Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe
Analysis ID:	1431439
MD5:	cb6c38c569fb8a194636dcbca81f28c7
SHA1:	99d990f912c3f564fc532ce3c74daf21344b5b3e
SHA256:	336bc599c4ab70fe1e36913f9217b1081b935f5a0333d22239d837de694ab3aa
Tags:	exe
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Uses Windows timers to delay execution

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe (PID: 6560 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe" MD5: CB6C38C569FB8A194636DCBCA81F28C7)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

Avira: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Jump to behavior

Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\mysink\VS2008\Projects\RemoveCredentialProvider\RemoveCredentialProvider\obj\Release\RemoveCredentialProvider.pdb source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	String found in binary or memory: http://aia.startssl.com/certs/sub.class2.code.ca.crt0#
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	String found in binary or memory: http://crl.startssl.com/crtc2-crl.crl0
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	String found in binary or memory: http://crl.startssl.com/sfsca.crl0
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	String found in binary or memory: http://ocsp.startssl.com/sub/class2/code/ca0
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	String found in binary or memory: http://www.startssl.com/0
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	String found in binary or memory: http://www.startssl.com/intermediate.pdf0
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	String found in binary or memory: http://www.startssl.com/policy.pdf0
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	String found in binary or memory: http://www.startssl.com/policy.pdf04
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	String found in binary or memory: http://www.startssl.com/sfsca.crl0
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	String found in binary or memory: http://www.startssl.com/sfsca.crt0

Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe, 00000000.00000000.2395870530.00000000003A8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRemoveCredentialProvider.exeT vs SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe
Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Binary or memory string: OriginalFilenameRemoveCredentialProvider.exeT vs SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal56.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

Mutant created: NULL

Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Section loaded: shfolder.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Jump to behavior

Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\mysink\VS2008\Projects\RemoveCredentialProvider\RemoveCredentialProvider\obj\Release\RemoveCredentialProvider.pdb source: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Uses Windows timers to delay execution

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

User Timer Set: Timeout: 100ms

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Memory allocated: D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Memory allocated: 29E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	Memory allocated: 1A9E0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe TID: 6620

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

Memory allocated: page read and write | page guard

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	131 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	131 Virtualization/Sandbox Evasion	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	100%	Avira	TR/Dropper.Gen
SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://www.startssl.com/policy.pdf0	0%	Avira URL Cloud	safe
http://www.startssl.com/intermediate.pdf0	0%	Avira URL Cloud	safe
http://www.startssl.com/sfsca.crt0	0%	Avira URL Cloud	safe
http://ocsp.startssl.com/sub/class2/code/ca0	0%	Avira URL Cloud	safe
http://aia.startssl.com/certs/sub.class2.code.ca.crt0#	0%	Avira URL Cloud	safe
http://ocsp.startssl.com/sub/class2/code/ca0	0%	Virustotal		Browse
http://aia.startssl.com/certs/sub.class2.code.ca.crt0#	0%	Virustotal		Browse
http://www.startssl.com/0	0%	Avira URL Cloud	safe
http://www.startssl.com/sfsca.crt0	0%	Virustotal		Browse
http://www.startssl.com/sfsca.crl0	0%	Avira URL Cloud	safe
http://www.startssl.com/intermediate.pdf0	0%	Virustotal		Browse
http://crl.startssl.com/crtc2-crl.crl0	0%	Avira URL Cloud	safe
http://www.startssl.com/policy.pdf0	0%	Virustotal		Browse
http://www.startssl.com/policy.pdf04	0%	Avira URL Cloud	safe
http://crl.startssl.com/sfsca.crl0	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.startssl.com/policy.pdf0	SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.startssl.com/sfsca.crt0	SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.startssl.com/sub/class2/code/ca0	SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.startssl.com/intermediate.pdf0	SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://aia.startssl.com/certs/sub.class2.code.ca.crt0#	SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.startssl.com/0	SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	false		high
http://www.startssl.com/sfsca.crl0	SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	false	Avira URL Cloud: safe	unknown
http://crl.startssl.com/crtc2-crl.crl0	SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	false	Avira URL Cloud: safe	unknown
http://www.startssl.com/policy.pdf04	SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	false	URL Reputation: safe	unknown
http://crl.startssl.com/sfsca.crl0	SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431439
Start date and time:	2024-04-25 05:24:32 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe
Detection:	MAL
Classification:	mal56.evad.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 98% Number of executed functions: 35 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe, PID 6560 because it is empty
Report size getting too big, too many NtQueryValueKey calls found.

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.353515836484479
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe
File size:	49'863 bytes
MD5:	cb6c38c569fb8a194636dcbca81f28c7
SHA1:	99d990f912c3f564fc532ce3c74daf21344b5b3e
SHA256:	336bc599c4ab70fe1e36913f9217b1081b935f5a0333d22239d837de694ab3aa
SHA512:	68496a96359529b4ac5c89dd92fc64334b637bd962f2946680e62a1a134de06eb25407b9ccb6e5de751378cc2d8bebfa051e16e8db67937679cf5d09a8c822e5
SSDEEP:	384:9AWIuHHYOrctnncLe45nQfrk8/jhiJzVSd0gGRJq/JyChhtl5BAix8Gz7QnYPLo5:9AlVOr2whNVSAFo7Q1VVPLLa0BdJ
TLSH:	68230806A7E48316FEFB9AF0557312601572FC86EE34DB0E6691723E0CB27D05AA136D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q..Q.................>..........^]... ...`....@.. ....................................@................................

File Icon


Icon Hash:	498a80a2a2808241

Static PE Info

General

Entrypoint:	0x405d5e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x51FACF51 [Thu Aug 1 21:12:49 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5d04	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0xab8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6000	0x1c	.sdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3d64	0x3e00	ca990d13788ecc2985db76f53a18c119	False	0.4485887096774194	data	5.6388312569725025	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata	0x6000	0xa9	0x200	31f3f130bc75b6c27d90f430e6a580be	False	0.24609375	data	2.330758238825601	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x8000	0xab8	0xc00	77fbac7417334b08bc7fb31e9d45633d	False	0.2786458333333333	data	3.7385038003000775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa000	0xc	0x200	7795bf924e956572eb321c78476d8a87	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x8490	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	0.15994623655913978
RT_ICON	0x8778	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	0.3344594594594595
RT_GROUP_ICON	0x88a0	0x22	data	1.0294117647058822
RT_VERSION	0x8160	0x330	data	0.3860294117647059
RT_MANIFEST	0x88c8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	05:25:38
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe"
Imagebase:	0x3a0000
File size:	49'863 bytes
MD5 hash:	CB6C38C569FB8A194636DCBCA81F28C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 00007FFE18821982 Relevance: .9, Instructions: 871COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 700a74053ff7560e172adeef05397d259af1af26f1d1682946cb393530421318
Instruction ID: 34b7461df5118a0e6120ee11489d58095039db818b7a8e84e2dbf09debb46a11
Opcode Fuzzy Hash: 700a74053ff7560e172adeef05397d259af1af26f1d1682946cb393530421318
Instruction Fuzzy Hash: 6C629371A1CB895FEB4ADF2884507B93FA2AF46354FA400FAD44ECB1E3CA389945C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE18820F90 Relevance: .7, Instructions: 748COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a2b2c96cd9dade6943373b767db041ba5b5425be03bbb42ed49305a3650caf
Instruction ID: 31ea488fbae93e79f51641d6013b98decfecd86e846301ca79a95574dd320db4
Opcode Fuzzy Hash: a6a2b2c96cd9dade6943373b767db041ba5b5425be03bbb42ed49305a3650caf
Instruction Fuzzy Hash: D942A361A1DBC95FEB4BDB2888107A83FA2AF57304F6501EAD44DCF1E3DA386945C325

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE18820FF1 Relevance: .7, Instructions: 698COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a2247d4af4f46143f77871db347c5796848e10a7d430320b43dada1031c5ceb
Instruction ID: f59fd3354f8ff1580bf5ee19abb8c015a3f7026adaa516b28bbab1999413339a
Opcode Fuzzy Hash: 3a2247d4af4f46143f77871db347c5796848e10a7d430320b43dada1031c5ceb
Instruction Fuzzy Hash: 14429261A1DBC95FEB4BDB2888107A83FA2AF57344F6501EAD44DCF2E3DA385945C321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE18821003 Relevance: .7, Instructions: 695COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba001143199c62e0213322d37e5c2e2f92fca20864926ace5215c752821b95dd
Instruction ID: 7900c26aaabcaa4737dad19af136ae79a6544097e92eb5b79374a5cad30c8867
Opcode Fuzzy Hash: ba001143199c62e0213322d37e5c2e2f92fca20864926ace5215c752821b95dd
Instruction Fuzzy Hash: A3429161A1DBC95FEB4BDB2888107A83FA2AF57344F6501EAD44DCF2E3DA385945C321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE18821021 Relevance: .7, Instructions: 689COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9149aefc1dbb9293c32b83baf7d37d6c0bbbf8d5893d502ce1b0550d82aaf777
Instruction ID: 012dbc54632989ee34e1f81d4f297dd4b99a0f031c3aa77aa7a3bf737667471e
Opcode Fuzzy Hash: 9149aefc1dbb9293c32b83baf7d37d6c0bbbf8d5893d502ce1b0550d82aaf777
Instruction Fuzzy Hash: E3428061A1DBC95FEB4BDB2888107A83FA2AF57344F6501EAD44DCF2E3DA385945C321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE18821090 Relevance: .6, Instructions: 648COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a78908afb867bea153578469628e0646b9f0a1d410b929c303a33c18e0a0fe4
Instruction ID: d7ecbd217fce45387238e90484b9a5dbfc37a4ff41e6ffd7761aed88cd05653e
Opcode Fuzzy Hash: 5a78908afb867bea153578469628e0646b9f0a1d410b929c303a33c18e0a0fe4
Instruction Fuzzy Hash: E7326F61A1DBC95FEB4BDB2888107A83FA2AF57344F6501EAD44DCF2E3DA385945C321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE188210C1 Relevance: .6, Instructions: 631COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8b9ee8fea1ae6101b7f0f5dd891da3c0c5ca2c94ca9ba4cab91393c0c6fc86
Instruction ID: 6bdc017577554cac1439f626d9ff4be5b10da6f86446a5344be4b4186b26c5fc
Opcode Fuzzy Hash: de8b9ee8fea1ae6101b7f0f5dd891da3c0c5ca2c94ca9ba4cab91393c0c6fc86
Instruction Fuzzy Hash: E3325F62A1DBC95FEB4BDB2888107A83FA2AF57344F6501EAC44DCF1E3DA385945C325

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE188210E0 Relevance: .6, Instructions: 623COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7bb72d342350276af123019747d2fc49eef99dfea4943792eba9ada8d3d43d6
Instruction ID: f89f4fcf6c9e572cc768ad4ee97678a102245cd729aca934120b2fbf673d7e1a
Opcode Fuzzy Hash: f7bb72d342350276af123019747d2fc49eef99dfea4943792eba9ada8d3d43d6
Instruction Fuzzy Hash: 31324E62A1DBC95FE74BDB2888107A83FA2AF57344F6501EAC44DCF2E3DA385945C325

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE18821F08 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79a8e211ec0750e5d0f77cfdf664d8175ac45d7fde60be3b669c56c64f0fe94
Instruction ID: 66e11671c295a26906ca618c42a019e04845d55af4429291b957a75e70957e9c
Opcode Fuzzy Hash: f79a8e211ec0750e5d0f77cfdf664d8175ac45d7fde60be3b669c56c64f0fe94
Instruction Fuzzy Hash: 2CB16631A19A4A4FEB89DF15C4947BD6AD2BF48355F90007AE81EC71E2CE38A945C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE18821F48 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98020c3f912e4fc8b9e4c803d2de31dd37a58cca5bbc8b485e6159967d48c1e5
Instruction ID: 1a026ade1533d5b3ed1acec95a199fbd893811a8dab7bf3235795b78aec1427f
Opcode Fuzzy Hash: 98020c3f912e4fc8b9e4c803d2de31dd37a58cca5bbc8b485e6159967d48c1e5
Instruction Fuzzy Hash: BEB16471A19A4A4FEB89DF15C4947BD6AD2BF48355F9000BAE81FC71E2CF38A945C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE18821F82 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81bf86036137232fe10f9435160caad766e23624b44f7aa13c3845ec3496b3cb
Instruction ID: d2c6c81df1475590f9b1867b6f9352515259c9820dc7bcb5da4adeb0210b3ae1
Opcode Fuzzy Hash: 81bf86036137232fe10f9435160caad766e23624b44f7aa13c3845ec3496b3cb
Instruction Fuzzy Hash: 28A16531A19A4A4FEB89DF15C4947BD6AD2BF48355F90007AE81FC72E2CF38A955C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE18821FAB Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 521724913463c147cb75c31ac5834ae438fe44a5a7c3a20da5b11eb7b041088a
Instruction ID: 28aa4f05453bd86d534724ed2384c92751464f587860e730f597b94683d2e72c
Opcode Fuzzy Hash: 521724913463c147cb75c31ac5834ae438fe44a5a7c3a20da5b11eb7b041088a
Instruction Fuzzy Hash: 57917431A29A4A4FEB88DF15C4947BD66D2BF48355F90007AE81FC71E2CF38A955C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE18821FD2 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3247c2ebf899158e0a5daebfe4b23a9cbc10919175807516095bf16c02e4561a
Instruction ID: 4d289f0bf243642a16dcfed020045c942758bc492d0a602b24af0852813fc4ed
Opcode Fuzzy Hash: 3247c2ebf899158e0a5daebfe4b23a9cbc10919175807516095bf16c02e4561a
Instruction Fuzzy Hash: 47914321A29A4A4FEB88DF15C4957BD66D2BF48365F90007AE81FC71F2CF38A955C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE18822012 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 560adfe1f73b2d958afcb579d112ad2ddb24fc8e6cab6ddb1a2e55c460d011f5
Instruction ID: 3898f9fc0ae0449c50e479852f2f063e93540548184d392d2397cb118993e939
Opcode Fuzzy Hash: 560adfe1f73b2d958afcb579d112ad2ddb24fc8e6cab6ddb1a2e55c460d011f5
Instruction Fuzzy Hash: D9816421A29A0A4FEB88DF55C495BBD66D2BF44365F90007AE81FC71F2CF38A955C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1882203A Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6177c7c5862f128956a9d87c9cfac2c909495d51ff44740bba945c704eacd8e
Instruction ID: 0829175efcefcc1917fff5f35952c8b47a55ef5c01042b9675d09c46b4d7e3f8
Opcode Fuzzy Hash: b6177c7c5862f128956a9d87c9cfac2c909495d51ff44740bba945c704eacd8e
Instruction Fuzzy Hash: 96715321A29A0A4FEB88DF55C495BBD66D2BF44365F90007AE81FC71F2CF38A955C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE18822060 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418f9fd3cab01db2d506adce20297e04938d22987e00191d61bb898af8263e72
Instruction ID: 5047b609c4a7182daed37461dccff69e5fcb9dbc2402c3fe4037526e5994ce05
Opcode Fuzzy Hash: 418f9fd3cab01db2d506adce20297e04938d22987e00191d61bb898af8263e72
Instruction Fuzzy Hash: D9715421A29A0A4FEB88DF55C495BBD66D2BF44365F90007AE81FC71F2CF38A955C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1882000B Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 640f29720f70b696069ab47fc29cfac1c446af6e38e090a42a12f78c74260b2c
Instruction ID: d5dd6fe2adc0cb2129cebf31000d4644f3c834b3c71a650c55b100b7a1403a2f
Opcode Fuzzy Hash: 640f29720f70b696069ab47fc29cfac1c446af6e38e090a42a12f78c74260b2c
Instruction Fuzzy Hash: 7F41886280EBC64FE71787750C651647F72AE13224B1E02EBC4D9CB0F3E95C1A49C3A6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE18820CA4 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6986f6c7775a91f5361accb6e2c5d0bdd13970eaaa5320cf5433e2aea0eeb72
Instruction ID: 61207fad173846c9ffd55d74122ada88775af899d9cb115477bacd10260c6bf5
Opcode Fuzzy Hash: a6986f6c7775a91f5361accb6e2c5d0bdd13970eaaa5320cf5433e2aea0eeb72
Instruction Fuzzy Hash: F7418270618B498FEB549F2988487B93BE2EF49314F4105BAE41DCB2E3CF78A905C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE18820A77 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384df74d94338847b216fe55f72feee34557acda034882a107b66d01ccae2ea8
Instruction ID: 436dfe6c78f1ea34b16780df759b19d523b8a1ceadfd322b4954ee14afcaa621
Opcode Fuzzy Hash: 384df74d94338847b216fe55f72feee34557acda034882a107b66d01ccae2ea8
Instruction Fuzzy Hash: 4021B121B18E184FEB4AEB1C94517AD77D3EFD8700F1441AAD44DC72A7CE286A474386

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE18820CEC Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0150594c7172243b608441038075e4ed0f20f1f1e20b85ddc5a785bac1629ac7
Instruction ID: e76f3170d504fcaad806dc31b6f238efcf734d7f2ce839242aa77fe36f38ae9c
Opcode Fuzzy Hash: 0150594c7172243b608441038075e4ed0f20f1f1e20b85ddc5a785bac1629ac7
Instruction Fuzzy Hash: EB214160618B458FEF54AF29C8887BD36D2AF49315F4006B9E41ECB2E3CF78A945C746

