Edit tour
Windows
Analysis Report
SecuriteInfo.com.Trojan.Inject5.17530.4675.11921.exe
Overview
General Information
| Sample name: | SecuriteInfo.com.Trojan.Inject5.17530.4675.11921.exe |
| Analysis ID: | 1627627 |
| MD5: | fc56a30780f873616933d67c072169d0 |
| SHA1: | 55c5d927e163e31903895012c410cf93e9c3317b |
| SHA256: | 069a58a7ed424c5da0fedc7310f757d1080f5baeb731465552518c6fbb3d9d2f |
| Tags: | exeuser-SecuriteInfoCom |
| Infos: | |
 | |
Detection
| Score: | 88 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
SecuriteInfo.com.Trojan.Inject5.17530.4675.11921.exe (PID: 7376 cmdline: "C:\Users\ user\Deskt op\Securit eInfo.com. Trojan.Inj ect5.17530 .4675.1192 1.exe" MD5: FC56A30780F873616933D67C072169D0) - SecuriteInfo.com.Trojan.Inject5.17530.4675.11921.exe (PID: 7420 cmdline:
"C:\Window s\TEMP\{D7 2C88A4-592 5-468B-94F A-44E2827A CCDE}\.cr\ SecuriteIn fo.com.Tro jan.Inject 5.17530.46 75.11921.e xe" -burn. clean.room ="C:\Users \user\Desk top\Securi teInfo.com .Trojan.In ject5.1753 0.4675.119 21.exe" -b urn.fileha ndle.attac hed=632 -b urn.fileha ndle.self= 628 MD5: EB7B7E4070F3204CD47F1177E4DB1B9B) 
RoboTaskLite.exe (PID: 7472 cmdline: C:\Windows \TEMP\{974 15AD4-3721 -4DB2-AA1E -BFCC7170D CCB}\.ba\R oboTaskLit e.exe MD5: 6EE5F7F9F0016B5CC4F93A949A08F0DC) - RoboTaskLite.exe (PID: 7496 cmdline:
C:\Users\u ser\AppDat a\Roaming\ Supersync\ RoboTaskLi te.exe MD5: 6EE5F7F9F0016B5CC4F93A949A08F0DC) 
cmd.exe (PID: 7512 cmdline: C:\Windows \SysWOW64\ cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7520 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
ToolSecurityBvg.exe (PID: 8024 cmdline: C:\Users\u ser\AppDat a\Local\Te mp\ToolSec urityBvg.e xe MD5: 967F4470627F823F4D7981E511C9824F) 
msedge.exe (PID: 1072 cmdline: "C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --profi le-directo ry="Defaul t" MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 7640 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --m ojo-platfo rm-channel -handle=21 68 --field -trial-han dle=2136,i ,180740264 4511676350 4,17622724 4371698168 42,262144 /prefetch: 3 MD5: 69222B8101B0601CC6663F8381E7E00F)
- RoboTaskLite.exe (PID: 8148 cmdline:
"C:\Users\ user\AppDa ta\Roaming \Supersync \RoboTaskL ite.exe" MD5: 6EE5F7F9F0016B5CC4F93A949A08F0DC) - cmd.exe (PID: 8172 cmdline:
C:\Windows \SysWOW64\ cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 8180 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - ToolSecurityBvg.exe (PID: 1216 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\ToolSec urityBvg.e xe MD5: 967F4470627F823F4D7981E511C9824F)
- msedge.exe (PID: 2288 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --profi le-directo ry=Default --flag-sw itches-beg in --flag- switches-e nd --disab le-nacl -- do-not-de- elevate MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 7868 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --m ojo-platfo rm-channel -handle=20 68 --field -trial-han dle=2016,i ,116384998 1941472676 7,10718403 7036945902 97,262144 /prefetch: 3 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 6172 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=ass et_store.m ojom.Asset StoreServi ce --lang= en-GB --se rvice-sand box-type=a sset_store _service - -mojo-plat form-chann el-handle= 6292 --fie ld-trial-h andle=2016 ,i,1163849 9819414726 767,107184 0370369459 0297,26214 4 /prefetc h:8 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 6184 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=ent ity_extrac tion_servi ce.mojom.E xtractor - -lang=en-G B --servic e-sandbox- type=entit y_extracti on --onnx- enabled-fo r-ee --moj o-platform -channel-h andle=6588 --field-t rial-handl e=2016,i,1 1638499819 414726767, 1071840370 3694590297 ,262144 /p refetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F) 
identity_helper.exe (PID: 8044 cmdline: "C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \117.0.204 5.47\ident ity_helper .exe" --ty pe=utility --utility -sub-type= winrt_app_ id.mojom.W inrtAppIdS ervice --l ang=en-GB --service- sandbox-ty pe=none -- mojo-platf orm-channe l-handle=6 852 --fiel d-trial-ha ndle=2016, i,11638499 8194147267 67,1071840 3703694590 297,262144 /prefetch :8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416) - identity_helper.exe (PID: 7896 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \117.0.204 5.47\ident ity_helper .exe" --ty pe=utility --utility -sub-type= winrt_app_ id.mojom.W inrtAppIdS ervice --l ang=en-GB --service- sandbox-ty pe=none -- mojo-platf orm-channe l-handle=6 852 --fiel d-trial-ha ndle=2016, i,11638499 8194147267 67,1071840 3703694590 297,262144 /prefetch :8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416) - msedge.exe (PID: 5436 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=edg e_search_i ndexer.moj om.SearchI ndexerInte rfaceBroke r --lang=e n-GB --ser vice-sandb ox-type=se arch_index er --messa ge-loop-ty pe-ui --mo jo-platfor m-channel- handle=549 2 --field- trial-hand le=2016,i, 1163849981 9414726767 ,107184037 0369459029 7,262144 / prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 1376 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --no-st artup-wind ow --win-s ession-sta rt /prefet ch:5 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 6552 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --m ojo-platfo rm-channel -handle=22 40 --field -trial-han dle=2192,i ,656257674 9522032419 ,734956709 5468573079 ,262144 /p refetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 7652 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --no-st artup-wind ow --win-s ession-sta rt /prefet ch:5 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 6436 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --m ojo-platfo rm-channel -handle=21 36 --field -trial-han dle=2060,i ,371582931 8677886793 ,667815820 14580477,2 62144 /pre fetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-02T23:47:53.779360+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49909 | 104.21.40.182 | 443 | TCP |
| 2025-03-02T23:47:55.236732+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49920 | 104.21.40.182 | 443 | TCP |
| 2025-03-02T23:47:56.096975+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49926 | 104.21.40.182 | 443 | TCP |
| 2025-03-02T23:48:23.299913+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50100 | 104.21.40.182 | 443 | TCP |
| 2025-03-02T23:48:24.882561+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50102 | 104.21.40.182 | 443 | TCP |
| 2025-03-02T23:48:32.821865+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50106 | 104.21.40.182 | 443 | TCP |
| 2025-03-02T23:48:34.048829+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50107 | 104.21.40.182 | 443 | TCP |
| 2025-03-02T23:48:34.855633+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50108 | 104.21.40.182 | 443 | TCP |
| 2025-03-02T23:48:35.626924+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50109 | 104.21.40.182 | 443 | TCP |
| 2025-03-02T23:48:36.472464+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50110 | 104.21.40.182 | 443 | TCP |
| 2025-03-02T23:48:37.524761+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50111 | 104.21.40.182 | 443 | TCP |
| 2025-03-02T23:48:38.621194+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50112 | 104.21.40.182 | 443 | TCP |
| 2025-03-02T23:48:50.513678+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50113 | 104.21.40.182 | 443 | TCP |
| 2025-03-02T23:48:52.210898+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50114 | 104.21.40.182 | 443 | TCP |
| 2025-03-02T23:48:53.165934+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50115 | 104.21.40.182 | 443 | TCP |
| 2025-03-02T23:48:54.103305+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50116 | 104.21.40.182 | 443 | TCP |
| 2025-03-02T23:48:55.346337+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50117 | 104.21.40.182 | 443 | TCP |
| 2025-03-02T23:48:56.833822+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50118 | 104.21.40.182 | 443 | TCP |
| 2025-03-02T23:48:58.073738+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50119 | 104.21.40.182 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Code function: | 0_2_0079ED3B | |
| Source: | Code function: | 0_2_007DA2D0 | |
| Source: | Code function: | 0_2_0079EA4B | |
| Source: | Code function: | 0_2_0079DA0E | |
| Source: | Code function: | 0_2_0079DB8F | |
| Source: | Code function: | 0_2_0079ECE9 | |
| Source: | Code function: | 1_2_00D2ED3B | |
| Source: | Code function: | 1_2_00D6A2D0 | |
| Source: | Code function: | 1_2_00D2EA4B | |
| Source: | Code function: | 1_2_00D2DA0E | |
| Source: | Code function: | 1_2_00D2DB8F | |
| Source: | Code function: | 1_2_00D2ECE9 | |
Bitcoin Miner | |
|---|
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||