Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
String found in binary or memory: http://aia.startssl.com/certs/sub.class2.code.ca.crt0# |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
String found in binary or memory: http://crl.startssl.com/crtc2-crl.crl0 |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
String found in binary or memory: http://crl.startssl.com/sfsca.crl0 |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0 |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
String found in binary or memory: http://ocsp.startssl.com/sub/class2/code/ca0 |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
String found in binary or memory: http://ocsp.thawte.com0 |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0 |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0( |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
String found in binary or memory: http://ts-ocsp.ws.symantec.com07 |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
String found in binary or memory: http://www.startssl.com/0 |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
String found in binary or memory: http://www.startssl.com/intermediate.pdf0 |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
String found in binary or memory: http://www.startssl.com/policy.pdf0 |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
String found in binary or memory: http://www.startssl.com/policy.pdf04 |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
String found in binary or memory: http://www.startssl.com/sfsca.crl0 |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
String found in binary or memory: http://www.startssl.com/sfsca.crt0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Code function: 0_2_005C58C0 |
0_2_005C58C0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Code function: 0_2_00407491 |
0_2_00407491 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Code function: 0_2_00585940 |
0_2_00585940 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Code function: 0_2_0058EDC0 |
0_2_0058EDC0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Code function: 0_2_005D0610 |
0_2_005D0610 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Code function: 0_2_005C0AD0 |
0_2_005C0AD0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Code function: 0_2_005AE2A0 |
0_2_005AE2A0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Code function: 0_2_004FDBC0 |
0_2_004FDBC0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Code function: String function: 005611F0 appears 85 times |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Code function: String function: 004153F0 appears 56 times |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Static PE information: invalid certificate |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameAloahaHTMLFormSaver.exe, vs SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Binary or memory string: OriginalFilenameAloahaHTMLFormSaver.exe, vs SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Source: classification engine |
Classification label: sus24.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Mutant created: NULL |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
File read: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Section loaded: msvbvm60.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Section loaded: vb6zz.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Section loaded: sxs.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002E005-0000-0000-C000-000000000046}\InprocServer32 |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Static file information: File size 2067080 > 1048576 |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1e1000 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Code function: 0_2_00401DBE push edx; retn 004Fh |
0_2_00402245 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Code function: 0_2_004022D8 push es; retn 004Fh |
0_2_004022D9 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Code function: 0_2_004022EC push edx; retn 004Fh |
0_2_004022ED |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Code function: 0_2_0040B774 push A10055C3h; ret |
0_2_0040B779 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Code function: 0_2_00402306 push esi; ret |
0_2_00402315 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
API coverage: 0.0 % |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe |
Binary or memory string: Shell_TrayWnd |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmp, SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, 00000000.00000000.2146198753.0000000000401000.00000020.00000001.01000000.00000003.sdmp |
Binary or memory string: ClamTray.exe |
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmp, SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, 00000000.00000000.2146198753.0000000000401000.00000020.00000001.01000000.00000003.sdmp |
Binary or memory string: ClamWin.exe |