Windows Analysis Report
SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe

Overview

General Information

Sample name: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe
Analysis ID: 1429026
MD5: b1f4de35bbe7146f49c7d99e1e3428d7
SHA1: 9327fda584f1bead79ca9e88350213cfe11d86d7
SHA256: 89d19fc31c09ba59b296449138111a40baee2e5d3d85d3ea93874e369db82604
Tags: exe

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file (VirusTotal: 7%)
PE file contains more sections than normal (11; the heuristic threshold is 10)
PE file contains sections with non-standard names (.didata)
Potential time zone aware malware (queries CurrentTimeZoneInformation)
Program does not show much activity (idle): no thread injection, dropped files, registry values created, disk infection or DNS queries observed
Uses 32bit PE files (32BIT_MACHINE set in the file characteristics)

AV Detection

Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe Virustotal: Detection: 7%
Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe, 00000000.00000000.2043298741.0000000000401000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe String found in binary or memory: http://fontawesome.io
Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe String found in binary or memory: http://fontawesome.io/license/
Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe String found in binary or memory: http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens
Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe Static PE information: Number of sections : 11 > 10
Source: classification engine Classification label: mal48.winEXE@1/0@0/0
Source: Yara match File source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe, type: SAMPLE
Source: Yara match File source: 0.0.SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2043298741.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe, 00000000.00000000.2044079750.00000000009E4000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO ordentipo (CODORDTIPO, ord_tipo, ctaco_tipo, calcula_utilidad, carga_inventario, maneja_costo, dialogos_costo, maneja_puntos, maneja_iva, maneja_kardex, maneja_pagos, carga_ctaco, maneja_caja, acumula_productos, seleccionar, correlativo, tipo_correlativo, utiliza_correlativo, presenta_dialogo_pagos, presenta_precios, pago, reporte, facturacion, imprime_solo_operadas, seleccionar2, emite_recibo, reporte2, maneja_productos, modifica_costos, numero_lineas, descripcion_corta, produccion0, produccion1, utiliza_correlativo2, cambiar_bodega, modifica_precios_publico, guarda_precio_dolares, permite_utilizar_cuenta_predeterminada, tipo_producto_fisico, tipo_producto_documento, CODUNICO, activo, columna_pagos) VALUES ('TRANS_RECIBIDA', 'TRANSFERENCIA RECIBIDA', 'NO APLICA', 'NO', 'CARGA', 'COSTO', 'PCOSTO', 'NO', 'NO', 'SI', 'NO', 'NO APLICA', 'NO APLICA', 'NO', 'SI', 9, 'NULL', 'SI', 'NO', 'NO', 'NO', 'InventarioTransferenciaRecibida.fr3', 'NO', 'SI', 'NO', 'NO', 'NULL', 'SI', 'NO', 0, 'TREMR', 'CARGA', 'DESCARGA', 'SI', 'NO', 'NO', 'NO', 'NO', 'SI', '%', 31, 'SI', 'PAGOS E IMPORTE');
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe Sections loaded (in order): version.dll, netapi32.dll, wsock32.dll, winmm.dll, oleacc.dll, netutils.dll, uxtheme.dll, kernel.appcore.dll, wtsapi32.dll, winsta.dll, colorui.dll, mscms.dll, userenv.dll, coloradapterclient.dll, compstui.dll, msimg32.dll, inetres.dll, windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, windowscodecs.dll, textshaping.dll, dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe Static file information: File size 6604800 > 1048576
Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe Static PE information: Raw size of .text (0x533c00) is bigger than 0x100000
Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe Static PE information: More than 200 imports for user32.dll
Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe Static PE information: section name: .didata
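The static findings above (section count, section names, 32-bit flag, characteristics word, oversized .text) are all derived from the PE headers alone. The script below is an added example, not part of the sandbox report, that re-derives them from raw bytes with only the standard library. It parses the DOS header, COFF file header, optional-header magic and section table, decodes the IMAGE_FILE_* characteristics into the same comma-separated string the report prints, and applies the thresholds the report uses (more than 10 sections, .text larger than 0x100000). The allowlist of "standard" section names, the section layout of the constructed sample (a header-only PE32 with eleven Delphi-style sections including .didata) and the helper names are assumptions made for the example; the analysed file itself is not embedded.

```python
"""Static PE header triage: re-derives the section-count, section-name,
32-bit and characteristics findings of the report above from raw headers.
Added example, standard library only; the sample PE is constructed in memory."""
import struct

# IMAGE_FILE_* characteristic bits (PE/COFF spec), kept in ascending order so
# the decoded string comes out in the same order the report prints it.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
    0x8000: "BYTES_REVERSED_HI",
}
IMAGE_FILE_32BIT_MACHINE = 0x0100
PE32_MAGIC = 0x10B

# Assumption: allowlist of section names treated as "standard". .itext is
# Delphi's initialisation-code section and is accepted here; .didata
# (Delphi delay-load import data) is not, which matches the report's finding.
STANDARD_SECTIONS = {".text", ".itext", ".data", ".rdata", ".bss", ".idata",
                     ".edata", ".pdata", ".rsrc", ".reloc", ".tls"}
MAX_NORMAL_SECTIONS = 10   # report threshold: "11 > 10"
LARGE_TEXT = 0x100000      # report threshold for .text virtual/raw size


def parse_pe(data: bytes) -> dict:
    """Parse DOS header, COFF file header, optional-header magic and the
    section table. Section contents are never read."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, n_sections, _ts, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    magic = struct.unpack_from("<H", data, coff + 20)[0]   # first word of optional header
    table = coff + 20 + opt_size                           # section table follows it
    sections = []
    for i in range(n_sections):
        (name, vsize, _vaddr, raw_size, _raw_ptr, _relocs, _lines,
         _nrelocs, _nlines, flags) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vsize": vsize, "raw_size": raw_size, "flags": flags})
    return {"machine": machine, "magic": magic,
            "characteristics": characteristics, "sections": sections}


def decode_characteristics(value: int) -> str:
    """0x818E -> 'EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, ..., BYTES_REVERSED_HI'."""
    return ", ".join(name for bit, name in sorted(CHARACTERISTICS.items()) if value & bit)


def static_signatures(pe: dict) -> list:
    """Return the report-style static findings that apply to the parsed headers."""
    out = []
    secs = pe["sections"]
    if len(secs) > MAX_NORMAL_SECTIONS:
        out.append(f"Number of sections : {len(secs)} > {MAX_NORMAL_SECTIONS}")
    for name in (s["name"] for s in secs if s["name"] not in STANDARD_SECTIONS):
        out.append(f"section name: {name}")
    if pe["magic"] == PE32_MAGIC and pe["characteristics"] & IMAGE_FILE_32BIT_MACHINE:
        out.append("Uses 32bit PE files")
    for s in secs:
        if s["name"] != ".text":
            continue
        if s["vsize"] > LARGE_TEXT:
            out.append(f"Virtual size of .text is bigger than: {LARGE_TEXT:#x}")
        if s["raw_size"] > LARGE_TEXT:
            out.append(f"Raw size of .text ({s['raw_size']:#x}) is bigger than {LARGE_TEXT:#x}")
    return out


def build_sample_pe(section_names, text_size=0x533C00,
                    machine=0x14C, characteristics=0x818E) -> bytes:
    """Constructed stand-in: a header-only PE32 with the given section table.
    0x818E is the characteristics word the report decodes and 0x533C00 the
    .text raw size it prints; this is not the analysed sample."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))     # e_lfanew: PE header right after DOS header
    opt = bytearray(224)                            # PE32 optional header, zeroed except Magic
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, len(opt), characteristics)
    table = b""
    for name in section_names:
        size = text_size if name == ".text" else 0x1000
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             size, 0x1000, size, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Assumed section layout of a Delphi-built EXE: eleven sections, one of them .didata.
DELPHI_SECTIONS = [".text", ".itext", ".data", ".bss", ".idata", ".didata",
                   ".edata", ".tls", ".rdata", ".reloc", ".rsrc"]

if __name__ == "__main__":
    pe = parse_pe(build_sample_pe(DELPHI_SECTIONS))
    print("Characteristics:", decode_characteristics(pe["characteristics"]))
    for line in static_signatures(pe):
        print("Static PE information:", line)
```

Run against a real file by replacing the constructed bytes with `open(path, "rb").read()`. Note that every finding this reproduces is a property of how the binary was built, not of what it does: .didata, .itext, a section count above ten and a multi-megabyte .text are what a large Delphi application normally looks like, and the same binary also reads HKCU\Software\Borland\Delphi\Locales, which is the Delphi runtime's localisation lookup. With no process, file, registry-write or network activity recorded in the run and a 7% VirusTotal rate, the score of 48 rests on these static oddities plus the scanner hits; confirming or rejecting the "Backdoor.Androm" label needs a longer run with user interaction or manual analysis of the unpacked image.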
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe System information queried: CurrentTimeZoneInformation
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe Binary or memory string: Shell_TrayWndSVW
Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SV
No contacted IPs.