Windows Analysis Report
SecuriteInfo.com.Heur.31042.29735.exe

Overview

General Information

Sample name: SecuriteInfo.com.Heur.31042.29735.exe
Analysis ID: 1532750
MD5: cb4903c1c4f23b021905da634c002f04
SHA1: c2ccf3a1e5037c6e540b94a59e2c367ba8cd9090
SHA256: 49945b5eb3f80e6bb9dba81c6c6f643245bb0831ce2f6e5abf4db12ab6709b76
Tags: exe
Infos:

Detection

PureLog Stealer, zgRAT
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for sample
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Name Description Attribution Blogpost URLs Link
zgRAT zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection
barindex
Machine Learning detection for sample
Source: SecuriteInfo.com.Heur.31042.29735.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: SecuriteInfo.com.Heur.31042.29735.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: SecuriteInfo.com.Heur.31042.29735.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Demon Lookup.pdb source: SecuriteInfo.com.Heur.31042.29735.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_02FB0910
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_056A82F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_056A9940
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh 0_2_056A9A4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh 0_2_056A9A58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 4x nop then mov esp, ebp 0_2_09582CF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 4x nop then mov esp, ebp 0_2_09582CEA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 4x nop then mov ecx, dword ptr [ebp-4Ch] 0_2_09D9E158
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 4x nop then mov ecx, dword ptr [ebp-4Ch] 0_2_09D9D88C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 4x nop then mov ecx, dword ptr [ebp-4Ch] 0_2_09D9D880

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: SecuriteInfo.com.Heur.31042.29735.exe, type: SAMPLE
Source: Yara match File source: 0.0.SecuriteInfo.com.Heur.31042.29735.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Heur.31042.29735.exe.4427a60.0.raw.unpack, type: UNPACKEDPE
Source: SecuriteInfo.com.Heur.31042.29735.exe String found in binary or memory: Demon Toolsshttps://www.youtube.com/channel/UCYARbqAHQhZjOeS-Jn_5ubw?%Segoe UI Semilight equals www.youtube.com (Youtube)
Source: SecuriteInfo.com.Heur.31042.29735.exe String found in binary or memory: http://ip-api.com/line/
Source: SecuriteInfo.com.Heur.31042.29735.exe String found in binary or memory: http://www.newtonsoft.com/jsonschema
Source: SecuriteInfo.com.Heur.31042.29735.exe String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: SecuriteInfo.com.Heur.31042.29735.exe String found in binary or memory: https://www.youtube.com/channel/UCYARbqAHQhZjOeS-Jn_5ubw?%Segoe
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 0_2_09582618 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_09582618
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 0_2_02FB0C78 0_2_02FB0C78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 0_2_02FB0FBA 0_2_02FB0FBA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 0_2_02FB0C6A 0_2_02FB0C6A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 0_2_02FB1018 0_2_02FB1018
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 0_2_02FB100C 0_2_02FB100C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 0_2_056A8AE0 0_2_056A8AE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 0_2_056A8AF0 0_2_056A8AF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 0_2_094468C8 0_2_094468C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 0_2_0944AD2F 0_2_0944AD2F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 0_2_094468B7 0_2_094468B7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 0_2_0944BA70 0_2_0944BA70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 0_2_0944BFC8 0_2_0944BFC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Code function: 0_2_09D9BEB0 0_2_09D9BEB0
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Heur.31042.29735.exe, 00000000.00000002.2668999337.00000000013DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Heur.31042.29735.exe
Source: SecuriteInfo.com.Heur.31042.29735.exe, 00000000.00000000.1418148749.0000000000C22000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDemon Lookup.exe8 vs SecuriteInfo.com.Heur.31042.29735.exe
Source: SecuriteInfo.com.Heur.31042.29735.exe, 00000000.00000002.2672803940.0000000004427000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDemon Lookup.exe8 vs SecuriteInfo.com.Heur.31042.29735.exe
Source: SecuriteInfo.com.Heur.31042.29735.exe, 00000000.00000002.2670117964.0000000003248000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclrjit.dllT vs SecuriteInfo.com.Heur.31042.29735.exe
Source: SecuriteInfo.com.Heur.31042.29735.exe, 00000000.00000002.2670117964.0000000003248000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Heur.31042.29735.exe
Source: SecuriteInfo.com.Heur.31042.29735.exe, 00000000.00000002.2670117964.0000000003248000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $gq,\\StringFileInfo\\040904B0\\OriginalFilename vs SecuriteInfo.com.Heur.31042.29735.exe
Source: SecuriteInfo.com.Heur.31042.29735.exe Binary or memory string: OriginalFilenameDemon Lookup.exe8 vs SecuriteInfo.com.Heur.31042.29735.exe
Uses 32bit PE files
Source: SecuriteInfo.com.Heur.31042.29735.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: SecuriteInfo.com.Heur.31042.29735.exe, nCP5vtxT3QjsSeuiK3.cs Cryptographic APIs: 'CreateDecryptor'
Source: SecuriteInfo.com.Heur.31042.29735.exe, nCP5vtxT3QjsSeuiK3.cs Cryptographic APIs: 'CreateDecryptor'
Source: SecuriteInfo.com.Heur.31042.29735.exe, nCP5vtxT3QjsSeuiK3.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal68.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Mutant created: NULL
Source: SecuriteInfo.com.Heur.31042.29735.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Heur.31042.29735.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.69%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: mscorjit.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Section loaded: iconcodecservice.dll Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: SecuriteInfo.com.Heur.31042.29735.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Heur.31042.29735.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Heur.31042.29735.exe Static file information: File size 2200064 > 1048576
Source: SecuriteInfo.com.Heur.31042.29735.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x211800
Source: SecuriteInfo.com.Heur.31042.29735.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Heur.31042.29735.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Demon Lookup.pdb source: SecuriteInfo.com.Heur.31042.29735.exe

