Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.414416598968228
Filename:	SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe
Filesize:	2076672
MD5:	5a12407fb09eefa5a7734a316082a5db
SHA1:	fac732eaf01fca53435a85df588e7167369e5ebc
SHA256:	9a238485bc76356734188a4092838d33b12a4ff59969a243884ab034aba5d35d
SHA512:	8c36e15eee140e8e2dda67a16049974499f30621c46a3809c30d0b945584479e15ecb073cbd0872d38deb69fb49a54dcffd87592853ba09bdfaccb70765e407c
SSDEEP:	49152:xxTc4p7/o0BrafH1g8Cn3XKr8cA3c1A2b:Lc4p9BNtMb
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F.B.'...'...'...'...'...8...'...8...'..3;...'...8...'...8...'.......'.......'...'..H'..X8...'..w!...'..Rich.'.................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection	Disable or Modify Tools
Contains functionality to automate explorer (e.g. start an application)	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging	Disable or Modify Tools
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Disable or Modify Tools
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Disable or Modify Tools
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary	System Information Discovery
Sample is known by Antivirus	System Summary	Disable or Modify Tools
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading Disable or Modify Tools
URLs found in memory or binary data	Networking	Disable or Modify Tools
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary	Disable or Modify Tools
Found window with many clickable UI elements (buttons, textforms, scrollbars etc)	System Summary	Disable or Modify Tools
Found GUI installer (many successful clicks)	System Summary

C:\TEMP10.dwg

DWG AutoDesk AutoCAD 2004/2005/2006

dropped

Details

File:	C:\TEMP10.dwg
Category:	dropped
Dump:	TEMP10.dwg.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe
Type:	DWG AutoDesk AutoCAD 2004/2005/2006
Entropy:	7.563280347600453
Encrypted:	false
Ssdeep:	24576:4fdKck1iYJtpFn0P1oeeXIU/o0BrafH1gdaCn3XKr8cAPvc1AJ:Dc4p7/o0BrafH1g8Cn3XKr8cA3c1AJ
Size:	1508424
Whitelisted:	false
Reputation:	low

C:\abc.scr

Lisp/Scheme program, ISO-8859 text, with CRLF line terminators

dropped

Details

File:	C:\abc.scr
Category:	dropped
Dump:	abc.scr.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe
Type:	Lisp/Scheme program, ISO-8859 text, with CRLF line terminators
Entropy:	5.11200618748028
Encrypted:	false
Ssdeep:	48:kTm8nySk0eNumY07ZVZCwzGR1GxKYpDNoJ0nJ00BcLpdJ0XJ0GsLcOJ0nJ00BcL+:JkySkflXtvCwSjI5ZNoJ0nJ0wcLpdJ07
Size:	2544
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5560
Target ID:	0
Parent PID:	4004
Name:	SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe"
Size:	2076672
MD5:	5A12407FB09EEFA5A7734A316082A5DB
Time:	04:25:11
Date:	19/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	2088960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: SCR File Write Event	System Summary
Sigma detected: Suspicious Screensaver Binary File Creation	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

http://pan.baidu.com/s/1YNpTbPkGyZ4ANS-94e695g?pwd=i6v4

unknown

Details

Name:	http://pan.baidu.com/s/1YNpTbPkGyZ4ANS-94e695g?pwd=i6v4
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe
Source:	SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://pan.baidu.com/s/1e49pLO57eL39PXBOAiVf0w?pwd=43j0

unknown

Details

Name:	http://pan.baidu.com/s/1e49pLO57eL39PXBOAiVf0w?pwd=43j0
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe
Source:	SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://12814821.s21d.faiusrd.com/0/ABUIABBLGAAggq6cmwYopNPM-Qc.exe?f=%E8%BF%9C%E7%A8%8B%E5%B8%AE%E5%

unknown

http://pan.baidu.com/s/1CL7GcL7HpOMLfWCo5slmxA?pwd=g41d

unknown

Details

Name:	http://pan.baidu.com/s/1CL7GcL7HpOMLfWCo5slmxA?pwd=g41d
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe
Source:	SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://pan.baidu.com/s/1YNpTbPkGyZ4ANS-94e695g?pwd=i6v4http://kr66666.comhttp://pan.baidu.com/s/1CL7

unknown

Details

Name:	http://pan.baidu.com/s/1YNpTbPkGyZ4ANS-94e695g?pwd=i6v4http://kr66666.comhttp://pan.baidu.com/s/1CL7
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe
Source:	SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://kr66666.com/h-nd-26.html

unknown

http://kr66666.com/h-col-103.html

unknown

http://kr66666.com/h-col-103.htmlhttp://12814821.s21d.faiusrd.com/0/ABUIABBLGAAggq6cmwYopNPM-Qc.exe?

unknown

http://kr66666.com

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

8D0000

heap

page read and write

260E000

stack

page read and write

412000

unkown

page readonly

8B0000

heap

page read and write

2CA0000

heap

page read and write

915000

heap

page read and write

47F000

unkown

page readonly

8DA000

heap

page read and write

C68000

heap

page read and write

1F0000

heap

page read and write

4B7F000

stack

page read and write

932000

heap

page read and write

2420000

heap

page read and write

401000

unkown

page execute read

8EB000

heap

page read and write

2400000

heap

page read and write

40E000

unkown

page read and write

40D000

unkown

page write copy

401000

unkown

page execute read

911000

heap

page read and write

95000

stack

page read and write

2C90000

heap

page read and write

400000

unkown

page readonly

8DE000

heap

page read and write

284F000

stack

page read and write

8F8000

heap

page read and write

412000

unkown

page readonly

400000

unkown

page readonly

40B000

unkown

page readonly

915000

heap

page read and write

270F000

stack

page read and write

4A7E000

stack

page read and write

C6E000

heap

page read and write

274E000

stack

page read and write

3FF0000

heap

page read and write

47F000

unkown

page readonly

2C98000

heap

page read and write

40B000

unkown

page readonly

932000

heap

page read and write

40D000

unkown

page write copy

8B4000

heap

page read and write

6E0000

heap

page read and write

2C9E000

heap

page read and write

4130000

trusted library allocation

page read and write

19B000

stack

page read and write

C60000

heap

page read and write

6D0000

heap

page read and write

There are 37 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe

Files

Processes

URLs

Memdumps

IOC Report
SecuriteInfo.com.Win32.BankerX-gen.7761.21527.exe