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE18820A54 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b422d225afddc9ca996372d6a2ce67024aba5942ef867b1681c202c8d611211b
Instruction ID: f28b43d04ea20964785a00085510c302d5e93c95a44b898a3c7668eaeb1f5c64
Opcode Fuzzy Hash: b422d225afddc9ca996372d6a2ce67024aba5942ef867b1681c202c8d611211b
Instruction Fuzzy Hash: F5219522B18E594FEB8AE71C84616AD7793EFD8B00F5440B9D45DC72E7CE2C6A034396

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE18820D00 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc50ba34422a7602156b24f087f210f0aba231d40c859d578d735f209565bfa
Instruction ID: df957ec71a9ba75ec12951d4d89aeb537655615cb68f0d92bb12aa623bde175d
Opcode Fuzzy Hash: 3bc50ba34422a7602156b24f087f210f0aba231d40c859d578d735f209565bfa
Instruction Fuzzy Hash: BC214130618B458FEF549F2988887B937D2EF49305F4405B9E41EC72A3CF78A945C746

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE188224FA Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f8640e84b6a1479283ad00d6216ebaf05a4674409b188f2568d667412edc6a
Instruction ID: 9d4c61058c723aa5eab326aec13c2b4d945cb4ae33432fd7900886f40390826c
Opcode Fuzzy Hash: 70f8640e84b6a1479283ad00d6216ebaf05a4674409b188f2568d667412edc6a
Instruction Fuzzy Hash: ED119D2040D7C95FD7978B2888259F57FA5AF0B210F4A81EAE4C9CF0A3DB19C609C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1882092E Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ae0498d44c61bffee3cd4c5b9043591605fe90e9ff40153b3137f6b2a3833c
Instruction ID: 28be77a423433d9cb69c993bd6c166c0d481f463272fccc4999c40f61c9513aa
Opcode Fuzzy Hash: 82ae0498d44c61bffee3cd4c5b9043591605fe90e9ff40153b3137f6b2a3833c
Instruction Fuzzy Hash: 9421D65540E3C26FE3434B748829AA17FA69F07230F4E40DEE0C48F0B3DA484946C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE18820667 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c870818c51edeed81d5dd46987762b9623693da91b26cfcba71a9f79d9a38f6
Instruction ID: 7f5f4248094dbdba4b20d734708e81a41e75a52779f0c66d18df8eb8a871968d
Opcode Fuzzy Hash: 6c870818c51edeed81d5dd46987762b9623693da91b26cfcba71a9f79d9a38f6
Instruction Fuzzy Hash: 80114C31728D098FEB98EB28D494AB573E2FFA8350F9000B5E40EC71A1DE35E901CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE18820D30 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0006694c0b520608fd19b28ce89e735d0ae60c0455e727667f90b1eead6fa7
Instruction ID: c29880136f453da19c6a67067ddf6c2430b82c904fb010e29d10f4ccc343a663
Opcode Fuzzy Hash: 8d0006694c0b520608fd19b28ce89e735d0ae60c0455e727667f90b1eead6fa7
Instruction Fuzzy Hash: 0F118460618B458FEF549F2488887BD36D2AF49304F8005B9E41EC72E3CF7CA905C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE18820D48 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd1758fd391f4a940cae400c9492329923bd882eebe174c8f2edef49e8760ee9
Instruction ID: 0c6a60f4f98ca2f741641753c7e86255a7a87f32204d3a9ab17175d8b69d2708
Opcode Fuzzy Hash: fd1758fd391f4a940cae400c9492329923bd882eebe174c8f2edef49e8760ee9
Instruction Fuzzy Hash: E4115170618B498FEF54AF2888887B937D2EF49305F8505B9E41DC72A3CF78A845C745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE186DA0AA Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2410761956.00007FFE186DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE186DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe186da000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902e4376d5a817f5ec80aadfe9fbff1c7d8e921daa75de9a4a7dbea0838ddd99
Instruction ID: c5076609c2f8da43d054a3b265eadcc9d4c9dafc62deea64e20e284c3f32ab3f
Opcode Fuzzy Hash: 902e4376d5a817f5ec80aadfe9fbff1c7d8e921daa75de9a4a7dbea0838ddd99
Instruction Fuzzy Hash: 10015270918F088FDBA4EF1DC889D267BE0FBA8311F11455AE44DC7271D670E881CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE18820D66 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1069121ca3a574a42c198d8ef5d1ca9e2a81e9e674869646a9e0b91fba2ca40
Instruction ID: 985c7ccfa2b916b25d1d0a8e3e27625a427447dc82397592c2d051755bc0ea25
Opcode Fuzzy Hash: c1069121ca3a574a42c198d8ef5d1ca9e2a81e9e674869646a9e0b91fba2ca40
Instruction Fuzzy Hash: 87011B21618B498FEF54AF688888BB937D2EF49305F8505B9E41DC72A3CF79A8448745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE186DA0A3 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2410761956.00007FFE186DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE186DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe186da000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6899b080d79cc59bde1c7759ee48493f259a963b07dc08054cc761c00e7d6304
Instruction ID: bfa54df8511184e7aee71a655f0ba0ee9ac8c6f59d9daae865ed5381ecbff924
Opcode Fuzzy Hash: 6899b080d79cc59bde1c7759ee48493f259a963b07dc08054cc761c00e7d6304
Instruction Fuzzy Hash: 14F0623264CD088F9AA4EB5EE446D5533D0FB5433171006ABD44AC7561DA25F981CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE188203FB Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d9f40ef9ebbeb24f316773ddccf91dff837f97fe7f67f2fd53d0af0fc751d5
Instruction ID: e843562d324de6ef33f216cd5b0089642f7310406c882667f549e7dac1170ee4
Opcode Fuzzy Hash: 12d9f40ef9ebbeb24f316773ddccf91dff837f97fe7f67f2fd53d0af0fc751d5
Instruction Fuzzy Hash: A6F02821A0C7854FFF559A7948457B13E838F9A318F0980FAD44C8F1E7DE6D58048322

