Edit tour

Windows Analysis Report
SecuriteInfo.com.FileRepPup.13718.29302.exe

Overview

General Information

Sample name:	SecuriteInfo.com.FileRepPup.13718.29302.exe
Analysis ID:	1538199
MD5:	7d2eb1b2a364d686f6d4f17cdf626810
SHA1:	3ce2aa7c20e951b46c805279e5b63e27e3c2d739
SHA256:	034f883e7dad9b363bdaf1db5d5802da7296196a10dc9e29fd1027b769443ee8
Tags:	exe
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

PE file contains sections with non-standard names

Program does not show much activity (idle)

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.FileRepPup.13718.29302.exe (PID: 984 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe" MD5: 7D2EB1B2A364D686F6D4F17CDF626810)

conhost.exe (PID: 6624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SecuriteInfo.com.FileRepPup.13718.29302.exe	INDICATOR_TOOL_CNC_Chisel	Detect binaries using Chisel	ditekSHen	0x443bd0:$s1: chisel-v 0x5234da:$s1: chisel-v 0x528086:$s1: chisel-v 0x52809a:$s1: chisel-v 0x5234d6:$s2: sendchisel-v 0x52670f:$ws1: Sec-WebSocket-Key 0x53d6cc:$ws1: Sec-WebSocket-Key 0x5293cf:$ws2: Sec-WebSocket-Protocol 0x52a9fa:$ws2: Sec-WebSocket-Protocol 0x528b37:$ws3: Sec-Websocket-Version 0x53d0d9:$ws3: Sec-Websocket-Version 0x52aa12:$ws4: Sec-Websocket-Extensions

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.SecuriteInfo.com.FileRepPup.13718.29302.exe.90000.0.unpack	INDICATOR_TOOL_CNC_Chisel	Detect binaries using Chisel	ditekSHen	0x443bd0:$s1: chisel-v 0x5234da:$s1: chisel-v 0x528086:$s1: chisel-v 0x52809a:$s1: chisel-v 0x5234d6:$s2: sendchisel-v 0x52670f:$ws1: Sec-WebSocket-Key 0x53d6cc:$ws1: Sec-WebSocket-Key 0x5293cf:$ws2: Sec-WebSocket-Protocol 0x52a9fa:$ws2: Sec-WebSocket-Protocol 0x528b37:$ws3: Sec-Websocket-Version 0x53d0d9:$ws3: Sec-Websocket-Version 0x52aa12:$ws4: Sec-Websocket-Extensions
0.2.SecuriteInfo.com.FileRepPup.13718.29302.exe.90000.0.unpack	INDICATOR_TOOL_CNC_Chisel	Detect binaries using Chisel	ditekSHen	0x443bd0:$s1: chisel-v 0x5234da:$s1: chisel-v 0x528086:$s1: chisel-v 0x52809a:$s1: chisel-v 0x5234d6:$s2: sendchisel-v 0x52670f:$ws1: Sec-WebSocket-Key 0x53d6cc:$ws1: Sec-WebSocket-Key 0x5293cf:$ws2: Sec-WebSocket-Protocol 0x52a9fa:$ws2: Sec-WebSocket-Protocol 0x528b37:$ws3: Sec-Websocket-Version 0x53d0d9:$ws3: Sec-Websocket-Version 0x52aa12:$ws4: Sec-Websocket-Extensions

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.FileRepPup.13718.29302.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.FileRepPup.13718.29302.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.8% probability

Source: SecuriteInfo.com.FileRepPup.13718.29302.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.FileRepPup.13718.29302.exe	String found in binary or memory: https://acme-v02.api.letsencrypt.org/directoryinternal
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe	String found in binary or memory: https://github.com/jpillora/chisel

System Summary

Malicious sample detected (through community Yara rule)

Source: SecuriteInfo.com.FileRepPup.13718.29302.exe, type: SAMPLE	Matched rule: Detect binaries using Chisel Author: ditekSHen
Source: 0.0.SecuriteInfo.com.FileRepPup.13718.29302.exe.90000.0.unpack, type: UNPACKEDPE	Matched rule: Detect binaries using Chisel Author: ditekSHen
Source: 0.2.SecuriteInfo.com.FileRepPup.13718.29302.exe.90000.0.unpack, type: UNPACKEDPE	Matched rule: Detect binaries using Chisel Author: ditekSHen

Source: SecuriteInfo.com.FileRepPup.13718.29302.exe, type: SAMPLE	Matched rule: INDICATOR_TOOL_CNC_Chisel author = ditekSHen, description = Detect binaries using Chisel
Source: 0.0.SecuriteInfo.com.FileRepPup.13718.29302.exe.90000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_CNC_Chisel author = ditekSHen, description = Detect binaries using Chisel
Source: 0.2.SecuriteInfo.com.FileRepPup.13718.29302.exe.90000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_CNC_Chisel author = ditekSHen, description = Detect binaries using Chisel

Source: classification engine

Classification label: mal68.winEXE@2/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6624:120:WilError_03

Source: SecuriteInfo.com.FileRepPup.13718.29302.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.FileRepPup.13718.29302.exe

ReversingLabs: Detection: 52%

Source: SecuriteInfo.com.FileRepPup.13718.29302.exe	String found in binary or memory: nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit .WithDeadline(.in-addr.arpa.169.254.0.0/1619073486328125192.168.0.0/1695367431640625: extra text: <not Stringer>Accept-CharsetCONFIG_TIMEOUTCertCloseStoreContent-
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe	String found in binary or memory: IP addressKeep-AliveKharoshthiLockFileExManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOther_MathPOSTALCODEParseFloatPhoenicianProcessingRIPEMD-160RST_STREAMSHA256-RSASHA384-RSASHA512-RSASaurashtraSet-CookieUser-AgentWSACleanupWSASocketWWSAStartupWS_TIMEOUT[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]_reserved1acme-tls/1aes128-cbcaes128-ctraes192-ctraes256-ctrarcfour128arcfour256arg %d: %satomicand8audio/aiffaudio/midiaudio/mpegaudio/wavechisel.pidcomplex128connectiondebug calldefinitiondnsapi.dllexitThreadexp masterfloat32nanfloat64nanfont/woff2getsockoptgoroutine http_proxyimage/jpegimage/webpimpossibleinvalidptrkeep-alivekexInitMsglisten: %slocal-addrmSpanInUsemsvcrt.dllmultipart-no remotesnotifyListowner diedres binderres masterresumptionrune <nil>runtime: gs.state = schedtracesemacquiresession#%dset-cookiesetsockoptsocks bindstackLargeterminatedticks.locktls-domaintracefree(tracegc()
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe	String found in binary or memory: .WithDeadline(.in-addr.arpa.169.254.0.0/1619073486328125192.168.0.0/1695367431640625: extra text: <not Stringer>Accept-CharsetCONFIG_TIMEOUTCertCloseStoreContent-LengthCreateProcessWCryptGenRandomDkim-SignatureEC PRIVATE KEYFindFirstFileWFingerprint %sFormatMessageWGC assist waitGC worker initGetConsoleModeGetProcAddressGetUserNameExWHandshaking...INTERNAL_ERRORInstEmptyWidthInvalid JSON: Invalid remoteMAX_FRAME_SIZEMB; allocated NetUserGetInfoNot AcceptableOther_ID_StartPROTOCOL_ERRORPattern_SyntaxProcess32NextWQuotation_MarkRCodeNameErrorREFUSED_STREAMREQUEST_METHODRegSetValueExWSending configSetFilePointerTranslateNameW" out of range\.+*?()\|[]{}^$accept-charsetallocfreetracebad allocCountbad record MACbad span statebad stack sizechannelDataMsgchannelOpenMsgconnect failedcontent-lengthdata truncatedfile too largefinalizer waitgcstoptheworldgetprotobynameinternal errorinvalid configinvalid methodinvalid syntaxis a directorykey size wronglen of type %slevel 2 haltedlevel 3 haltedneed more datanil elem type!no module datano such devicepollCache.lockprotocol errorread error: %sread error: %wruntime: full=s.allocCount= semaRoot queuesource-addressssh-connectionstack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown code: unknown error unknown methodunknown mode: unknown node: unreachable: unsafe.Pointerwinapi error #work.full != 0x509ignoreCN=0zero parameter with GC prog
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe	String found in binary or memory: Usage: chisel [command] [--help]
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe	String found in binary or memory: Usage: chisel [command] [--help]
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe	String found in binary or memory: span set block with unpopped elements found in resetssh: error parsing source-address restriction %q: %vssh: extra data following keyboard-interactive pairsssh: peer's curve25519 public value has wrong lengthssh: unexpected message type %d (expected one of %v)template: no template %q associated with template %qtls: internal error: session ticket keys unavailabletls: private key type does not match public key typetls: received a session ticket with invalid lifetimetls: server selected unsupported protocol version %xwebsocket: internal error, extra used in client modewebsocket: response does not implement http.Hijackerwrong number of args for %s: want at least %d got %dx509: cannot verify signature: insecure algorithm %vx509: trailing data after X.509 certificate policiesAccepting LetsEncrypt TOS and fetching certificate...Time.MarshalBinary: zone offset has fractional minuteacme/autocert: key type does not match expected valueacme/autocert: server name contains invalid characterchacha20: internal error: wrong dst and/or src lengthcompileCallback: argument size is larger than uintptrfunction symbol table not sorted by program counter: http2: Framer %p: failed to decode just-written framehttp2: Transport failed to get client conn for %s: %vhttp: putIdleConn: too many idle connections for hostillegal use of AllowIllegalReads with ReadMetaHeaderslookupGroupName: should be group account type, not %dmath/big: internal error: cannot find (D/n) = -1 for net/http: CloseNotify called after ServeHTTP finishedpem: cannot encode a header key that contains a colonreflect.Value.Slice: string slice index out of boundsreflect: non-interface type passed to Type.Implementsssh: server-generated gex p is out of range (%d bits)tls: HKDF-Expand-Label invocation failed unexpectedlytls: client does not support uncompressed connectionstls: failed to find any PEM data in certificate inputtls: received unexpected handshake message of type %Ttls: unable to generate random session ticket key: %vx509: DSA signature contained zero or negative valuesx509: certificate specifies an incompatible key usagex509: failed to parse ECDSA parameters as named curvex509: trailing data after X.509 authority informationURI with IP (%q) cannot be matched against constraintsgoroutine running on other thread; stack unavailable
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe	String found in binary or memory: crypto/tls: ExportKeyingMaterial is unavailable when renegotiation is enabledinvalid Body.Read call. After hijacked, the original Request must not be used115792089210356248762697446949407573529996955224135760342422259061068512044369115792089210356248762697446949407573530086143415290314195533631308867097853951ssh: unable to authenticate, attempted methods %v, no supported methods remainunsupported socks proxy type: %s:// (only socks5h:// or socks:// is supported)websocket: unsupported version: 13 not found in 'Sec-Websocket-Version' headerx509: signature check attempts limit reached while verifying certificate chainhttp2: server closing client connection; error reading frame from client %s: %vssh: remote address %v is not an TCP address when checking source-address matchtls: client certificate private key of type %T does not implement crypto.SignerQueryPerformanceFrequency syscall returned zero, running on unsupported hardwareWindows system assumed buffer larger than it is, events have likely been missed.crypto/rand: blocked for 60 seconds waiting to read random data from the kernel
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe	String found in binary or memory: --help, This help text
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe	String found in binary or memory: --help, This help text
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe	String found in binary or memory: chisel client --help for more information.
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe	String found in binary or memory: chisel client --help for more information.

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe	Section loaded: umpdc.dll	Jump to behavior

Source: SecuriteInfo.com.FileRepPup.13718.29302.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.FileRepPup.13718.29302.exe

Static file information: File size 8818688 > 1048576

Source: SecuriteInfo.com.FileRepPup.13718.29302.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x449c00
Source: SecuriteInfo.com.FileRepPup.13718.29302.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x397e00

Source: SecuriteInfo.com.FileRepPup.13718.29302.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.FileRepPup.13718.29302.exe

Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: SecuriteInfo.com.FileRepPup.13718.29302.exe, 00000000.00000002.2044738426.000001FF5AC8C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.FileRepPup.13718.29302.exe	53%	ReversingLabs	Win32.Trojan.Generic
SecuriteInfo.com.FileRepPup.13718.29302.exe	100%	Avira	HEUR/AGEN.1318189

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/jpillora/chisel	SecuriteInfo.com.FileRepPup.13718.29302.exe	false		unknown
https://acme-v02.api.letsencrypt.org/directoryinternal	SecuriteInfo.com.FileRepPup.13718.29302.exe	false		unknown

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1538199
Start date and time:	2024-10-20 19:33:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.FileRepPup.13718.29302.exe
Detection:	MAL
Classification:	mal68.winEXE@2/0@0/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Execution Graph export aborted for target SecuriteInfo.com.FileRepPup.13718.29302.exe, PID 984 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.FileRepPup.13718.29302.exe

Joe Sandbox View / Context

Instruction
jmp 00007F6158CBF070h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
pushfd
dec eax
sub esp, 70h
dec eax
mov dword ptr [esp+50h], edi
dec eax
mov dword ptr [esp+48h], esi
dec eax
mov dword ptr [esp+40h], ebp
dec eax
mov dword ptr [esp+38h], ebx
dec esp
mov dword ptr [esp+30h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+20h], esi
dec esp
mov dword ptr [esp+58h], edi
dec ecx
mov edi, eax
dec eax
mov edx, dword ptr [00000028h]
dec eax
cmp edx, 00000000h
jne 00007F6158CC273Eh
dec eax
mov eax, 00000000h
jmp 00007F6158CC27C0h
dec eax
mov edx, dword ptr [edx+00000000h]
dec eax
cmp edx, 00000000h
jne 00007F6158CC2737h
call 00007F6158CC2878h
dec eax
mov dword ptr [esp+60h], edx
dec eax
mov dword ptr [esp+68h], esp
dec eax
mov ebx, dword ptr [edx+30h]
dec eax
mov ebx, dword ptr [ebx]
dec eax
cmp edx, ebx
je 00007F6158CC275Fh
dec eax
mov ebp, dword ptr [00000028h]
dec eax
mov dword ptr [ebp+00000000h], ebx
dec eax
mov edi, dword ptr [ebx+38h]
dec eax
sub edi, 08h
dec eax
lea esi, dword ptr [FFFD11CEh]
dec eax
mov dword ptr [edi], esi
dec eax
sub edi, 78h
dec eax
mov dword ptr [edi+68h], esp
dec eax
mov esp, edi
dec eax
mov ebx, dword ptr [ecx]
dec eax
mov ecx, dword ptr [ecx+08h]

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x87b000	0x4a0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x87c000	0x29196	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7e3020	0x148	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x449a6a	0x449c00	6a90e7ecfbb6f7518dadc0037d0e60fa	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x44b000	0x397d83	0x397e00	3b5b393fb860aa6c7a9c4535a0aa496a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7e3000	0x97428	0x5d600	a1143bf77c4fca51dfb805f158da06a4	False	0.3621935659303882	data	5.5959480469688945	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x87b000	0x4a0	0x600	a909ab69ad81f1ddea641bd3f2378762	False	0.349609375	data	3.6975782113749034	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x87c000	0x29196	0x29200	eae07d38b1a0a13aaf694dff284b2cff	False	0.2652747435410334	data	5.461528522156145	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x8a6000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

DLL	Import
kernel32.dll	WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, QueryFullProcessImageNameA, ProcessIdToSessionId, PostQueuedCompletionStatus, OpenProcess, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler

WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, QueryFullProcessImageNameA, ProcessIdToSessionId, PostQueuedCompletionStatus, OpenProcess, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Target ID:	0
Start time:	13:33:59
Start date:	20/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.13718.29302.exe"
Imagebase:	0x90000
File size:	8'818'688 bytes
MD5 hash:	7D2EB1B2A364D686F6D4F17CDF626810
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:33:59
Start date:	20/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 000C5420 Relevance: 10.1, Strings: 8, Instructions: 122COMMON

Download Yara Rule

Strings

runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftsent %s received %sshould not get hereskip this directorystopm holding lockssync.Cond is copiedtemplate: %s:%d: %stime: unknown unit too many open filesunclosed left parenunexpected %s, xrefs: 000C55BC
runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:, xrefs: 000C5657
)*.*/+-, - --->._/*///i00010X0b0o0s0x13253031323334353637404142434445464780: :]; <>=#> A3A4CNCcCfCoCsGBKBLlLmLoLtLuMBMcMeMnNdNlNoOKOUPBPcPdPePfPiPoPsR:STScSkSmSoTBTeToV1V2V3V5V6XBYiZlZpZs")":">"\*\D\E\S\W\"\\\d\s\w ])]:][]aAbBeEeneqfFgegth2i)iIifipivjslL, xrefs: 000C560C
", xrefs: 000C5695
,-./012345678:;<=>?@BCFLMNOPSUZ["\, xrefs: 000C55E5
0, xrefs: 000C5539
VirtualQuery for stack base failedacme/autocert: expired certificateacme/autocert: missing certificateacme/autocert: missing server nameacme/autocert: no public key foundacme: certificate chain is too bigacme: invalid account response: %vadding nil Certificate, xrefs: 000C568A
bad g0 stackbad recoveryblock clausec ap trafficc hs trafficcaller errorcan't happencas64 failedchan receiveclose notifycontent-typecontext.TODOdumping heapend tracegcentersyscallgcBitsArenasgcpacertracegetaddrinfowhmac-sha1-96host is downhttp2debug=1http2deb, xrefs: 000C562A

Memory Dump Source

Source File: 00000000.00000002.2042059124.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2042035613.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042401270.00000000004DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042746736.0000000000873000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042766825.000000000087F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042826744.00000000008C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042840473.00000000008C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042854368.00000000008C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042870354.00000000008C7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042887515.00000000008CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042902923.00000000008CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042918209.00000000008CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042918209.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042918209.0000000000906000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042980716.000000000090B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042996751.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: "$)*.*/+-, - --->._/*///i00010X0b0o0s0x13253031323334353637404142434445464780: :]; <>=#> A3A4CNCcCfCoCsGBKBLlLmLoLtLuMBMcMeMnNdNlNoOKOUPBPcPdPePfPiPoPsR:STScSkSmSoTBTeToV1V2V3V5V6XBYiZlZpZs")":">"\*\D\E\S\W\"\\\d\s\w ])]:][]aAbBeEeneqfFgegth2i)iIifipivjslL$,-./012345678:;<=>?@BCFLMNOPSUZ["\$0$VirtualQuery for stack base failedacme/autocert: expired certificateacme/autocert: missing certificateacme/autocert: missing server nameacme/autocert: no public key foundacme: certificate chain is too bigacme: invalid account response: %vadding nil Certificate$bad g0 stackbad recoveryblock clausec ap trafficc hs trafficcaller errorcan't happencas64 failedchan receiveclose notifycontent-typecontext.TODOdumping heapend tracegcentersyscallgcBitsArenasgcpacertracegetaddrinfowhmac-sha1-96host is downhttp2debug=1http2deb$runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:$runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftsent %s received %sshould not get hereskip this directorystopm holding lockssync.Cond is copiedtemplate: %s:%d: %stime: unknown unit too many open filesunclosed left parenunexpected %s
API String ID: 0-3817180774
Opcode ID: c5a3bd62c9670ca7a68c84acda9e4b7d971da4212d1c06f2d6599de7c476bf7a
Instruction ID: 722088763456e26fd1045416662ca1116f875b475e39d74b0bf25bf03209e351
Opcode Fuzzy Hash: c5a3bd62c9670ca7a68c84acda9e4b7d971da4212d1c06f2d6599de7c476bf7a
Instruction Fuzzy Hash: A1513A36619F8585D750DF10F48539EB3A8F78A764F508229EADC03BAADF78C194CB41

