Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
Analysis ID:	756214
MD5:	b94ac3cb559832fa92e65b6a127ba7e0
SHA1:	def0dd941e90de0dc3d077033dbc234e86bcc077
SHA256:	c1fd700322fe5a908b87744730a34c923c9db9163adc0d018545c4ab285a31b9
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Antivirus / Scanner detection for submitted sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to call native functions

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe (PID: 4964 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe MD5: B94AC3CB559832FA92E65B6A127BA7E0)

SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe (PID: 2412 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe MD5: B94AC3CB559832FA92E65B6A127BA7E0)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.attracttitude.com/fqwu/"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6d48:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f7b7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb026:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1854e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1834c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17df8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1844e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x185c6:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xabf1:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x17043:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1e52e:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f521:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a850:$sqlite3step: 68 34 1C 7B E1 0x1b3c8:$sqlite3step: 68 34 1C 7B E1 0x1a892:$sqlite3text: 68 38 2A 90 C5 0x1b40d:$sqlite3text: 68 38 2A 90 C5 0x1a8a9:$sqlite3blob: 68 53 D8 7F 8C 0x1b423:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.313453933.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe PID: 4964	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe PID: 2412	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x86fcd:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 2 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

ReversingLabs: Detection: 15%

Yara detected FormBook

Source: Yara match

File source: 00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

Avira: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

Joe Sandbox ML: detected

Source: 00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.attracttitude.com/fqwu/"]}

Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000003.309818019.0000000001198000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000002.311465510.0000000001330000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000003.308076518.0000000000FF9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000003.309818019.0000000001198000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000002.311465510.0000000001330000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000003.308076518.0000000000FF9000.00000004.00000800.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.attracttitude.com/fqwu/

Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.318093245.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.309952897.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected FormBook

Source: Yara match

File source: 00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe PID: 2412, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.311228472.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe PID: 2412, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 2_2_06E436F0	2_2_06E436F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 2_2_06E43700	2_2_06E43700
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 2_2_06E439A0	2_2_06E439A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 2_2_06E43990	2_2_06E43990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 2_2_082F0026	2_2_082F0026
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 2_2_082F0040	2_2_082F0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01374120	5_2_01374120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0136C1C0	5_2_0136C1C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0138701D	5_2_0138701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01411002	5_2_01411002
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_013820A0	5_2_013820A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0136B090	5_2_0136B090
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_014160F5	5_2_014160F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_014220A8	5_2_014220A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0137A309	5_2_0137A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01373360	5_2_01373360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0141231B	5_2_0141231B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_014103DA	5_2_014103DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_014023E3	5_2_014023E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0138138B	5_2_0138138B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0137B236	5_2_0137B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0141E2C5	5_2_0141E2C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_014232A9	5_2_014232A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_014222AE	5_2_014222AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_013865A0	5_2_013865A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_014225DD	5_2_014225DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01382581	5_2_01382581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0136D5E0	5_2_0136D5E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01372430	5_2_01372430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0141D466	5_2_0141D466
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0136841F	5_2_0136841F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0137B477	5_2_0137B477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01414496	5_2_01414496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_014167E2	5_2_014167E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01375600	5_2_01375600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01359660	5_2_01359660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0141D616	5_2_0141D616
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_013806C0	5_2_013806C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0135F900	5_2_0135F900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_013799BF	5_2_013799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01372990	5_2_01372990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0137A830	5_2_0137A830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01356800	5_2_01356800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0142E824	5_2_0142E824
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_014228EC	5_2_014228EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_013588E0	5_2_013588E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01422B28	5_2_01422B28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_013FCB4F	5_2_013FCB4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0137AB40	5_2_0137AB40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0138EBB0	5_2_0138EBB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0141DBD2	5_2_0141DBD2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0137EB9A	5_2_0137EB9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_013FEB8A	5_2_013FEB8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_013A8BE8	5_2_013A8BE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0138ABD8	5_2_0138ABD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01415A4F	5_2_01415A4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0140FA2B	5_2_0140FA2B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01414AEF	5_2_01414AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01350D20	5_2_01350D20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01421D55	5_2_01421D55
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01422D07	5_2_01422D07
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01372D50	5_2_01372D50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01412D82	5_2_01412D82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0141CC77	5_2_0141CC77
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01384CD4	5_2_01384CD4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0142DFCE	5_2_0142DFCE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01421FF1	5_2_01421FF1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01376E30	5_2_01376E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_013DAE60	5_2_013DAE60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01422EF7	5_2_01422EF7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01401EB6	5_2_01401EB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_004012A3	5_2_004012A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_00422A4C	5_2_00422A4C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_004012B4	5_2_004012B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_004044C0	5_2_004044C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_004044C7	5_2_004044C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0040B482	5_2_0040B482
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0040B487	5_2_0040B487
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_004046E7	5_2_004046E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0040FEA7	5_2_0040FEA7

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: String function: 013AD08C appears 51 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: String function: 013E5720 appears 85 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: String function: 0135B150 appears 177 times

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399660 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_01399660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_013996E0 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_013996E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399860 NtQuerySystemInformation,LdrInitializeThunk,	5_2_01399860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0139B040 NtSuspendThread,	5_2_0139B040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0139A3B0 NtGetContextThread,	5_2_0139A3B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399520 NtWaitForSingleObject,	5_2_01399520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399560 NtWriteFile,	5_2_01399560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399540 NtReadFile,	5_2_01399540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_013995F0 NtQueryInformationFile,	5_2_013995F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_013995D0 NtClose,	5_2_013995D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399730 NtQueryVirtualMemory,	5_2_01399730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0139A710 NtOpenProcessToken,	5_2_0139A710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399710 NtQueryInformationToken,	5_2_01399710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0139A770 NtOpenThread,	5_2_0139A770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399770 NtSetInformationFile,	5_2_01399770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399760 NtOpenProcess,	5_2_01399760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_013997A0 NtUnmapViewOfSection,	5_2_013997A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399780 NtMapViewOfSection,	5_2_01399780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399610 NtEnumerateValueKey,	5_2_01399610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399670 NtQueryInformationProcess,	5_2_01399670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399650 NtQueryValueKey,	5_2_01399650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_013996D0 NtCreateKey,	5_2_013996D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399910 NtAdjustPrivilegesToken,	5_2_01399910
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399950 NtQueueApcThread,	5_2_01399950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_013999A0 NtCreateSection,	5_2_013999A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_013999D0 NtCreateProcessEx,	5_2_013999D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399820 NtEnumerateKey,	5_2_01399820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399840 NtDelayExecution,	5_2_01399840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_013998A0 NtWriteVirtualMemory,	5_2_013998A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_013998F0 NtReadVirtualMemory,	5_2_013998F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399B00 NtSetValueKey,	5_2_01399B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399A20 NtResumeThread,	5_2_01399A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399A10 NtQuerySection,	5_2_01399A10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399A00 NtProtectVirtualMemory,	5_2_01399A00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399A50 NtCreateFile,	5_2_01399A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399A80 NtOpenDirectoryObject,	5_2_01399A80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0139AD30 NtSetContextThread,	5_2_0139AD30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01399FE0 NtCreateMutant,	5_2_01399FE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0041E007 NtClose,	5_2_0041E007
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0041E0B7 NtAllocateVirtualMemory,	5_2_0041E0B7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_004012A3 NtProtectVirtualMemory,	5_2_004012A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0041DED7 NtCreateFile,	5_2_0041DED7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0041DF87 NtReadFile,	5_2_0041DF87
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_004012B4 NtProtectVirtualMemory,	5_2_004012B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_004014E9 NtProtectVirtualMemory,	5_2_004014E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0041DF86 NtReadFile,	5_2_0041DF86

Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.322576068.0000000006E50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000000.288391951.00000000001C2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamerqKR.exe6 vs SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.309952897.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.311233732.0000000002721000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.311233732.0000000002721000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.322239890.0000000006C40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000002.311962192.000000000144F000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000003.308719271.000000000110F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000003.310645530.00000000012B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Binary or memory string: OriginalFilenamerqKR.exe6 vs SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

ReversingLabs: Detection: 15%

Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/1@0/0

Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000003.309818019.0000000001198000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000002.311465510.0000000001330000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000003.308076518.0000000000FF9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000003.309818019.0000000001198000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000002.311465510.0000000001330000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000005.00000003.308076518.0000000000FF9000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe.1c0000.0.unpack, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 2_2_06E465EB push ecx; retf	2_2_06E465EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 2_2_06E46F66 push edi; retf	2_2_06E46F67
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_013AD0D1 push ecx; ret	5_2_013AD0E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_004210F9 push eax; ret	5_2_004210FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_004210AC push eax; ret	5_2_004210FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_00421163 push eax; ret	5_2_00421169
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_00421102 push eax; ret	5_2_00421169
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_00405267 push ebp; iretd	5_2_00405268
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_00421AE7 push edx; ret	5_2_00421BD9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0041AFE0 push edi; ret	5_2_0041AFE3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0041B78A push esp; iretd	5_2_0041B78C

Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

Static PE information: 0x814AECD0 [Mon Sep 27 03:32:32 2038 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.572220133283429

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000002.00000002.313453933.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe PID: 4964, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.313453933.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.313453933.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe TID: 5260	Thread sleep time: -38122s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe TID: 4840	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

Code function: 5_2_01386B90 rdtsc

5_2_01386B90

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

API coverage: 1.2 %

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Thread delayed: delay time: 38122			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.313453933.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.313453933.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.313453933.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe, 00000002.00000002.313453933.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

Code function: 5_2_01386B90 rdtsc

5_2_01386B90

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0138513A mov eax, dword ptr fs:[00000030h]	5_2_0138513A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_0138513A mov eax, dword ptr fs:[00000030h]	5_2_0138513A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01353138 mov ecx, dword ptr fs:[00000030h]	5_2_01353138
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01374120 mov eax, dword ptr fs:[00000030h]	5_2_01374120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01374120 mov eax, dword ptr fs:[00000030h]	5_2_01374120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01374120 mov eax, dword ptr fs:[00000030h]	5_2_01374120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01374120 mov eax, dword ptr fs:[00000030h]	5_2_01374120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01374120 mov ecx, dword ptr fs:[00000030h]	5_2_01374120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01359100 mov eax, dword ptr fs:[00000030h]	5_2_01359100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01359100 mov eax, dword ptr fs:[00000030h]	5_2_01359100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01359100 mov eax, dword ptr fs:[00000030h]	5_2_01359100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01360100 mov eax, dword ptr fs:[00000030h]	5_2_01360100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01360100 mov eax, dword ptr fs:[00000030h]	5_2_01360100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe	Code function: 5_2_01360100 mov eax, dword ptr fs:[00000030h]	5_2_01360100

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.21214.29334.exe