Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.150051908780836
Filename:	SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe
Filesize:	1772168
MD5:	ffb4c4458546447f3bee304de21cd2eb
SHA1:	002c2f32ee46dacb422e75f687d8f74690184d31
SHA256:	2e823662bd36d30faea424591d4bf1557224007d9ee859917bb769a45cd4c0c6
SHA512:	a0879f813da4ae4a68f844dd20534c4cfc754e8c4a96a9c4498fde70ee0b3ab2261d71a5cbbe2c1f5239935e6c254d49df032c3466475d49dbd9c5f51c0f34be
SSDEEP:	24576:MMW7HssTOhL+0w6ZCNfNq8OPvTOiY+5dhhsqEyJ7VnHI4kyZHtwcy6FWEXGzt1WU:MRHssTOhLvPjYBK5T7rLRy
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................6.......................Rich............PE..L...}:.R.....................@....................@................

Signature Hits	Behavior Group	Mitre Attack
Creates files in alternative data streams (ADS)	Hooking and other Techniques for Hiding and Protection	NTFS File Attributes
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery
Creates files inside the system directory	System Summary	Masquerading
Detected potential crypto function	System Summary	Security Software Discovery Archive Collected Data Encrypted Channel
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
PE / OLE file has an invalid certificate	System Summary	Security Software Discovery
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Creates files inside the user directory	System Summary
Creates mutexes	System Summary
Creates temporary files	System Summary	Security Software Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary
Reads software policies	System Summary	System Information Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking	Security Software Discovery
Uses an in-process (OLE) Automation server	System Summary
Writes ini files	System Summary	File and Directory Discovery
PE file has a big raw section	System Summary
Creates a software uninstall entry	Compliance, System Summary	Windows Service
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\Desktop\FalseUserPass.ini:SmartLogin.txt

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\Desktop\FalseUserPass.ini:SmartLogin.txt
Category:	dropped
Dump:	FalseUserPass.ini_SmartLogin.txt.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe
Type:	ASCII text, with no line terminators
Entropy:	1.5
Encrypted:	false
Ssdeep:	3:O:O
Size:	4
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files in alternative data streams (ADS)	Hooking and other Techniques for Hiding and Protection	NTFS File Attributes
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Temp\~DF7FC1D6B129264C8B.TMP

Composite Document File V2 Document, Cannot read section info

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\~DF7FC1D6B129264C8B.TMP
Category:	dropped
Dump:	~DF7FC1D6B129264C8B.TMP.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe
Type:	Composite Document File V2 Document, Cannot read section info
Entropy:	5.702032552150412
Encrypted:	false
Ssdeep:	3072:/RZEfPnavcu54Qj2C7eWifYJ1EIZ8qMBwYcsYFRT:HEfSPpeWEU1EIZ8ZwYcsYFRT
Size:	409600
Whitelisted:	false
Reputation:	low

C:\Users\user\Desktop\FalseUserPass.ini.lock

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\Desktop\FalseUserPass.ini.lock
Category:	dropped
Dump:	FalseUserPass.ini.lock.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe
Type:	ASCII text, with no line terminators
Entropy:	1.5
Encrypted:	false
Ssdeep:	3:T:T
Size:	4
Whitelisted:	false
Reputation:	low

C:\Windows\FalseUserPass.ini

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Windows\FalseUserPass.ini
Category:	dropped
Dump:	FalseUserPass.ini.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.098068512058838
Encrypted:	false
Ssdeep:	3:1MwECwJOn:1MO
Size:	30
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the system directory	System Summary	Masquerading
Reads ini files	System Summary	File and Directory Discovery
Writes ini files	System Summary	File and Directory Discovery

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

"C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2172
Target ID:	0
Parent PID:	4056
Name:	SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe"
Size:	1772168
MD5:	FFB4C4458546447F3BEE304DE21CD2EB
Time:	05:25:30
Date:	25/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1773568
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
PE / OLE file has an invalid certificate	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

http://www.startssl.com/sfsca.crt0

unknown

http://ocsp.startssl.com/sub/class2/code/ca0

unknown

http://aia.startssl.com/certs/sub.class2.code.ca.crt0#

unknown

http://crl.thawte.com/ThawteTimestampingCA.crl0

unknown

http://www.startssl.com/sfsca.crl0

unknown

http://www.startssl.com/policy.pdf04

unknown

http://blog.aloaha.com

unknown

http://ocsp.thawte.com0

unknown

http://crl.startssl.com/sfsca.crl0

unknown

http://www.startssl.com/policy.pdf0

unknown

http://www.startssl.com/intermediate.pdf0

unknown

http://www.aloaha.com/shop-en/aloaha-smart-login.php

unknown

http://www.aloaha.com/shop-en/aloaha-smart-login.php$Leaving

unknown

http://www.startssl.com/0

unknown

http://crl.startssl.com/crtc2-crl.crl0

unknown

http://www.aloaha.com/wi-software-en/uprade-your-aloaha-pdf-suite.php

unknown

http://www.aloaha.com/shop-en/aloaha-smart-login.phpslator.dll945.exe:2172

unknown

There are 7 hidden URLs, click here to show them.

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Aloaha

useini

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Aloaha

ctest

HKEY_CURRENT_USER\SOFTWARE\Aloaha\pdf

alias

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Aloaha

debugpath

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Aloaha

atest

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Aloaha\pdf

commondir

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Aloaha\RKK

StandardHive

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Aloaha\RKK

LogonDomain

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Aloaha\RKK\Settings\Logon\Standard

LogonDomain

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Aloaha\CSP

AllowHID

HKEY_CURRENT_USER\SOFTWARE\Aloaha\CSP

AllowHID

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Aloaha\CSP

ForceHID

HKEY_CURRENT_USER\SOFTWARE\Aloaha\CSP

ForceHID

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

[119D030E-70FA-4F86-A944-ECAF4495A798]

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall

[119D030E-70FA-4F86-A944-ECAF4495A798]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SYSTEM

DisableChangePassword

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Aloaha\CSP

Permissions

HKEY_CURRENT_USER\SOFTWARE\Aloaha\CSP

Permissions

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Aloaha\GINA

MonitorCertOnly

There are 9 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

7B1000

heap

page read and write

2260000

heap

page read and write

7B1000

heap

page read and write

7BD000

heap

page read and write

22C0000

heap

page read and write

7B1000

heap

page read and write

7B1000

heap

page read and write

469000

unkown

page execute read

7BD000

heap

page read and write

400000

unkown

page readonly

401000

unkown

page execute read

720000

trusted library allocation

page execute read

7B1000

heap

page read and write

7B1000

heap

page read and write

7BD000

heap

page read and write

7C2000

heap

page read and write

550000

unkown

page readonly

690000

heap

page read and write

739000

heap

page read and write

7C2000

heap

page read and write

74E000

heap

page read and write

9A000

stack

page read and write

7B1000

heap

page read and write

425000

unkown

page execute read

3120000

heap

page read and write

7B1000

heap

page read and write

7C2000

heap

page read and write

7CD000

heap

page read and write

32CD000

stack

page read and write

7B1000

heap

page read and write

7C2000

heap

page read and write

7B1000

heap

page read and write

7B1000

heap

page read and write

469000

unkown

page execute read

1F0000

heap

page read and write

840000

heap

page read and write

7C2000

heap

page read and write

2240000

heap

page read and write

550000

unkown

page readonly

7B1000

heap

page read and write

7C2000

heap

page read and write

7B1000

heap

page read and write

7BD000

heap

page read and write

2D10000

heap

page read and write

763000

heap

page read and write

7C8000

heap

page read and write

400000

unkown

page readonly

7C8000

heap

page read and write

54D000

unkown

page read and write

341E000

stack

page read and write

3140000

heap

page read and write

7C2000

heap

page read and write

7B1000

heap

page read and write

7C7000

heap

page read and write

6B0000

heap

page read and write

6D6000

heap

page read and write

22D0000

trusted library allocation

page read and write

7C8000

heap

page read and write

7C1000

heap

page read and write

7BD000

heap

page read and write

22C5000

heap

page read and write

2A10000

heap

page read and write

7C8000

heap

page read and write

7C2000

heap

page read and write

2B78000

trusted library allocation

page read and write

7B1000

heap

page read and write

7BC000

heap

page read and write

7BD000

heap

page read and write

318D000

stack

page read and write

7B1000

heap

page read and write

7B1000

heap

page read and write

7BD000

heap

page read and write

7C2000

heap

page read and write

7B1000

heap

page read and write

74A000

heap

page read and write

2D20000

trusted library section

page read and write

774000

heap

page read and write

7BD000

heap

page read and write

59A000

unkown

page readonly

740000

heap

page read and write

2B14000

heap

page read and write

7BD000

heap

page read and write

5AF000

unkown

page readonly

788000

heap

page read and write

328E000

stack

page read and write

7B1000

heap

page read and write

7B1000

heap

page read and write

19C000

stack

page read and write

5AF000

unkown

page readonly

2B10000

heap

page read and write

7C8000

heap

page read and write

7C8000

heap

page read and write

2B33000

trusted library allocation

page read and write

7B1000

heap

page read and write

2B20000

trusted library allocation

page read and write

7B1000

heap

page read and write

7C2000

heap

page read and write

425000

unkown

page execute read

7B1000

heap

page read and write

7B1000

heap

page read and write

401000

unkown

page execute read

7B1000

heap

page read and write

7B1000

heap

page read and write

59A000

unkown

page readonly

7C8000

heap

page read and write

730000

heap

page read and write

7B1000

heap

page read and write

6D0000

heap

page read and write

7B1000

heap

page read and write

7BD000

heap

page read and write

7B1000

heap

page read and write

7B1000

heap

page read and write

850000

heap

page read and write

3310000

heap

page read and write

7C2000

heap

page read and write

7BD000

heap

page read and write

There are 106 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

Files

Processes

URLs

Registry

Memdumps

IOC Report
SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe