Windows Analysis Report
SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe

Overview

General Information

Sample name: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe
Analysis ID: 1431443
MD5: 5c4e6b119a01b350a02a25704fc912ec
SHA1: e2236c2bda3a2590cd2b6f96870a20ce23b5d6fd
SHA256: 710e7a08ebafad9cf16628f7ba362846f52dc5a485ac5066e4f60e0bc0f2862a
Tags: exe

Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations
AV process strings found (often used to terminate AV products)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE / OLE file has an invalid certificate
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe String found in binary or memory: http://aia.startssl.com/certs/sub.class2.code.ca.crt0#
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe String found in binary or memory: http://crl.startssl.com/crtc2-crl.crl0
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe String found in binary or memory: http://crl.startssl.com/sfsca.crl0
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe String found in binary or memory: http://ocsp.startssl.com/sub/class2/code/ca0
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe String found in binary or memory: http://www.startssl.com/0
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe String found in binary or memory: http://www.startssl.com/intermediate.pdf0
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe String found in binary or memory: http://www.startssl.com/policy.pdf0
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe String found in binary or memory: http://www.startssl.com/policy.pdf04
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe String found in binary or memory: http://www.startssl.com/sfsca.crl0
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe String found in binary or memory: http://www.startssl.com/sfsca.crt0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Code function: 0_2_005C58C0 0_2_005C58C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Code function: 0_2_00407491 0_2_00407491
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Code function: 0_2_00585940 0_2_00585940
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Code function: 0_2_0058EDC0 0_2_0058EDC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Code function: 0_2_005D0610 0_2_005D0610
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Code function: 0_2_005C0AD0 0_2_005C0AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Code function: 0_2_005AE2A0 0_2_005AE2A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Code function: 0_2_004FDBC0 0_2_004FDBC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Code function: String function: 005611F0 appears 85 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Code function: String function: 004153F0 appears 56 times
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Static PE information: invalid certificate
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAloahaHTMLFormSaver.exe, vs SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Binary or memory string: OriginalFilenameAloahaHTMLFormSaver.exe, vs SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: sus24.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Mutant created: NULL
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Section loaded: msvbvm60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Section loaded: vb6zz.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002E005-0000-0000-C000-000000000046}\InprocServer32
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Static file information: File size 2067080 > 1048576
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1e1000
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Code function: 0_2_00401DBE push edx; retn 004Fh 0_2_00402245
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Code function: 0_2_004022D8 push es; retn 004Fh 0_2_004022D9
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Code function: 0_2_004022EC push edx; retn 004Fh 0_2_004022ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Code function: 0_2_0040B774 push A10055C3h; ret 0_2_0040B779
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Code function: 0_2_00402306 push esi; ret 0_2_00402315
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe API coverage: 0.0 %
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmp, SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, 00000000.00000000.2146198753.0000000000401000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: ClamTray.exe
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmp, SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, 00000000.00000000.2146198753.0000000000401000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: ClamWin.exe
No contacted IP infos