Windows Analysis Report
SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe
Analysis ID: 1532114
MD5: f32e47eeab5658904b67a491c4c08a39
SHA1: 11661085721eaa76651e7132f4e4ff36722f7ea4
SHA256: 0bda73349659b682a08172de94196235b902784d74457d3cd837aa47f16144f8
Tags: exe

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Avira: detected
Source: SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Virustotal: Detection: 61%
Source: SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe ReversingLabs: Detection: 52%
Source: SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_0066ACCE FindFirstFileExA, 0_2_0066ACCE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_0065B9F6 0_2_0065B9F6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_006601C0 0_2_006601C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_0065B1A9 0_2_0065B1A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_0065AC00 0_2_0065AC00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_0065DCD3 0_2_0065DCD3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_0065ACAD 0_2_0065ACAD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_0065B5C1 0_2_0065B5C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_0065BE2B 0_2_0065BE2B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_00664EE8 0_2_00664EE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_006696B9 0_2_006696B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_00657768 0_2_00657768
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_0066EFCD 0_2_0066EFCD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: String function: 00658900 appears 44 times
Source: classification engine Classification label: mal56.winEXE@4/1@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Command line argument: ^-g 0_2_00672CB0
Source: SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c pause
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Section loaded: apphelp.dll
Source: SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_00658946 push ecx; ret 0_2_00658959
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_006583E8 push ecx; ret 0_2_006583FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_00657768 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00657768
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe API coverage: 6.9 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_0065CDC7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0065CDC7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_006611A5 mov eax, dword ptr fs:[00000030h] 0_2_006611A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_00666DB1 GetProcessHeap, 0_2_00666DB1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_006588A0 SetUnhandledExceptionFilter, 0_2_006588A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_0065895B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0065895B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_00658782 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00658782
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_006585D8 cpuid 0_2_006585D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: GetLocaleInfoW, 0_2_0066E026
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0066E0F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: GetLocaleInfoW, 0_2_006669DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: EnumSystemLocalesW, 0_2_0066DA7E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: EnumSystemLocalesW, 0_2_0066DA33
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: EnumSystemLocalesW, 0_2_0066DB19
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0066DBA6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: EnumSystemLocalesW, 0_2_00666577
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: GetLocaleInfoW, 0_2_0066DDF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0066DF1F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_0066D7BB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_00658B5A GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00658B5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_00651F60 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 0_2_00651F60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.8494.11198.exe Code function: 0_2_00651F00 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 0_2_00651F00
No contacted IP infos