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1882045D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315cb81e658ac636b82e973a349d15e1df83024fd0169050812f3aae3324d4f0
Instruction ID: d96d698bd46034e6b0807449dbfd299d618ffbe08c032d37924aa71440db26bc
Opcode Fuzzy Hash: 315cb81e658ac636b82e973a349d15e1df83024fd0169050812f3aae3324d4f0
Instruction Fuzzy Hash: 57F0272190C3855FFB568A7448993E13F828F86319F0A40FAD8488F1E3DAAD14498363

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE18820D98 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc6c26e041e5fa91324311f25631c618ca6cdec6e35724d4afee912f13af6d10
Instruction ID: 38a311e2487cd71196121c7f1cc7754dd6e772a5158ad47061fbab2a903ced09
Opcode Fuzzy Hash: fc6c26e041e5fa91324311f25631c618ca6cdec6e35724d4afee912f13af6d10
Instruction Fuzzy Hash: 6AF04F35618A498FDF54AF2894887B83792FF49305F4104B5E41D872A3CF79A444C745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE188202DD Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1601d708977aa64eea93b1cd0df0472407c3384d79c9e23155419c6aa598e0
Instruction ID: 0bad9ebfce50de0c1589a6a9a53d66411370ace6c459192e749b57a089f81c55
Opcode Fuzzy Hash: ea1601d708977aa64eea93b1cd0df0472407c3384d79c9e23155419c6aa598e0
Instruction Fuzzy Hash: F4E082A280EB880FE30B87308C223403F62AF07205F8A00CAC048CF1E3E6590949C322

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1882258C Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411045377.00007FFE18820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe18820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 356e6703a013ecb7903d71b60edc922706aabaf266c98a73a09d4686f36070e7
Instruction ID: 4c541c8a7c70f2cfb390d772225f7815df3906129004bbcb1218dd63f391a2fb
Opcode Fuzzy Hash: 356e6703a013ecb7903d71b60edc922706aabaf266c98a73a09d4686f36070e7
Instruction Fuzzy Hash: 1AD0A73090C94987DF005A1544154F83761BF48310B5501F1E45F87061CF28A5108680

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exePID: 6560, Parent PID: 4088

General

Chronological Activities

Disassembly

Analysis Process: SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exePID: 6560, Parent PID: 4088COMMON

Executed Functions

Function 00007FFE18821982 Relevance: .9, Instructions: 871COMMON

Function 00007FFE18820F90 Relevance: .7, Instructions: 748COMMON

Function 00007FFE18820FF1 Relevance: .7, Instructions: 698COMMON

Function 00007FFE18821003 Relevance: .7, Instructions: 695COMMON

Function 00007FFE18821021 Relevance: .7, Instructions: 689COMMON

Function 00007FFE18821090 Relevance: .6, Instructions: 648COMMON

Windows Analysis Report
SecuriteInfo.com.Trojan.DownLoader17.1385.19058.5725.exe