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: SecuriteInfo.com.Heur.31042.29735.exe, nCP5vtxT3QjsSeuiK3.cs .Net Code: Type.GetTypeFromHandle(nla1WKOGMY5oN5nImw.YLTPhkyqLF6F9(16777922)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(nla1WKOGMY5oN5nImw.YLTPhkyqLF6F9(16777319)),Type.GetTypeFromHandle(nla1WKOGMY5oN5nImw.YLTPhkyqLF6F9(16777307))})
Binary contains a suspicious time stamp
Source: SecuriteInfo.com.Heur.31042.29735.exe Static PE information: 0xC37D13F1 [Wed Dec 6 02:50:25 2073 UTC]
Source: SecuriteInfo.com.Heur.31042.29735.exe, XmlDeserializer.cs High entropy of concatenated method names: 'AShxtKNgpRu', 'JphxtDpp9ZN', 'U32xtZfmmca', 'pwpxthD16wC', 'XNhxtQgkNHU', 'ADixt3qGeuH', 'GK9xxt7adJW', 'fS9xxYij6Bj', 'oEcxxrIjElC', 'rIMxxMrPNk7'
Source: SecuriteInfo.com.Heur.31042.29735.exe, JsonSerializerInternalReader.cs High entropy of concatenated method names: 'B5PEjXG5Xl', 'AXxEfX2uad', 'tsHEaMxpd4', 'DsvEnkfYjQ', 'mWhE5Ei3R8', 'Populate', 'aXcjZGErTb', 'Deserialize', 'kKojhYbUAI', 'QJ6jQabmqQ'
Source: SecuriteInfo.com.Heur.31042.29735.exe, JsonSerializerInternalWriter.cs High entropy of concatenated method names: 'Serialize', 'SKly85pJff', 'u2dybPOxw8', 'b5Wy4KdUOg', 'IgKyXisRU7', 'yAnyGmbC2e', 'RfEydedQhd', 'crwyjmHn3J', 'NPoyyXg9ED', 'JDNyfCe3T9'
Source: SecuriteInfo.com.Heur.31042.29735.exe, nCP5vtxT3QjsSeuiK3.cs High entropy of concatenated method names: 'WiPxz4ErS9', 'wF8A8TaRGh', 'HefA1kxtZZ', 'KDCAxb9WJB', 'gNsAAIBaNY', 'm2sAbvmr5t', 'JUvPhkwy9pJ5A', 'yI41JQ64h', 'uqQx0MUPHVl', 'Ok2x0ONlBS5'
Source: SecuriteInfo.com.Heur.31042.29735.exe, BsonReader.cs High entropy of concatenated method names: 'Ohls3770UV', 'Read', 'Close', 'T76sS6pEZ7', 'JO7sT7eNdp', 'f4wsRiYhWL', 'AqGswuGdGS', 'uHTsB6PR2j', 'BiysJcdKmA', 'UgCszixwGx'
Source: SecuriteInfo.com.Heur.31042.29735.exe, Http.cs High entropy of concatenated method names: 'E9IBEMeHUB', 'JGYBKrg4V0', 'A6yBZtRDiZ', 'lQJBhh40up', 'qVSBTu5q5B', 'OSUBBRQITN', 'kBsBJETI6i', 'q3yJxAKMMl', 'njSJYy6jYf', 'hDBJMVeL1D'
Source: SecuriteInfo.com.Heur.31042.29735.exe, JPath.cs High entropy of concatenated method names: 'IRd5DFp9Rr', 'aJk5ZsZewv', 'd8T5hj9Kmi', 'cqk5Qg6Phr', 'TD953ToHso', 'jpT5SHCAhm', 'PgP5T3OD6u', 'R145Rg2OsS', 'HoH5wCkD7T', 'n9m5BGkSy9'
Source: SecuriteInfo.com.Heur.31042.29735.exe, Form1.cs High entropy of concatenated method names: 'mgrx1nbMT', 'koacLhthy', 'enqHrZLpx', 'G40YZ1axj', 'JNFPKQw5w', 'uu2rf64qx', 'ywmptPsbR', 'urtMQvvGC', 'HRCOmT5JL', 'P0dvTb2Xe'
Source: SecuriteInfo.com.Heur.31042.29735.exe, XmlNodeConverter.cs High entropy of concatenated method names: 'WriteJson', 'IAts1P9knp', 'yRNsiDqkYM', 'fqesUTR5qR', 'p04sIySFhY', 'YvhsNAGh9Q', 'SkusmiS3Ru', 'j1SsVchA2O', 'O04s9XEEbm', 'oHBs22PvIM'
