
Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe
Analysis ID: 1528571
MD5: d7ac63e3468ddff02053b07159fcfa68
SHA1: 1c13031d4e88fba83d5f729da439ae453116b707
SHA256: 9da7b0e53e31f6f106564155221b0eeb5dfbe67385cc4e37bb3a0b32840cb4bf
Tags: exe

Detection

DarkMe
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected DarkMe
AI detected suspicious sample
Machine Learning detection for sample
Detected potential crypto function
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | JoeSecurity_DarkMe | Yara detected DarkMe | Joe Security |
00000000.00000000.2107913476.0000000000401000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_DarkMe | Yara detected DarkMe | Joe Security |
00000000.00000002.3348882578.0000000000401000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_DarkMe | Yara detected DarkMe | Joe Security |
Process Memory Space: SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe PID: 1804 | JoeSecurity_DarkMe | Yara detected DarkMe | Joe Security |
0.0.SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe.400000.0.unpack | JoeSecurity_DarkMe | Yara detected DarkMe | Joe Security |
0.2.SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe.400000.0.unpack | JoeSecurity_DarkMe | Yara detected DarkMe | Joe Security |
No Sigma rule has matched
No Suricata rule has matched


              AV Detection

Source: SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Avira: detected
Source: SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | ReversingLabs: Detection: 76%
Source: SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Virustotal: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 81.4% probability
Source: SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_00406169
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_00404240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_004063D7
Source: SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe, 00000000.00000002.3348930492.0000000000416000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename656.exe<?xml version="1.0" encoding="UTF-8" standalone="yes"?> vs SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe
Source: SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Binary or memory string: OriginalFilename656.exe<?xml version="1.0" encoding="UTF-8" standalone="yes"?> vs SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe
Source: classification engine | Classification label: mal72.troj.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Mutant created: NULL
Source: SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Section loaded: msvbvm60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Section loaded: vb6zz.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Section loaded: vb6es.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Section loaded: vb6es.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Section loaded: mswsock.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Static PE information: real checksum: 0x1e602 should be: 0x24594
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_00406169 push 00000007h; retf 0_2_004063D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_00403042 push 00401246h; ret 0_2_00403055
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_00403444 push 00401246h; ret 0_2_00403457
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_00405C48 push 00401246h; ret 0_2_00405C5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_00403056 push 00401246h; ret 0_2_00403069
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_00403458 push 00401246h; ret 0_2_0040346B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_00405C5C push 00401246h; ret 0_2_00405C6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_0040346C push 00401246h; ret 0_2_0040347F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_00405C70 push 00401246h; ret 0_2_00405C83
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_0040387C push 00401246h; ret 0_2_0040388F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_00403006 push 00401246h; ret 0_2_00403019
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_0040301A push 00401246h; ret 0_2_0040302D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_0040341C push 00401246h; ret 0_2_0040342F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_0040302E push 00401246h; ret 0_2_00403041
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_00403430 push 00401246h; ret 0_2_00403443
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_00405CC0 push 00401246h; ret 0_2_00405CD3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_004038CC push 00401246h; ret 0_2_004038DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_00405CD4 push 00401246h; ret 0_2_00405CE7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_004038E0 push 00401246h; ret 0_2_004038F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_00405CE8 push 00401246h; ret 0_2_00405CFB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_004038F4 push 00401246h; ret 0_2_00403907
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_00405CFC push 00401246h; ret 0_2_00405D0F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_00403480 push 00401246h; ret 0_2_00403493
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_00405C84 push 00401246h; ret 0_2_00405C97
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_00403890 push 00401246h; ret 0_2_004038A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_00403494 push 00401246h; ret 0_2_004034A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_00405C98 push 00401246h; ret 0_2_00405CAB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_004038A4 push 00401246h; ret 0_2_004038B7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_004034A8 push 00401246h; ret 0_2_004034BB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_00405CAC push 00401246h; ret 0_2_00405CBF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Code function: 0_2_004038B8 push 00401246h; ret 0_2_004038CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | Process information set: NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe, 00000000.00000002.3349046085.00000000005D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

              Stealing of Sensitive Information

Source: Yara match | File source: SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe, type: SAMPLE
Source: Yara match | File source: 0.0.SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2107913476.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3348882578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe PID: 1804, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe, type: SAMPLE
Source: Yara match | File source: 0.0.SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2107913476.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3348882578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe PID: 1804, type: MEMORYSTR
MITRE ATT&CK Matrix

Tactic | Technique (row 1) | Technique (row 2)
Reconnaissance | Gather Victim Identity Information | Credentials
Resource Development | Acquire Infrastructure | Domains
Initial Access | Valid Accounts | Default Accounts
Execution | Windows Management Instrumentation | Scheduled Task/Job
Persistence | 1 DLL Side-Loading | Boot or Logon Initialization Scripts
Privilege Escalation | 1 DLL Side-Loading | Boot or Logon Initialization Scripts
Defense Evasion | 1 DLL Side-Loading | 1 Obfuscated Files or Information
Credential Access | OS Credential Dumping | LSASS Memory
Discovery | 1 Security Software Discovery | 1 System Information Discovery
Lateral Movement | Remote Services | Remote Desktop Protocol
Collection | 1 Archive Collected Data | Data from Removable Media
Command and Control | 1 Encrypted Channel | Junk Data
Exfiltration | Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth
Impact | Abuse Accessibility Features | Network Denial of Service

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

Source | Detection | Scanner | Label
SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | 76% | ReversingLabs | Win32.Trojan.Multiverze
SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | 82% | Virustotal |
SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | 100% | Avira | TR/Dropper.Gen
SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
              No contacted domains info
              • No. of IPs < 25%
              • 25% < No. of IPs < 50%
              • 50% < No. of IPs < 75%
              • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
127.0.0.1 | | | | |
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1528571
Start date and time: 2024-10-08 02:21:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe
Detection: MAL
Classification: mal72.troj.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
20:22:03 | API Interceptor | 2559x Sleep call for process: SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe modified
              No context
              No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 4.649966818538418
TrID:
• Win32 Executable (generic) a (10002005/4) 99.15%
• Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe
File size: 86'016 bytes
MD5: d7ac63e3468ddff02053b07159fcfa68
SHA1: 1c13031d4e88fba83d5f729da439ae453116b707
SHA256: 9da7b0e53e31f6f106564155221b0eeb5dfbe67385cc4e37bb3a0b32840cb4bf
SHA512: 8a3c0318eba61b0e3d6366eff6329665db3fd174c12d9030febbba27cbcfb8308edcc28b4799b79fb679f4d1e0eed15343708683541067f294be6705c3d3744a
SSDEEP: 768:P0cBEDl8mtcoRPO+YuX1Ayf3EgkOqwLevxPIcvAkM8/eVnpc89dPdtWW96D//TR9:P0a0PO/Ujf3OnwevbVfo9dPdb96r/Tcw
TLSH: 7683182FF79249E1E6461A310AB5C2E95773BCA66FC7821F7640322D1C36EA20C4576F
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i...d...i.Rich..i.................PE..L.....ob.................0...................@....@........................
Icon Hash: 00869eb0b230201f
Entrypoint: 0x4012c4
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp: 0x626F048F [Sun May 1 22:07:11 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 3e847ec4ad926dd89c2f4cb28d036c11
              Instruction
              push 00401AE4h
              call 00007F0F90800255h
              add byte ptr [eax], al
              dec eax
              add byte ptr [eax], al
              add byte ptr [eax], dh
              add byte ptr [eax], al
              add byte ptr [eax+00h], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              jl 00007F0F908001F4h
              mov dword ptr [1984C9B5h], eax
              inc esp
              lodsb
              jmp 00007F0F9080023Eh
              jmp 00007F0F908002C7h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x12e14 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0xba8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x220 | 0x20 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x11c | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x12058 | 0x13000 | 281f248310b16e0a17d0d9cb1b8d7a51 | False | 0.3662366365131579 | data | 4.77406274711687 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x14000 | 0x1f2c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x16000 | 0xba8 | 0x1000 | 9d5fa5370b3a9dcea514fdf3d3cca543 | False | 0.24755859375 | data | 4.322327796423399 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
CUSTOM | 0x16260 | 0x9 | ASCII text, with no line terminators | | | 1.6666666666666667
CUSTOM | 0x1626c | 0x4 | ASCII text, with no line terminators | | | 3.0
CUSTOM | 0x16270 | 0x3 | ASCII text, with no line terminators | | | 3.6666666666666665
RT_ICON | 0x16274 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 256 | | | 0.3223684210526316
RT_ICON | 0x163a4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | | | 0.19623655913978494
RT_ICON | 0x1668c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | | | 0.4155405405405405
RT_GROUP_ICON | 0x167b4 | 0x30 | data | | | 1.0
RT_VERSION | 0x167e4 | 0x1cc | data | | | 0.5108695652173914
RT_MANIFEST | 0x169b0 | 0x1f6 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.49203187250996017

DLL | Import
MSVBVM60.DLL | EVENT_SINK_GetIDsOfNames, MethCallEngine, EVENT_SINK_Invoke, Zombie_GetTypeInfo, EVENT_SINK_AddRef, DllFunctionCall, Zombie_GetTypeInfoCount, EVENT_SINK_Release, EVENT_SINK_QueryInterface, __vbaExceptHandler, ProcCallEngine

Language of compilation system | Country where language is spoken
English | United States
              No network behavior found


Target ID: 0
Start time: 20:22:03
Start date: 07/10/2024
Path: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen28.43392.13729.12160.exe"
Imagebase: 0x400000
File size: 86'016 bytes
MD5 hash: D7AC63E3468DDFF02053B07159FCFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_DarkMe, Description: Yara detected DarkMe, Source: 00000000.00000000.2107913476.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkMe, Description: Yara detected DarkMe, Source: 00000000.00000002.3348882578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: false


                Execution Graph

Execution Coverage: 4.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 4
Total number of Limit Nodes: 1
                execution_graph 750 4012c4 751 4012c7 #100 750->751 752 4012e2 751->752 753 401274 #308 751->753 752->751 753->750
Memory Dump Source
• Source File: 00000000.00000002.3348882578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3348852155.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3348906260.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3348930492.0000000000416000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Similarity
                • API ID:
                • String ID: $g@$HA$|f@$|f@
                • API String ID: 0-3543863206

                Control-flow Graph

                control_flow_graph 179 4012c4 180 4012c7-4012e0 #100 179->180 181 4012e2-4012e9 180->181 182 401274-40127c #308 180->182 181->180 182->179
                APIs
                • #100.MSVBVM60(VB5!6&VB6ES.DLL), ref: 004012C9
Memory Dump Source
• Source File: 00000000.00000002.3348882578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3348852155.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3348906260.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3348930492.0000000000416000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Similarity
                • API ID: #100
                • String ID: VB5!6&VB6ES.DLL
                • API String ID: 1341478452-1434749051

                Control-flow Graph

                control_flow_graph 183 404240-4059b4
Memory Dump Source
• Source File: 00000000.00000002.3348882578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3348852155.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3348906260.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3348930492.0000000000416000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Similarity
                • API ID:
                • String ID: 4
                • API String ID: 0-4088798008
Memory Dump Source
• Source File: 00000000.00000002.3348882578.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3348852155.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3348906260.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3348930492.0000000000416000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID: