Windows Analysis Report
SecuriteInfo.com.FileRepPup.13718.29302.exe

Overview

General Information

Sample name: SecuriteInfo.com.FileRepPup.13718.29302.exe
Analysis ID: 1538199
MD5: 7d2eb1b2a364d686f6d4f17cdf626810
SHA1: 3ce2aa7c20e951b46c805279e5b63e27e3c2d739
SHA256: 034f883e7dad9b363bdaf1db5d5802da7296196a10dc9e29fd1027b769443ee8
Tags: exe
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
PE file contains sections with non-standard names
Program does not show much activity (idle)
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe ReversingLabs: Detection: 52%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 96.8% probability
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe String found in binary or memory: https://acme-v02.api.letsencrypt.org/directoryinternal
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe String found in binary or memory: https://github.com/jpillora/chisel

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe, type: SAMPLE Matched rule: Detect binaries using Chisel Author: ditekSHen
Source: 0.0.SecuriteInfo.com.FileRepPup.13718.29302.exe.90000.0.unpack, type: UNPACKEDPE Matched rule: Detect binaries using Chisel Author: ditekSHen
Source: 0.2.SecuriteInfo.com.FileRepPup.13718.29302.exe.90000.0.unpack, type: UNPACKEDPE Matched rule: Detect binaries using Chisel Author: ditekSHen
Yara signature match
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe, type: SAMPLE Matched rule: INDICATOR_TOOL_CNC_Chisel author = ditekSHen, description = Detect binaries using Chisel
Source: 0.0.SecuriteInfo.com.FileRepPup.13718.29302.exe.90000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_CNC_Chisel author = ditekSHen, description = Detect binaries using Chisel
Source: 0.2.SecuriteInfo.com.FileRepPup.13718.29302.exe.90000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_CNC_Chisel author = ditekSHen, description = Detect binaries using Chisel
Source: classification engine Classification label: mal68.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6624:120:WilError_03
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe ReversingLabs: Detection: 52%
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe String found in binary or memory: nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit .WithDeadline(.in-addr.arpa.169.254.0.0/1619073486328125192.168.0.0/1695367431640625: extra text: <not Stringer>Accept-CharsetCONFIG_TIMEOUTCertCloseStoreContent-
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe String found in binary or memory: IP addressKeep-AliveKharoshthiLockFileExManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOther_MathPOSTALCODEParseFloatPhoenicianProcessingRIPEMD-160RST_STREAMSHA256-RSASHA384-RSASHA512-RSASaurashtraSet-CookieUser-AgentWSACleanupWSASocketWWSAStartupWS_TIMEOUT[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]_reserved1acme-tls/1aes128-cbcaes128-ctraes192-ctraes256-ctrarcfour128arcfour256arg %d: %satomicand8audio/aiffaudio/midiaudio/mpegaudio/wavechisel.pidcomplex128connectiondebug calldefinitiondnsapi.dllexitThreadexp masterfloat32nanfloat64nanfont/woff2getsockoptgoroutine http_proxyimage/jpegimage/webpimpossibleinvalidptrkeep-alivekexInitMsglisten: %slocal-addrmSpanInUsemsvcrt.dllmultipart-no remotesnotifyListowner diedres binderres masterresumptionrune <nil>runtime: gs.state = schedtracesemacquiresession#%dset-cookiesetsockoptsocks bindstackLargeterminatedticks.locktls-domaintracefree(tracegc()
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe String found in binary or memory: .WithDeadline(.in-addr.arpa.169.254.0.0/1619073486328125192.168.0.0/1695367431640625: extra text: <not Stringer>Accept-CharsetCONFIG_TIMEOUTCertCloseStoreContent-LengthCreateProcessWCryptGenRandomDkim-SignatureEC PRIVATE KEYFindFirstFileWFingerprint %sFormatMessageWGC assist waitGC worker initGetConsoleModeGetProcAddressGetUserNameExWHandshaking...INTERNAL_ERRORInstEmptyWidthInvalid JSON: Invalid remoteMAX_FRAME_SIZEMB; allocated NetUserGetInfoNot AcceptableOther_ID_StartPROTOCOL_ERRORPattern_SyntaxProcess32NextWQuotation_MarkRCodeNameErrorREFUSED_STREAMREQUEST_METHODRegSetValueExWSending configSetFilePointerTranslateNameW" out of range\.+*?()|[]{}^$accept-charsetallocfreetracebad allocCountbad record MACbad span statebad stack sizechannelDataMsgchannelOpenMsgconnect failedcontent-lengthdata truncatedfile too largefinalizer waitgcstoptheworldgetprotobynameinternal errorinvalid configinvalid methodinvalid syntaxis a directorykey size wronglen of type %slevel 2 haltedlevel 3 haltedneed more datanil elem type!no module datano such devicepollCache.lockprotocol errorread error: %sread error: %wruntime: full=s.allocCount= semaRoot queuesource-addressssh-connectionstack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown code: unknown error unknown methodunknown mode: unknown node: unreachable: unsafe.Pointerwinapi error #work.full != 0x509ignoreCN=0zero parameter with GC prog
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe String found in binary or memory: Usage: chisel [command] [--help]
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe String found in binary or memory: Usage: chisel [command] [--help]
