Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.590447173134643
Filename:	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Filesize:	836608
MD5:	f976242274e3a8b6859f43212321e5cd
SHA1:	4de5d552dd1a3a7e2eb57a831d1819ada42b53ae
SHA256:	49aa45b9a4eb9642dc458e079196600823bc99b49c9003b4327261ba47b3ae7d
SHA512:	de657d8cb7ee401139a414964c333053bc6570e1d29b4125cdc440dc61637b0597ee4c1bb0eafd5a8855727bc6089430e3b80c457c6c5a19ce1ef2f769957b80
SSDEEP:	12288:oOvpYqjMN+3gYffB411R77TeB3EqcDFRLJtXsxFXynzw5tkD3twn:3Yqy+t8N7qNEtFRLJtXsxkc5aD9
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....g................0.................. ........@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Antivirus / Scanner detection for submitted sample	AV Detection
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Machine Learning detection for sample	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Virtualization/Sandbox Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Yara signature match	System Summary
Antivirus or Machine Learning detection for unpacked file	AV Detection
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Enables debug privileges	Anti Debugging
Creates a DirectInput object (often for capturing keystrokes)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Sample file is different than original file name gathered from version info	System Summary
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Sample is known by Antivirus	System Summary
Found malware configuration	AV Detection
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Uses an in-process (OLE) Automation server	System Summary
Queries process information (via WMI, Win32_Process)	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
SQL strings found in memory and binary data	System Summary
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
URLs found in memory or binary data	Networking
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.log
Category:	dropped
Dump:	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.355304211458859
Encrypted:	false
Ssdeep:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Details

Is windows:	false
Is dropped:	false
PID:	3916
Target ID:	0
Parent PID:	3320
Name:	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Size:	836608
MD5:	F976242274E3A8B6859F43212321E5CD
Time:	19:35:34
Date:	29/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x510000
Modulesize:	860160
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Details

Is windows:	false
Is dropped:	false
PID:	4520
Target ID:	1
Parent PID:	3916
Name:	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Size:	836608
MD5:	F976242274E3A8B6859F43212321E5CD
Time:	19:35:54
Date:	29/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x610000
Modulesize:	860160
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://127.0.0.1:HTTP/1.1

unknown

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.fontbureau.com

unknown

http://www.fontbureau.com/designersG

unknown

http://DynDns.comDynDNS

unknown

http://www.jiyu-kobo.co.jp/aCo

unknown

http://www.fontbureau.com/designers/?

unknown

http://www.founder.com.cn/cn/bThe

unknown

https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

unknown

http://www.fontbureau.com/designers?

unknown

http://www.tiro.com

unknown

http://www.fontbureau.com/designers

unknown

http://www.goodfont.co.kr

unknown

http://www.carterandcone.coml

unknown

http://www.fontbureau.com_

unknown

http://www.sajatypeworks.com

unknown

http://www.typography.netD

unknown

http://www.fontbureau.com/designers/cabarga.htmlN

unknown

http://www.founder.com.cn/cn/cThe

unknown

http://www.galapagosdesign.com/staff/dennis.htm

unknown

http://fontfabrik.com

unknown

http://www.founder.com.cn/cn

unknown

http://www.fontbureau.com/designers/frere-jones.html

unknown

http://www.jiyu-kobo.co.jp/

unknown

http://www.fontbureau.comrsiva

unknown

http://www.galapagosdesign.com/DPlease

unknown

http://www.fontbureau.com/designers8

unknown

https://api.ipify.org%GETMozilla/5.0

unknown

http://www.fonts.com

unknown

http://www.sandoll.co.kr

unknown

http://www.urwpp.deDPlease

unknown

http://www.zhongyicts.com.cn

unknown

http://PcwsIt.com

unknown

http://www.sakkal.com

unknown

https://api.ipify.org%

unknown

https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

unknown

http://www.fontbureau.comue9

unknown

There are 27 hidden URLs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2A21000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

3BCF000

trusted library allocation

page read and write

2ACC000

trusted library allocation

page read and write

2C4A000

trusted library allocation

page read and write

BE3000

trusted library allocation

page read and write

50A0000

trusted library allocation

page read and write

51E5000

trusted library allocation

page read and write

51FB000

trusted library allocation

page read and write

521D000

trusted library allocation

page read and write

1115000

trusted library allocation

page read and write

4E50000

trusted library allocation

page read and write

2B11000

trusted library allocation

page read and write

BD1000

trusted library allocation

page read and write

5218000

trusted library allocation

page read and write

51EB000

trusted library allocation

page read and write

51FB000

trusted library allocation

page read and write

BD0000

trusted library allocation

page read and write

D12000

heap

page read and write

BE0000

trusted library allocation

page read and write

5209000

trusted library allocation

page read and write

521C000

trusted library allocation

page read and write

50A0000

trusted library allocation

page read and write

2A00000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

C74000

heap

page read and write

BD1000

trusted library allocation

page read and write

51FB000

trusted library allocation

page read and write

BD0000

trusted library allocation

page read and write

5390000

trusted library allocation

page read and write

5208000

trusted library allocation

page read and write

BE1000

trusted library allocation

page read and write

BE1000

trusted library allocation

page read and write

53B0000

trusted library allocation

page read and write

BD0000

trusted library allocation

page read and write

1B37F478000

heap

page read and write

520A000

trusted library allocation

page read and write

50A0000

trusted library allocation

page read and write

53E0000

trusted library allocation

page read and write

BD1000

trusted library allocation

page read and write

5219000

trusted library allocation

page read and write

5A3977D000

stack

page read and write

C8E000

stack

page read and write

4F00000

trusted library allocation

page read and write

C74000

heap

page read and write

C30000

trusted library allocation

page read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Files

Processes

URLs

Memdumps

IOC Report
SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe