Analysis Report SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.25862

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.25862 (renamed file extension from 25862 to exe)
Analysis ID: 356847
MD5: a6602f490e70a0c9846906944c01b1ba
SHA1: 3864724e9136d3090cd2e7afa5ae4a348e07e0e4
SHA256: 1733a30d0e7acb953730092047086555a39f5cb2ee2549021e253cbdc931fb91
Tags: RedLineStealer

Detection

RedLine
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Virustotal: Detection: 74%
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Metadefender: Detection: 27%
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe ReversingLabs: Detection: 75%
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, RELOCS_STRIPPED
Binary contains paths to debug symbols
Source: Binary string: _.pdb source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000003.206836108.000000000075C000.00000004.00000001.sdmp

Networking:

Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 3214
Source: unknown Network traffic detected: HTTP traffic on port 3214 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 3214
Source: unknown Network traffic detected: HTTP traffic on port 3214 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 3214
Source: unknown Network traffic detected: HTTP traffic on port 3214 -> 49728
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49718 -> 45.14.13.58:3214
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/IRemotePanel/GetSettings"Host: 45.14.13.58:3214Content-Length: 136Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/IRemotePanel/SendClientInfo"Host: 45.14.13.58:3214Content-Length: 1109278Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/IRemotePanel/GetTasks"Host: 45.14.13.58:3214Content-Length: 1083264Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 192.0.47.59
Source: unknown TCP traffic detected without corresponding DNS query: 45.14.13.58
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: api.ip.sb
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/IRemotePanel/GetSettings"Host: 45.14.13.58:3214Content-Length: 136Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp String found in binary or memory: http://45.14.13.58:3214
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp String found in binary or memory: http://45.14.13.58:3214/
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: http://45.14.13.58:32144
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270752515.0000000002796000.00000004.00000001.sdmp String found in binary or memory: http://api.ip.sb
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270752515.0000000002796000.00000004.00000001.sdmp String found in binary or memory: http://api.ip.sb.cdn.cloudflare.net
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270731371.0000000002771000.00000004.00000001.sdmp String found in binary or memory: http://bot.whatismyipaddress.com/
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275067190.00000000058AB000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270731371.0000000002771000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275112004.00000000058E5000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275067190.00000000058AB000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275112004.00000000058E5000.00000004.00000001.sdmp String found in binary or memory: http://crl4.dig
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275067190.00000000058AB000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270853707.00000000027B2000.00000004.00000001.sdmp String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: http://forms.rea
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270853707.00000000027B2000.00000004.00000001.sdmp String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: http://go.micros
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000003.268740526.0000000008713000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000003.256274496.0000000008701000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1o
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000003.268740526.0000000008713000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000003.256274496.0000000008701000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/go
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000003.268740526.0000000008713000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000003.256274496.0000000008701000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobjo
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275067190.00000000058AB000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275067190.00000000058AB000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: http://schemas.datacontract.org
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/CONTEXT.Models.Enums
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270731371.0000000002771000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: http://service.r
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: http://support.a
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: http://support.apple.com/kb/HT203092
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/0
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/IRemotePanel/CompleteTask
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/IRemotePanel/CompleteTaskResponse
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/IRemotePanel/GetSettings
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/IRemotePanel/GetSettingsResponse
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270853707.00000000027B2000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/IRemotePanel/GetTasks
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/IRemotePanel/GetTasksResponse
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/IRemotePanel/SendClientInfo
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/IRemotePanel/SendClientInfoResponse
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.274704985.0000000005020000.00000004.00000001.sdmp String found in binary or memory: http://www.geoplugin.net/json.gp?ip=https://api.ip.sb/geoipsecuritywaves-exchange
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, tmp2A87.tmp.1.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270731371.0000000002771000.00000004.00000001.sdmp String found in binary or memory: https://api.ip.sb
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270731371.0000000002771000.00000004.00000001.sdmp String found in binary or memory: https://api.ip.sb/geoip
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.274704985.0000000005020000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270731371.0000000002771000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, tmp2A87.tmp.1.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, tmp2A87.tmp.1.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, tmp2A87.tmp.1.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabt
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, tmp2A87.tmp.1.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: https://get.adob
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: https://helpx.ad
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270731371.0000000002771000.00000004.00000001.sdmp String found in binary or memory: https://icanhazip.com
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.274704985.0000000005020000.00000004.00000001.sdmp String found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.274704985.0000000005020000.00000004.00000001.sdmp String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270731371.0000000002771000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270853707.00000000027B2000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, tmp2A87.tmp.1.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, tmp2A87.tmp.1.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270853707.00000000027B2000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270853707.00000000027B2000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000003.260994800.0000000008210000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270853707.00000000027B2000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270853707.00000000027B2000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000003.260994800.0000000008210000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270731371.0000000002771000.00000004.00000001.sdmp String found in binary or memory: https://wtfismyip.com/text
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275067190.00000000058AB000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, tmp2A87.tmp.1.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.269668764.000000000070A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_00408C60 1_2_00408C60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_0040DC11 1_2_0040DC11
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_00407C3F 1_2_00407C3F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_00418CCC 1_2_00418CCC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_00406CA0 1_2_00406CA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_004028B0 1_2_004028B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_0041A4BE 1_2_0041A4BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_00418244 1_2_00418244
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_00401650 1_2_00401650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_00402F20 1_2_00402F20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_004193C4 1_2_004193C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_00418788 1_2_00418788
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_00402F89 1_2_00402F89
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_00402B90 1_2_00402B90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_004073A0 1_2_004073A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_024F1638 1_2_024F1638
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_024FC9D0 1_2_024FC9D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_024FF2E0 1_2_024FF2E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_051008E3 1_2_051008E3
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: String function: 0040E1D8 appears 44 times
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.278243802.00000000077B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.274704985.0000000005020000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCloisters.exe4 vs SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000003.206914545.0000000000789000.00000004.00000001.sdmp Binary or memory string: OriginalFilename_.dll4 vs SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275691984.0000000005D50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.278226031.00000000077A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.278274277.00000000077C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewmiutils.dll.muij% vs SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.278368604.0000000007800000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270853707.00000000027B2000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.277892249.0000000006E50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameaspnet_rc.dllT vs SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Binary or memory string: OriginalFilenameCloisters.exe4 vs SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, RELOCS_STRIPPED
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Static PE information: Section: .rsrc ZLIB complexity 0.988744491186
Source: classification engine Classification label: mal88.troj.spyw.evad.winEXE@1/21@3/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 1_2_004019F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.log
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe File created: C:\Users\user\AppData\Local\Temp\tmp76A9.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Command line argument: 08A 1_2_00413780
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Virustotal: Detection: 74%
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Metadefender: Detection: 27%
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: _.pdb source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000003.206836108.000000000075C000.00000004.00000001.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 1_2_004019F0
PE file contains an invalid checksum
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Static PE information: real checksum: 0x23bfb should be: 0x45256
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_0040E21D push ecx; ret 1_2_0040E230
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_024FD0C1 pushad ; iretd 1_2_024FD101
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_0510EC7A push 8B0876FFh; retf 1_2_0510EC7F

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 3214
Source: unknown Network traffic detected: HTTP traffic on port 3214 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 3214
Source: unknown Network traffic detected: HTTP traffic on port 3214 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 3214
Source: unknown Network traffic detected: HTTP traffic on port 3214 -> 49728
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 1_2_004019F0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Window / User API: threadDelayed 2750
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Window / User API: threadDelayed 5689
Is looking for software installed on the system
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe TID: 6964 Thread sleep time: -11990383647911201s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275112004.00000000058E5000.00000004.00000001.sdmp Binary or memory string: VMware
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275112004.00000000058E5000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMware_KWC4Y56Win32_VideoControllerAXZNRU94VideoController120060621000000.000000-00026994397display.infMSBDAUCR_NBGZPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsP7N5LX5Al
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275691984.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.274704985.0000000005020000.00000004.00000001.sdmp Binary or memory string: VMWare
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275691984.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275691984.0000000005D50000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.269777182.00000000007D3000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275691984.0000000005D50000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0040CE09
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 1_2_004019F0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 1_2_004019F0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_0040ADB0 GetProcessHeap,HeapFree, 1_2_0040ADB0
Enables debug privileges
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0040CE09
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0040E61C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00416F6A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_004123F1 SetUnhandledExceptionFilter, 1_2_004123F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Memory allocated: page read and write | page guard

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: GetLocaleInfoA, 1_2_00417A20
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 1_2_00412A15
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275112004.00000000058E5000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match File source: 00000001.00000002.274704985.0000000005020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.206836108.000000000075C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.270171901.0000000002363000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.270134267.0000000002310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe PID: 6472, type: MEMORY
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.23a405e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.23a405e.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.2310000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.2310ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.23a3176.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.23a3176.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.5020000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.75cdf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.2310000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.2310ee8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.5020000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.75cdf0.0.unpack, type: UNPACKEDPE
Found many strings related to Crypto-Wallets (likely being stolen)
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.274704985.0000000005020000.00000004.00000001.sdmp String found in binary or memory: Electrum
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.274704985.0000000005020000.00000004.00000001.sdmp String found in binary or memory: ssnMaestro Cardcookies.sqlite\Program Files (x86)\configJCB Card Safari/537.36\Google\Chrome\User DataKoreanLocalCardemail3[47][0-9]{13}$GuardaArmoryLocalAppDatadisplayNamehost_key^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$\user.configNameatomictdata\K-Meleon\Torch\User Data\CatalinaGroup\Citrio\User Data^3(?:0[0-5]|[68][0-9])[0-9]{11}$\NVIDIA Corporation\NVIDIA GeForce ExperienceexpireDatelastNameexpires_utc//setting[@name='Username']/valueusertagttp://checkip.amazonaws.com/Mozilla/5.0 (^(6541|6556)[0-9]{12}$logins.jsonovpn\BraveSoftware\Brave-Browser\User Data\Program Data\Laser CardexpirationDate\Epic Privacy Browser\User DataExodus\Opera Software\DisplayVersion%localappdata%\settingsprotocol^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$\Elements Browser\User Data%DSK_23%cmdOpera GX4[0-9]{12}(?:[0-9]{3})?$cookiesAccountInfo.txtaddress\Chedot\User Datacom.liberty.jaxx\Comodo\IceDragon^3[47][0-9]{13}$dob\Sputnik\Sputnik\User Datakey4.dbWeb DataSELECT ExecutablePath, ProcessID FROM Win32_ProcessAtomicWin32_OperatingSystemDiners Club Card\Kometa\User DataSteamPathkey3.db\MapleStudio\ChromePlus\User Datawaasflleasft.datasf; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/CommandLineProtonVPN.exe\Telegram Desktop\tdataSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CocCoc\Browser\User Data\Orbitum\User Data\Uran\User Datapassword-checkProcessID\7Star\7Star\User Data\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewerCookies\Iridium\User DataAmex Cardis_secureSoftware\Valve\SteamLogin DataID: isSecureVisa Card5[1-5][0-9]{14}$\Google(x86)\Chrome\User Data{0}\.purple\accounts.xmlDiscover Cardwaasflletasf\Chromium\User DataNordVPNv11^9[0-9]{15}$Coinomi) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/^(4903|4905|4911|4936|6333|6759)[0-9]{12}|(4903|4905|4911|4936|6333|6759)[0-9]{14}|(4903|4905|4911|4936|6333|6759)[0-9]{15}|564182[0-9]{10}|564182[0-9]{12}|564182[0-9]{13}|633110[0-9]{10}|633110[0-9]{12}|633110[0-9]{13}$\NETGATE Technologies\BlackHaw\uCozMedia\Uran\User DataInsta Payment Card^63[7-9][0-9]{13}$\Program Files\pin//setting[@name='Password']/valueOpera GX Stable\liebao\User DataSELECT * FROM Win32_Process Where SessionId='\Comodo\Dragon\User Data\360Browser\Browser\User DatafirstName\Coowon\Coowon\User Datassfnname\Mozilla\Firefoxphone_number\Mail.Ru\Atom\User DataEthereum\wallets^(62[0-9]{14,17})$.vdfcard_number_encrypted, Name: Union Pay CardCarte Blanche CardAppData\Roaming\Version\Chromodo\User Datacredit_cards^389[0-9]{11}$^(6334|6767)[0-9]{12}|(6334|6767)[0-9]{14}|(6334|6767)[0-9]{15}$hostpasswordUsername_valuemoz_cookiesUser Datawindows-1251, CommandLine: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\Nichrome\User DataWindows NTkey_dataDisplayNamex64Solo Card*.walletorigin_urlpassword_valueVisa Master Cardlast_nameNordVpn.exe*expirySwitch CardJaxxpath\CentBrowser\User Data\Vivaldi\User Datax
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: l3C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp String found in binary or memory: l/C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.274704985.0000000005020000.00000004.00000001.sdmp String found in binary or memory: Exodus
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.274704985.0000000005020000.00000004.00000001.sdmp String found in binary or memory: Ethereum
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.274704985.0000000005020000.00000004.00000001.sdmp String found in binary or memory: set_UseMachineKeyStore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Yara detected Credential Stealer
Source: Yara match File source: 00000001.00000002.274704985.0000000005020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.206836108.000000000075C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.270171901.0000000002363000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.270134267.0000000002310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe PID: 6472, type: MEMORY
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.23a405e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.23a405e.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.2310000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.2310ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.23a3176.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.23a3176.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.5020000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.75cdf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.2310000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.2310ee8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.5020000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.75cdf0.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match File source: 00000001.00000002.274704985.0000000005020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.206836108.000000000075C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.270171901.0000000002363000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.270134267.0000000002310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe PID: 6472, type: MEMORY
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.23a405e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.23a405e.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.2310000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.2310ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.23a3176.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.23a3176.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.5020000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.75cdf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.2310000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.2310ee8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.5020000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.75cdf0.0.unpack, type: UNPACKEDPE

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
192.0.47.59 | unknown | United States | 16876 | ICANN-DCUS | false
45.14.13.58 | unknown | Netherlands | 204601 | ON-LINE-DATAServerlocation-NetherlandsDrontenNL | false

Contacted Domains

Name | IP | Active
ianawhois.vip.icann.org | 192.0.47.59 | true
api.ip.sb | unknown | unknown
whois.iana.org | unknown | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://45.14.13.58:3214/ | false | Avira URL Cloud: safe | unknown