: C:\Users\user\Desktop\putty1.exe Code function: String function: 00E8F403 appears 678 times
Source: C:\Users\user\Desktop\putty1.exe Code function: String function: 00E18D90 appears 380 times
Source: C:\Users\user\Desktop\putty1.exe Code function: String function: 00E19340 appears 57 times
Source: C:\Users\user\Desktop\putty1.exe Code function: String function: 00E29AA0 appears 85 times
Source: C:\Users\user\Desktop\putty1.exe Code function: String function: 00E291A0 appears 39 times
Source: C:\Users\user\Desktop\putty1.exe Code function: String function: 00E49C90 appears 62 times
Source: C:\Users\user\Desktop\putty1.exe Code function: String function: 00E28C60 appears 32 times
Source: C:\Users\user\Desktop\putty1.exe Code function: String function: 00E48510 appears 40 times
Source: C:\Users\user\Desktop\putty1.exe Code function: String function: 00E48520 appears 38 times
Source: C:\Users\user\Desktop\putty1.exe Code function: String function: 00E13F60 appears 111 times
Source: C:\Users\user\Desktop\putty1.exe Code function: String function: 00E1EF00 appears 81 times
Source: C:\Users\user\Desktop\putty1.exe Code function: String function: 00E4AB20 appears 43 times
Source: C:\Users\user\Desktop\putty1.exe Code function: String function: 00DE6A00 appears 51 times
Source: C:\Users\user\Desktop\putty1.exe Code function: String function: 00E92D70 appears 69 times
Source: C:\Users\user\Desktop\putty1.exe Code function: String function: 00E14030 appears 78 times
Source: C:\Users\user\Desktop\putty1.exe Code function: String function: 00E28DB0 appears 87 times
Source: C:\Users\user\Desktop\putty1.exe Code function: String function: 00E199E0 appears 37 times
Source: putty1.exe, 00000000.00000000.1398037989.0000000000EEA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePuTTYd" vs putty1.exe
Source: putty1.exe Binary or memory string: OriginalFilenamePuTTYd" vs putty1.exe
Source: classification engine Classification label: clean10.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E1D3E0 FormatMessageA,_strlen,GetLastError, 0_2_00E1D3E0
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E04450 CoCreateInstance,CoCreateInstance,CoCreateInstance,_strlen,CoCreateInstance,_strlen,CoCreateInstance, 0_2_00E04450
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00DEB280 GetProcAddress,FreeLibrary,FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_00DEB280
Source: putty1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\putty1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: putty1.exe String found in binary or memory: config-serial-stopbits
Source: putty1.exe String found in binary or memory: source-address
Source: putty1.exe String found in binary or memory: config-ssh-portfwd-address-family
Source: putty1.exe String found in binary or memory: config-address-family
Source: putty1.exe String found in binary or memory: /config-address-family.html
Source: putty1.exe String found in binary or memory: /config-serial-stopbits.html
Source: putty1.exe String found in binary or memory: j'/config-ssh-portfwd-address-family.html
Source: putty1.exe String found in binary or memory: /faq-startmax.html
Source: putty1.exe String found in binary or memory: /faq-startsess.html
Source: putty1.exe String found in binary or memory: /faq-startssh.html
Source: putty1.exe String found in binary or memory: /feedback-address.html
Source: putty1.exe String found in binary or memory: /pageant-mainwin-addkey.html
Source: putty1.exe String found in binary or memory: /pageant-start.html
Source: putty1.exe String found in binary or memory: /plink-starting.html
Source: putty1.exe String found in binary or memory: /pscp-starting.html
Source: putty1.exe String found in binary or memory: /psftp-cmd-help.html
Source: putty1.exe String found in binary or memory: /psftp-starting.html
Source: C:\Users\user\Desktop\putty1.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\putty1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\putty1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\putty1.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\putty1.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\putty1.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\putty1.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\putty1.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\putty1.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\putty1.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\putty1.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\putty1.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\putty1.exe Window detected: Number of UI elements: 20
Source: putty1.exe Static file information: File size 1490208 > 1048576
Source: putty1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: putty1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: putty1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: putty1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: putty1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: putty1.exe Static PE information: section name: .00cfg
Source: putty1.exe Static PE information: section name: .voltbl
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E9B9A3 push ecx; ret 0_2_00E9B9B6
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00DE8280 IsIconic,SetWindowTextW,SetWindowTextA, 0_2_00DE8280
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00DE83E0 IsIconic,ShowWindow, 0_2_00DE83E0
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00DE8330 IsIconic,SetWindowTextW,SetWindowTextA, 0_2_00DE8330
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00DE4740 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoInitialize,MessageBoxA, 0_2_00DE4740
Source: C:\Users\user\Desktop\putty1.exe API coverage: 4.0 %
Source: putty1.exe, 00000000.00000002.2645566446.000000000167E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E9612D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00E9612D
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E8C4A2 mov ecx, dword ptr fs:[00000030h] 0_2_00E8C4A2
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E97CE0 mov eax, dword ptr fs:[00000030h] 0_2_00E97CE0
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E97CAF mov eax, dword ptr fs:[00000030h] 0_2_00E97CAF
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E97D24 mov eax, dword ptr fs:[00000030h] 0_2_00E97D24
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E94FE1 GetProcessHeap, 0_2_00E94FE1
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E8050E SetUnhandledExceptionFilter, 0_2_00E8050E
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E8051A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00E8051A
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E7FEBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00E7FEBD
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E1CBD0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorDacl,GetLastError,LocalFree,LocalFree, 0_2_00E1CBD0
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E1CD70 DeleteObject,AllocateAndInitializeSid,AllocateAndInitializeSid,GetLastError,GetLastError,GetLastError, 0_2_00E1CD70
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E80735 cpuid 0_2_00E80735
Source: C:\Users\user\Desktop\putty1.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00E9A27B
Source: C:\Users\user\Desktop\putty1.exe Code function: EnumSystemLocalesW, 0_2_00E9A4D1
Source: C:\Users\user\Desktop\putty1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00E9A56C
Source: C:\Users\user\Desktop\putty1.exe Code function: EnumSystemLocalesW, 0_2_00E9A7BF
Source: C:\Users\user\Desktop\putty1.exe Code function: GetLocaleInfoW, 0_2_00E94777
Source: C:\Users\user\Desktop\putty1.exe Code function: GetDesktopWindow,GetClientRect,CreateWindowExW,GetLastError,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetWindowRect,GetClientRect,SetWindowPos,CreateBitmap,CreateCaret,SetScrollInfo,GetDoubleClickTime,GetSystemMenu,CreatePopupMenu,AppendMenuA,AppendMenuA,AppendMenuA,CreateMenu,DeleteMenu,DeleteMenu,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,GetKeyboardLayout,GetLocaleInfoA,ShowWindow,SetForegroundWindow,GetForegroundWindow,UpdateWindow,PeekMessageW,IsWindow,PeekMessageA,GetForegroundWindow,MsgWaitForMultipleObjects,DispatchMessageW,PeekMessageW,IsWindow,IsDialogMessageA, 0_2_00DE48D7
Source: C:\Users\user\Desktop\putty1.exe Code function: EnumSystemLocalesW, 0_2_00E9A8F3
Source: C:\Users\user\Desktop\putty1.exe Code function: GetLocaleInfoW, 0_2_00E9A81E
Source: C:\Users\user\Desktop\putty1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00E9A9E5
Source: C:\Users\user\Desktop\putty1.exe Code function: GetLocaleInfoW, 0_2_00E9A93E
Source: C:\Users\user\Desktop\putty1.exe Code function: GetLocaleInfoW, 0_2_00E9AAEB
Source: C:\Users\user\Desktop\putty1.exe Code function: EnumSystemLocalesW, 0_2_00E94EC5
Source: C:\Users\user\Desktop\putty1.exe Code function: GetLocaleInfoA,DefWindowProcW, 0_2_00DE1B3F
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E70910 ___from_strstr_to_strchr,CreateNamedPipeA,CreateEventA,GetLastError, 0_2_00E70910
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E803CC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00E803CC
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E48350 GetProcAddress,___from_strstr_to_strchr,GetUserNameA,GetUserNameA, 0_2_00E48350
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00EA5AE6 GetTimeZoneInformation, 0_2_00EA5AE6
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E1D2F0 GetVersionExA,GetProcAddress, 0_2_00E1D2F0
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E164C0 closesocket,socket,SetHandleInformation,setsockopt,setsockopt,setsockopt,htonl,htons,bind,WSAGetLastError,WSAGetLastError,htons,htonl,htons,connect,WSAGetLastError, 0_2_00E164C0
Source: C:\Users\user\Desktop\putty1.exe Code function: 0_2_00E169B0 socket,SetHandleInformation,_strncpy,setsockopt,inet_addr,htonl,htonl,getaddrinfo,htons,htons,bind,listen,closesocket,WSAGetLastError,closesocket,closesocket,WSAGetLastError, 0_2_00E169B0
No contacted IP infos