Windows Analysis Report SecuriteInfo.com.Trojan.InjectNET.14.3934.31899

Overview

General Information

Sample Name:SecuriteInfo.com.Trojan.InjectNET.14.3934.31899 (renamed file extension from 31899 to exe)
Analysis ID:502723
MD5:13003cbfb6d2adfeea85952f8172c4f7
SHA1:e5ef2dd654b50ed7be455cbe7aaabaa7acaedc80
SHA256:9c8590c7165b453dd0792be3cf51e200961a1ed9cf1154768ee86f7018db8fd9
Tags:exe

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Creates a thread in another existing process (thread injection)
Allocates memory in foreign processes
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)

Process Tree

  • System is w10x64
  • SecuriteInfo.com.Trojan.InjectNET.14.3934.exe (PID: 5576 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe' MD5: 13003CBFB6D2ADFEEA85952F8172C4F7)
    • conhost.exe (PID: 3224 cmdline: 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe' MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Virustotal: Detection: 37%
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Metadefender: Detection: 25%
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | ReversingLabs: Detection: 33%
Source: C:\Windows\System32\conhost.exe | Code function: 1_2_000001BA559E70D6
Source: C:\Windows\System32\conhost.exe | Code function: 1_2_000001BA559E6D06
Source: C:\Windows\System32\conhost.exe | Code function: 1_2_000001BA559E60D2
Source: C:\Windows\System32\conhost.exe | Code function: 1_2_000001BA559E750E
Source: C:\Windows\System32\conhost.exe | Code function: 1_2_000001BA559E796A
Source: C:\Windows\System32\conhost.exe | Code function: 1_2_00007FFD04005862
Source: C:\Windows\System32\conhost.exe | Code function: 1_2_00007FFD04004AB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Code function: 0_2_00401D58 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Code function: 0_2_00401D18 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Code function: 0_2_004019D8 NtCreateThreadEx
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Code function: 0_2_00401D98 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Code function: 0_2_00401C98 NtClose
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Static PE information: Section: .rdata ZLIB complexity 0.999692137922
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Virustotal: Detection: 37%
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Metadefender: Detection: 25%
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | ReversingLabs: Detection: 33%
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\conhost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe'
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Source: classification engine | Classification label: mal60.evad.winEXE@3/1@0/0
Source: C:\Windows\System32\conhost.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Static file information: File size 2009088 > 1048576
Source: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1e8800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Code function: 0_2_005ECB00 push rax; retf
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Code function: 0_2_005EC8C0 push rax; retn 0009h
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Code function: 0_2_005ECBFF push rax; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Code function: 0_2_005ECAB7 push rax; retf 0009h
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX (27 occurrences)
Source: C:\Windows\System32\conhost.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Memory written: C:\Windows\System32\conhost.exe base: 1BA55800000
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Thread created: C:\Windows\System32\conhost.exe EIP: 55800000
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 1BA55800000 protect: page execute and read and write
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe'
Source: conhost.exe, 00000001.00000000.350445968.000001BA56310000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000001.00000000.350445968.000001BA56310000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: conhost.exe, 00000001.00000000.350445968.000001BA56310000.00000002.00020000.sdmp | Binary or memory string: &Program Manager
Source: conhost.exe, 00000001.00000000.350445968.000001BA56310000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\conhost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 1 | Path Interception | Process Injection 312 | Masquerading 1 | OS Credential Dumping | Process Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 11 | LSASS Memory | Virtualization/Sandbox Evasion 11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing 1 | Security Account Manager | System Information Discovery 12 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 312 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | 37% | Virustotal |
SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | 26% | Metadefender |
SecuriteInfo.com.Trojan.InjectNET.14.3934.exe | 33% | ReversingLabs | Win64.Trojan.Donut

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:502723
Start date:14.10.2021
Start time:10:55:01
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 36s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:SecuriteInfo.com.Trojan.InjectNET.14.3934.31899 (renamed file extension from 31899 to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal60.evad.winEXE@3/1@0/0
EGA Information:Failed
HDC Information:
  • Successful, ratio: 63.1% (good quality ratio 52.4%)
  • Quality average: 41.6%
  • Quality standard deviation: 27.2%
HCA Information:
  • Successful, ratio: 69%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe
  • Excluded IPs from analysis (whitelisted): 95.100.218.79
  • Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, store-images.s-microsoft.com-c.edgekey.net
  • Not all processes were analyzed; the report is missing behavior information

Simulations

Behavior and APIs

Time | Type | Description
10:56:02 | API Interceptor | 1x Sleep call for process: SecuriteInfo.com.Trojan.InjectNET.14.3934.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Process:C:\Windows\System32\conhost.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1160
Entropy (8bit):5.346338419905592
Encrypted:false
SSDEEP:24:ML9E4Kr8sXE4+aE4KnKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPz:MxHKHH+aHKnYHKGD8AoPtHTG1hAHKKPz
MD5:FD0B81AE7B9DB28F2254E423DE209C18
SHA1:1E0DA698A79580E2B2305BF949E281EDA356063A
SHA-256:9427A9D8FD96E5489F1412D5A5152922A0DBBBD6D1CE3BB1645F941DF67B2138
SHA-512:4643F041B16C657B4974EF015E8B8D879157D14188D0C011D91DCEFAC3423F32EE38122E8B1FFDF29743DC2A6A96610B4C2243009EF854FC394D6E0CE75C62B9
Malicious:false
Reputation:moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\d0f4eb5b1d0857aabc3e7dd079735875\System.Management.ni.dll",0..2,"System.IO.Compression, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\e82398e9ff6885d617e4b97e31fb4f02\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Cult

