Windows
Analysis Report
SecuriteInfo.com.FileRepMalware.6681.9154.exe
Overview
General Information
Detection
Score: 28
Range: 0 - 100
Whitelisted: false
Confidence: 0%
Signatures
Multi AV Scanner detection for dropped file
Contains functionality to register a low level keyboard hook
Sample or dropped binary is a compiled AutoHotkey binary
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
OS version to string mapping found (often used in BOTs)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Classification
Analysis Advice
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
- System is w10x64
- SecuriteInfo.com.FileRepMalware.6681.9154.exe (PID: 7456 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe" MD5: 328C956C47EE50D02E59606F7EC2DA63)
- SecuriteInfo.com.FileRepMalware.6681.9154.tmp (PID: 7472 cmdline: "C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp" /SL5="$2045E,6188866,801280,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe" MD5: FDAD6E236B4E5D5FF81A354D87BACBC4)
- ESET key finder.exe (PID: 5804 cmdline: "C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe" MD5: 15D7223A5EDCCACFF0CDC2B7209F2B22)
- chrome.exe (PID: 7548 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(%08)192207080962112986271363245700090061668218406782359533476819003707/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 7808 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2556 --field-trial-handle=2520,i,879092211089403127,1941375681759626372,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
AV Detection |
---|
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link |
Source: | HTTP Parser: |
Source: | Static PE information: |
Source: | Window detected: |