Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe
Analysis ID:	1546295
MD5:	3b97ad27c3ea67c7e6f51d23c8b11471
SHA1:	618434d4edd1aa20c3f97c70fecedac65000b6dd
SHA256:	f84215746692872e393b68b6d0dc8ef7d050da10b6994d53cbcfcddeb16499ff
Tags:	exe
Infos:

Detection

Score:	23
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

AI detected suspicious sample

Installs a raw input device (often for capturing keystrokes)

Queries information about the installed CPU (vendor, model number etc)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe (PID: 1916 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe" MD5: 3B97AD27C3EA67C7E6F51D23C8B11471)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe PID: 1916	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T18:27:24.320655+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.6	49776	TCP
2024-10-31T18:28:01.886334+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.6	49967	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 91.5% probability

Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.6:49776
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.6:49967

Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	String found in binary or memory: http://fastmm.sourceforge.net).
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	String found in binary or memory: http://www.winimage.com/zLibDll
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	String found in binary or memory: http://www.winimage.com/zLibDll-1.2.3rbr

Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3419312276.00000000024FC000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_0dfbb972-e

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe PID: 1916, type: MEMORYSTR

Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000000.2178734994.000000000066E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename" vs SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3420189550.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMXDWDRV.DLLj% vs SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Binary or memory string: OriginalFilename" vs SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe

Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe

Static PE information: Section: .reloc IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe

Binary string: \Device\Video0

Source: classification engine

Classification label: sus23.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe

File created: C:\Users\user\AppData\Roaming\EurekaLog

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: midas.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: midas.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe

Window found: window name: TButton

Jump to behavior

Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe

Static file information: File size 3165184 > 1048576

Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe

Static PE information: Raw size of CODE is bigger than: 0x100000 < 0x234400

Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe

Static PE information: More than 200 imports for user32.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250F85C push ss; ret	0_3_0250F85D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_02510E6A push es; retf	0_3_02510E70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250EC29 push edi; iretd	0_3_0250EC41
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250CCDF push edi; iretd	0_3_0250CD2D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250FAC1 push esi; retf	0_3_0250FACC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250FAE7 push esi; retf	0_3_0250FAFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250D4EA push edi; iretd	0_3_0250D4ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250D8EA push edi; iretd	0_3_0250D8F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250D89B push edi; iretd	0_3_0250D89E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250F48C push edi; iretd	0_3_0250F48F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250C6A3 push ds; retf	0_3_0250C70E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250F744 push edi; iretd	0_3_0250F747
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250ED45 push edi; iretd	0_3_0250ED4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250F778 push edi; iretd	0_3_0250F77B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250E162 push edi; iretd	0_3_0250E188
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250D3D1 push edi; iretd	0_3_0250D3D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250F9D1 push edi; iretd	0_3_0250F9D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250CDD3 pushfd ; retf	0_3_0250CDDD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250DFF1 push edi; iretd	0_3_0250DFF4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250CFF7 push ds; iretd	0_3_0250D020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250CD97 push edi; iretd	0_3_0250CD9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250ED88 push es; iretd	0_3_0250EDA7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250E1B1 push edi; iretd	0_3_0250E188
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Code function: 0_3_0250C5AB push edi; iretd	0_3_0250C5AE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe

Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3418859320.000000000097E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe

Process information queried: ProcessInformation

Jump to behavior

Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Binary or memory string: SeDelegateSessionUserImpersonatePrivilege - OFF Active Controls: ------------------------------------ 4.1 Form Class : Progman 4.2 Form Text : Program Manager 4.3 Control Class: 4.4 Control Text : Computer: ---------------------
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3419312276.00000000024FC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3419204141.00000000024F9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow t
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3420260237.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000003.2229189694.0000000004BF4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 4.1 Form Class : Progman
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3419204141.00000000024F9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3420260237.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000003.2229189694.0000000004BF4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 4.2 Form Text : Program Manager
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3419312276.00000000024FC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 4.2 Form Text: Program Manager
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3419312276.00000000024FC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3420189550.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 4.1 Form Class : Progman
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3419312276.00000000024FC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow
Source: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe, 00000000.00000002.3419312276.00000000024FC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 4.1 Form Class: Progman

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	11 Input Capture	1 Security Software Discovery	Remote Services	11 Input Capture	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	8%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label	Link
http://www.winimage.com/zLibDll	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.winimage.com/zLibDll	SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	false	URL Reputation: safe	unknown
http://www.winimage.com/zLibDll-1.2.3rbr	SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	false		unknown
http://fastmm.sourceforge.net).	SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546295
Start date and time:	2024-10-31 18:26:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe
Detection:	SUS
Classification:	sus23.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 4 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe

Simulations

Behavior and APIs

Time	Type	Description
13:27:23	API Interceptor	301x Sleep call for process: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe modified

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	64529
Entropy (8bit):	3.697055107791718
Encrypted:	false
SSDEEP:	1536:YukrBUDO9WVNQLwHtzE0TntpEqtfi1zYUJCkFRkjW5c7gxEn2FBlYBlvB3pCtbsN:7kwR
MD5:	79B122B8497B70AE31672DA3DFE1EA8E
SHA1:	1CA18BFB7C0944B425F688B172174F6C12F75359
SHA-256:	ECE3486B5AE1738DED6D56F2F8F89C3400519C1C6F72B2F418A46059A69AD8D3
SHA-512:	8D3C3A22917B49EB6EF740051AEC545DB41867EFAA982237B973DF25E9D74325E9913C1B9DF67F081C5249D4818F2F5C2CB6543E84703DE5FB08404552D6FC02
Malicious:	false
Reputation:	low
Preview:	EurekaLog 6.1.01 RC 1....Application:..---------------------------------------------------------------------------.. 1.1 Start Date : Thu, 31 Oct 2024 13:27:05 -0400.. 1.2 Name/Description: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe.. 1.3 Version Number : 1.0.3.9.. 1.4 Parameters : .. 1.5 Compilation Date: Thu, 16 Apr 2020 22:35:36 -0400.. 1.6 Up Time : 0 second....Exception:..-------------------------------------------------------------------------.. 2.1 Date : Thu, 31 Oct 2024 13:27:06 -0400.. 2.2 Address : 0050E3F5.. 2.3 Module Name : SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe.. 2.4 Module Version: 1.0.3.9.. 2.5 Type : Exception.. 2.6 Message : Error loading MIDAS.DLL... 2.7 ID : 5118.. 2.8 Count : 1.. 2.9 Status : New.. 2.10 Note : ....User:..-----------------------------------------------------------------.. 3.1 ID : user.. 3.2 Name : hardz.. 3.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.827192022928079
TrID:	Win32 Executable (generic) a (10002005/4) 98.12% Windows ActiveX control (116523/4) 1.14% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win32 Executable Delphi generic (14689/80) 0.14% Windows Screen Saver (13104/52) 0.13%
File name:	SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe
File size:	3'165'184 bytes
MD5:	3b97ad27c3ea67c7e6f51d23c8b11471
SHA1:	618434d4edd1aa20c3f97c70fecedac65000b6dd
SHA256:	f84215746692872e393b68b6d0dc8ef7d050da10b6994d53cbcfcddeb16499ff
SHA512:	ec5456b456b684aabde3e7534b0b21b6ffb03247f4e642b9050dde9a2686b477a953250148eee168a2d9d72af8a8729c6f1bfa534c66e96773e6a94c2281c693
SSDEEP:	98304:zxY7fjyXSF+cFURSdAFjjdjjA/YiY0Y0Y0Y0YI:BCocFoSdAFjjdjjA/YiY0Y0Y0Y0YI
TLSH:	D8E54B22F38D8837D5231A749C5B73896833BF152E3895EA7FE4BE0D5F3A1913516282
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	8737656535170646

Static PE Info

General

Entrypoint:	0x635254
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3d0bebeafdf04540444a2561eaa54737

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
mov eax, 00634BACh
call 00007F43D4928438h
mov ebx, dword ptr [0064010Ch]
mov eax, dword ptr [ebx]
call 00007F43D49F5703h
push 00000080h
push FFFFFFECh
mov eax, dword ptr [ebx]
mov eax, dword ptr [eax+30h]
push eax
call 00007F43D4929529h
mov ecx, dword ptr [0064038Ch]
mov eax, dword ptr [ebx]
mov edx, dword ptr [0062FB1Ch]
call 00007F43D49F56F6h
mov ecx, dword ptr [00640410h]
mov eax, dword ptr [ebx]
mov edx, dword ptr [0062E520h]
call 00007F43D49F56E3h
mov ecx, dword ptr [00640064h]
mov eax, dword ptr [ebx]
mov edx, dword ptr [0062F0C4h]
call 00007F43D49F56D0h
mov eax, dword ptr [ebx]
call 00007F43D49F5749h
pop ebx
call 00007F43D49259B3h
mov eax, eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x24a000	0x2ef	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x246000	0x324c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26e000	0xc2400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x24c000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x2342cc	0x234400	a6bca98be67a6173766ef28307db731a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x236000	0xa4e8	0xa600	f2ba09a39ced9448a493b8adb480832b	False	0.34702089608433734	data	4.719928335088199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x241000	0x4f45	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x246000	0x324c	0x3400	4f0c80e2aaa027afc7c371df52290eab	False	0.34164663461538464	data	4.892566155659306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x24a000	0x2ef	0x400	efb52ebab655a39a4a116a00d15f8b40	False	0.37109375	data	4.453556782408975	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.tls	0x24b000	0x183	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x24c000	0x18	0x200	51f7315f820b2eb2230112b150c158a3	False	0.0546875	data	0.2147325177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x24d000	0x20420	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x26e000	0xc2400	0xc2400	c7c25b50e32ca307ff20094d21890ad7	False	0.29079442165379665	data	6.907156554237606	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x270920	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"			0.38636363636363635
RT_CURSOR	0x270a54	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Russian	Russia	0.29545454545454547
RT_CURSOR	0x270b88	0x134	data			0.4805194805194805
RT_CURSOR	0x270cbc	0x134	data			0.38311688311688313
RT_CURSOR	0x270df0	0x134	data			0.36038961038961037
RT_CURSOR	0x270f24	0x134	data			0.4090909090909091
RT_CURSOR	0x271058	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_CURSOR	0x27118c	0x134	data	Arabic	Saudi Arabia	0.2597402597402597
RT_CURSOR	0x2712c0	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Russian	Russia	0.2824675324675325
RT_CURSOR	0x2713f4	0x134	data	Dutch	Netherlands	0.38636363636363635
RT_CURSOR	0x271528	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Dutch	Netherlands	0.30194805194805197
RT_CURSOR	0x27165c	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	Dutch	Netherlands	0.275974025974026
RT_CURSOR	0x271790	0x134	data			0.4642857142857143
RT_BITMAP	0x2718c4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0x271a94	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380			0.46487603305785125
RT_BITMAP	0x271c78	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0x271e48	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39870689655172414
RT_BITMAP	0x272018	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.4245689655172414
RT_BITMAP	0x2721e8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5021551724137931
RT_BITMAP	0x2723b8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5064655172413793
RT_BITMAP	0x272588	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0x272758	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5344827586206896
RT_BITMAP	0x272928	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0x272af8	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.5208333333333334
RT_BITMAP	0x272bb8	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.42857142857142855
RT_BITMAP	0x272c98	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.4955357142857143
RT_BITMAP	0x272d78	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44			0.391304347826087
RT_BITMAP	0x272dd4	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44			0.391304347826087
RT_BITMAP	0x272e30	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44			0.532608695652174
RT_BITMAP	0x272e8c	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44			0.532608695652174
RT_BITMAP	0x272ee8	0x94	Device independent bitmap graphic, 6 x 11 x 4, image size 44	Russian	Russia	0.5
RT_BITMAP	0x272f7c	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44			0.4782608695652174
RT_BITMAP	0x272fd8	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44			0.4782608695652174
RT_BITMAP	0x273034	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44			0.5543478260869565
RT_BITMAP	0x273090	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44			0.5543478260869565
RT_BITMAP	0x2730ec	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44			0.4673913043478261
RT_BITMAP	0x273148	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44			0.4673913043478261
RT_BITMAP	0x2731a4	0x138	Device independent bitmap graphic, 28 x 13 x 4, image size 208			0.41025641025641024
RT_BITMAP	0x2732dc	0x138	Device independent bitmap graphic, 28 x 13 x 4, image size 208			0.27564102564102566
RT_BITMAP	0x273414	0x138	Device independent bitmap graphic, 28 x 13 x 4, image size 208			0.3685897435897436
RT_BITMAP	0x27354c	0x138	Device independent bitmap graphic, 28 x 13 x 4, image size 208			0.3685897435897436
RT_BITMAP	0x273684	0x138	Device independent bitmap graphic, 28 x 13 x 4, image size 208			0.34294871794871795
RT_BITMAP	0x2737bc	0x138	Device independent bitmap graphic, 28 x 13 x 4, image size 208			0.3717948717948718
RT_BITMAP	0x2738f4	0x104	Device independent bitmap graphic, 20 x 13 x 4, image size 156			0.5038461538461538
RT_BITMAP	0x2739f8	0x138	Device independent bitmap graphic, 28 x 13 x 4, image size 208			0.4326923076923077
RT_BITMAP	0x273b30	0x104	Device independent bitmap graphic, 20 x 13 x 4, image size 156			0.5153846153846153
RT_BITMAP	0x273c34	0x138	Device independent bitmap graphic, 28 x 13 x 4, image size 208			0.46474358974358976
RT_BITMAP	0x273d6c	0xb0	Device independent bitmap graphic, 10 x 9 x 4, image size 72	Russian	Russia	0.5056818181818182
RT_BITMAP	0x273e1c	0xb0	Device independent bitmap graphic, 10 x 9 x 4, image size 72	Russian	Russia	0.4943181818181818
RT_BITMAP	0x273ecc	0xb0	Device independent bitmap graphic, 10 x 9 x 4, image size 72	Russian	Russia	0.4375
RT_BITMAP	0x273f7c	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, resolution 2835 x 2835 px/m, 16 important colors			0.5775862068965517
RT_BITMAP	0x274064	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2835 x 2835 px/m			0.625
RT_BITMAP	0x27458c	0x852	Device independent bitmap graphic, 32 x 32 x 8, 1 compression, image size 1066, resolution 3779 x 3779 px/m, 256 important colors			0.8431924882629108
RT_BITMAP	0x274de0	0xf8	Device independent bitmap graphic, 13 x 13 x 4, 2 compression, image size 144, resolution 2835 x 2835 px/m			0.782258064516129
RT_BITMAP	0x274ed8	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2835 x 2835 px/m			0.5825757575757575
RT_BITMAP	0x275400	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, resolution 3780 x 3780 px/m			0.5689655172413793
RT_BITMAP	0x2754e8	0xf8	Device independent bitmap graphic, 13 x 13 x 4, 2 compression, image size 144, resolution 2835 x 2835 px/m			0.8024193548387096
RT_BITMAP	0x2755e0	0x828	Device independent bitmap graphic, 32 x 32 x 8, image size 1024, resolution 7874 x 7874 px/m			0.4794061302681992
RT_BITMAP	0x275e08	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, resolution 3779 x 3779 px/m, 16 important colors			0.6293103448275862
RT_BITMAP	0x275ef0	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.38392857142857145
RT_BITMAP	0x275fd0	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.4947916666666667
RT_BITMAP	0x276090	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.484375
RT_BITMAP	0x276150	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.42410714285714285
RT_BITMAP	0x276230	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.5104166666666666
RT_BITMAP	0x2762f0	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.5
RT_BITMAP	0x2763d0	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.4870689655172414
RT_BITMAP	0x2764b8	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.4895833333333333
RT_BITMAP	0x276578	0xd0	Device independent bitmap graphic, 12 x 13 x 4, image size 104			0.5625
RT_BITMAP	0x276648	0xd0	Device independent bitmap graphic, 12 x 13 x 4, image size 104			0.4855769230769231
RT_BITMAP	0x276718	0xd0	Device independent bitmap graphic, 12 x 13 x 4, image size 104			0.4326923076923077
RT_BITMAP	0x2767e8	0xd0	Device independent bitmap graphic, 12 x 13 x 4, image size 104			0.5576923076923077
RT_BITMAP	0x2768b8	0xd0	Device independent bitmap graphic, 12 x 13 x 4, image size 104			0.4807692307692308
RT_BITMAP	0x276988	0xd0	Device independent bitmap graphic, 12 x 13 x 4, image size 104			0.5625
RT_BITMAP	0x276a58	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288	English	Canada	0.34183673469387754
RT_BITMAP	0x276be0	0x88	Device independent bitmap graphic, 16 x 4 x 4, image size 32	English	United States	0.4852941176470588
RT_BITMAP	0x276c68	0xa8	Device independent bitmap graphic, 4 x 16 x 4, image size 64	English	United States	0.40476190476190477
RT_BITMAP	0x276d10	0x450	Device independent bitmap graphic, 5 x 5 x 8, image size 40	Dutch	Netherlands	0.32608695652173914
RT_BITMAP	0x277160	0x450	Device independent bitmap graphic, 7 x 5 x 8, image size 40	Dutch	Netherlands	0.322463768115942
RT_BITMAP	0x2775b0	0x4ac	Device independent bitmap graphic, 11 x 11 x 8, image size 132	Dutch	Netherlands	0.41555183946488294
RT_BITMAP	0x277a5c	0x480	Device independent bitmap graphic, 6 x 11 x 8, image size 88	Dutch	Netherlands	0.3559027777777778
RT_BITMAP	0x277edc	0x4ac	Device independent bitmap graphic, 9 x 11 x 8, image size 132	Dutch	Netherlands	0.41638795986622074
RT_BITMAP	0x278388	0x4c4	Device independent bitmap graphic, 12 x 13 x 8, image size 156	Dutch	Netherlands	0.4024590163934426
RT_BITMAP	0x27884c	0x4c4	Device independent bitmap graphic, 12 x 13 x 8, image size 156	Dutch	Netherlands	0.40491803278688526
RT_BITMAP	0x278d10	0x4c4	Device independent bitmap graphic, 12 x 13 x 8, image size 156	Dutch	Netherlands	0.40491803278688526
RT_BITMAP	0x2791d4	0x448	Device independent bitmap graphic, 7 x 4 x 8, image size 32	Dutch	Netherlands	0.43156934306569344
RT_BITMAP	0x27961c	0x444	Device independent bitmap graphic, 4 x 7 x 8, image size 28	Dutch	Netherlands	0.4358974358974359
RT_BITMAP	0x279a60	0x444	Device independent bitmap graphic, 4 x 7 x 8, image size 28	Dutch	Netherlands	0.43223443223443225
RT_BITMAP	0x279ea4	0x448	Device independent bitmap graphic, 7 x 4 x 8, image size 32	Dutch	Netherlands	0.43156934306569344
RT_BITMAP	0x27a2ec	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288	English	United States	0.3137755102040816
RT_BITMAP	0x27a474	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288	Dutch	Netherlands	0.413265306122449
RT_BITMAP	0x27a5fc	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288	English	United States	0.25510204081632654
RT_BITMAP	0x27a784	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.3794642857142857
RT_BITMAP	0x27a864	0xb0	Device independent bitmap graphic, 64 x 16 x 1, image size 128	English	United States	0.5113636363636364
RT_ICON	0x27a914	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Chinese	China	0.42338709677419356
RT_DIALOG	0x27abfc	0x52	data			0.7682926829268293
RT_DIALOG	0x27ac50	0x268	data			0.564935064935065
RT_DIALOG	0x27aeb8	0x540	data			0.43601190476190477
RT_DIALOG	0x27b3f8	0x114	data			0.6521739130434783
RT_DIALOG	0x27b50c	0xb2	data			0.7247191011235955
RT_DIALOG	0x27b5c0	0xbc	data			0.7393617021276596
RT_DIALOG	0x27b67c	0xc0	data			0.7291666666666666
RT_DIALOG	0x27b73c	0xbc	data			0.7393617021276596
RT_DIALOG	0x27b7f8	0xbc	data			0.7393617021276596
RT_DIALOG	0x27b8b4	0xc0	data			0.7291666666666666
RT_DIALOG	0x27b974	0xc0	data			0.7291666666666666
RT_STRING	0x27ba34	0x380	data			0.37723214285714285
RT_STRING	0x27bdb4	0x3fc	AmigaOS bitmap font "o", fc_YSize 26880, 18432 elements, 2nd "n", 3rd "e"			0.3715686274509804
RT_STRING	0x27c1b0	0x37c	data			0.39349775784753366
RT_STRING	0x27c52c	0x3b0	data			0.3241525423728814
RT_STRING	0x27c8dc	0x2a4	data			0.4541420118343195
RT_STRING	0x27cb80	0x3cc	data			0.43004115226337447
RT_STRING	0x27cf4c	0x420	data			0.4100378787878788
RT_STRING	0x27d36c	0x398	data			0.375
RT_STRING	0x27d704	0xb0	data			0.7102272727272727
RT_STRING	0x27d7b4	0x394	data			0.43231441048034935
RT_STRING	0x27db48	0x388	data			0.4004424778761062
RT_STRING	0x27ded0	0x398	data			0.4043478260869565
RT_STRING	0x27e268	0x410	data			0.4115384615384615
RT_STRING	0x27e678	0x494	data			0.32081911262798635
RT_STRING	0x27eb0c	0x4d8	data			0.3233870967741935
RT_STRING	0x27efe4	0x598	data			0.25139664804469275
RT_STRING	0x27f57c	0x3d0	data			0.3709016393442623
RT_STRING	0x27f94c	0x270	AmigaOS bitmap font "n", fc_YSize 8192, 18688 elements, 2nd "e", 3rd "s"			0.46314102564102566
RT_STRING	0x27fbbc	0x200	data			0.361328125
RT_STRING	0x27fdbc	0xf8	data			0.592741935483871
RT_STRING	0x27feb4	0x3a0	data			0.4213362068965517
RT_STRING	0x280254	0x168	data			0.5111111111111111
RT_STRING	0x2803bc	0xe8	data			0.6077586206896551
RT_STRING	0x2804a4	0x2c4	data			0.4138418079096045
RT_STRING	0x280768	0x268	data			0.4707792207792208
RT_STRING	0x2809d0	0x3fc	data			0.36764705882352944
RT_STRING	0x280dcc	0x390	data			0.4024122807017544
RT_STRING	0x28115c	0x374	data			0.34615384615384615
RT_STRING	0x2814d0	0x464	data			0.3505338078291815
RT_STRING	0x281934	0x1b0	data			0.4675925925925926
RT_STRING	0x281ae4	0xec	data			0.5508474576271186
RT_STRING	0x281bd0	0x20c	data			0.5
RT_STRING	0x281ddc	0x454	data			0.3231046931407942
RT_STRING	0x282230	0x3d0	data			0.36168032786885246
RT_STRING	0x282600	0x2fc	data			0.36649214659685864
RT_STRING	0x2828fc	0x354	data			0.318075117370892
RT_RCDATA	0x282c50	0x10	data			1.5
RT_RCDATA	0x282c60	0x1ebb5	data			1.0003654361003202
RT_RCDATA	0x2a1818	0x9b4	data			0.607085346215781
RT_RCDATA	0x2a21cc	0x1772	Delphi compiled form 'TCalculatorEh'			0.12812395868043985
RT_RCDATA	0x2a3940	0x971	Delphi compiled form 'TDBGridEhFindDlg'			0.4666942490690939
RT_RCDATA	0x2a42b4	0x4bed	Delphi compiled form 'TForm1'			0.1893296290579822
RT_RCDATA	0x2a8ea4	0xa44b	Delphi compiled form 'TForm2'			0.7075536745999668
RT_RCDATA	0x2b32f0	0x89d6	Delphi compiled form 'TForm3'			0.8169245593153092
RT_RCDATA	0x2bbcc8	0x7365e	Delphi compiled form 'TFTemplate'			0.03429453953075084
RT_RCDATA	0x32f328	0x494	Delphi compiled form 'TLoginDialog'			0.4931740614334471
RT_RCDATA	0x32f7bc	0x3c4	Delphi compiled form 'TPasswordDialog'			0.4678423236514523
RT_GROUP_CURSOR	0x32fb80	0x14	Lotus unknown worksheet or configuration, revision 0x1	Russian	Russia	1.25
RT_GROUP_CURSOR	0x32fb94	0x14	Lotus unknown worksheet or configuration, revision 0x1	Arabic	Saudi Arabia	1.3
RT_GROUP_CURSOR	0x32fba8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Russian	Russia	1.3
RT_GROUP_CURSOR	0x32fbbc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Dutch	Netherlands	1.3
RT_GROUP_CURSOR	0x32fbd0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Dutch	Netherlands	1.3
RT_GROUP_CURSOR	0x32fbe4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Dutch	Netherlands	1.3
RT_GROUP_CURSOR	0x32fbf8	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x32fc0c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x32fc20	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x32fc34	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x32fc48	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x32fc5c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x32fc70	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0x32fc84	0x14	data	Chinese	China	1.2
RT_VERSION	0x32fc98	0x274	data	Chinese	China	0.46656050955414013

