Windows Analysis Report
SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe
Analysis ID: 1428515
MD5: 5a12407fb09eefa5a7734a316082a5db
SHA1: fac732eaf01fca53435a85df588e7167369e5ebc
SHA256: 9a238485bc76356734188a4092838d33b12a4ff59969a243884ab034aba5d35d
Tags: exe

Detection

Score: 30
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to modify clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Found potential string decryption / allocating functions
Sample file is different than original file name gathered from version info
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Screensaver Binary File Creation
Uses 32bit PE files

Classification

AV Detection

Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Avira: detected
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe ReversingLabs: Detection: 31%
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Virustotal: Detection: 42%
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe String found in binary or memory: http://12814821.s21d.faiusrd.com/0/ABUIABBLGAAggq6cmwYopNPM-Qc.exe?f=%E8%BF%9C%E7%A8%8B%E5%B8%AE%E5%
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe String found in binary or memory: http://kr66666.com
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe String found in binary or memory: http://kr66666.com/h-col-103.html
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe String found in binary or memory: http://kr66666.com/h-col-103.htmlhttp://12814821.s21d.faiusrd.com/0/ABUIABBLGAAggq6cmwYopNPM-Qc.exe?
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe String found in binary or memory: http://kr66666.com/h-nd-26.html
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe String found in binary or memory: http://pan.baidu.com/s/1CL7GcL7HpOMLfWCo5slmxA?pwd=g41d
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe String found in binary or memory: http://pan.baidu.com/s/1YNpTbPkGyZ4ANS-94e695g?pwd=i6v4
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe String found in binary or memory: http://pan.baidu.com/s/1YNpTbPkGyZ4ANS-94e695g?pwd=i6v4http://kr66666.comhttp://pan.baidu.com/s/1CL7
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe String found in binary or memory: http://pan.baidu.com/s/1e49pLO57eL39PXBOAiVf0w?pwd=43j0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Code function: 0_2_004082A0 #1175,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,#800, 0_2_004082A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Code function: 0_2_00408890 _mbscmp,_mbscmp,MessageBoxA,#2818,#535,_mbscmp,#537,GetAsyncKeyState,GetAsyncKeyState,SHGetSpecialFolderPathA,SHGetSpecialFolderPathA,#356,#537,#2818,#540,#540,#540,#540,#2770,#2781,#4058,#3178,#858,#800,#5683,#4277,#858,#800,#4204,_mbscmp,strstr,strstr,#1980,#800,#800,#800,#800,#800,#668,GetAsyncKeyState,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,#2818,MessageBoxA,#924,#922,WinExec,#800,#800,#1980,#800,#800,#800,#800,#800,#668,fclose,#924,#922,WinExec,#800,#800,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,#2818,fopen,SHGetSpecialFolderPathA,#356,#537,#2818,#540,#540,#540,#540,#2770,#2781,#4058,#3178,#858,#800,#5683,#4277,#858,#800,#4204,_mbscmp,strstr,strstr,strstr,strstr,fclose,#924,#922,WinExec,#800,#800,#2818,#2818,#924,#922,WinExec,#800,#800,#1980,#800,#800,#800,#800,#800,#668,#1980,MessageBoxA,#800,#800,#800,#800,#800,#668,#537,#800,#800, 0_2_00408890
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Code function: String function: 00406C48 appears 144 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Code function: String function: 00406C30 appears 92 times
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe, 00000000.00000002.3427024451.0000000000412000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamekbb.EXE vs SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Binary or memory string: OriginalFilenamekbb.EXE vs SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe
Source: classification engine Classification label: sus30.winEXE@1/2@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Code function: 0_2_00403370 CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize, 0_2_00403370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Code function: 0_2_004049E0 GetModuleHandleA,GetModuleHandleA,FindResourceA,GetModuleHandleA,LoadResource,LockResource,GetModuleHandleA,SizeofResource,#537,#354,#5186,#6385,#1979,#665,#800,#6334,fopen,SendMessageA,SendMessageA,SendMessageA,#537,#537,#860,#860,#537,#537,#537,#800,#537,#537,#537,#537,#537,#537,#537,#800,#537,#537,#537,#537,#537,#537,#537,#537,#537,#537,#537,#537,#537,#535,#535,#537,#537,#537,#537,#537,#537,#537,#800,#537,#537,#537,#537,#537,#537,#537,#537,#537,#537,#537,#537,#537,#537,#537,fclose,Sleep,#537,#537,#537,#800,#800, 0_2_004049E0
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe String found in binary or memory: (setq s (vla-add selec "11str11"))
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe String found in binary or memory: (setq gr (vla-add groups "hide_object_sd"));
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe String found in binary or memory: (setq gr (vla-add groups "hide_object_2sd"));
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe String found in binary or memory: (vla-StartUndoMark (vla-get-ActiveDocument (vlax-get-acad-object)))
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe String found in binary or memory: (setq tmp (vla-addText space (nth idx txt) (nth idx inspt) (nth idx height)))
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe String found in binary or memory: (setq dic (vla-add acdic "ObjectLock"))
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe String found in binary or memory: (setq xrec (vla-addxrecord dic "Handles"))
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Section loaded: mfc42.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Window detected: Number of UI elements: 20
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Static file information: File size 2076672 > 1048576
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1ec000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Code function: 0_2_00406270 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379, 0_2_00406270
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Code function: 0_2_00406390 #537,#535,#2818,Sleep,Sleep,Sleep,Sleep,SetForegroundWindow,SetActiveWindow,#800,BlockInput,#2818,#535,BringWindowToTop,Sleep,Sleep,SetForegroundWindow,SetForegroundWindow,Sleep,SetActiveWindow,SetActiveWindow,Sleep,Sleep,Sleep,Sleep,BlockInput,#537,Sleep,SetForegroundWindow,SetActiveWindow,#800,#800, 0_2_00406390

