Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.972761501742185
Filename:	SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe
Filesize:	640512
MD5:	4a57aaabbc130e2ff9f78a1231680e14
SHA1:	a372c732016750f03ecf5465a4b71ee170a0ae52
SHA256:	5ef8f6039eee8fa8cb4a3ae505f4f17d4a98570ec25c3279a89ee829aa6f0431
SHA512:	894ad53dea2d423b9566a43019dbd4c60178e9ebfa90a87206d65903dc4d865a2e8e18734a0e26842410613de5b9d4dccfc2a58f92466ccd300001ffbf509083
SSDEEP:	12288:sYWBpJjfXqCGvEosj5/bESJH60M17KbTrhSXVRt5NlooKUNOUij:sY+fXq/vsj5zxHLM17K27vlooKUBi
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....\e..............0..d...`........... ........@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Virtualization/Sandbox Evasion Security Software Discovery
Sample uses string decryption to hide its real strings	AV Detection
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Uses 32bit PE files	Compliance, System Summary	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Sample file is different than original file name gathered from version info	System Summary
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Sample is known by Antivirus	System Summary
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Uses an in-process (OLE) Automation server	System Summary
Queries process information (via WMI, Win32_Process)	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Reads ini files	System Summary	File and Directory Discovery
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
URLs found in memory or binary data	Networking
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary	System Information Discovery
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe.log
Category:	dropped
Dump:	SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe

Details

Is windows:	false
Is dropped:	false
PID:	1936
Target ID:	0
Parent PID:	4004
Name:	SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe
Size:	640512
MD5:	4A57AAABBC130E2FF9F78A1231680E14
Time:	04:17:50
Date:	21/11/2023
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xa90000
Modulesize:	663552
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe

Details

Is windows:	false
Is dropped:	false
PID:	6448
Target ID:	3
Parent PID:	1936
Name:	SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe
Size:	640512
MD5:	4A57AAABBC130E2FF9F78A1231680E14
Time:	04:17:51
Date:	21/11/2023
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x900000
Modulesize:	663552
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#

unknown

Details

Name:	http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe
Source:	SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe, 00000003.00000002.3324006845.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe, 00000003.00000002.3322598459.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe, 00000003.00000002.3327151487.00000000066F2000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://ocsp.sectigo.com0A

unknown

Details

Name:	http://ocsp.sectigo.com0A
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe
Source:	SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe, 00000003.00000002.3324006845.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe, 00000003.00000002.3322598459.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe, 00000003.00000002.3327151487.00000000066F2000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://sectigo.com/CPS0

unknown

Details

Name:	https://sectigo.com/CPS0
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe
Source:	SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe, 00000003.00000002.3324006845.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe, 00000003.00000002.3322598459.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe, 00000003.00000002.3327151487.00000000066F2000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://us2.smtp.mailhostbox.com

unknown

Details

Name:	http://us2.smtp.mailhostbox.com
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe
Source:	SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe, 00000003.00000002.3324006845.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

us2.smtp.mailhostbox.com

208.91.198.143

Details

Name:	us2.smtp.mailhostbox.com
IP:	208.91.198.143
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

208.91.198.143

us2.smtp.mailhostbox.com

United States

Details

IP:	208.91.198.143
TargetID:	3
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe
Country:	United States
Countrycode:	USA
ASN number:	394695
ASN name:	PUBLIC-DOMAIN-REGISTRYUS
Private:	false
Domain:	us2.smtp.mailhostbox.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

2F71000

trusted library allocation

page read and write

3FFE000

trusted library allocation

page read and write

1914000

trusted library allocation

page read and write

E25000

heap

page read and write

5940000

trusted library allocation

page read and write

F20000

heap

page read and write

2FC3000

trusted library allocation

page read and write

E95000

heap

page read and write

18BD000

stack

page read and write

2FF9000

trusted library allocation

page read and write

7750000

heap

page read and write

A2DF000

stack

page read and write

D39000

stack

page read and write

FED000

trusted library allocation

page execute and read and write

FE0000

trusted library allocation

page read and write

12BE000

stack

page read and write

1770000

heap

page read and write

1902000

trusted library allocation

page read and write

2DCE000

stack

page read and write

1170000

trusted library allocation

page read and write

1095000

heap

page read and write

1367000

heap

page read and write

7650000

trusted library section

page read and write

1380000

trusted library allocation

page read and write

3E29000

trusted library allocation

page read and write

5304000

trusted library allocation

page read and write

53D0000

trusted library section

page readonly

57D0000

trusted library section

page read and write

C39000

stack

page read and write

A1DF000

stack

page read and write

1200000

heap

page read and write

59DD000

trusted library allocation

page read and write

E88000

heap

page read and write

5F80000

heap

page read and write

43E000

remote allocation

page execute and read and write

1330000

trusted library allocation

page read and write

F07000

heap

page read and write

57DE000

stack

page read and write

6200000

trusted library allocation

page execute and read and write

569E000

stack

page read and write

1920000

trusted library allocation

page read and write

57F5000

heap

page read and write

1024000

heap

page read and write

2E10000

heap

page execute and read and write

57E0000

trusted library allocation

page read and write

FD0000

trusted library allocation

page read and write

1031000

heap

page read and write

5300000

trusted library allocation

page read and write

8AF7000

trusted library allocation

page read and write

1340000

trusted library allocation

page execute and read and write

102F000

heap

page read and write

581D000

stack

page read and write

53B0000

trusted library allocation

page read and write

117D000

trusted library allocation

page execute and read and write

7070000

heap

page read and write

770E000

stack

page read and write

E60000

heap

page read and write

53AA000

trusted library allocation

page read and write

5450000

heap

page read and write

FFB000

heap

page read and write

18DE000

trusted library allocation

page read and write

3F13000

trusted library allocation

page read and write

59A0000

trusted library allocation

page execute and read and write

5360000

heap

page read and write

E53000

trusted library allocation

page execute and read and write

F0E000

heap

page read and write

18FD000

trusted library allocation

page read and write

624D000

stack

page read and write

59A0000

trusted library allocation

page read and write

5600000

heap

page execute and read and write

43C000

remote allocation

page execute and read and write

794F000

stack

page read and write

1306000

trusted library allocation

page execute and read and write

17BC000

stack

page read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe