
Windows Analysis Report
SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe
Analysis ID: 1390445
MD5: c9a36a7e0bf431dafe139b1cc18609ed
SHA1: 4d77f0d31e994d3baeba164238634cadaf95fb77
SHA256: 7e33dd313ed09a15c81af55ee0997031caa3da8fba8c31c3859bc95e52559ff3
Tags: exe

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
IP address seen in connection with other malware
May check the online IP address of the machine
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe (PID: 6348 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe MD5: C9A36A7E0BF431DAFE139B1CC18609ED)
    • conhost.exe (PID: 6364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 6908 cmdline: wmic cpu get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • WMIC.exe (PID: 6940 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.1728106690.000000C00013A000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe PID: 6348 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe | ReversingLabs: Detection: 13%
Source: SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe | Virustotal: Detection: 29%
Source: SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View | IP Address: 34.117.186.192
Source: unknown | DNS query: name: ipinfo.io
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: ipinfo.io User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Source: unknown | DNS traffic detected: queries for: ipinfo.io
Source: SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1734668192.00007FF61A2F1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://invalidkey4.dblookup
Source: SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1728106690.000000C00009C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ipinfo.ioHTTP/1.1HTTP/1.1I
Source: SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1728106690.000000C00009C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ipinfo.ioHTTP/1.1HTTP/1.1Ihttp/1.1http/1.1yipinfo.io:80HTTP_PROXYhttp_proYhttp_proxyhttp_prox
Source: SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1732392613.000000C000362000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1732392613.000000C000356000.00000004.00001000.00020000.00000000.sdmp, nPKJDroJ.dat.0.dr, e0qE9KyD.dat.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1732392613.000000C000362000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1732392613.000000C000356000.00000004.00001000.00020000.00000000.sdmp, nPKJDroJ.dat.0.dr, e0qE9KyD.dat.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1732392613.000000C000362000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1732392613.000000C000356000.00000004.00001000.00020000.00000000.sdmp, nPKJDroJ.dat.0.dr, e0qE9KyD.dat.0.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1732392613.000000C000362000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1732392613.000000C000356000.00000004.00001000.00020000.00000000.sdmp, nPKJDroJ.dat.0.dr, e0qE9KyD.dat.0.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1732392613.000000C000362000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1732392613.000000C000356000.00000004.00001000.00020000.00000000.sdmp, nPKJDroJ.dat.0.dr, e0qE9KyD.dat.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1732392613.000000C000362000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1732392613.000000C000356000.00000004.00001000.00020000.00000000.sdmp, nPKJDroJ.dat.0.dr, e0qE9KyD.dat.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1732392613.000000C000362000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1732392613.000000C000356000.00000004.00001000.00020000.00000000.sdmp, nPKJDroJ.dat.0.dr, e0qE9KyD.dat.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1728106690.000000C00016E000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1728106690.000000C000092000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1732392613.000000C000280000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/missingauth
Source: SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1728106690.000000C000092000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/missingauthreflect.Value.SetMapIndex
Source: SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1728106690.000000C000092000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://t.me/PSoftware
Source: SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1728106690.000000C000086000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1728106690.000000C000092000.00000004.00001000.00020000.00000000.sdmp, system.txt.0.dr | String found in binary or memory: https://t.me/Planet_Stealer
Source: SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1732392613.000000C000362000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1732392613.000000C000356000.00000004.00001000.00020000.00000000.sdmp, nPKJDroJ.dat.0.dr, e0qE9KyD.dat.0.dr | String found in binary or memory: https://www.ecosia.org/newtab/
Source: SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1732392613.000000C000362000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe, 00000000.00000002.1732392613.000000C000356000.00000004.00001000.00020000.00000000.sdmp, nPKJDroJ.dat.0.dr, e0qE9KyD.dat.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe | Section loaded: samlib.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-PSW.Agent.26016.7220.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll