Windows Analysis Report
SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll
Analysis ID: 1431444
MD5: a39b8e49bda5f8f001eabe39beea3964
SHA1: 8cd5b244c5fd30a86bbb0f630a32c3df75943994
SHA256: d8356c161893059fa62f496852cba0363add67ff1e50846eed11e4a00612f15b
Tags: dll

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: e:\DUOWAN_BUILD\yypublish_build\console\source\yy\bin\release\yymainframe.pdb source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll
Source: classification engine Classification label: clean3.winDLL@12/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
Source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll,??0CPerfRecord@Perf@@QAE@XZ
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll,??0YYLoginWidget@@QAE@PAVQGraphicsItem@@@Z
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll,??0YYLoginWidget_i18n@@QAE@PAVQGraphicsItem@@@Z
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: dwbase.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: duifw.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: dwutility.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: yycommon.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: qtgui4.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: qtcore4.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll Static PE information: More than 382 > 100 exports found
Source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll Static file information: File size 2256432 > 1048576
Source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x123e00
Source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll Static PE information: More than 200 imports for duifw.dll
Source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll Static PE information: More than 200 imports for yycommon.dll
Source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll Static PE information: More than 200 imports for QtGui4.dll
Source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll Static PE information: More than 200 imports for QtCore4.dll
Source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: SecuriteInfo.com.Trojan.Win32.Sasfis.6307.8338.dll Static PE information: real checksum: 0x1ea38b should be: 0x22cdcb
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB2C21 push edx; iretd 0_2_00BB2D11
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB2C99 push edx; iretd 0_2_00BB2D11
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB2D13 push ebp; retf 0055h 0_2_00BB2D29
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
No contacted IP infos