Static File Info

General

File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):7.9994750606333005
TrID:
  • Win64 Executable (generic) (12005/4) 74.80%
  • Generic Win/DOS Executable (2004/3) 12.49%
  • DOS Executable Generic (2002/1) 12.47%
  • VXD Driver (31/22) 0.19%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:SecuriteInfo.com.Trojan.InjectNET.14.3934.exe
File size:2009088
MD5:13003cbfb6d2adfeea85952f8172c4f7
SHA1:e5ef2dd654b50ed7be455cbe7aaabaa7acaedc80
SHA256:9c8590c7165b453dd0792be3cf51e200961a1ed9cf1154768ee86f7018db8fd9
SHA512:ccb7e4dfb0454711cb50a619497072082bae3111ac8ba76b22d1f95af9721762b3b493596191f879bdca3d5872315009bb8f021ac131d9a1067e1dff91696824
SSDEEP:49152:YMWXWDNahuR7JmTqru3cJXNxDyfCDVYNd/0wZUGGa639KNg:YMwiYSHVYNSwZUhV3R
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./.................."........@......................................;.....................................

File Icon

Icon Hash:00828e8e8686b000

Static PE Info

General

Entrypoint:0x4022fa
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:02549ff92b49cce693542fc9afb10102

Entrypoint Preview

Instruction
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 00000040h
dec eax
mov eax, 00000004h
add byte ptr [eax], al
add byte ptr [eax], al
dec ecx
mov eax, eax
mov eax, 00000000h
dec ecx
mov ebx, eax
dec eax
lea eax, dword ptr [ebp-04h]
dec ecx
mov edx, eax
dec esp
mov ecx, edx
dec esp
mov edx, ebx
call 00007F5D44A273F1h
dec eax
lea eax, dword ptr [FFFFFF98h]
dec ecx
mov edx, eax
dec esp
mov ecx, edx
call 00007F5D44A2740Fh
mov eax, 00000001h
dec ecx
mov edx, eax
dec esp
mov ecx, edx
call 00007F5D44A27407h
mov eax, 00030000h
dec ecx
mov ebx, eax
mov eax, 00010000h
dec ecx
mov edx, eax
dec esp
mov ecx, edx
dec esp
mov edx, ebx
call 00007F5D44A273F4h
dec eax
mov eax, dword ptr [001E9224h]
dec eax
mov ecx, dword ptr [001E9225h]
dec eax
mov edx, dword ptr [001E9226h]
dec eax
mov dword ptr [ebp-10h], eax
dec eax
lea eax, dword ptr [ebp-04h]
dec eax
mov dword ptr [esp+20h], eax
mov eax, dword ptr [001EAC17h]
dec ecx
mov ecx, eax
dec ecx
mov eax, edx
dec ecx
mov ebx, ecx
dec eax
mov eax, dword ptr [ebp-10h]
dec ecx
mov edx, eax
dec esp
mov ecx, edx
dec esp
mov edx, ebx
call 00007F5D44A273B9h
dec eax
mov eax, dword ptr [001E91E1h]
dec eax
mov ecx, dword ptr [001E91E2h]
dec eax
mov edx, dword ptr [001E91E3h]

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1eb530 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1ee000 | 0x3c0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1ed000 | 0x90 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1eb56c | 0x90 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x14e0 | 0x1600 | False | 0.327947443182 | data | 5.41198326455 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x3000 | 0x1e876e | 0x1e8800 | False | 0.999692137922 | data | 7.99989652588 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss | 0x1ec000 | 0xfac | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata | 0x1ed000 | 0x90 | 0x200 | False | 0.17578125 | data | 1.20871562712 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x1ee000 | 0x3c0 | 0x400 | False | 0.4013671875 | data | 3.13286119705 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x1ee058 | 0x368 | data | English | United States

Imports

DLL | Import
msvcrt.dll | malloc, memset, _get_pgmptr, getenv, sprintf, __argc, __argv, _environ, _XcptFilter, __set_app_type, _controlfp, __getmainargs, exit
kernel32.dll | Sleep, CreateProcessA, SetUnhandledExceptionFilter

Version Infos

Description | Data
LegalCopyright | Copyright 1996-2018 VideoLAN and VLC Authors
FileVersion | 3,0,3,0
CompanyName | VideoLAN
ProductName | VLC media player
ProductVersion | 3,0,3,0
FileDescription | VLC media player
FileTitle | vlc
LegalTrademark | VLC media player, VideoLAN and x264 are registered trademarks from VideoLAN
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

No network behavior found

System Behavior

General

Start time:10:56:01
Start date:14/10/2021
Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe'
Imagebase:0x400000
File size:2009088 bytes
MD5 hash:13003CBFB6D2ADFEEA85952F8172C4F7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

General

Start time:10:56:02
Start date:14/10/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.14.3934.exe'
Imagebase:0x7ff61de10000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:high