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Code function: 0_2_00404170 GetDC,#2859,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,FindWindowA,GetWindowRect,GetWindowRect,GetWindowRect,GetWindowRect,_ftol,MoveWindow,#537,GetWindow,GetWindowRect,GetClassNameA,#2818,GetWindowTextA,strstr,SendMessageA,GetWindowRect,GetWindowRect,ScreenToClient,_ftol,_ftol,MoveWindow,GetWindow,#800, 0_2_00404170
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Code function: 0_2_00408370 SetForegroundWindow,Sleep,SetActiveWindow,MapVirtualKeyA,MapVirtualKeyA,keybd_event,keybd_event,MapVirtualKeyA,keybd_event,GetAsyncKeyState,MapVirtualKeyA,MapVirtualKeyA,keybd_event,keybd_event,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState, 0_2_00408370
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe, 00000000.00000002.3426935493.000000000019B000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe, 00000000.00000002.3426935493.000000000019B000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager ChromeaIconWindowClass.0
Source: SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe Binary or memory string: \*.*F:\Program Files\AutoCAD%d\acad.exeF:\Program Files\AutoCAD %d\acad.exeE:\Program Files\AutoCAD%d\acad.exeE:\Program Files\AutoCAD %d\acad.exeD:\Program Files\AutoCAD%d\acad.exeD:\Program Files\AutoCAD %d\acad.exeC:\Program Files\AutoCAD%d\acad.exerbC:\Program Files\AutoCAD %d\acad.exeProgram Files (x86)Program Files%s%s\%sCADcadlnkopenF:\Program Files (x86)\Autodesk\AutoCAD%d\acad.exeF:\Program Files (x86)\AutoCAD%d\acad.exeF:\Program Files\Autodesk\AutoCAD%d\acad.exeF:\Program Files (x86)\Autodesk\AutoCAD %d\acad.exeF:\Program Files (x86)\AutoCAD %d\acad.exeF:\Program Files\Autodesk\AutoCAD %d\acad.exeE:\Program Files (x86)\Autodesk\AutoCAD%d\acad.exeE:\Program Files (x86)\AutoCAD%d\acad.exeE:\Program Files\Autodesk\AutoCAD%d\acad.exeE:\Program Files (x86)\Autodesk\AutoCAD %d\acad.exeE:\Program Files (x86)\AutoCAD %d\acad.exeE:\Program Files\Autodesk\AutoCAD %d\acad.exeD:\Program Files (x86)\Autodesk\AutoCAD%d\acad.exeD:\Program Files (x86)\AutoCAD%d\acad.exeD:\Program Files\Autodesk\AutoCAD%d\acad.exeD:\Program Files (x86)\Autodesk\AutoCAD %d\acad.exeD:\Program Files (x86)\AutoCAD %d\acad.exeD:\Program Files\Autodesk\AutoCAD %d\acad.exeC:\Program Files (x86)\Autodesk\AutoCAD%d\acad.exeC:\Program Files (x86)\AutoCAD%d\acad.exeC:\Program Files\Autodesk\AutoCAD%d\acad.exeC:\Program Files (x86)\Autodesk\AutoCAD %d\acad.exeC:\Program Files (x86)\AutoCAD %d\acad.exeC:\Program Files\Autodesk\AutoCAD %d\acad.exeAutoCAD 2Shell_TrayWndComboBox
No contacted IP infos