Windows Analysis Report
SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe
Analysis ID: 1431439
MD5: cb6c38c569fb8a194636dcbca81f28c7
SHA1: 99d990f912c3f564fc532ce3c74daf21344b5b3e
SHA256: 336bc599c4ab70fe1e36913f9217b1081b935f5a0333d22239d837de694ab3aa
Tags: exe
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Uses Windows timers to delay execution
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Avira: detected
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll Jump to behavior
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\mysink\VS2008\Projects\RemoveCredentialProvider\RemoveCredentialProvider\obj\Release\RemoveCredentialProvider.pdb source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe String found in binary or memory: http://aia.startssl.com/certs/sub.class2.code.ca.crt0#
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe String found in binary or memory: http://crl.startssl.com/crtc2-crl.crl0
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe String found in binary or memory: http://crl.startssl.com/sfsca.crl0
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe String found in binary or memory: http://ocsp.startssl.com/sub/class2/code/ca0
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe String found in binary or memory: http://www.startssl.com/0
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe String found in binary or memory: http://www.startssl.com/intermediate.pdf0
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe String found in binary or memory: http://www.startssl.com/policy.pdf0
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe String found in binary or memory: http://www.startssl.com/policy.pdf04
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe String found in binary or memory: http://www.startssl.com/sfsca.crl0
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe String found in binary or memory: http://www.startssl.com/sfsca.crt0
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe, 00000000.00000000.2395870530.00000000003A8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRemoveCredentialProvider.exeT vs SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Binary or memory string: OriginalFilenameRemoveCredentialProvider.exeT vs SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal56.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Mutant created: NULL
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll Jump to behavior
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\mysink\VS2008\Projects\RemoveCredentialProvider\RemoveCredentialProvider\obj\Release\RemoveCredentialProvider.pdb source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Uses Windows timers to delay execution
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe User Timer Set: Timeout: 100ms Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Memory allocated: D00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Memory allocated: 29E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Memory allocated: 1A9E0000 memory commit | memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe TID: 6620 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe Memory allocated: page read and write | page guard Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1431439 Sample: SecuriteInfo.com.Trojan.Dow... Startdate: 25/04/2024 Architecture: WINDOWS Score: 56 8 Antivirus / Scanner detection for submitted sample 2->8 10 Machine Learning detection for sample 2->10 5 SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe 2 2->5         started        process3 signatures4 12 Uses Windows timers to delay execution 5->12
No contacted IP infos