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe String found in binary or memory: span set block with unpopped elements found in resetssh: error parsing source-address restriction %q: %vssh: extra data following keyboard-interactive pairsssh: peer's curve25519 public value has wrong lengthssh: unexpected message type %d (expected one of %v)template: no template %q associated with template %qtls: internal error: session ticket keys unavailabletls: private key type does not match public key typetls: received a session ticket with invalid lifetimetls: server selected unsupported protocol version %xwebsocket: internal error, extra used in client modewebsocket: response does not implement http.Hijackerwrong number of args for %s: want at least %d got %dx509: cannot verify signature: insecure algorithm %vx509: trailing data after X.509 certificate policiesAccepting LetsEncrypt TOS and fetching certificate...Time.MarshalBinary: zone offset has fractional minuteacme/autocert: key type does not match expected valueacme/autocert: server name contains invalid characterchacha20: internal error: wrong dst and/or src lengthcompileCallback: argument size is larger than uintptrfunction symbol table not sorted by program counter: http2: Framer %p: failed to decode just-written framehttp2: Transport failed to get client conn for %s: %vhttp: putIdleConn: too many idle connections for hostillegal use of AllowIllegalReads with ReadMetaHeaderslookupGroupName: should be group account type, not %dmath/big: internal error: cannot find (D/n) = -1 for net/http: CloseNotify called after ServeHTTP finishedpem: cannot encode a header key that contains a colonreflect.Value.Slice: string slice index out of boundsreflect: non-interface type passed to Type.Implementsssh: server-generated gex p is out of range (%d bits)tls: HKDF-Expand-Label invocation failed unexpectedlytls: client does not support uncompressed connectionstls: failed to find any PEM data in certificate inputtls: received unexpected handshake message of type %Ttls: unable to generate random session ticket key: %vx509: DSA signature contained zero or negative valuesx509: certificate specifies an incompatible key usagex509: failed to parse ECDSA parameters as named curvex509: trailing data after X.509 authority informationURI with IP (%q) cannot be matched against constraintsgoroutine running on other thread; stack unavailable
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe String found in binary or memory: crypto/tls: ExportKeyingMaterial is unavailable when renegotiation is enabledinvalid Body.Read call. After hijacked, the original Request must not be used115792089210356248762697446949407573529996955224135760342422259061068512044369115792089210356248762697446949407573530086143415290314195533631308867097853951ssh: unable to authenticate, attempted methods %v, no supported methods remainunsupported socks proxy type: %s:// (only socks5h:// or socks:// is supported)websocket: unsupported version: 13 not found in 'Sec-Websocket-Version' headerx509: signature check attempts limit reached while verifying certificate chainhttp2: server closing client connection; error reading frame from client %s: %vssh: remote address %v is not an TCP address when checking source-address matchtls: client certificate private key of type %T does not implement crypto.SignerQueryPerformanceFrequency syscall returned zero, running on unsupported hardwareWindows system assumed buffer larger than it is, events have likely been missed.crypto/rand: blocked for 60 seconds waiting to read random data from the kernel
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe String found in binary or memory: --help, This help text
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe String found in binary or memory: --help, This help text
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe String found in binary or memory: chisel client --help for more information.
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe String found in binary or memory: chisel client --help for more information.
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe Section loaded: umpdc.dll Jump to behavior
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe Static file information: File size 8818688 > 1048576
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x449c00
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x397e00
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
PE file contains sections with non-standard names
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe, 00000000.00000002.2044738426.000001FF5AC8C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1538199 Sample: SecuriteInfo.com.FileRepPup... Startdate: 20/10/2024 Architecture: WINDOWS Score: 68 10 Malicious sample detected (through community Yara rule) 2->10 12 Antivirus / Scanner detection for submitted sample 2->12 14 Multi AV Scanner detection for submitted file 2->14 16 AI detected suspicious sample 2->16 6 SecuriteInfo.com.FileRepPup.13718.29302.exe 1 2->6         started        process3 process4 8 conhost.exe 6->8         started       
No contacted IP infos