Windows Analysis Report
SecuriteInfo.com.FileRepMalware.20421.11857.exe

Overview

General Information

Sample name: SecuriteInfo.com.FileRepMalware.20421.11857.exe
Analysis ID: 1543578
MD5: 506ec2c26e2d773d7b1eed542ff03e98
SHA1: 60f400c5f52a5dfefd042efe0b76f72df298cc86
SHA256: 164e4ae5151e613dcceac2da77d95d24e96f575c6988e79d5cc5c302ef387124
Tags: exe
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe ReversingLabs: Detection: 57%
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Virustotal: Detection: 64% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 96.6% probability
Machine Learning detection for sample
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe, 00000000.00000002.3426826517.00007FF6777BB000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_40ec812a-c
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: +D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\Spectre Joao\HVCI VALORANT\PLUS\x64\Release\Google Chrome.pdb source: SecuriteInfo.com.FileRepMalware.20421.11857.exe
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\Spectre Joao\HVCI VALORANT\PLUS\x64\Release\Google Chrome.pdb source: SecuriteInfo.com.FileRepMalware.20421.11857.exe
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe String found in binary or memory: https://github.com/googlefonts/lexend)6_ju
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe String found in binary or memory: https://scripts.sil.org/OFLThis
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe String found in binary or memory: https://scripts.sil.org/OFLhttps://www.lexend.comBonnie
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Binary string: 8\Device\microsoftAudioDriver\DosDevices\microsoftAudioDriverKmdfLibraryDriverEntry failed 0x%x for driver %wZ
Source: classification engine Classification label: mal68.evad.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1396:120:WilError_03
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20421.11857.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe ReversingLabs: Detection: 57%
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Virustotal: Detection: 64%
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectory
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20421.11857.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20421.11857.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20421.11857.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20421.11857.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20421.11857.exe Section loaded: d3dx11_43.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20421.11857.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20421.11857.exe Section loaded: d3dcompiler_43.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20421.11857.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20421.11857.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20421.11857.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20421.11857.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20421.11857.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20421.11857.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20421.11857.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20421.11857.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20421.11857.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20421.11857.exe Section loaded: vcruntime140.dll Jump to behavior
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Static file information: File size 4719616 > 1048576
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x128a00
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x2fd600
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: +D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\Spectre Joao\HVCI VALORANT\PLUS\x64\Release\Google Chrome.pdb source: SecuriteInfo.com.FileRepMalware.20421.11857.exe
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\Spectre Joao\HVCI VALORANT\PLUS\x64\Release\Google Chrome.pdb source: SecuriteInfo.com.FileRepMalware.20421.11857.exe
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Malware Analysis System Evasion
barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Binary or memory string: PROCESSHACKER.EXE
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Binary or memory string: PROCMON.EXE
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Binary or memory string: OLLYDBG.EXE
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Binary or memory string: X64DBG.EXE
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Binary or memory string: REGMON.EXE
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Binary or memory string: WINDBG.EXE
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Binary or memory string: FIDDLER.EXE
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Binary or memory string: IDAQ.EXEH
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Binary or memory string: PEID.EXEH
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Binary or memory string: IDAG.EXEH
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Binary or memory string: BAD ALLOCATIONUNKNOWN EXCEPTIONBAD ARRAY NEW LENGTHSTRING TOO LONGRAGEVISUALSMISCPROFILESCRIPTSBCDEFAIMBOTANTI-AIMOTHERPLAYERSWORLDAVECTOR TOO LONGBAD CAST%F: FALSETRUE*MAP/SET TOO LONG] [JSON.EXCEPTION., COLUMN AT LINE MS...DRIVER_INIT FAILED. RETRYING IN \\.\MICROSOFTAUDIODRIVERHEADNECKBODYCORNER2D3DLEFT MOUSERIGHT MOUSECANCELMIDDLE MOUSEMOUSE 5MOUSE 4BACKSPACETABCLEARENTERSHIFTCONTROLALTPAUSECAPSESCAPESPACEPAGE UPPAGE DOWNENDHOMEARROW LEFTARROW UPARROW RIGHTARROW DOWNPRINTINSERTDELETE0123456789GHIJKLMNOPQRSTUVWXYZNUMPAD 0NUMPAD 1NUMPAD 2NUMPAD 3NUMPAD 4NUMPAD 5NUMPAD 6NUMPAD 7NUMPAD 8NUMPAD 9MULTIPLYADDSUBTRACTDECIMALDIVIDEF1F2F3F4F5F6F7F8F9F10F11F12IMGUICROSSHAIRAIMBOTENABLE AIMBOTENABLE VISIBLE CHECK AIMBOTSHOW FOVKEYBINDKEYBIND AIMBOTSETTINGSAIM POSITION%.3FSMOOTH AIMBOTEYEVISUALSBOXSKELETONSNAPLINESOPERATOR NAMESDISTANCE ESPHEALTHBARRADARINFO PLAYER HPPLAYER VIEW ANGLE WEAPON NAMESNOTIFIEROTHERSVISIBLE CHECK WALL BOX TYPEUSERMISCWATERMARK - VALORANT PLUSVSYNC MENUNO LAGSETTINGSCOLORSAVESAVE CONFIGCONFIGSAVE CONFIGCONFIG.JSONLOAD CONFIGOPTIONLEGIT CONFIGRAGE CONFIGLOBIJETTASTRARIFT_TARGETINGFORM_PC_CKAY/OBREACHBRIMSTONECHAMBERCYPHERKAY/OKILLJOYNEONOMENPHOENIXRAZEREYNASAGESKYESOVAVIPERYORUFADEBOTGEKKOHARBORDEADLOCKVYSEMEDALOVERLAYMEDALOVERLAYCLASS [ %.FM ] HEALTH RENDERED][ CR][V4L0R4NT PLUS]CPLUSPLUSEXAMPLE/1.0GETKEYAUTH.WINF692B2828AA525D4513302117535C6C0D0CB304F574A1CD32EF3E1D07129217ADIEC.EXEDWNEJFE.EXEWIN64.EXESYSTEMINFORMER.EXEPROCESSHACKER.EXEFILEALYZER2.EXERESOURCEHACKER.EXEDEPENDS.EXEPEXPLORER.EXEDIEL.EXEDIE.EXEPE-BEAR.EXELORDPE.EXEWIRESHARK.EXETCPVIEW.EXEPROCEXP64.EXEPROCEXP.EXEREGMON.EXEFILEMON.EXEPROCMON.EXESCYLLA_X86.EXESCYLLA_X64.EXEOLLYDUMPEX_SA64.EXEOLLYDUMPEX_SA32.EXEHXD.EXEIMMUNITYDEBUGGER.EXEWINDBG.EXEX96DBG.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEIDA64.EXEDOTPEEK64.EXEIDA32.EXEIDA.EXERECLASS.NET.EXERECLASS.EXEHEYRAYS.EXELIGHTHOUSE.EXECHEATENGINE-X86_64.EXECLASSINFORMER.EXEIDA-X86EMU.EXECFFEXPLORER.EXEWINHEX.EXEHIEW.EXEFIDDLER.EXEHTTPDEBUGGER.EXEHTTPDEBUGGERPRO.EXESCYLLA.EXECHEAT ENGINE.EXEDNSPY.EXEDNSPY.CONSOLE.EXECLS
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Binary or memory string: WIRESHARK.EXE
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe Binary or memory string: FILEMON.EXE
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20421.11857.exe Code function: 0_2_00007FF6777B70B0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF6777B70B0
AV process strings found (often used to terminate AV products)
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe, 00000000.00000002.3426826517.00007FF6777BB000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20421.11857.exe, 00000000.00000000.2181732728.00007FF6777BA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: procmon.exe
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe, 00000000.00000002.3426826517.00007FF6777BB000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20421.11857.exe, 00000000.00000000.2181732728.00007FF6777BA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OLLYDBG.exe
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe, 00000000.00000002.3426826517.00007FF6777BB000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20421.11857.exe, 00000000.00000000.2181732728.00007FF6777BA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: wireshark.exe
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe, 00000000.00000002.3426826517.00007FF6777BB000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20421.11857.exe, 00000000.00000000.2181732728.00007FF6777BA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: procexp.exe
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe, 00000000.00000002.3426826517.00007FF6777BB000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20421.11857.exe, 00000000.00000000.2181732728.00007FF6777BA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: LordPE.exe
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe, 00000000.00000002.3426826517.00007FF6777BB000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20421.11857.exe, 00000000.00000000.2181732728.00007FF6777BA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: Tcpview.exe
Source: SecuriteInfo.com.FileRepMalware.20421.11857.exe, 00000000.00000002.3426826517.00007FF6777BB000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20421.11857.exe, 00000000.00000000.2181732728.00007FF6777BA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: regmon.exe
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1543578 Sample: SecuriteInfo.com.FileRepMal... Startdate: 28/10/2024 Architecture: WINDOWS Score: 68 10 Antivirus / Scanner detection for submitted sample 2->10 12 Multi AV Scanner detection for submitted file 2->12 14 Machine Learning detection for sample 2->14 16 2 other signatures 2->16 6 SecuriteInfo.com.FileRepMalware.20421.11857.exe 1 2->6         started        process3 process4 8 conhost.exe 6->8         started       
No contacted IP infos