Windows Analysis Report
SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe

Overview

General Information

Sample name: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe
Analysis ID: 1431447
MD5: 64a34c1da55f5ca2fe610703986fded7
SHA1: 5d4ea6d1563ad3e43ad689162f1abdd76f6e35db
SHA256: 2df9436f1b6d32141309c78a4401c1c8cb6c6de8d23ff28873fb6a5a12bfaf1d
Tags: exe

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to detect virtual machines
Dynamically executes visual basic script code
Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations
AV process strings found (often used to terminate AV products)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
Sample file name is different from the original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe String found in binary or memory: http://aia.startssl.com/certs/sub.class2.code.ca.crt0#
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe String found in binary or memory: http://blog.aloaha.com
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe String found in binary or memory: http://crl.startssl.com/crtc2-crl.crl0
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe String found in binary or memory: http://crl.startssl.com/sfsca.crl0
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe String found in binary or memory: http://ocsp.startssl.com/sub/class2/code/ca0
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe String found in binary or memory: http://www.aloaha.com/wi-software-en/uprade-your-aloaha-pdf-suite.php
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe String found in binary or memory: http://www.startssl.com/0
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe String found in binary or memory: http://www.startssl.com/intermediate.pdf0
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe String found in binary or memory: http://www.startssl.com/policy.pdf0
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe String found in binary or memory: http://www.startssl.com/policy.pdf04
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe String found in binary or memory: http://www.startssl.com/sfsca.crl0
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe String found in binary or memory: http://www.startssl.com/sfsca.crt0

System Summary

Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_005FA560 __vbaChkstk,__vbaStrCopy,__vbaOnError,__vbaVarCopy,__vbaStrCopy,#520,__vbaVarTstNe,__vbaFreeVar,#685,__vbaObjSet,__vbaFreeObj,#716,__vbaObjVar,__vbaObjSetAddref,__vbaFreeVar,#685,__vbaObjSet,__vbaHresultCheckObj,__vbaFreeObj,#685,__vbaObjSet,__vbaFreeObj,#716,__vbaObjVar,__vbaObjSetAddref,__vbaFreeVar,#685,__vbaObjSet,__vbaHresultCheckObj,__vbaFreeObj,#685,__vbaObjSet,__vbaFreeObj,__vbaChkstk,__vbaLateMemSt,#685,__vbaObjSet,__vbaHresultCheckObj,__vbaFreeObj,__vbaChkstk,__vbaLateMemSt,__vbaFreeVar,#685,__vbaObjSet,__vbaHresultCheckObj,__vbaFreeObj,#518,#518,#518,__vbaInStrVar,__vbaVarCmpEq,__vbaInStrVar,__vbaVarCmpEq,__vbaVarAnd,__vbaInStrVar,__vbaVarCmpEq,__vbaVarAnd,__vbaBoolVarNull,__vbaFreeVarList,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaFreeStrList,__vbaChkstk,__vbaLateMemCall,#685,__vbaObjSet,__vbaHresultCheckObj,__vbaFreeObj,#518,__vbaInStrVar,__vbaVarTstGt,__vbaFreeVarList,__vbaChkstk,__vbaLateMemCallLd,__vbaStrErrVarCopy,__vbaVarMove,__vbaFreeVar,__vbaChkstk,__vbaLateMemCallLd,__vbaStrErrVarCopy,__vbaVarMove,__vbaFreeVar,#685,__vbaObjSet,__vbaHresultCheckObj,__vbaFreeObj,__vbaStrErrVarCopy,#520,__vbaVarTstEq,__vbaFreeVarList,#685,__vbaObjSet,__vbaHresultCheckObj,__vbaStrCat,__vbaStrMove,__vbaVarCopy,__vbaFreeStrList,__vbaFreeObj,__vbaVarTstEq,__vbaVarCopy,#685,__vbaObjSet,__vbaFreeObj,__vbaFreeObj,__vbaFreeStr,__vbaFreeStr, 0_2_005FA560
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_00655840 0_2_00655840
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_00669020 0_2_00669020
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_0060D8D0 0_2_0060D8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_004080B8 0_2_004080B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_00528950 0_2_00528950
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_0055C940 0_2_0055C940
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_00593930 0_2_00593930
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_005599B0 0_2_005599B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_00652180 0_2_00652180
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_0056EAE0 0_2_0056EAE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_005812B0 0_2_005812B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_0063FB40 0_2_0063FB40
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_005E5BA0 0_2_005E5BA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_0066B450 0_2_0066B450
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_00677DE0 0_2_00677DE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_00556DF0 0_2_00556DF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_0053C580 0_2_0053C580
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_00586E90 0_2_00586E90
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: String function: 0056B880 appears 43 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: String function: 00423E80 appears 54 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: String function: 005ED250 appears 99 times
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Static PE information: invalid certificate
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Static PE information: Resource name: _IID_PROVIDER type: a.out VAX demand paged (first page unmapped) pure executable not stripped
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe, 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAloahaCredentials.exe, vs SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Binary or memory string: OriginalFilenameAloahaCredentials.exe, vs SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal52.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Mutant created: NULL
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Section loaded: msvbvm60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Section loaded: vb6zz.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002E005-0000-0000-C000-000000000046}\InprocServer32
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Static file information: File size 2931336 > 1048576
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2b2000
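The static PE findings above (the COFF Characteristics flags, the .text section flags, the 1 MiB size checks on .text and the "invalid certificate" verdict) can be reproduced from the file headers alone. The script below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It uses only the Python standard library, and the PE it builds in build_synthetic_pe() is a constructed header-only image carrying the same flags and .text size the report lists, so the example runs without the sample (pass a path to analyse a real file). One caveat: the header only says whether an Authenticode blob is attached (security data directory, index 4). The report's "invalid certificate" means a signature is present but does not validate; checking the chain, expiry and file hash needs a real verifier such as signtool verify or osslsigncode. The StartSSL AIA and CRL URLs in the strings list point to a StartCom-issued code-signing certificate, and StartCom's roots have since been removed from the major trust stores, which is one plausible reason that check fails.

```python
"""Stdlib-only PE32 header triage reproducing the report's static checks:
COFF Characteristics, .text section flags and sizes, and whether an
Authenticode signature (security data directory) is present at all."""
import struct

FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
SECTION_CHARACTERISTICS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # WIN_CERTIFICATE blob; a file offset, not an RVA
PE32_MAGIC = 0x10B
SIZE_LIMIT = 0x100000                # the 1 MiB threshold the report applies to .text


def flag_names(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, nsections, _stamp, _symptr, _nsyms,
     opt_size, chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) images are handled here")
    # PE32 layout: NumberOfRvaAndSizes at +92, data directories from +96
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    sec_off = sec_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for k in range(nsections):
        (name, vsize, _vaddr, rawsize, _rawptr, _r, _l, _nr, _nl,
         schars) = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * k)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": rawsize,
            "flags": flag_names(schars, SECTION_CHARACTERISTICS),
        })
    return {
        "machine": machine,
        "characteristics": flag_names(chars, FILE_CHARACTERISTICS),
        "has_authenticode": sec_size > 0,
        "sections": sections,
    }


def triage(info: dict) -> list:
    """Emit the same findings the report prints for this sample."""
    notes = []
    if not info["has_authenticode"]:
        notes.append("no Authenticode signature present")
    for s in info["sections"]:
        if s["name"] != ".text":
            continue
        if s["virtual_size"] > SIZE_LIMIT:
            notes.append(f"Virtual size of .text is bigger than: 0x{SIZE_LIMIT:x}")
        if s["raw_size"] > SIZE_LIMIT:
            notes.append(f"Raw size of .text is bigger than: 0x{SIZE_LIMIT:x} < 0x{s['raw_size']:x}")
    return notes


def build_synthetic_pe(characteristics=0x010F, text_size=0x2B2000, sec_size=0x1800) -> bytes:
    """Constructed header-only PE32 (no real code) with the flags and .text
    size the report lists, so the example runs without the sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)                                 # standard PE32 optional header
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x2C0000, sec_size)
    text = struct.pack("<8sIIIIIIHHI", b".text", text_size, 0x1000, text_size, 0x400,
                       0, 0, 0, 0, 0x60000020)           # CODE | EXECUTE | READ
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_synthetic_pe()
    info = parse_pe(data)
    print("Characteristics:", ", ".join(info["characteristics"]))
    for s in info["sections"]:
        print(f"Section {s['name']}: {', '.join(s['flags'])}")
    print("Authenticode blob present:", info["has_authenticode"])
    for note in triage(info):
        print("Static PE information:", note)
```

The flag tables are ordered by bit value, which is why the output matches the report's ordering (RELOCS_STRIPPED before EXECUTABLE_IMAGE, IMAGE_SCN_CNT_CODE before IMAGE_SCN_MEM_EXECUTE). A 2.9 MB .text in a VB6 native-code image is large but not by itself a sign of packing; the size signatures are there because oversized sections are a cheap way to exhaust analysis time.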
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_0040A4F8 push ebp; retn 0058h 0_2_0040A4F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_00408C9E push 0C0057CFh; iretd 0_2_0040910D
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_004064A0 push ebx; retf 0055h 0_2_004064A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_00407CA8 push ebx; retn 0056h 0_2_00407CA9
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_00407CAC push ebx; retn 0056h 0_2_00407CAD
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_00407CB0 push ebx; retn 0056h 0_2_00407CB1
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: 0_2_00404DC8 push edi; retf 0_2_00404DC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Code function: __vmware_user__ _vmware_user_ vmware_user __vmware_user__ 0_2_0066B450
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe API coverage: 0.0 %
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Binary or memory string: __vmware_user__
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Binary or memory string: vmware_user
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Binary or memory string: _vmware_user_
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe, SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe, 00000000.00000000.2090919593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe, 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: ClamTray.exe
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe, SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe, 00000000.00000000.2090919593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe, 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: ClamWin.exe
No contacted IPs: the sample made no network connections during the analysis.