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegSetValueExA, RegQueryValueExA, RegQueryValueA, RegOpenKeyExA, RegFlushKey, RegEnumKeyExA, RegCreateKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeNameA, GetUserNameA, GetTokenInformation
kernel32.dll	lstrcpyA, lstrcmpA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, UnmapViewOfFile, TerminateThread, TerminateProcess, SuspendThread, Sleep, SizeofResource, SetUnhandledExceptionFilter, SetThreadPriority, SetThreadLocale, SetLastError, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEnvironmentVariableA, SetEndOfFile, SetCurrentDirectoryA, ResumeThread, ResetEvent, ReleaseMutex, ReadFile, OutputDebugStringA, OpenProcess, MultiByteToWideChar, MulDiv, MoveFileA, MapViewOfFile, LockResource, LoadResource, LoadLibraryExA, LoadLibraryA, LeaveCriticalSection, IsBadReadPtr, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalReAlloc, GlobalMemoryStatus, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetWindowsDirectoryA, GetVersionExA, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetThreadContext, GetTempPathA, GetSystemTime, GetSystemInfo, GetSystemDefaultLangID, GetStringTypeExA, GetStdHandle, GetStartupInfoA, GetProfileStringA, GetProcAddress, GetPrivateProfileStringA, GetPriorityClass, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoW, GetLocaleInfoA, GetLocalTime, GetLastError, GetHandleInformation, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCommandLineA, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FlushInstructionCache, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitThread, EnumSystemLocalesA, EnumCalendarInfoA, EnterCriticalSection, DuplicateHandle, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreateMutexA, CreateFileMappingA, CreateFileA, CreateEventA, CreateDirectoryA, CompareStringA, CloseHandle
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UnrealizeObject, TextOutA, StretchBlt, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyPolyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetViewportOrgEx, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetOutlineTextMetricsA, GetObjectA, GetNearestColor, GetMapMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetCurrentObject, GetClipRgn, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutA, ExtSelectClipRgn, ExtCreateRegion, ExtCreatePen, ExcludeClipRect, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgnIndirect, CreateRectRgn, CreatePolygonRgn, CreatePenIndirect, CreatePen, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateFontA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CombineRgn, BitBlt
user32.dll	CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, WaitForInputIdle, ValidateRect, UpdateWindow, UnregisterClassA, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, ShowCaret, SetWindowRgn, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCaretPos, SetCapture, SetActiveWindow, SendMessageTimeoutA, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MoveWindow, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsClipboardFormatAvailable, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRgn, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextLengthW, GetWindowTextW, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDlgItem, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCaretPos, GetCapture, GetActiveWindow, FrameRect, FindWindowExA, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EndPaint, EndDialog, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExA, DrawTextW, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DialogBoxParamA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CreateDialogParamA, CreateCaret, CopyRect, CopyImage, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
ole32.dll	CoTaskMemFree, StringFromCLSID
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
ole32.dll	CoCreateInstance, CoGetMalloc, CoUninitialize, CoInitialize, IsEqualGUID
oleaut32.dll	CreateErrorInfo, GetErrorInfo, SetErrorInfo, SafeArrayCopy, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayDestroy, SafeArrayCreate, SysFreeString
shell32.dll	ShellExecuteA
gdi32.dll	TranslateCharsetInfo
comctl32.dll	ImageList_Destroy, ImageList_Add, ImageList_Create
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_LoadImageA, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
comdlg32.dll	GetSaveFileNameA, GetOpenFileNameA
kernel32.dll	MulDiv
kernel32.dll	MulDiv

Exports

Name	Ordinal	Address
EurekaLog_AttachedFilesRequestEvent	15	0x464bb0
EurekaLog_CallCreateThread	2	0x47e9a8
EurekaLog_CallExceptObject	5	0x47e128
EurekaLog_CallExitThread	4	0x47eaec
EurekaLog_CallGeneralRaise	6	0x47dfa4
EurekaLog_CallResumeThread	3	0x47ea48
EurekaLog_CustomButtonClickEvent	17	0x464cf8
EurekaLog_CustomDataRequestEventEx	14	0x464b0c
EurekaLog_CustomWebFieldsRequestEvent	16	0x464c54
EurekaLog_ExceptionActionNotifyEvent	12	0x4649c4
EurekaLog_ExceptionErrorNotifyEvent	13	0x464a68
EurekaLog_ExceptionNotifyEvent	10	0x46487c
EurekaLog_HandledExceptionNotifyEvent	11	0x464920
EurekaLog_LastDelphiException	1	0x47e9a0
EurekaLog_PasswordRequestEvent	8	0x464768
EurekaLog_PasswordRequestEventEx	9	0x4647ac
ExceptionManager	7	0x47fbe8

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
Arabic	Saudi Arabia
Dutch	Netherlands
English	Canada
English	United States
Chinese	China

