Windows Analysis Report
SecuriteInfo.com.TROJ_FR.26501A77.11990.exe

Overview

General Information

Sample name: SecuriteInfo.com.TROJ_FR.26501A77.11990.exe
Analysis ID: 1538211
MD5: b6e0db27c2b3e62db616b0918a5d8ed8
SHA1: 66c5afcaad55cedfd8fb6d056c1a34802f52969e
SHA256: 1d177ff8ed3a7f17c5e5e4ecebcee3f26f360658bca2e8ad808bd270d1f492de
Tags: exe

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Yara detected Ncat Network tool
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Potential time zone aware malware
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.TROJ_FR.26501A77.11990.exe ReversingLabs: Detection: 36%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 93.9% probability
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005B4E20 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_005B4E20
Source: SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0068E1C3 _wcspbrk,__getdrive,FindFirstFileExW,_wcspbrk,__wfullpath_helper,_IsRootUNCName,GetDriveTypeW,_free,___loctotime32_t,_free,__sopen_s,__fstat32,__close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose, 0_2_0068E1C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0067E23D _wcspbrk,__getdrive,FindFirstFileExW,_wcspbrk,__wfullpath_helper,_IsRootUNCName,GetDriveTypeW,_free,___loctotime64_t,_free,__sopen_s,__fstat64i32,__close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose, 0_2_0067E23D

Networking

Source: Yara match File source: SecuriteInfo.com.TROJ_FR.26501A77.11990.exe, type: SAMPLE
Source: Yara match File source: 0.0.SecuriteInfo.com.TROJ_FR.26501A77.11990.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.TROJ_FR.26501A77.11990.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1687490416.00000000006D6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1689105622.00000000006D6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.TROJ_FR.26501A77.11990.exe PID: 6240, type: MEMORYSTR
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005A68F0 _memset,__WSAFDIsSet,send,_free,__WSAFDIsSet,recv,WSAGetLastError,closesocket, 0_2_005A68F0
Source: SecuriteInfo.com.TROJ_FR.26501A77.11990.exe String found in binary or memory: http://nmap.org/ncat
Source: SecuriteInfo.com.TROJ_FR.26501A77.11990.exe String found in binary or memory: http://nmap.org/ncat/.
Source: SecuriteInfo.com.TROJ_FR.26501A77.11990.exe String found in binary or memory: http://nmap.org/ncat/.nsComment%02Xp
Source: SecuriteInfo.com.TROJ_FR.26501A77.11990.exe String found in binary or memory: http://nmap.org/ncat5.59BETA1Version
Source: SecuriteInfo.com.TROJ_FR.26501A77.11990.exe String found in binary or memory: http://www.openssl.org/support/faq.html
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005F0280 GetVersion,CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC, 0_2_005F0280
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0066B46A 0_2_0066B46A
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00590120 0_2_00590120
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058A1E0 0_2_0058A1E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005D81A0 0_2_005D81A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00584257 0_2_00584257
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00584247 0_2_00584247
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0068C252 0_2_0068C252
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005922DF 0_2_005922DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00586290 0_2_00586290
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_006742AD 0_2_006742AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0069232A 0_2_0069232A
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058A3E0 0_2_0058A3E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005C2390 0_2_005C2390
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00590550 0_2_00590550
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058851C 0_2_0058851C
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005925C0 0_2_005925C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005D8650 0_2_005D8650
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005866C0 0_2_005866C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_006827A8 0_2_006827A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005908DD 0_2_005908DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00660960 0_2_00660960
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005C2950 0_2_005C2950
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00588900 0_2_00588900
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005C2927 0_2_005C2927
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058C986 0_2_0058C986
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005B2A70 0_2_005B2A70
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0067EB60 0_2_0067EB60
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058EB55 0_2_0058EB55
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005D4C30 0_2_005D4C30
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00592CD0 0_2_00592CD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005D8C80 0_2_005D8C80
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00590D78 0_2_00590D78
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00588D20 0_2_00588D20
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00586DE0 0_2_00586DE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00592DBB 0_2_00592DBB
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00592E71 0_2_00592E71
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00690E2E 0_2_00690E2E
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058EEB8 0_2_0058EEB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0068CF6E 0_2_0068CF6E
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058EF63 0_2_0058EF63
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058CFF9 0_2_0058CFF9
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00592F9B 0_2_00592F9B
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058D0FA 0_2_0058D0FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0068F262 0_2_0068F262
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058D276 0_2_0058D276
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058F2A4 0_2_0058F2A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00589340 0_2_00589340
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058B330 0_2_0058B330
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058F3DE 0_2_0058F3DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005D3400 0_2_005D3400
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_006754DD 0_2_006754DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058F492 0_2_0058F492
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005B3550 0_2_005B3550
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00581540 0_2_00581540
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058756C 0_2_0058756C
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00587500 0_2_00587500
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00595580 0_2_00595580
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005B5650 0_2_005B5650
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00587640 0_2_00587640
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005956C0 0_2_005956C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005A96F0 0_2_005A96F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00685694 0_2_00685694
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058F756 0_2_0058F756
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0068B775 0_2_0068B775
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00587770 0_2_00587770
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058F7D1 0_2_0058F7D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058B7C0 0_2_0058B7C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005897F0 0_2_005897F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058F79B 0_2_0058F79B
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00595833 0_2_00595833
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005EF8C0 0_2_005EF8C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_006678D0 0_2_006678D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0059389D 0_2_0059389D
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058F961 0_2_0058F961
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005959F2 0_2_005959F2
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0059398D 0_2_0059398D
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005D19B0 0_2_005D19B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058FA52 0_2_0058FA52
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00593A69 0_2_00593A69
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058FA33 0_2_0058FA33
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058BA80 0_2_0058BA80
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0068BCE0 0_2_0068BCE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00585D00 0_2_00585D00
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00583E57 0_2_00583E57
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00587EFB 0_2_00587EFB
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00589E80 0_2_00589E80
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: String function: 005D7220 appears 45 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: String function: 005C3D00 appears 115 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: String function: 005C3640 appears 177 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: String function: 00677790 appears 52 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: String function: 00581258 appears 84 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: String function: 005F5550 appears 47 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: String function: 005D6CF0 appears 39 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: String function: 0058115E appears 265 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: String function: 005810EB appears 57 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: String function: 005E5820 appears 36 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: String function: 00667226 appears 167 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: String function: 00668E50 appears 254 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: String function: 005AE230 appears 47 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: String function: 005C5630 appears 45 times
Source: classification engine Classification label: mal56.spre.evad.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6216:120:WilError_03
Source: SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.TROJ_FR.26501A77.11990.exe String found in binary or memory: Try `--help' or man(1) ncat for more information, usage options and help.
Source: SecuriteInfo.com.TROJ_FR.26501A77.11990.exe String found in binary or memory: -h, --help Display this help screen
Source: SecuriteInfo.com.TROJ_FR.26501A77.11990.exe String found in binary or memory: Try `--help' or man(1) ncat for more information, usage options and help.Unrecognised option.socks4Invalid proxy type "%s".Proxy type (--proxy-type) specified without proxy address (--proxy).-l and -s are incompatible. Specify the address and port to bind to like you would a host to connect to.Could not resolve source address %s.You must specify a host to connect to.Could not resolve hostname %s.Got more than one port specification: %d. QUITTING.
Source: SecuriteInfo.com.TROJ_FR.26501A77.11990.exe String found in binary or memory: set-addPolicy
Source: SecuriteInfo.com.TROJ_FR.26501A77.11990.exe String found in binary or memory: :%d[HEX DUMP]:-00BAD INTEGERBAD ENUMERATED(unknown).\crypto\asn1\a_mbstr.c%ldminsize=maxsize='()+,-./:=?setAttr-CertsetAttr-PGWYcappayment gateway capabilitiessetAttr-TokenTypesetAttr-IssCapissuer capabilitiesset-rootKeyThumbset-addPolicysetAttr-Token-EMVsetAttr-Token-B0PrimesetAttr-IssCap-CVMsetAttr-IssCap-T2setAttr-IssCap-SigsetAttr-GenCryptgrmgenerate cryptogramsetAttr-T2Encencrypted track 2setAttr-T2cleartxtcleartext track 2setAttr-TokICCsigICC or token signaturesetAttr-SecDevSigsecure device signatureset-brand-IATA-ATAset-brand-Dinersset-brand-AmericanExpressset-brand-JCBset-brand-Visaset-brand-MasterCardset-brand-NovusDES-CDMFdes-cdmfrsaOAEPEncryptionSETITU-Titu-tJOINT-ISO-ITU-Tjoint-iso-itu-tinternational-organizationsInternational OrganizationsmsSmartcardLoginMicrosoft SmartcardloginmsUPNMicrosoft Universal Principal NameAES-128-CFB1aes-128-cfb1AES-192-CFB1aes-192-cfb1AES-256-CFB1aes-256-cfb1AES-128-CFB8aes-128-cfb8AES-192-CFB8aes-192-cfb8AES-256-CFB8aes-256-cfb8DES-CFB1des-cfb1DES-CFB8des-cfb8DES-EDE3-CFB1des-ede3-cfb1DES-EDE3-CFB8des-ede3-cfb8streetstreetAddresspostalCodeid-pplproxyCertInfoProxy Certificate Informationid-ppl-anyLanguageAny languageid-ppl-inheritAllInherit allnameConstraintsX509v3 Name Constraintsid-ppl-independentIndependentRSA-SHA256sha256WithRSAEncryptionRSA-SHA384sha384WithRSAEncryptionRSA-SHA512sha512WithRSAEncryptionRSA-SHA224sha224WithRSAEncryptionSHA256sha256SHA384sha384SHA512sha512SHA224sha224identified-organizationcerticom-arcwapwap-wsgid-characteristic-two-basisonBasistpBasisppBasisc2pnb163v1c2pnb163v2c2pnb163v3c2pnb176v1c2tnb191v1c2tnb191v2c2tnb191v3c2onb191v4c2onb191v5c2pnb208w1c2tnb239v1c2tnb239v2c2tnb239v3c2onb239v4c2onb239v5c2pnb272w1c2pnb304w1c2tnb359v1c2pnb368w1c2tnb431r1secp112r1secp112r2secp128r1secp128r2secp160k1secp160r1secp160r2secp192k1*
Source: SecuriteInfo.com.TROJ_FR.26501A77.11990.exe String found in binary or memory: id-cmc-addExtensions
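The Yara match, the http://nmap.org/ncat URLs, the 5.59BETA1 version token and the "Try `--help' or man(1) ncat" usage text above identify the sample as a build of Ncat, the netcat implementation shipped with Nmap, with OpenSSL linked in (which is why the OpenSSL FAQ URL and the OID name table appear in the same image). The script below is an added example and is not part of the sandbox report or of the Nmap project: it hashes a file and searches for the same markers so the identification can be reproduced outside the sandbox. The byte buffer at the bottom is constructed for the demonstration and is not the analysed binary; the digest constants are copied from the report header.

```python
"""Static triage for Ncat markers in an unknown PE image (added example)."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Marker strings quoted in the report's "String found in binary or memory" lines.
NCAT_MARKERS = [
    b"http://nmap.org/ncat",
    b"Try `--help' or man(1) ncat for more information",
    b"-l and -s are incompatible",
    b"Proxy type (--proxy-type) specified without proxy address (--proxy)",
]
# OpenSSL markers seen in the same image.
OPENSSL_MARKERS = [
    b"http://www.openssl.org/support/faq.html",
    b".\\crypto\\asn1\\a_mbstr.c",
]
# The report shows the URL immediately followed by the version and the literal
# "Version" ("http://nmap.org/ncat5.59BETA1Version"); the C string constants are
# adjacent in the image, so allow optional NUL separators between them.
VERSION_RE = re.compile(rb"http://nmap\.org/ncat\x00*(\d+\.\d+[A-Za-z0-9]*)\x00*Version")

# Digests from the report header.
REPORT_HASHES = {
    "md5": "b6e0db27c2b3e62db616b0918a5d8ed8",
    "sha1": "66c5afcaad55cedfd8fb6d056c1a34802f52969e",
    "sha256": "1d177ff8ed3a7f17c5e5e4ecebcee3f26f360658bca2e8ad808bd270d1f492de",
}


@dataclass
class TriageResult:
    md5: str
    sha1: str
    sha256: str
    ncat_hits: List[bytes] = field(default_factory=list)
    openssl_hits: List[bytes] = field(default_factory=list)
    version: Optional[str] = None

    @property
    def is_ncat(self) -> bool:
        # Require the URL plus at least one usage-text marker, so a lone URL
        # reference in some unrelated binary does not produce the verdict.
        return b"http://nmap.org/ncat" in self.ncat_hits and len(self.ncat_hits) >= 2


def triage(data: bytes) -> TriageResult:
    """Hash the buffer and collect every marker it contains."""
    res = TriageResult(
        md5=hashlib.md5(data).hexdigest(),
        sha1=hashlib.sha1(data).hexdigest(),
        sha256=hashlib.sha256(data).hexdigest(),
    )
    res.ncat_hits = [m for m in NCAT_MARKERS if m in data]
    res.openssl_hits = [m for m in OPENSSL_MARKERS if m in data]
    m = VERSION_RE.search(data)
    if m:
        res.version = m.group(1).decode("ascii")
    return res


def triage_file(path: str) -> TriageResult:
    with open(path, "rb") as f:
        return triage(f.read())


def matches_report(res: TriageResult) -> bool:
    """True only when all three digests equal the ones in the report header."""
    return (res.md5, res.sha1, res.sha256) == (
        REPORT_HASHES["md5"], REPORT_HASHES["sha1"], REPORT_HASHES["sha256"])


# Constructed stand-in for a slice of .rdata; the real sample is 1,837,568 bytes.
SAMPLE = (
    b"\x00" * 16
    + b"http://nmap.org/ncat\x005.59BETA1\x00Version\x00"
    + b"Try `--help' or man(1) ncat for more information, usage options and help.\x00"
    + b"-l and -s are incompatible. Specify the address and port to bind to\x00"
    + b"http://www.openssl.org/support/faq.html\x00"
)

if __name__ == "__main__":
    r = triage(SAMPLE)
    print("ncat:", r.is_ncat, "version:", r.version, "matches report:", matches_report(r))
```

Run it against the real file with `triage_file(path)`; `matches_report` confirms you are looking at the same sample the report describes, and `is_ncat` plus `version` tell you whether the "backdoor" signatures come from Ncat's own listen and connect code paths rather than from something wrapped around it.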
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe "C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Section loaded: apphelp.dll
Source: SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Static file information: File size 1837568 > 1048576
Source: SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x154400
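The static PE lines above (32-bit executable image; DYNAMIC_BASE, NX_COMPAT and TERMINAL_SERVER_AWARE set; a .text section whose raw size of 0x154400 and virtual size both exceed 0x100000) can be reproduced with a few header reads. The parser below is an added example, not code from the report or from any PE library: it reads the COFF header, the PE32 optional header's DllCharacteristics and the section table using the offsets from the PE/COFF specification. `build_test_pe` fabricates a minimal image for the demonstration; the raw size it uses is the report's 0x154400, while the virtual size is a constructed value since the report gives only the threshold.

```python
"""Minimal PE32 header reader for the facts a sandbox 'Static PE information' line states (added example)."""
import struct
from typing import List, Tuple

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
PE32_MAGIC = 0x10B
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
SECTION_SIZE_LIMIT = 0x100000  # the "bigger than" threshold used by the report


def parse_pe(data: bytes) -> dict:
    """Return machine/characteristics, DllCharacteristics names and section sizes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, nsections, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != PE32_MAGIC:
        raise ValueError("only PE32 handled here, magic=0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # DllCharacteristics offset in PE32
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes.
        name, vsize, _va, rawsize, _rawptr, _rel, _lin, _nrel, _nlin, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "flags": [n for bit, n in SECTION_FLAGS.items() if flags & bit],
        })
    return {
        "machine": machine,
        "is_executable": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_32bit": bool(chars & IMAGE_FILE_32BIT_MACHINE),
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit],
        "sections": sections,
    }


def oversized_sections(info: dict, limit: int = SECTION_SIZE_LIMIT) -> List[Tuple[str, str]]:
    """(section, 'virtual'|'raw') for every size above the limit, in table order."""
    hits = []
    for s in info["sections"]:
        if s["virtual_size"] > limit:
            hits.append((s["name"], "virtual"))
        if s["raw_size"] > limit:
            hits.append((s["name"], "raw"))
    return hits


def build_test_pe(text_vsize: int, text_rawsize: int, dll_chars: int) -> bytes:
    """Constructed minimal PE32 with one .text section; only the parsed fields are meaningful."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    opt = bytearray(224)  # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    text = struct.pack("<8sIIIIIIHHI", b".text", text_vsize, 0x1000, text_rawsize, 0x400,
                       0, 0, 0, 0, 0x60000020)  # CODE | EXECUTE | READ, as the report lists
    return dos + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    info = parse_pe(build_test_pe(0x154200, 0x154400, 0x8140))
    print(info["dll_characteristics"], oversized_sections(info))
```

To check a real file, pass `open(path, "rb").read()` to `parse_pe`; DllCharacteristics tell you whether ASLR and DEP apply to the image, and a .text section this large is consistent with a statically linked OpenSSL rather than a packer, which is worth knowing before reading the "large file" signature as evasion.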
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005A4DA0 GetSystemDirectoryA,LoadLibraryA,FreeLibrary,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,FreeLibrary,GetProcAddress,FreeLibrary, 0_2_005A4DA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058D5D7 push eax; retf 0_2_0058D5D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0058D5BE push eax; retf 0_2_0058D5D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_006777D5 push ecx; ret 0_2_006777E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005EF8C0 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId, 0_2_005EF8C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_00581D74 rdtsc 0_2_00581D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe API coverage: 3.4 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe System information queried: CurrentTimeZoneInformation
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: SecuriteInfo.com.TROJ_FR.26501A77.11990.exe, 00000000.00000002.1689366580.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0066C4AC IsDebuggerPresent, 0_2_0066C4AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0067174E EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_0067174E
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0068AF57 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_0068AF57
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_006771E1 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_006771E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_006771B0 SetUnhandledExceptionFilter, 0_2_006771B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0066C168 cpuid 0_2_0066C168
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 0_2_00688C8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: EnumSystemLocalesW, 0_2_00688EFE
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_00688F5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_00688FD7
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 0_2_0068905A
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 0_2_0068924F
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00689379
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 0_2_00689426
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 0_2_006894FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: EnumSystemLocalesW, 0_2_0068989F
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: GetLocaleInfoW, 0_2_00689925
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_00689C60
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005A57B0 CreatePipe,GetLastError,CreateNamedPipeA,GetLastError,CloseHandle,CloseHandle,CloseHandle,CreateFileA,CloseHandle,CloseHandle,CloseHandle,CloseHandle,SetHandleInformation,SetHandleInformation,SetHandleInformation,_memset,GetStdHandle,CreateProcessA,GetLastError,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_005A57B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0066D83D GetSystemTimeAsFileTime,__aulldiv,GetTimeZoneInformation,__aulldiv,__aullrem,__aulldiv,__invoke_watson, 0_2_0066D83D
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_0067F33F __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_0067F33F
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005AC4E0 _fprintf,__vfwprintf_p,_fprintf,_perror,bind,connect,WSAGetLastError,WSAGetLastError,WSAGetLastError,bind,WSAGetLastError, 0_2_005AC4E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005B0520 _perror,setsockopt,setsockopt,bind,setsockopt,setsockopt, 0_2_005B0520
Source: C:\Users\user\Desktop\SecuriteInfo.com.TROJ_FR.26501A77.11990.exe Code function: 0_2_005ABEC0 listen, 0_2_005ABEC0
No contacted IP infos