Windows Analysis Report
SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe
Analysis ID: 1428436
MD5: ac38083ad80ab0bf6a26b827a73f87d4
SHA1: 59fc220585cb07d200779c2b99ec8113dedd1a5a
SHA256: e17a068785f148d68c2fa2e6fd3e943e692da2ac9bee0c9f7a5ffe220035e26e
Tags: exe

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to retrieve information about pressed keystrokes
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe Code function: 0_2_00402C5C Sleep,GetAsyncKeyState, 0_2_00402C5C
Source: SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe Static PE information: Number of sections : 16 > 10
Source: classification engine Classification label: clean2.winEXE@2/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe Code function: 0_2_00401656 CreateToolhelp32Snapshot,strcmp,_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc,_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc,_ZNSolsEPFRSoS_E,exit, 0_2_00401656
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe Section loaded: libgcc_s_sjlj-1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe Section loaded: libstdc++-6.dll
Source: SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe Static PE information: section name: .xdata
Source: SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe Static PE information: section name: /4
Source: SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe Static PE information: section name: /19
Source: SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe Static PE information: section name: /31
Source: SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe Static PE information: section name: /45
Source: SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe Static PE information: section name: /57
Source: SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe Static PE information: section name: /70
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe Code function: 0_2_00403420 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 0_2_00403420
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe Code function: 0_2_004048A1 SetUnhandledExceptionFilter, 0_2_004048A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe Code function: 0_2_0040C3E8 SetUnhandledExceptionFilter,Sleep, 0_2_0040C3E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,GetStartupInfoA, 0_2_00401180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Zmem.13051.25997.exe Code function: 0_2_00403340 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00403340
No contacted IP infos