Windows Analysis Report
SecuriteInfo.com.Trojan.Win32.647.23647.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Win32.647.23647.exe
Analysis ID: 1417316
MD5: 5da5d327d44645e0f3eb50b13a562927
SHA1: a75c81577273a8636241299f5f28af46e524250a
SHA256: aa2d947e869e13f0f09bc5762690f56967e03392f9720d83f03b67601958cd7b
Tags: exe

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files

Classification

AV Detection

Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe Code function: 0_2_004035C0 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno, 0_2_004035C0
Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe Static PE information: Number of sections: 13 > 10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe Section loaded: apphelp.dll
Source: classification engine Classification label: mal52.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2624:120:WilError_03
Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe Code function: 0_2_00401340 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,atexit, 0_2_00401340
Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe Static PE information: section name: /4
Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe Static PE information: section name: /14
Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe Static PE information: section name: /29
Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe Static PE information: section name: /41
Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe Static PE information: section name: /55
Source: SecuriteInfo.com.Trojan.Win32.647.23647.exe Static PE information: section name: /67
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe Code function: 0_2_004011B0 SetUnhandledExceptionFilter,_iob,_setmode,_setmode,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess, 0_2_004011B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.647.23647.exe Code function: 0_2_004018B0 cpuid 0_2_004018B0
No contacted IP infos