Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Trojan.Siggen12.2497.1023.964

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.Siggen12.2497.1023.964 (renamed file extension from 964 to exe)
Analysis ID:	356833
MD5:	9e74c1841ab5ec50dd43819aaba20c0b
SHA1:	d37d7026c09dc6d93fd01dc90d7a224d22dca168
SHA256:	d367eca88434cb310aad91f251c9baa7d11fcd2ffd2c0f0cbb35595445a27698
Infos:
Most interesting Screenshot:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

Binary contains a suspicious time stamp

Connects to a pastebin service (likely for C&C)

Hides threads from debuggers

Machine Learning detection for sample

May check the online IP address of the machine

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Startup

System is w10x64

SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe (PID: 4196 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe' MD5: 9E74C1841AB5EC50DD43819AABA20C0B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe

Avira: detected

Antivirus detection for URL or domain

Show sources

Source: http://94.103.94.2/gucci.exe	Avira URL Cloud: Label: malware
Source: http://94.103.94.2/tnf.exe	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Virustotal: Detection: 53%			Perma Link
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	ReversingLabs: Detection: 58%

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe

Joe Sandbox ML: detected

Compliance:

Uses insecure TLS / SSL version for HTTPS connection

Show sources

Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49721 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49721 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49722 version: TLS 1.0

Binary contains paths to debug symbols

Show sources

Source:	Binary string: \work project\pastebinload2\obj\Debug\pastebinload.pdb source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.280165219.00000000002B2000.00000020.00020000.sdmp
Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.280180864.00000000002BC000.00000040.00020000.sdmp
Source:	Binary string: \work project\pastebinload2\obj\Debug\pastebinload.pdb4+N+ @+_CorExeMainmscoree.dll source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.280165219.00000000002B2000.00000020.00020000.sdmp

Networking:

Connects to a pastebin service (likely for C&C)

Show sources

Source: unknown

DNS query: name: pastebin.com

May check the online IP address of the machine

Show sources

Source: unknown

DNS query: name: iplogger.org

Source: Joe Sandbox View	IP Address: 88.99.66.31 88.99.66.31
Source: Joe Sandbox View	IP Address: 88.99.66.31 88.99.66.31

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49721 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49721 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49722 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.94.2
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.94.2
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.94.2

Source: unknown

DNS traffic detected: queries for: pastebin.com

Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282452543.0000000003249000.00000004.00000001.sdmp	String found in binary or memory: http://94.103.94.2
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282335767.0000000003158000.00000004.00000001.sdmp	String found in binary or memory: http://94.103.94.2/gucci.exe
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282335767.0000000003158000.00000004.00000001.sdmp	String found in binary or memory: http://94.103.94.2/tnf.exe
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282381526.00000000031C0000.00000004.00000001.sdmp	String found in binary or memory: http://94.103.94.24
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282291076.000000000313D000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282397937.00000000031EF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282291076.000000000313D000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282291076.000000000313D000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0L
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282397937.00000000031EF000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282397937.00000000031EF000.00000004.00000001.sdmp	String found in binary or memory: http://iplogger.org
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282397937.00000000031EF000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282291076.000000000313D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://ocsp.digicert.com0P
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282397937.00000000031EF000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://s.symcd.com06
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282272751.0000000003111000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: https://d.symcb.com/rpa0.
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282335767.0000000003158000.00000004.00000001.sdmp	String found in binary or memory: https://iplogger.org
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282335767.0000000003158000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.280165219.00000000002B2000.00000020.00020000.sdmp	String found in binary or memory: https://iplogger.org/1nzde7
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282272751.0000000003111000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.280165219.00000000002B2000.00000020.00020000.sdmp, SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282272751.0000000003111000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/raw/LpGZbDTX
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.280165219.00000000002B2000.00000020.00020000.sdmp	String found in binary or memory: https://pastebin.com/raw/ZdmQ9Ych
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282272751.0000000003111000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/raw/ZdmQ9YchT
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282335767.0000000003158000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282291076.000000000313D000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282397937.00000000031EF000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443

System Summary:

PE file contains section with special chars

Show sources

Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Static PE information: section name:
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Static PE information: section name:
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_003BEE63	1_2_003BEE63
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_003D7CD7	1_2_003D7CD7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_003E5BBB	1_2_003E5BBB

Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe

Static PE information: invalid certificate

Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000003.229650995.00000000009F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamepastebinload.exe: vs SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282517825.00000000052C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Binary or memory string: OriginalFilenamepastebinload.exe: vs SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/1@2/3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe

File created: C:\Users\user\AppData\Local\l.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Virustotal: Detection: 53%
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	ReversingLabs: Detection: 58%

Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe

Static file information: File size 2665184 > 1048576

Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe

Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x285a00

Source:	Binary string: \work project\pastebinload2\obj\Debug\pastebinload.pdb source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.280165219.00000000002B2000.00000020.00020000.sdmp
Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.280180864.00000000002BC000.00000040.00020000.sdmp
Source:	Binary string: \work project\pastebinload2\obj\Debug\pastebinload.pdb4+N+ @+_CorExeMainmscoree.dll source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.280165219.00000000002B2000.00000020.00020000.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe

Unpacked PE file: 1.2.SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe.2b0000.0.unpack :ER; :R; :R;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0xAC57F2AF [Tue Aug 16 19:08:31 2061 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe

Static PE information: real checksum: 0x292d5f should be: 0x294e5e

Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Static PE information: section name:
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Static PE information: section name:
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Static PE information: section name:
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Static PE information: section name: .themida
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Static PE information: section name: .boot

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_00445A44 push 1418B121h; mov dword ptr [esp], eax	1_2_00445A59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_00445A44 push edi; mov dword ptr [esp], ebp	1_2_00445A69
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_003C6E38 push ebp; mov dword ptr [esp], 3C930162h	1_2_003C6E87
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_003C6E38 push ebx; mov dword ptr [esp], esp	1_2_003C6EE3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_003C6E38 push edi; mov dword ptr [esp], edx	1_2_003C6F02
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_0045364C push edx; mov dword ptr [esp], eax	1_2_004535CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_0045364C push esi; mov dword ptr [esp], eax	1_2_004535DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_0045364C push 35806AFAh; mov dword ptr [esp], ecx	1_2_004535FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_0045364C push edx; mov dword ptr [esp], ecx	1_2_0045360F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_0045364C push 7180A126h; mov dword ptr [esp], edi	1_2_004696D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_0044584A push ebx; mov dword ptr [esp], 4DFDA7A3h	1_2_00445835
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_0044584A push ecx; mov dword ptr [esp], edi	1_2_0044584E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_00446E4A push ebp; mov dword ptr [esp], ecx	1_2_00446E54
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_00446E4A push eax; mov dword ptr [esp], ebx	1_2_00446E6A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_00446E4A push ebp; mov dword ptr [esp], ebx	1_2_00446E82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_00446E4A push ebp; mov dword ptr [esp], ebx	1_2_00446EAE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_0044E062 push esi; mov dword ptr [esp], 4169C331h	1_2_0044E036
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_0044E062 push eax; mov dword ptr [esp], esi	1_2_0044E04B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_0044E062 push edx; mov dword ptr [esp], eax	1_2_0044E05C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_0044D86C push 5C84C3D7h; mov dword ptr [esp], eax	1_2_0044D884
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_0045846C push eax; mov dword ptr [esp], ecx	1_2_004584A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_0045AA6A push 74E34A3Bh; mov dword ptr [esp], edi	1_2_0045A9BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_0045AA6A push ecx; mov dword ptr [esp], eax	1_2_0045A9EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_00461076 push 4F3789C0h; mov dword ptr [esp], ebx	1_2_0046108D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_00412070 push ebp; mov dword ptr [esp], 47BF2AD9h	1_2_00412095
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_00433872 push edi; mov dword ptr [esp], ebp	1_2_00433834
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_0044DE75 push 261131FBh; mov dword ptr [esp], eax	1_2_0044DE8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_0044DE75 push ebp; mov dword ptr [esp], ebx	1_2_0044DE9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_00451A77 push eax; mov dword ptr [esp], ebx	1_2_00451A98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_0041DA75 push eax; mov dword ptr [esp], ecx	1_2_0041DA86
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Code function: 1_2_0045CA70 push ebp; mov dword ptr [esp], edi	1_2_0045CA98

Source: initial sample

Static PE information: section name: entropy: 7.67255739846

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Query firmware table information (likely to detect VMs)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe TID: 5428	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe TID: 4600	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282517825.00000000052C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282517825.00000000052C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282517825.00000000052C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282517825.00000000052C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe

Memory allocated: page read and write | page guard

Jump to behavior

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Masquerading1	OS Credential Dumping	Security Software Discovery421	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Web Service1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion34	LSASS Memory	Virtualization/Sandbox Evasion34	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Remote System Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	System Network Configuration Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing11	LSA Secrets	System Information Discovery3	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Timestomp1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	54%	Virustotal		Browse
SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	59%	ReversingLabs	Win32.Trojan.Zenpak
SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	100%	Avira	TR/Crypt.XPACK.Gen
SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://94.103.94.2/gucci.exe	100%	Avira URL Cloud	malware
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://94.103.94.2/tnf.exe	100%	Avira URL Cloud	malware
http://94.103.94.2	0%	Avira URL Cloud	safe
http://94.103.94.24	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
iplogger.org	88.99.66.31	true	false		high
pastebin.com	104.23.98.190	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282397937.00000000031EF000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://iplogger.org	SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282397937.00000000031EF000.00000004.00000001.sdmp	false		high
https://sectigo.com/CPS0	SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282397937.00000000031EF000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pastebin.com/raw/ZdmQ9Ych	SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.280165219.00000000002B2000.00000020.00020000.sdmp	false		high
http://94.103.94.2/gucci.exe	SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282335767.0000000003158000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	false		high
http://ocsp.sectigo.com0	SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282397937.00000000031EF000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://94.103.94.2/tnf.exe	SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282335767.0000000003158000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://94.103.94.2	SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282452543.0000000003249000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://94.103.94.24	SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282381526.00000000031C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pastebin.com/raw/ZdmQ9YchT	SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282272751.0000000003111000.00000004.00000001.sdmp	false		high
https://pastebin.com/raw/LpGZbDTX	SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.280165219.00000000002B2000.00000020.00020000.sdmp, SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282272751.0000000003111000.00000004.00000001.sdmp	false		high
https://iplogger.org/1nzde7	SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282335767.0000000003158000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.280165219.00000000002B2000.00000020.00020000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282272751.0000000003111000.00000004.00000001.sdmp	false		high
https://iplogger.org	SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282335767.0000000003158000.00000004.00000001.sdmp	false		high
https://pastebin.com	SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe, 00000001.00000002.282272751.0000000003111000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
88.99.66.31	unknown	Germany	24940	HETZNER-ASDE	false
104.23.98.190	unknown	United States	13335	CLOUDFLARENETUS	false
94.103.94.2	unknown	Russian Federation	48282	VDSINA-ASRU	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356833
Start date:	23.02.2021
Start time:	17:33:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Trojan.Siggen12.2497.1023.964 (renamed file extension from 964 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/1@2/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 23.211.6.115, 13.64.90.137, 168.61.161.212, 52.255.188.83, 23.218.208.56, 51.104.139.180, 20.54.26.129, 67.26.83.254, 67.26.75.254, 8.253.204.249, 67.26.73.254, 8.248.139.254, 51.103.5.159, 92.122.213.247, 92.122.213.194 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:34:36	API Interceptor	1x Sleep call for process: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
88.99.66.31	Zy7qKW0uYZ.exe	Get hash	malicious	Browse	2no.co/1v22h7.html
	buran.exe	Get hash	malicious	Browse	iplogger.ru/1Oh8E.jpeg
	6fAjRmbM4P.exe	Get hash	malicious	Browse	2no.co/1v22h7.html
	Buran.exe	Get hash	malicious	Browse	iplogger.org/1YN4g7.tgz
	MC6YwfvkvS.exe	Get hash	malicious	Browse	iplogger.org/1DRd77.gz
	TrustedInstaller.exe	Get hash	malicious	Browse	iplogger.org/1yekr7.gz
	zeppelin.exe	Get hash	malicious	Browse	iplogger.org/1D2XM6.tgz
	cli.exe	Get hash	malicious	Browse	ezstat.ru/1BiQt7.html
	R7w74RKW9A.exe	Get hash	malicious	Browse	ezstat.ru/1BiQt7.html
	pqSZtQiuRy.exe	Get hash	malicious	Browse	iplogger.org/14mvt7.gz
	3MndTUzGQn.exe	Get hash	malicious	Browse	iplogger.org/14qK87
	fEBNeNkRYI.doc	Get hash	malicious	Browse	iplogger.org/1cyy87.jpg
	Delivery-77426522.doc	Get hash	malicious	Browse	iplogger.org/1cyy87.jpg
	mesager43.exe	Get hash	malicious	Browse	iplogger.org/1cyy87.jpg
	hci0xn0zip.exe	Get hash	malicious	Browse	iplogger.org/1cyy87.jpg
	DOC001.exe	Get hash	malicious	Browse	2no.co/1Lan77
	DOC001 (3).exe	Get hash	malicious	Browse	2no.co/1Lan77
	urgently.exe	Get hash	malicious	Browse	iplogger.org/1Uu547.tgz
	SecuriteInfo.com.Generic.mg.e26982b170856ca8.exe	Get hash	malicious	Browse	iplogger.org/1Uu547.tgz
	trwf3446.doc	Get hash	malicious	Browse	iplogger.org/1Uu547.tgz

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
pastebin.com	1vuet1S3tI.exe	Get hash	malicious	Browse	104.23.98.190
	RkoKlvuLh6.exe	Get hash	malicious	Browse	104.23.99.190
	i0fOtOV8v0.exe	Get hash	malicious	Browse	104.23.99.190
	zLyXzE7WZi.exe	Get hash	malicious	Browse	104.23.99.190
	wLy18x5e2o.exe	Get hash	malicious	Browse	104.23.99.190
	QJ2UZbJWDS.exe	Get hash	malicious	Browse	104.23.99.190
	SWW8Mmeq6o.exe	Get hash	malicious	Browse	104.23.99.190
	BIb5AQZOu9.exe	Get hash	malicious	Browse	104.23.98.190
	7XJCrOkoIy.exe	Get hash	malicious	Browse	104.23.98.190
	fNOZjHL61d.exe	Get hash	malicious	Browse	104.23.98.190
	Ru8jlqio70.exe	Get hash	malicious	Browse	104.23.98.190
	SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.exe	Get hash	malicious	Browse	104.23.99.190
	8WjU4jrBIr.exe	Get hash	malicious	Browse	104.23.98.190
	8TD8GfTtaW.exe	Get hash	malicious	Browse	104.23.99.190
	CN-Invoice-XXXXX9808-19011143287992.exe	Get hash	malicious	Browse	104.23.98.190
	NitroGenerator.exe	Get hash	malicious	Browse	104.23.98.190
	Invoice467972.jar	Get hash	malicious	Browse	104.23.99.190
	Invoice467972.jar	Get hash	malicious	Browse	104.23.98.190
	REVISED_INVOICE_Company_BankDetails_fle_doc.xlsx.exe	Get hash	malicious	Browse	104.23.99.190
	MT0128.jar	Get hash	malicious	Browse	104.23.98.190
iplogger.org	1vuet1S3tI.exe	Get hash	malicious	Browse	88.99.66.31
	seed.exe	Get hash	malicious	Browse	88.99.66.31
	SecuriteInfo.com.Variant.Zusy.368685.25375.exe	Get hash	malicious	Browse	88.99.66.31
	SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe	Get hash	malicious	Browse	88.99.66.31
	SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.exe	Get hash	malicious	Browse	88.99.66.31
	SecuriteInfo.com.Variant.Zusy.368685.25618.exe	Get hash	malicious	Browse	88.99.66.31
	8WjU4jrBIr.exe	Get hash	malicious	Browse	88.99.66.31
	8TD8GfTtaW.exe	Get hash	malicious	Browse	88.99.66.31
	ydQ0ICWj5v.exe	Get hash	malicious	Browse	88.99.66.31
	r4yGYPyWb7.exe	Get hash	malicious	Browse	88.99.66.31
	aif9fEvN5g.exe	Get hash	malicious	Browse	88.99.66.31
	bZ9avvcHvE.exe	Get hash	malicious	Browse	88.99.66.31
	CmJ6qDTzvM.exe	Get hash	malicious	Browse	88.99.66.31
	RRLrVfeAXb.exe	Get hash	malicious	Browse	88.99.66.31
	m3eJIFyc68.exe	Get hash	malicious	Browse	88.99.66.31
	m8kdtboA0T.exe	Get hash	malicious	Browse	88.99.66.31
	jdAbDsECEE.exe	Get hash	malicious	Browse	88.99.66.31
	m8kdtboA0T.exe	Get hash	malicious	Browse	88.99.66.31
	IVCkMokXk8.exe	Get hash	malicious	Browse	88.99.66.31
	i9WK2pIYWG.exe	Get hash	malicious	Browse	88.99.66.31

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	1vuet1S3tI.exe	Get hash	malicious	Browse	172.67.199.58
	P00760000.exe	Get hash	malicious	Browse	104.21.19.200
	Order.doc	Get hash	malicious	Browse	104.21.19.200
	QUOTE.doc	Get hash	malicious	Browse	104.21.19.200
	Shipment Notification 6368638172.pdf.exe	Get hash	malicious	Browse	172.67.188.154
	2070121_SN-WS.exe	Get hash	malicious	Browse	104.21.71.230
	purchase order.exe	Get hash	malicious	Browse	104.21.19.200
	9073782912,pdf.exe	Get hash	malicious	Browse	104.21.19.200
	payment_advice.doc	Get hash	malicious	Browse	172.67.172.17
	IMG_57109_Scanned.doc	Get hash	malicious	Browse	172.67.188.154
	Purchase Order.exe	Get hash	malicious	Browse	104.21.19.200
	dot crypted.exe	Get hash	malicious	Browse	104.21.19.200
	New Order 2300030317388 InterMetro.exe	Get hash	malicious	Browse	172.67.172.17
	CN-Invoice-XXXXX9808-19011143287989.exe	Get hash	malicious	Browse	172.67.172.17
	Purchase Order list.exe	Get hash	malicious	Browse	104.21.23.61
	RkoKlvuLh6.exe	Get hash	malicious	Browse	162.159.136.232
	i0fOtOV8v0.exe	Get hash	malicious	Browse	104.23.99.190
	P3knxzE7wN.exe	Get hash	malicious	Browse	162.159.128.233
	zLyXzE7WZi.exe	Get hash	malicious	Browse	162.159.138.232
	wLy18x5e2o.exe	Get hash	malicious	Browse	162.159.136.232
HETZNER-ASDE	1vuet1S3tI.exe	Get hash	malicious	Browse	88.99.66.31
	MV9tCJw8Xr.exe	Get hash	malicious	Browse	195.201.56.70
	seed.exe	Get hash	malicious	Browse	88.99.66.31
	SecuriteInfo.com.Variant.Zusy.368685.25375.exe	Get hash	malicious	Browse	88.99.66.31
	SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe	Get hash	malicious	Browse	95.216.186.40
	SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.exe	Get hash	malicious	Browse	88.99.66.31
	SecuriteInfo.com.Trojan.GenericKD.36273230.25906.exe	Get hash	malicious	Browse	195.201.225.248
	SecuriteInfo.com.Variant.Zusy.368685.25618.exe	Get hash	malicious	Browse	88.99.66.31
	SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe	Get hash	malicious	Browse	95.216.186.40
	SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.exe	Get hash	malicious	Browse	95.216.186.40
	SecuriteInfo.com.Trojan.GenericKD.36273230.25906.exe	Get hash	malicious	Browse	195.201.225.248
	8WjU4jrBIr.exe	Get hash	malicious	Browse	94.130.165.85
	Quotation-Project at Hor Al Anz CAIRO_012245666.pdf.exe	Get hash	malicious	Browse	188.40.67.173
	8TD8GfTtaW.exe	Get hash	malicious	Browse	88.99.66.31
	Order_20180218001.exe	Get hash	malicious	Browse	135.181.57.206
	unmapped_executable_of_polyglot_duke.dll	Get hash	malicious	Browse	5.9.110.84
	DHL eInvoice_Pdf.exe	Get hash	malicious	Browse	195.201.179.80
	Subconract 504.xlsm	Get hash	malicious	Browse	95.216.245.130
	ydQ0ICWj5v.exe	Get hash	malicious	Browse	88.99.66.31
	r4yGYPyWb7.exe	Get hash	malicious	Browse	88.99.66.31

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	P00760000.exe	Get hash	malicious	Browse	104.23.98.190 88.99.66.31
	Shipment Notification 6368638172.pdf.exe	Get hash	malicious	Browse	104.23.98.190 88.99.66.31
	purchase order.exe	Get hash	malicious	Browse	104.23.98.190 88.99.66.31
	9073782912,pdf.exe	Get hash	malicious	Browse	104.23.98.190 88.99.66.31
	Purchase Order.exe	Get hash	malicious	Browse	104.23.98.190 88.99.66.31
	dot crypted.exe	Get hash	malicious	Browse	104.23.98.190 88.99.66.31
	v2.exe	Get hash	malicious	Browse	104.23.98.190 88.99.66.31
	Shipping Document PL&BL Draft.exe	Get hash	malicious	Browse	104.23.98.190 88.99.66.31
	Halkbank_Ekstre_20210223_082357_541079.exe	Get hash	malicious	Browse	104.23.98.190 88.99.66.31
	FOB offer_1164087223_I0133P2100363812.PDF.exe	Get hash	malicious	Browse	104.23.98.190 88.99.66.31
	PURCHASE ORDER CONFIRMATION.exe	Get hash	malicious	Browse	104.23.98.190 88.99.66.31
	Yao Han Industries 61007-51333893QR001U,pdf.exe	Get hash	malicious	Browse	104.23.98.190 88.99.66.31
	(appproved)WJO-TT180,pdf.exe	Get hash	malicious	Browse	104.23.98.190 88.99.66.31
	purchase order.exe	Get hash	malicious	Browse	104.23.98.190 88.99.66.31
	9073782912,pdf.exe	Get hash	malicious	Browse	104.23.98.190 88.99.66.31
	SOS URGENT RFQ #2345.exe	Get hash	malicious	Browse	104.23.98.190 88.99.66.31
	purchase order 1.exe	Get hash	malicious	Browse	104.23.98.190 88.99.66.31
	telex transfer.exe	Get hash	malicious	Browse	104.23.98.190 88.99.66.31
	GPP.exe	Get hash	malicious	Browse	104.23.98.190 88.99.66.31
	DHL Shipment Notification 6368638172.pdf.exe	Get hash	malicious	Browse	104.23.98.190 88.99.66.31

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe.log Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.35816127824051
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MxHKXwYHKhQnoPtHoxHhAHKzva
MD5:	31E089E21A2AEB18A2A23D3E61EB2167
SHA1:	E873A8FC023D1C6D767A0C752582E3C9FD67A8B0
SHA-256:	2DCCE5D76F242AF36DB3D670C006468BEEA4C58A6814B2684FE44D45E7A3F836
SHA-512:	A0DB65C3E133856C0A73990AEC30B1B037EA486B44E4A30657DD5775880FB9248D9E1CB533420299D0538882E9A883BA64F30F7263EB0DD62D1C673E7DBA881D
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9537837476311966
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe
File size:	2665184
MD5:	9e74c1841ab5ec50dd43819aaba20c0b
SHA1:	d37d7026c09dc6d93fd01dc90d7a224d22dca168
SHA256:	d367eca88434cb310aad91f251c9baa7d11fcd2ffd2c0f0cbb35595445a27698
SHA512:	7a2ce87fa40f324569d710a5163431d0ac6f1456a4b8c242e173b46a62b0effaf6f4d38617d710ebec6dd0a976475df913dc7b6ba8f9f16069257c86e768ec7d
SSDEEP:	49152:Qbp22+n3DZ3hTHi9zEtSSoTJVhurXd0btj4raluLy+p+3EIHQEwI9qY/wBdZN:Q92Ln3D7QzEESgicR4ty+mNHvp9qKwB5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....W..........."...0.............X.E.. ...@....@.. ........................m....._-)...`................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x858058
Entrypoint Section:	.boot
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, HIGH_ENTROPY_VA
Time Stamp:	0xAC57F2AF [Tue Aug 16 19:08:31 2061 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4328f7206db519cd4e82283211d98e83

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert High Assurance Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	6/1/2017 5:00:00 PM 7/8/2020 5:00:00 AM
Subject Chain	CN=Kaspersky Lab, O=Kaspersky Lab, L=Moscow, C=RU
Version:	3
Thumbprint MD5:	D47ED7012E116270A767DA88438C3BA6
Thumbprint SHA-1:	3C92C9274AB6D3DD520B13029A2490C4A1D98BC0
Thumbprint SHA-256:	3606C42F2608526263AC61997AA0A83B364FB23A6882447CA787B5A5790115D8
Serial:	0F9D91C6ABA86F4E54CBB9EF57E68346

Entrypoint Preview

Instruction
call 00007FDC0C5B4870h
push ebx
mov ebx, esp
push ebx
mov esi, dword ptr [ebx+08h]
mov edi, dword ptr [ebx+10h]
cld
mov dl, 80h
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
mov ebx, 00000002h
add dl, dl
jne 00007FDC0C5B4727h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007FDC0C5B470Ch
add dl, dl
jne 00007FDC0C5B4727h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007FDC0C5B4773h
xor eax, eax
add dl, dl
jne 00007FDC0C5B4727h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007FDC0C5B4807h
add dl, dl
jne 00007FDC0C5B4727h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FDC0C5B4727h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FDC0C5B4727h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FDC0C5B4727h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
je 00007FDC0C5B472Ah
push edi
mov eax, eax
sub edi, eax
mov al, byte ptr [edi]
pop edi
mov byte ptr [edi], al
inc edi
mov ebx, 00000002h
jmp 00007FDC0C5B46BBh
mov eax, 00000001h
add dl, dl
jne 00007FDC0C5B4727h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FDC0C5B4727h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jc 00007FDC0C5B470Ch
sub eax, ebx
mov ebx, 00000001h
jne 00007FDC0C5B474Ah
mov ecx, 00000001h
add dl, dl
jne 00007FDC0C5B4727h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc ecx, ecx
add dl, dl
jne 00007FDC0C5B4727h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jc 00007FDC0C5B470Ch
push esi
mov esi, edi
sub esi, ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x803a	0x50	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x5cc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x287400	0x36e0	.themida
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x2000	0x800	False	0.97509765625	data	7.67255739846	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
	0x4000	0x5cc	0x400	False	0.9755859375	data	7.31449001732	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x6000	0xc	0x200	False	0.591796875	data	4.34313215347	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x8000	0x2000	0x200	False	0.16796875	data	1.05072803613	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x2000	0x600	False	0.422526041667	data	4.10903222417	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida	0xc000	0x44c000	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.boot	0x458000	0x285a00	0x285a00	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xa090	0x33c	data
RT_MANIFEST	0xa3dc	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	English	United States

Imports

DLL	Import
kernel32.dll	GetModuleHandleA
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2019
Assembly Version	1.0.0.0
InternalName	pastebinload.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	pastebinload
ProductVersion	1.0.0.0
FileDescription	pastebinload
OriginalFilename	pastebinload.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 17:34:14.869764090 CET	49721	443	192.168.2.5	104.23.98.190
Feb 23, 2021 17:34:14.913286924 CET	443	49721	104.23.98.190	192.168.2.5
Feb 23, 2021 17:34:14.913436890 CET	49721	443	192.168.2.5	104.23.98.190
Feb 23, 2021 17:34:14.983339071 CET	49721	443	192.168.2.5	104.23.98.190
Feb 23, 2021 17:34:15.024333000 CET	443	49721	104.23.98.190	192.168.2.5
Feb 23, 2021 17:34:15.028955936 CET	443	49721	104.23.98.190	192.168.2.5
Feb 23, 2021 17:34:15.028994083 CET	443	49721	104.23.98.190	192.168.2.5
Feb 23, 2021 17:34:15.029050112 CET	443	49721	104.23.98.190	192.168.2.5
Feb 23, 2021 17:34:15.029119968 CET	49721	443	192.168.2.5	104.23.98.190
Feb 23, 2021 17:34:15.033962011 CET	49721	443	192.168.2.5	104.23.98.190
Feb 23, 2021 17:34:15.076345921 CET	443	49721	104.23.98.190	192.168.2.5
Feb 23, 2021 17:34:15.076601028 CET	443	49721	104.23.98.190	192.168.2.5
Feb 23, 2021 17:34:15.210010052 CET	49721	443	192.168.2.5	104.23.98.190
Feb 23, 2021 17:34:15.241267920 CET	49721	443	192.168.2.5	104.23.98.190
Feb 23, 2021 17:34:15.282227993 CET	443	49721	104.23.98.190	192.168.2.5
Feb 23, 2021 17:34:15.296063900 CET	443	49721	104.23.98.190	192.168.2.5
Feb 23, 2021 17:34:15.296092033 CET	443	49721	104.23.98.190	192.168.2.5
Feb 23, 2021 17:34:15.296180010 CET	49721	443	192.168.2.5	104.23.98.190
Feb 23, 2021 17:34:15.309288979 CET	49721	443	192.168.2.5	104.23.98.190
Feb 23, 2021 17:34:15.361028910 CET	443	49721	104.23.98.190	192.168.2.5
Feb 23, 2021 17:34:15.361053944 CET	443	49721	104.23.98.190	192.168.2.5
Feb 23, 2021 17:34:15.361155987 CET	49721	443	192.168.2.5	104.23.98.190
Feb 23, 2021 17:34:15.434195995 CET	49722	443	192.168.2.5	88.99.66.31
Feb 23, 2021 17:34:15.505187988 CET	443	49722	88.99.66.31	192.168.2.5
Feb 23, 2021 17:34:15.505347967 CET	49722	443	192.168.2.5	88.99.66.31
Feb 23, 2021 17:34:15.505953074 CET	49722	443	192.168.2.5	88.99.66.31
Feb 23, 2021 17:34:15.576910973 CET	443	49722	88.99.66.31	192.168.2.5
Feb 23, 2021 17:34:15.579960108 CET	443	49722	88.99.66.31	192.168.2.5
Feb 23, 2021 17:34:15.579993963 CET	443	49722	88.99.66.31	192.168.2.5
Feb 23, 2021 17:34:15.580010891 CET	443	49722	88.99.66.31	192.168.2.5
Feb 23, 2021 17:34:15.580027103 CET	443	49722	88.99.66.31	192.168.2.5
Feb 23, 2021 17:34:15.580091000 CET	49722	443	192.168.2.5	88.99.66.31
Feb 23, 2021 17:34:15.580144882 CET	49722	443	192.168.2.5	88.99.66.31
Feb 23, 2021 17:34:15.612219095 CET	49722	443	192.168.2.5	88.99.66.31
Feb 23, 2021 17:34:15.684082985 CET	443	49722	88.99.66.31	192.168.2.5
Feb 23, 2021 17:34:15.708132982 CET	49722	443	192.168.2.5	88.99.66.31
Feb 23, 2021 17:34:15.789016008 CET	443	49722	88.99.66.31	192.168.2.5
Feb 23, 2021 17:34:15.791534901 CET	49723	80	192.168.2.5	94.103.94.2
Feb 23, 2021 17:34:15.922952890 CET	49722	443	192.168.2.5	88.99.66.31
Feb 23, 2021 17:34:18.923104048 CET	49723	80	192.168.2.5	94.103.94.2
Feb 23, 2021 17:34:20.047295094 CET	49722	443	192.168.2.5	88.99.66.31
Feb 23, 2021 17:34:24.923680067 CET	49723	80	192.168.2.5	94.103.94.2
Feb 23, 2021 17:34:36.969779015 CET	49721	443	192.168.2.5	104.23.98.190

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 17:34:03.774154902 CET	62176	53	192.168.2.5	8.8.8.8
Feb 23, 2021 17:34:03.831387043 CET	53	62176	8.8.8.8	192.168.2.5
Feb 23, 2021 17:34:04.643302917 CET	59596	53	192.168.2.5	8.8.8.8
Feb 23, 2021 17:34:04.706511974 CET	53	59596	8.8.8.8	192.168.2.5
Feb 23, 2021 17:34:05.069267988 CET	65296	53	192.168.2.5	8.8.8.8
Feb 23, 2021 17:34:05.122757912 CET	53	65296	8.8.8.8	192.168.2.5
Feb 23, 2021 17:34:06.338099957 CET	63183	53	192.168.2.5	8.8.8.8
Feb 23, 2021 17:34:06.395525932 CET	53	63183	8.8.8.8	192.168.2.5
Feb 23, 2021 17:34:07.659116030 CET	60151	53	192.168.2.5	8.8.8.8
Feb 23, 2021 17:34:07.710705996 CET	53	60151	8.8.8.8	192.168.2.5
Feb 23, 2021 17:34:09.409313917 CET	56969	53	192.168.2.5	8.8.8.8
Feb 23, 2021 17:34:09.462913036 CET	53	56969	8.8.8.8	192.168.2.5
Feb 23, 2021 17:34:10.443526983 CET	55161	53	192.168.2.5	8.8.8.8
Feb 23, 2021 17:34:10.503493071 CET	53	55161	8.8.8.8	192.168.2.5
Feb 23, 2021 17:34:12.133086920 CET	54757	53	192.168.2.5	8.8.8.8
Feb 23, 2021 17:34:12.187357903 CET	53	54757	8.8.8.8	192.168.2.5
Feb 23, 2021 17:34:14.746510029 CET	49992	53	192.168.2.5	8.8.8.8
Feb 23, 2021 17:34:14.797784090 CET	60075	53	192.168.2.5	8.8.8.8
Feb 23, 2021 17:34:14.798823118 CET	53	49992	8.8.8.8	192.168.2.5
Feb 23, 2021 17:34:14.846426964 CET	53	60075	8.8.8.8	192.168.2.5
Feb 23, 2021 17:34:15.370466948 CET	55016	53	192.168.2.5	8.8.8.8
Feb 23, 2021 17:34:15.432893991 CET	53	55016	8.8.8.8	192.168.2.5
Feb 23, 2021 17:34:16.004375935 CET	64345	53	192.168.2.5	8.8.8.8
Feb 23, 2021 17:34:16.068969965 CET	53	64345	8.8.8.8	192.168.2.5
Feb 23, 2021 17:34:16.943373919 CET	57128	53	192.168.2.5	8.8.8.8
Feb 23, 2021 17:34:16.992152929 CET	53	57128	8.8.8.8	192.168.2.5
Feb 23, 2021 17:34:30.789222956 CET	54791	53	192.168.2.5	8.8.8.8
Feb 23, 2021 17:34:30.938575983 CET	53	54791	8.8.8.8	192.168.2.5
Feb 23, 2021 17:34:35.938600063 CET	50463	53	192.168.2.5	8.8.8.8
Feb 23, 2021 17:34:35.990102053 CET	53	50463	8.8.8.8	192.168.2.5
Feb 23, 2021 17:34:56.437218904 CET	50394	53	192.168.2.5	8.8.8.8
Feb 23, 2021 17:34:56.509088039 CET	53	50394	8.8.8.8	192.168.2.5
Feb 23, 2021 17:34:58.543198109 CET	58530	53	192.168.2.5	8.8.8.8
Feb 23, 2021 17:34:58.591972113 CET	53	58530	8.8.8.8	192.168.2.5
Feb 23, 2021 17:34:59.956121922 CET	53813	53	192.168.2.5	8.8.8.8
Feb 23, 2021 17:35:00.004868031 CET	53	53813	8.8.8.8	192.168.2.5
Feb 23, 2021 17:35:01.536695957 CET	63732	53	192.168.2.5	8.8.8.8
Feb 23, 2021 17:35:01.585465908 CET	53	63732	8.8.8.8	192.168.2.5
Feb 23, 2021 17:35:08.141235113 CET	57344	53	192.168.2.5	8.8.8.8
Feb 23, 2021 17:35:08.199840069 CET	53	57344	8.8.8.8	192.168.2.5
Feb 23, 2021 17:35:40.841784954 CET	54450	53	192.168.2.5	8.8.8.8
Feb 23, 2021 17:35:40.893313885 CET	53	54450	8.8.8.8	192.168.2.5
Feb 23, 2021 17:35:41.297235012 CET	59261	53	192.168.2.5	8.8.8.8
Feb 23, 2021 17:35:41.356280088 CET	53	59261	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 17:34:14.746510029 CET	192.168.2.5	8.8.8.8	0xf65	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)
Feb 23, 2021 17:34:15.370466948 CET	192.168.2.5	8.8.8.8	0xe415	Standard query (0)	iplogger.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 23, 2021 17:34:14.798823118 CET	8.8.8.8	192.168.2.5	0xf65	No error (0)	pastebin.com	104.23.98.190	A (IP address)	IN (0x0001)
Feb 23, 2021 17:34:14.798823118 CET	8.8.8.8	192.168.2.5	0xf65	No error (0)	pastebin.com	104.23.99.190	A (IP address)	IN (0x0001)
Feb 23, 2021 17:34:15.432893991 CET	8.8.8.8	192.168.2.5	0xe415	No error (0)	iplogger.org	88.99.66.31	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 23, 2021 17:34:15.029050112 CET	104.23.98.190	443	192.168.2.5	49721	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Aug 17 02:00:00 CEST 2020 Mon Jan 27 13:46:39 CET 2020	Tue Aug 17 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Feb 23, 2021 17:34:15.029050112 CET	104.23.98.190	443	192.168.2.5	49721	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:46:39 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad
Feb 23, 2021 17:34:15.580027103 CET	88.99.66.31	443	192.168.2.5	49722	CN=*.iplogger.org CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Fri Nov 20 01:00:00 CET 2020 Fri Nov 02 01:00:00 CET 2018 Tue Mar 12 01:00:00 CET 2019	Sun Nov 21 00:59:59 CET 2021 Wed Jan 01 00:59:59 CET 2031 Mon Jan 01 00:59:59 CET 2029	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
					CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	Fri Nov 02 01:00:00 CET 2018	Wed Jan 01 00:59:59 CET 2031
					CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Mar 12 01:00:00 CET 2019	Mon Jan 01 00:59:59 CET 2029

