Windows
Analysis Report
SecuriteInfo.com.Trojan.GenericKD.72238195.888.8814.exe
Overview
General Information
Detection
Score: | 64 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Contains functionality to detect sleep reduction / modifications
Sample or dropped binary is a compiled AutoHotkey binary
Uses Windows timers to delay execution
Uses known network protocols on non-standard ports
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)
Classification
- System is w10x64
- SecuriteInfo.com.Trojan.GenericKD.72238195.888.8814.exe (PID: 4420, cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72238195.888.8814.exe", MD5: D29BD11F97BF66B86FEED7F50A208BAD)
- cleanup
- No configs have been found
- No YARA matches
- No Sigma rule has matched
- No Snort rule has matched
AV Detection |
---|
Source: | Virustotal: | Perma Link |
Source: | Code function: | 0_2_00000001400AE260 |
Source: | Code function: | 0_2_00000001400AE160 |
Source: | Code function: | 0_2_000000014003C8E0 |
Source: | Code function: | 0_2_0000000140066F50 |
Source: | Code function: | 0_2_00000001400672B0 |
Source: | Code function: | 0_2_0000000140081660 |
Source: | Code function: | 0_2_0000000140067900 |
Source: | Code function: | 0_2_0000000140081C50 |
Networking |
---|
Source: | Network traffic detected: |
Source: | Network traffic detected: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |