Windows Analysis Report
SecuriteInfo.com.Trojan-Downloader.8862.17468.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe
Analysis ID: 1417315
MD5: 99e6eb18c870372dd39f1f3e491f91b1
SHA1: 3248418514e5a21f66cb43b8eef1be5925177bde
SHA256: 34a1b86d7355b5effffa36faa80c432a86f4ba6b3164cb35f5abe0d65cfbfa4d
Tags: exe

Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Machine Learning detection for sample
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files

Classification

AV Detection

Source: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe Code function: 0_2_00403740 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno, 0_2_00403740
Source: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe Static PE information: Number of sections : 13 > 10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe Section loaded: apphelp.dll
Source: classification engine Classification label: sus24.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7424:120:WilError_03
Source: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe Code function: 0_2_00401340 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,atexit, 0_2_00401340
Source: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe Static PE information: section name: /4
Source: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe Static PE information: section name: /14
Source: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe Static PE information: section name: /29
Source: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe Static PE information: section name: /41
Source: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe Static PE information: section name: /55
Source: SecuriteInfo.com.Trojan-Downloader.8862.17468.exe Static PE information: section name: /67
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe Code function: 0_2_004011B0 SetUnhandledExceptionFilter,_iob,_setmode,_setmode,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess, 0_2_004011B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.8862.17468.exe Code function: 0_2_00401A30 cpuid 0_2_00401A30
No contacted IP infos