Target ID:	0
Start time:	13:27:05
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe"
Imagebase:	0x400000
File size:	3'165'184 bytes
MD5 hash:	3B97AD27C3EA67C7E6F51D23C8B11471
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	13.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	24
Total number of Limit Nodes:	2

Executed Functions

Function 004D4814 Relevance: 3.1, APIs: 2, Instructions: 59
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001,?,?,?,?,004D48D3), ref: 004D4827
DispatchMessageA.USER32(?,?,?,00000000,00000000,00000000,00000001,?,?,?,?), ref: 004D4897

Memory Dump Source

Source File: 00000000.00000002.3418475369.00000000004D4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d4000_SecuriteInfo.jbxd

Similarity

API ID: Message$DispatchPeek
String ID:
API String ID: 1770753511-0
Opcode ID: b5971df827e3733edc16958296d6ae0ff2c7f9d466f20e2a83e3be021236ed64
Instruction ID: bf65f9a7294fb7e18f7fb1c92887795ad1e79058c01c0486106249368103e85e
Opcode Fuzzy Hash: b5971df827e3733edc16958296d6ae0ff2c7f9d466f20e2a83e3be021236ed64
Instruction Fuzzy Hash: B001C074B0068097FB30362A491276B96854FD2788F18402FF485A73C2CABD8C86932E

Function 0063500E Relevance: 2.8, APIs: 1, Instructions: 1259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3418565811.0000000000635000.00000040.00000001.01000000.00000003.sdmp, Offset: 00635000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_635000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf27df87212f1d796ae8b13519e6c3f47ca1167b6ab5ae672f7d92eeed529614
Instruction ID: 9f4c783fe546209459ede827a88f71ca8723fa201bb263d8b1b86fc03625cfb9
Opcode Fuzzy Hash: bf27df87212f1d796ae8b13519e6c3f47ca1167b6ab5ae672f7d92eeed529614
Instruction Fuzzy Hash: 2D91EE6264E2D19FC303DB7CECBA5DA7F60AE1322430A45EFD0C10F6A3E255945AC782

Function 004042C5 Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlUnwind.KERNEL32(?,?,?,00000000,?,?,?,?), ref: 004044EA

Memory Dump Source

Source File: 00000000.00000002.3418475369.0000000000404000.00000020.00000001.01000000.00000003.sdmp, Offset: 00404000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_404000_SecuriteInfo.jbxd

Similarity

API ID: Unwind
String ID:
API String ID: 3419175465-0
Opcode ID: 0616b56ada8abbf3fb36af33f330dbaefe2e6fa04c6db87408b9f5ba271d88cb
Instruction ID: 25e6b2dab825942e371b28a1ed72f583e86be26ce86791b6e6fe299a523e0463
Opcode Fuzzy Hash: 0616b56ada8abbf3fb36af33f330dbaefe2e6fa04c6db87408b9f5ba271d88cb
Instruction Fuzzy Hash: 2E319CB5604200BFE324DB50D885F27BBA9EBC4714F19C56AFA48A7291C739EC40CB69

Function 00404416 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlUnwind.KERNEL32(?,?,?,00000000,?,?,?,?), ref: 004044EA

Memory Dump Source

Source File: 00000000.00000002.3418475369.0000000000404000.00000020.00000001.01000000.00000003.sdmp, Offset: 00404000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_404000_SecuriteInfo.jbxd

Similarity

API ID: Unwind
String ID:
API String ID: 3419175465-0
Opcode ID: 8ba179296c88b0e7060bcab11527a3adf9359b36e5863dcaac974040493dcc59
Instruction ID: 0a2d89465c82b8c1eb7ec0554f7c693fad634bf74d01047a2e23c32c4ee80fe9
Opcode Fuzzy Hash: 8ba179296c88b0e7060bcab11527a3adf9359b36e5863dcaac974040493dcc59
Instruction Fuzzy Hash: 43216AB4204200AFD324DB51DC85F27BBA9EBC4714F19C56AFA48672A1C738EC40CA6A

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.elf

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exePID: 1916, Parent PID: 4004

General

Chronological Activities

Disassembly

Analysis Process: SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exePID: 1916, Parent PID: 4004COMMON

Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.20871.16748.exe

Function 004D4814 Relevance: 3.1, APIs: 2, Instructions: 59
windowCOMMON

Function 0063500E Relevance: 2.8, APIs: 1, Instructions: 1259
COMMON

Function 004042C5 Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Function 00404416 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON