Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Virustotal: Detection: 58% |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
ReversingLabs: Detection: 69% |
Source: C:\Users\user\AppVerif\DllHelper.exe |
Avira: detection malicious, Label: TR/Dropper.Gen7 |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Joe Sandbox ML: detected |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: |
Binary string: C:\pik vevaye\Wapawini\gal\Yim.pdb source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr |
String found in binary or memory: http://s.symcb.com/universal-root.crl0 |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr |
String found in binary or memory: http://s.symcd.com06 |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr |
String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0( |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr |
String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0 |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr |
String found in binary or memory: http://ts-ocsp.ws.symantec.com0; |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr |
String found in binary or memory: https://d.symcb.com/cps0% |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr |
String found in binary or memory: https://d.symcb.com/rpa0 |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr |
String found in binary or memory: https://d.symcb.com/rpa0. |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Code function: 0_2_00B886DE InterlockedIncrement,__itow_s,__invoke_watson_if_error,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,__strftime_l,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,_wcscpy_s,__invoke_watson_if_error,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,__snwprintf_s,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,__cftoe,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,_strlen,WriteFile,OutputDebugStringA,__itow_s,__invoke_watson_if_error, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Code function: 0_2_00B88F12 InterlockedIncrement,__itow_s,__invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__strftime_l,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,_wcscpy_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,__snwprintf_s,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,GetFileType,_wcslen,WriteConsoleW,GetLastError,__invoke_watson_if_oneof,_wcslen,WriteFile,WriteFile,OutputDebugStringW,__itow_s,__invoke_watson_if_error,___crtMessageWindowW, |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: DllHelper.exe.0.dr |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: DllHelper.exe.0.dr |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: DllHelper.exe.0.dr |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Code function: 0_2_00B8BAF0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Code function: 0_2_00B82460 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Code function: 0_2_00B8AD10 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Code function: String function: 00B81290 appears 31 times |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Code function: String function: 00B809F0 appears 106 times |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Code function: String function: 00B7D760 appears 144 times |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Static PE information: invalid certificate |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Process Stats: CPU usage > 98% |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: DllHelper.exe.0.dr |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
File read: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Code function: 0_2_00B78A10 __wcstoui64,__wdupenv_s,SetThreadPriority,FindVolumeClose,GetCommConfig,LoadLibraryW,GetThreadPriority,GetCommandLineW,SetLastError,GenerateConsoleCtrlEvent,MoveFileWithProgressA,GetProcessHeaps,GetLastError,GetModuleHandleW,GetLastError,InitializeSListHead,DebugSetProcessKillOnExit,EnumSystemGeoID,GetProcessHeap,HeapFree,GetProcAddress,VirtualProtect,LoadResource,GetACP,FreeResource,__atodbl_l,SetConsoleCtrlHandler,SetConsoleCursorPosition,GetCalendarInfoW,VirtualProtect, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
File created: C:\Users\user\AppVerif |
Source: classification engine |
Classification label: mal68.bank.winEXE@1/2@0/0 |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Static file information: File size 1870760 > 1048576 |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x19f800 |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Code function: 0_2_00B98235 push edi; retf |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Code function: 0_2_00D0F460 push ebp; iretd |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Code function: 0_2_00B7962F pushfd ; ret |
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Static PE information: section name: .tenio |
Source: DllHelper.exe.0.dr |
Static PE information: section name: .tenio |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Code function: 0_2_00B901F0 LoadLibraryA,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer, |
Source: initial sample |
Static PE information: section name: .text entropy: 7.816031131002002 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
File created: C:\Users\user\AppVerif\DllHelper.exe |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Dropped PE file which has not been started: C:\Users\user\AppVerif\DllHelper.exe |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
API coverage: 9.0 % |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Code function: 0_2_00B80A60 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Process queried: DebugPort |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Code function: 0_2_00B7D060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Code function: 0_2_00B805D0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Code function: 0_2_00B85760 SetUnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Code function: 0_2_00B94180 GetLocaleInfoA,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe |
Code function: 0_2_00B85780 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, |