Windows Analysis Report
SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe

Overview

General Information

Sample name:	SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe
Analysis ID:	1430480
MD5:	832d2e222679399e099ca696a14fa66a
SHA1:	a34bf6c8d76702928670ceb7f4e0a7a40ac41d07
SHA256:	eda26cab4e335bc20786046a525aa6079c0bba7d6aa5bbd49164e6ce1c796c62
Tags:	exe
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

PE file contains section with special chars

Entry point lies outside standard sections

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe

ReversingLabs: Detection: 26%

Machine Learning detection for sample

Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

System Summary

PE file contains section with special chars

Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe	Static PE information: section name: .8;y
Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe	Static PE information: section name: .gJ+
Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe	Static PE information: section name: .z!h

Source: classification engine

Classification label: mal56.winEXE@2/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5340:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe	Section loaded: d3dx9_43.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe	Section loaded: netutils.dll	Jump to behavior

Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe

Static file information: File size 15426560 > 1048576

Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe

Static PE information: Raw size of .z!h is bigger than: 0x100000 < 0xeb4000

Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .z!h

PE file contains sections with non-standard names

Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe	Static PE information: section name: .8;y
Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe	Static PE information: section name: .gJ+
Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe	Static PE information: section name: .z!h

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	1430480
Product:	CloudBasic
Start time:	17:43:12
Start date:	23.04.2024
Sample:	SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	832d2e222679399e099ca696a14fa66a
SHA1:	a34bf6c8d76702928670ceb7f4e0a7a40ac41d07
SHA256:	eda26cab4e335bc20786046a525aa6079c0bba7d6aa5bbd49164e6ce1c796c62
Filetype:	Win64 Executable Console (202006/5) 92.65%

Windows Analysis Report
SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Screenshots

Behavior Graph

Network Map

Windows Analysis Report SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe