Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

Overview

General Information

Sample Name:SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
Analysis ID:756214
MD5:b94ac3cb559832fa92e65b6a127ba7e0
SHA1:def0dd941e90de0dc3d077033dbc234e86bcc077
SHA256:c1fd700322fe5a908b87744730a34c923c9db9163adc0d018545c4ab285a31b9
Tags:exe

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • cleanup
{"C2 list": ["www.attracttitude.com/fqwu/"]}
Source | Rule | Description | Author | Strings
Source: 00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x6d48:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1f7b7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xb026:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x1854e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Source: 00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x1834c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x17df8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x1844e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x185c6:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xabf1:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x17043:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x1e52e:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1f521:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x1a850:$sqlite3step: 68 34 1C 7B E1
    • 0x1b3c8:$sqlite3step: 68 34 1C 7B E1
    • 0x1a892:$sqlite3text: 68 38 2A 90 C5
    • 0x1b40d:$sqlite3text: 68 38 2A 90 C5
    • 0x1a8a9:$sqlite3blob: 68 53 D8 7F 8C
    • 0x1b423:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000002.00000002.313453933.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
      No Sigma rule has matched
      No Snort rule has matched
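The Strings column above is the raw evidence behind the three community rule hits: each entry is a byte pattern and the offset at which it was found in the process-5 dump at 0x401000. The following script, added here and not part of the Joe Sandbox report or of the original rules, re-runs that string scan over a dump and decodes the JPCERT patterns, which are all five-byte `push imm32` instructions (the rule names them after the sqlite3 exports the payload resolves with those constants; the hashing scheme itself is not on this page). The rules' conditions (how many strings must hit) are not shown in the report, so only per-string hits are reported. The `DUMP` buffer is constructed so the script runs offline; pass a real `.sdmp` path to reproduce the report's offsets.

```python
"""Re-check the YARA string hits from the report's Strings column against a memory dump."""
import struct
from typing import Dict, List

# Hex strings exactly as printed in the report (rule -> {identifier: pattern}).
RULE_STRINGS: Dict[str, Dict[str, str]] = {
    "Windows_Trojan_Formbook_1112e116": {
        "$a1": "3C 30 50 4F 53 54 74 09 40",
        "$a2": "74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55",
        "$a3": "1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01",
        "$a4": "04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83",
    },
    "Formbook_1 (yara-signator)": {
        "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
        "$sequence_2": "3B 4F 14 73 95 85 C9 74 91",
        "$sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
        "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
        "$sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
        "$sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
        "$sequence_8": "3C 54 74 04 3C 74 75 F4",
        "$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
    },
    "Formbook (JPCERT/CC)": {
        "$sqlite3step": "68 34 1C 7B E1",
        "$sqlite3text": "68 38 2A 90 C5",
        "$sqlite3blob": "68 53 D8 7F 8C",
    },
}


def hex_to_bytes(pattern: str) -> bytes:
    return bytes.fromhex(pattern.replace(" ", ""))


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """Every offset of needle in buf, overlapping hits included (as a YARA string scan reports them)."""
    hits, start = [], 0
    while (idx := buf.find(needle, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def scan_dump(buf: bytes) -> Dict[str, Dict[str, List[int]]]:
    """rule -> {string identifier: [offsets]}; strings with no hit are omitted."""
    result: Dict[str, Dict[str, List[int]]] = {}
    for rule, strings in RULE_STRINGS.items():
        hits = {ident: find_all(buf, hex_to_bytes(pat)) for ident, pat in strings.items()}
        result[rule] = {k: v for k, v in hits.items() if v}
    return result


def decode_push_imm32(pattern: str) -> int:
    """The JPCERT strings are 'push imm32' (opcode 0x68 + little-endian dword).
    Returns the pushed constant, e.g. 0xE17B1C34 for $sqlite3step."""
    raw = hex_to_bytes(pattern)
    if len(raw) != 5 or raw[0] != 0x68:
        raise ValueError("not a 5-byte push imm32")
    return struct.unpack("<I", raw[1:])[0]


# Constructed dump: NOP filler with two of the report's patterns placed at arbitrary
# offsets purely to exercise the scanner (the real offsets are the ones in the report).
_buf = bytearray(b"\x90" * 0x400)
_buf[0x010:0x010 + 9] = hex_to_bytes(RULE_STRINGS["Windows_Trojan_Formbook_1112e116"]["$a1"])
_buf[0x100:0x100 + 5] = hex_to_bytes(RULE_STRINGS["Formbook (JPCERT/CC)"]["$sqlite3step"])
_buf[0x200:0x200 + 5] = hex_to_bytes(RULE_STRINGS["Formbook (JPCERT/CC)"]["$sqlite3step"])
DUMP = bytes(_buf)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else DUMP
    for rule, hits in scan_dump(data).items():
        for ident, offs in hits.items():
            print(f"{rule:36} {ident:14} {[hex(o) for o in offs]}")
    for ident, pat in RULE_STRINGS["Formbook (JPCERT/CC)"].items():
        print(f"{ident}: push 0x{decode_push_imm32(pat):08X}")
```

Running it against the 0x401000 dump should give the offsets listed above (0x6d48 for $a1, 0x1a850 and 0x1b3c8 for $sqlite3step, and so on); a hit for the push constants in any other process's memory is a cheap way to find where the unpacked payload ended up.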

      AV Detection

      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | ReversingLabs: Detection: 15%
      Source: Yara match | File source: 00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Avira: detected
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Joe Sandbox ML: detected
      Source: 00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.attracttitude.com/fqwu/"]}
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000003.309818019.0000000001198000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000002.311465510.0000000001330000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000003.308076518.0000000000FF9000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000003.309818019.0000000001198000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000002.311465510.0000000001330000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000003.308076518.0000000000FF9000.00000004.00000800.00020000.00000000.sdmp
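Every memory-resident finding in this report points at a dump identifier such as `00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp`. The parser below is an added example, not part of the Joe Sandbox report; its field layout is an inference from the names on this page, not documented behaviour: field 1 is the sandbox process index, field 4 the region base, and fields 5 and 7 decode cleanly as the winnt.h page-protection and region-type constants (the unpacked FormBook dump at 0x401000 comes out as PAGE_EXECUTE_READWRITE / MEM_PRIVATE, the main-module dump at 0x1C2000 as PAGE_READONLY / MEM_IMAGE, the 0x6E50000 dump as MEM_MAPPED). Fields 6 and 8 are not explained on the page and are left undecoded. The point of the example is triage: when a report lists dozens of dumps, the RWX private regions are the ones to hand to a YARA scan or config extractor first.

```python
"""Decode Joe Sandbox .sdmp identifiers and rank them for unpacked-code triage."""
from dataclasses import dataclass
from typing import List

# winnt.h constants. Low byte is the protection value; PAGE_GUARD/PAGE_NOCACHE
# modifiers live in higher bits and are masked off before lookup.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


@dataclass
class DumpRegion:
    process: int           # field 1: sandbox process index (5 = the injected FormBook host here)
    snapshot: int          # field 2: dump pass; assumed 0 = process start, 2 = analysis end, 3 = intermediate
    dump_id: int           # field 3: unique dump number
    base: int              # field 4: region base address
    protect: int           # field 5: raw page protection (assumed mapping)
    mem_type: int          # field 7: raw region type (assumed mapping)
    raw_fields: List[int]  # all eight fields; 6 and 8 are not decoded here

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    def is_unpacked_code_candidate(self) -> bool:
        """Writable+executable and not file-backed: where an unpacked payload usually
        lives. The report's process-5 dump at 0x401000 satisfies this."""
        return (self.protect & 0xFF) in (0x40, 0x80) and self.mem_type != 0x1000000


def parse_dump_name(name: str) -> DumpRegion:
    stem = name[:-len(".sdmp")] if name.endswith(".sdmp") else name
    fields = [int(f, 16) for f in stem.split(".")]
    if len(fields) != 8:
        raise ValueError(f"expected 8 dot-separated hex fields, got {len(fields)}: {name}")
    return DumpRegion(process=fields[0], snapshot=fields[1], dump_id=fields[2],
                      base=fields[3], protect=fields[4], mem_type=fields[6],
                      raw_fields=fields)


def triage(names: List[str]) -> List[str]:
    """Dump names worth scanning first, in the order given."""
    return [n for n in names if parse_dump_name(n).is_unpacked_code_candidate()]


# Dump identifiers copied from this report.
REPORT_DUMPS = [
    "00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp",
    "00000002.00000002.313453933.0000000002C01000.00000004.00000800.00020000.00000000.sdmp",
    "00000002.00000000.288391951.00000000001C2000.00000002.00000001.01000000.00000003.sdmp",
    "00000002.00000002.322576068.0000000006E50000.00000004.08000000.00040000.00000000.sdmp",
    "00000005.00000002.311465510.0000000001330000.00000040.00000800.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for n in REPORT_DUMPS:
        r = parse_dump_name(n)
        print(f"proc {r.process} pass {r.snapshot} base 0x{r.base:08X} "
              f"{r.protect_name:24} {r.type_name:12} candidate={r.is_unpacked_code_candidate()}")
```

For this report the triage step returns two dumps: the 0x401000 region in process 5 (the FormBook payload all three community rules matched) and the RWX region at 0x1330000 in the same process, which is where the report found the `wntdll.pdb` string, i.e. a privately mapped copy of ntdll rather than the loaded module.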

      Networking

      Source: Malware configuration extractor | URLs: www.attracttitude.com/fqwu/
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.309952897.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

      E-Banking Fraud

      Source: Yara match | File source: 00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

      System Summary

      Source: 00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe PID: 2412, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe PID: 2412, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 2_2_06E436F0
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 2_2_06E43700
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 2_2_06E439A0
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 2_2_06E43990
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 2_2_082F0026
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 2_2_082F0040
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01374120
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0136C1C0
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0138701D
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01411002
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_013820A0
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0136B090
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_014160F5
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_014220A8
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0137A309
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01373360
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0141231B
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_014103DA
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_014023E3
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0138138B
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0137B236
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0141E2C5
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_014232A9
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_014222AE
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_013865A0
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_014225DD
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01382581
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0136D5E0
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01372430
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0141D466
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0136841F
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0137B477
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01414496
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_014167E2
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01375600
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01359660
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0141D616
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_013806C0
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0135F900
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_013799BF
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01372990
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0137A830
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01356800
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0142E824
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_014228EC
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_013588E0
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01422B28
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_013FCB4F
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0137AB40
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0138EBB0
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0141DBD2
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0137EB9A
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_013FEB8A
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_013A8BE8
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0138ABD8
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01415A4F
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0140FA2B
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01414AEF
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01350D20
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01421D55
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01422D07
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01372D50
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01412D82
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0141CC77
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01384CD4
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0142DFCE
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01421FF1
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01376E30
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_013DAE60
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01422EF7
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01401EB6
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_004012A3
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_00422A4C
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_004012B4
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_004044C0
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_004044C7
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0040B482
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0040B487
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_004046E7
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0040FEA7
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: String function: 013AD08C appears 51 times
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: String function: 013E5720 appears 85 times
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: String function: 0135B150 appears 177 times
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399660 NtAllocateVirtualMemory,LdrInitializeThunk
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_013996E0 NtFreeVirtualMemory,LdrInitializeThunk
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399860 NtQuerySystemInformation,LdrInitializeThunk
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0139B040 NtSuspendThread
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0139A3B0 NtGetContextThread
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399520 NtWaitForSingleObject
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399560 NtWriteFile
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399540 NtReadFile
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_013995F0 NtQueryInformationFile
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_013995D0 NtClose
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399730 NtQueryVirtualMemory
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0139A710 NtOpenProcessToken
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399710 NtQueryInformationToken
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0139A770 NtOpenThread
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399770 NtSetInformationFile
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399760 NtOpenProcess
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_013997A0 NtUnmapViewOfSection
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399780 NtMapViewOfSection
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399610 NtEnumerateValueKey
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399670 NtQueryInformationProcess
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399650 NtQueryValueKey
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_013996D0 NtCreateKey
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399910 NtAdjustPrivilegesToken
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399950 NtQueueApcThread
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_013999A0 NtCreateSection
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_013999D0 NtCreateProcessEx
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399820 NtEnumerateKey
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399840 NtDelayExecution
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_013998A0 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_013998F0 NtReadVirtualMemory
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399B00 NtSetValueKey
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399A20 NtResumeThread
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399A10 NtQuerySection
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399A00 NtProtectVirtualMemory
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399A50 NtCreateFile
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399A80 NtOpenDirectoryObject
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0139AD30 NtSetContextThread
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01399FE0 NtCreateMutant
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0041E007 NtClose
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0041E0B7 NtAllocateVirtualMemory
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_004012A3 NtProtectVirtualMemory
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0041DED7 NtCreateFile
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0041DF87 NtReadFile
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_004012B4 NtProtectVirtualMemory
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_004014E9 NtProtectVirtualMemory
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0041DF86 NtReadFile
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.322576068.0000000006E50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000000.288391951.00000000001C2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamerqKR.exe6 vs SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.309952897.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.311233732.0000000002721000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.311233732.0000000002721000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.322239890.0000000006C40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000002.311962192.000000000144F000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000003.308719271.000000000110F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000003.310645530.00000000012B7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Binary or memory string: OriginalFilenamerqKR.exe6 vs SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exeReversingLabs: Detection: 15%
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exeJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe.logJump to behavior
      Source: classification engineClassification label: mal100.troj.evad.winEXE@3/1@0/0
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000003.309818019.0000000001198000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000002.311465510.0000000001330000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000003.308076518.0000000000FF9000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000003.309818019.0000000001198000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000002.311465510.0000000001330000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000003.308076518.0000000000FF9000.00000004.00000800.00020000.00000000.sdmp

      Data Obfuscation

      barindex
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 2.0.SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe.1c0000.0.unpack, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 2_2_06E465EB push ecx; retf 2_2_06E465EC
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 2_2_06E46F66 push edi; retf 2_2_06E46F67
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_013AD0D1 push ecx; ret 5_2_013AD0E4
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_004210F9 push eax; ret 5_2_004210FF
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_004210AC push eax; ret 5_2_004210FF
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_00421163 push eax; ret 5_2_00421169
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_00421102 push eax; ret 5_2_00421169
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_00405267 push ebp; iretd 5_2_00405268
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_00421AE7 push edx; ret 5_2_00421BD9
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0041AFE0 push edi; ret 5_2_0041AFE3
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0041B78A push esp; iretd 5_2_0041B78C
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Static PE information: 0x814AECD0 [Mon Sep 27 03:32:32 2038 UTC]
      Source: initial sample | Static PE information: section name: .text entropy: 7.572220133283429
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      barindex
      Source: Yara match | File source: 00000002.00000002.313453933.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe PID: 4964, type: MEMORYSTR
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.313453933.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.313453933.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe TID: 5260 | Thread sleep time: -38122s >= -30000s
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe TID: 4840 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01386B90 rdtsc 5_2_01386B90
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | API coverage: 1.2 %
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Thread delayed: delay time: 38122
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Thread delayed: delay time: 922337203685477
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.313453933.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.313453933.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.313453933.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
      Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.313453933.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01386B90 rdtsc 5_2_01386B90
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_0138513A mov eax, dword ptr fs:[00000030h] 5_2_0138513A
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01353138 mov ecx, dword ptr fs:[00000030h] 5_2_01353138
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01374120 mov eax, dword ptr fs:[00000030h] 5_2_01374120
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01374120 mov ecx, dword ptr fs:[00000030h] 5_2_01374120
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01359100 mov eax, dword ptr fs:[00000030h] 5_2_01359100
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe | Code function: 5_2_01360100 mov eax, dword ptr fs:[00000030h] 5_2_01360100