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe PID: 4196 Parent PID: 5716

General

Start time:	17:34:11
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe'
Imagebase:	0x2b0000
File size:	2665184 bytes
MD5 hash:	9E74C1841AB5EC50DD43819AABA20C0B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe PID: 4196 Parent PID: 5716 SecuriteInfo.com.Trojan.Siggen12.2497.1023.exeCOMMON

Executed Functions

Function 029F005D, Relevance: .6, Instructions: 560COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.281795113.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d9394d623bf9b9fbbc5ff64fde2c5b778727fdb5877dff7c516eb39d98be0c8
Instruction ID: 4182a992511c615ed1af4a9e8e0a34074e1978a3329dbfa51e992b0b7209f39b
Opcode Fuzzy Hash: 6d9394d623bf9b9fbbc5ff64fde2c5b778727fdb5877dff7c516eb39d98be0c8
Instruction Fuzzy Hash: B3217130E0024A9FCB44DFB4DA549EEB7B2FF88308F114969C510AB365DB381E85CB95

Uniqueness

Uniqueness Score: -1.00%

Function 029F0530, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.281795113.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42654a4f8ae5bf3a3547d5226535f1bc38bddeda3da4c9940057d77d29b1e1e
Instruction ID: 11a22f6cc961f2567da581c41fde2bede60045d8420bb279b5051590778f5ac6
Opcode Fuzzy Hash: a42654a4f8ae5bf3a3547d5226535f1bc38bddeda3da4c9940057d77d29b1e1e
Instruction Fuzzy Hash: 2441F170E01208CFDB58DFA5E694AADBBB2FF89304F205129D805B7368DB355C85CB54

Uniqueness

Uniqueness Score: -1.00%

Function 029F0540, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.281795113.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd8bfac62e983f32a5bb2f688e9c584ed87dac46c5801065e02c7573d67ffd1
Instruction ID: 73147b10f2febf2c24dfd1a0dfe617256c08371926861b19c06c2c00f809bd19
Opcode Fuzzy Hash: dfd8bfac62e983f32a5bb2f688e9c584ed87dac46c5801065e02c7573d67ffd1
Instruction Fuzzy Hash: F3411170E01208CFDB48DFA5E694AADBBB2FF89304F205029D805B7368DB395C85CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0126D4C8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.281681257.000000000126D000.00000040.00000001.sdmp, Offset: 0126D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5ebe6cef3dd5f0b01deb3d5182e8ffbf9c1b5dec7591f6a9eea9fc9601e652
Instruction ID: a775e8ddebe5e05d3a3217551101fa9af962394e38496f58885b5718e6caea11
Opcode Fuzzy Hash: fc5ebe6cef3dd5f0b01deb3d5182e8ffbf9c1b5dec7591f6a9eea9fc9601e652
Instruction Fuzzy Hash: 02216A7161424CDFDB11CF68E9C0F16BF69FB88318F24C569EA454B686C336D885C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0126D3DC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.281681257.000000000126D000.00000040.00000001.sdmp, Offset: 0126D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6244ae37c8247286b428799586bde50f092944f253b92c7d058b8bfd4f8584c
Instruction ID: fa6f6b5c0bbc437fd039a78218b9278ca93fc5ca8a72ce743ba3ddbd632cf671
Opcode Fuzzy Hash: f6244ae37c8247286b428799586bde50f092944f253b92c7d058b8bfd4f8584c
Instruction Fuzzy Hash: 4821487161424CDFCB01DF54C8C0B56BB69FB88324F24C569EA454B286C336EC96CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 029F0448, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.281795113.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e90a8354d3091a8cc6849c0075d584ce25002570c5a6bef506b28abf8fd1530
Instruction ID: 1f68ccf6fbb80b30974572dac0f41545830d3d637c521d3f352c7bede785e3d5
Opcode Fuzzy Hash: 3e90a8354d3091a8cc6849c0075d584ce25002570c5a6bef506b28abf8fd1530
Instruction Fuzzy Hash: 63213030A001099FCB44DFA5DA54AEEB7B2FB88308F104964C515A7364DB385E95CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 0126D4C3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.281681257.000000000126D000.00000040.00000001.sdmp, Offset: 0126D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882ec0890a1543d77e3479f3bed58de4dc9073c5d85341b0db077ea7962b9195
Instruction ID: da94e22233022109a69bb6edea0f1f38b28777e2cef86cdb85530f278d01450f
Opcode Fuzzy Hash: 882ec0890a1543d77e3479f3bed58de4dc9073c5d85341b0db077ea7962b9195
Instruction Fuzzy Hash: F811E176504288CFCB12CF54D9C4B16BF71FB88324F28C6A9D9490B656C33AD45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0126D3D7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.281681257.000000000126D000.00000040.00000001.sdmp, Offset: 0126D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882ec0890a1543d77e3479f3bed58de4dc9073c5d85341b0db077ea7962b9195
Instruction ID: e5e1f5f109a8318b3d0003dcb7a01ac1bcfbb9f48ec5b0d256c0776ee4152ca3
Opcode Fuzzy Hash: 882ec0890a1543d77e3479f3bed58de4dc9073c5d85341b0db077ea7962b9195
Instruction Fuzzy Hash: A8110376504288CFCB02CF54D5C0B56BF72FB84320F28C2A9D9480B657C33AE856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 029F06B9, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.281795113.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4219f23d4c5e5ba603a18a27f803d6fb47ef12802fd5f9c725415049cea7e2d3
Instruction ID: 9f8b53151e141630bfdac3ac76bbbaad5e79a4c864b74bf764a28163da3933b7
Opcode Fuzzy Hash: 4219f23d4c5e5ba603a18a27f803d6fb47ef12802fd5f9c725415049cea7e2d3
Instruction Fuzzy Hash: 7F119074E012199FCB84DFA8D946AAEBBF1BF49300F1051AAD504E7361E7309A41CF81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 003BEE63, Relevance: 1.7, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

~$k{, xrefs: 003BF10F

Memory Dump Source

Source File: 00000001.00000002.280428889.00000000003BA000.00000040.00020000.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000001.00000002.280155354.00000000002B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.280165219.00000000002B2000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.280170722.00000000002B4000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.280175914.00000000002BA000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.280180864.00000000002BC000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280306706.0000000000386000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280318526.0000000000388000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280326565.000000000038C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280338579.000000000038E000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280344569.0000000000390000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280355112.0000000000392000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280366677.00000000003A0000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280376443.00000000003AA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280400857.00000000003B2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280409616.00000000003B4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280417148.00000000003B6000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280424110.00000000003B8000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280873527.0000000000708000.00000020.00020000.sdmp Download File

Similarity

API ID:
String ID: ~$k{
API String ID: 0-3560897623
Opcode ID: 80c64bb8d7d241b9619f6d9bc6344683b01a6a8ce3060b658e14a39dd6519686
Instruction ID: c0c22bde1ed64ca32d47ff5e4660d0e18e5c7b6d4a672600db88e0aa968ed71e
Opcode Fuzzy Hash: 80c64bb8d7d241b9619f6d9bc6344683b01a6a8ce3060b658e14a39dd6519686
Instruction Fuzzy Hash: AFF1C2F360C6049FE3046E59EC857BAFBE9EF98720F16453DEAC583740EA7558008696

Uniqueness

Uniqueness Score: -1.00%

Function 003E5BBB, Relevance: .5, Instructions: 463COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.280428889.00000000003BA000.00000040.00020000.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000001.00000002.280155354.00000000002B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.280165219.00000000002B2000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.280170722.00000000002B4000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.280175914.00000000002BA000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.280180864.00000000002BC000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280306706.0000000000386000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280318526.0000000000388000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280326565.000000000038C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280338579.000000000038E000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280344569.0000000000390000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280355112.0000000000392000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280366677.00000000003A0000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280376443.00000000003AA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280400857.00000000003B2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280409616.00000000003B4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280417148.00000000003B6000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280424110.00000000003B8000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280873527.0000000000708000.00000020.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18451bed1635e1b9d9601f286d7f1aab8a1dd586a5a83f57980e4a88894f58ac
Instruction ID: 151cae8322fc1a1aa407c303bf89017424784705199aa292fd1a8810c77fc94e
Opcode Fuzzy Hash: 18451bed1635e1b9d9601f286d7f1aab8a1dd586a5a83f57980e4a88894f58ac
Instruction Fuzzy Hash: 23E1D5F360C204AFE3146E19EC85B7AFBE9EF98720F16453DE7C883740E67598048696

Uniqueness

Uniqueness Score: -1.00%

Function 003D7CD7, Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.280428889.00000000003BA000.00000040.00020000.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000001.00000002.280155354.00000000002B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.280165219.00000000002B2000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.280170722.00000000002B4000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.280175914.00000000002BA000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.280180864.00000000002BC000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280306706.0000000000386000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280318526.0000000000388000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280326565.000000000038C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280338579.000000000038E000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280344569.0000000000390000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280355112.0000000000392000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280366677.00000000003A0000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280376443.00000000003AA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280400857.00000000003B2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280409616.00000000003B4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280417148.00000000003B6000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280424110.00000000003B8000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.280873527.0000000000708000.00000020.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6031043228e590de8e6272f0a25cc0fb204ffc46fdd559d1ec8a4a72631ded4a
Instruction ID: 360bb348a6094bbce91540e2834290ffa4f62f3e5a15b61a1494095ba3dac4ad
Opcode Fuzzy Hash: 6031043228e590de8e6272f0a25cc0fb204ffc46fdd559d1ec8a4a72631ded4a
Instruction Fuzzy Hash: 23C1D5F350C304AFE3056E59ECC6BBAFBE5EF98710F1A452DEAC487744EA3594008696

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Trojan.Siggen12.2497.1023.964

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe PID: 4196 Parent PID: 5716