Source: SecuriteInfo.com.Heur.31042.29735.exe, JsonValidatingReader.cs High entropy of concatenated method names: 'RRJKZmRIen', 'XrpKhtFVUr', 'gpPKQUUhls', 'n4ZK3kihot', 'PfdKSbUhBA', 'ynBkZsLJ4G', 'KvYkhZTKeG', 'qkek3sBS2b', 'NDtkSEHOYm', 'CMXkR7Bdpq'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Memory allocated: 1560000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Memory allocated: 3200000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Memory allocated: 3010000 memory reserve | memory write watch Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Enables debug privileges
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Process token adjusted: Debug Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Memory allocated: page read and write | page guard Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected PureLog Stealer
Source: Yara match File source: SecuriteInfo.com.Heur.31042.29735.exe, type: SAMPLE
Source: Yara match File source: 0.0.SecuriteInfo.com.Heur.31042.29735.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Heur.31042.29735.exe.4427a60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Heur.31042.29735.exe.4427a60.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1418148749.0000000000C22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2672803940.0000000004427000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected zgRAT
Source: Yara match File source: SecuriteInfo.com.Heur.31042.29735.exe, type: SAMPLE
Source: Yara match File source: 0.0.SecuriteInfo.com.Heur.31042.29735.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Heur.31042.29735.exe.4427a60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Heur.31042.29735.exe.4427a60.0.unpack, type: UNPACKEDPE

Remote Access Functionality
barindex
Yara detected PureLog Stealer
Source: Yara match File source: SecuriteInfo.com.Heur.31042.29735.exe, type: SAMPLE
Source: Yara match File source: 0.0.SecuriteInfo.com.Heur.31042.29735.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Heur.31042.29735.exe.4427a60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Heur.31042.29735.exe.4427a60.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1418148749.0000000000C22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2672803940.0000000004427000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected zgRAT
Source: Yara match File source: SecuriteInfo.com.Heur.31042.29735.exe, type: SAMPLE
Source: Yara match File source: 0.0.SecuriteInfo.com.Heur.31042.29735.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Heur.31042.29735.exe.4427a60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Heur.31042.29735.exe.4427a60.0.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1532750 Sample: SecuriteInfo.com.Heur.31042... Startdate: 13/10/2024 Architecture: WINDOWS Score: 68 7 Yara detected PureLog Stealer 2->7 9 Yara detected zgRAT 2->9 11 .NET source code contains method to dynamically call methods (often used by packers) 2->11 13 2 other signatures 2->13 5 SecuriteInfo.com.Heur.31042.29735.exe 2 2->5         started        process3
No contacted IP infos