Function 000D59A0 Relevance: 5.1, Strings: 4, Instructions: 84COMMON

Download Yara Rule

Strings

m->p= next= p->m= prev= span= varp=% util%q: %s' for '"&<>, xrefs: 000D5A93
releasep: m=remote errorruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptservices.exeshort bufferspanSetSpinessh-conn nilssh-userauthstatus code sweepWaiterstraceStringstransmitfileunexpected )unknown portunknown typewirep: p->m= != sweepgen (Attem, xrefs: 000D5A68
releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchset bit is not 0 or 1ssh: packet too largessh: packet too smallstale NFS file handlestartlockedm: m has pstartm: , xrefs: 000D5B2F
p->status= s.nelems= schedtick= span.list= timerslen=, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html0123456789_127.0.0.1/830517578125: frame.sp=<invalid opBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad RequestCERTIFI, xrefs: 000D5AE5

Memory Dump Source

Source File: 00000000.00000002.2042059124.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2042035613.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042401270.00000000004DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042746736.0000000000873000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042766825.000000000087F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042826744.00000000008C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042840473.00000000008C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042854368.00000000008C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042870354.00000000008C7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042887515.00000000008CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042902923.00000000008CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042918209.00000000008CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042918209.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042918209.0000000000906000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042980716.000000000090B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042996751.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: m->p= next= p->m= prev= span= varp=% util%q: %s' for '"&<>$ p->status= s.nelems= schedtick= span.list= timerslen=, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html0123456789_127.0.0.1/830517578125: frame.sp=<invalid opBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad RequestCERTIFI$releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchset bit is not 0 or 1ssh: packet too largessh: packet too smallstale NFS file handlestartlockedm: m has pstartm: $releasep: m=remote errorruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptservices.exeshort bufferspanSetSpinessh-conn nilssh-userauthstatus code sweepWaiterstraceStringstransmitfileunexpected )unknown portunknown typewirep: p->m= != sweepgen (Attem
API String ID: 0-924417784
Opcode ID: 9f80fd5763565b6f6a76265146381b3aae510c848000bf2df2932e36e1208bd4
Instruction ID: 377363b6558a48ae0690eab5a43f992c2bff7525816877c2dd7cc84bd19ac1e1
Opcode Fuzzy Hash: 9f80fd5763565b6f6a76265146381b3aae510c848000bf2df2932e36e1208bd4
Instruction Fuzzy Hash: 3E41F276219F48C5DB50AF14F88576EB7A8F388794F54906AEACD07B2ADF38C094CB11

File type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.971731128769595
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	SecuriteInfo.com.FileRepPup.13718.29302.exe
File size:	8'818'688 bytes
MD5:	7d2eb1b2a364d686f6d4f17cdf626810
SHA1:	3ce2aa7c20e951b46c805279e5b63e27e3c2d739
SHA256:	034f883e7dad9b363bdaf1db5d5802da7296196a10dc9e29fd1027b769443ee8
SHA512:	f790717213fdae2510fc487f3c605c74d96285fe89f4399f08c6a6c33127d90a8869cc3fa32d9938cbbed86f82c668d5e410f9fba7a27b87534688c03ddfa456
SSDEEP:	196608:CqoFg26BXh0UOjCpu/07qcwru7fr/tapj:KF/+w/CwrQ
TLSH:	57963A03F8A304E5C6BEE1B486569322BD7138A9C3317BE31F949AA91765FD07A3D314
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................".......D...................@..............................p............`... ............................

Entrypoint:	0x46cfe0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	93a138801d9601e4c36e6274c8b9d111

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.FileRepPup.13718.29302.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.FileRepPup.13718.29302.exePID: 984, Parent PID: 1028

General

Chronological Activities

Analysis Process: conhost.exePID: 6624, Parent PID: 984

General

Chronological Activities

Disassembly

Analysis Process: SecuriteInfo.com.FileRepPup.13718.29302.exePID: 984, Parent PID: 1028COMMON

Non-executed Functions

Function 000C5420 Relevance: 10.1, Strings: 8, Instructions: 122COMMON

Function 000D59A0 Relevance: 5.1, Strings: 4, Instructions: 84COMMON

Windows Analysis Report
SecuriteInfo.com.FileRepPup.13718.29302.exe