Edit tour

Windows Analysis Report
showergirl.exe

Overview

General Information

Sample name:	showergirl.exe
Analysis ID:	1373754
MD5:	7dabefe1461d8eba1cd7ea7879edc6a3
SHA1:	ef57bf09a8c151598a9583b4e1e10f9a0a0c0698
SHA256:	23a2714d01b9c5633806402fedc71a4b3d78bb5b2c5de3b2c3528eed45d57d4d
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for submitted file

Contains functionality to automate explorer (e.g. start an application)

Machine Learning detection for sample

Contains functionality to dynamically determine API calls

Contains functionality to retrieve information about pressed keystrokes

Detected potential crypto function

Found evasive API chain (date check)

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

showergirl.exe (PID: 1340 cmdline: C:\Users\user\Desktop\showergirl.exe MD5: 7DABEFE1461D8EBA1CD7EA7879EDC6A3)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: showergirl.exe	ReversingLabs: Detection: 31%
Source: showergirl.exe	Virustotal: Detection: 44%			Perma Link

Machine Learning detection for sample

Source: showergirl.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\showergirl.exe

Unpacked PE file: 0.2.showergirl.exe.1000000.2.unpack

Source: showergirl.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\showergirl.exe

Code function: 0_2_01011C9B __EH_prolog,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,SetCurrentDirectoryA,RemoveDirectoryA,

Source: showergirl.exe, 00000000.00000002.3346412231.0000000001000000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://RASAPI32.DLLWININET.DLLTRACKINGDATAdata1bv
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp, showergirl.exe, 00000000.00000002.3346334685.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://stuart.messagemates.com/mailinglist.htm
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stuart.messagemates.com/mailinglist.htmA1
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stuart.messagemates.com/mailinglist.htmQ
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tracking.messagemates.com/acts/tracking/track.asp
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tracking.messagemates.com/acts/tracking/track.aspa1
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp, showergirl.exe, 00000000.00000002.3346334685.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.adtoolsinc.com/
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.adtoolsinc.com/11
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.adtoolsinc.com/A
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp, showergirl.exe, 00000000.00000002.3346334685.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.adtoolsinc.com/documents/privacy/messagemates
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.adtoolsinc.com/documents/privacy/messagematesQ1
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.adtoolsinc.com/documents/privacy/messagematesa
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp, showergirl.exe, 00000000.00000002.3346334685.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.adtoolsinc.com/privacy
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.adtoolsinc.com/privacy11
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.adtoolsinc.com/privacyQ
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp, showergirl.exe, 00000000.00000002.3346334685.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.adtoolsinc.com/products/messagemates
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.adtoolsinc.com/products/messagematesA1
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.adtoolsinc.com/products/messagematesQ
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp, showergirl.exe, 00000000.00000002.3346334685.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.messagemates.com/index.asp?type=showergirl&area=1
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.messagemates.com/index.asp?type=showergirl&area=1Q1
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.messagemates.com/index.asp?type=showergirl&area=1a
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp, showergirl.exe, 00000000.00000002.3346334685.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.messagemates.com/index.asp?type=showergirl&mm=showergirl&area=send
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.messagemates.com/index.asp?type=showergirl&mm=showergirl&area=senda1
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.messagemates.com/index.asp?type=showergirl&mm=showergirl&area=sendq
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp, showergirl.exe, 00000000.00000002.3346334685.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.messagemates.com/mailinglist/index.asp
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.messagemates.com/mailinglist/index.aspA1
Source: showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.messagemates.com/mailinglist/index.aspa

Source: C:\Users\user\Desktop\showergirl.exe

Code function: 0_2_01015670 __EH_prolog,DestroyWindow,BeginPaint,EndPaint,PostQuitMessage,PostMessageA,GetAsyncKeyState,GetWindowLongA,SetBkMode,SetBkMode,GetStockObject,GetCapture,GetCursorPos,GetWindowRect,SetWindowPos,SetCursor,ReleaseCapture,GetCursorPos,PtInRect,PtInRect,PostMessageA,PtInRect,PtInRect,PostMessageA,ReleaseCapture,DefWindowProcA,ShowWindow,

Source: C:\Users\user\Desktop\showergirl.exe	Code function: 0_2_004010F0
Source: C:\Users\user\Desktop\showergirl.exe	Code function: 0_2_004024A0
Source: C:\Users\user\Desktop\showergirl.exe	Code function: 0_2_0100D697
Source: C:\Users\user\Desktop\showergirl.exe	Code function: 0_2_0100F060
Source: C:\Users\user\Desktop\showergirl.exe	Code function: 0_2_0101B69A
Source: C:\Users\user\Desktop\showergirl.exe	Code function: 0_2_0100EB42
Source: C:\Users\user\Desktop\showergirl.exe	Code function: 0_2_0101EDCD
Source: C:\Users\user\Desktop\showergirl.exe	Code function: 0_2_0100FC30

Source: C:\Users\user\Desktop\showergirl.exe	Code function: String function: 0100AEB0 appears 99 times
Source: C:\Users\user\Desktop\showergirl.exe	Code function: String function: 010173F0 appears 39 times
Source: C:\Users\user\Desktop\showergirl.exe	Code function: String function: 010172B0 appears 171 times

Source: showergirl.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: showergirl.exe

Static PE information: Section: .zexe ZLIB complexity 0.9913287984913793

Source: classification engine

Classification label: mal64.evad.winEXE@1/5@0/0

Source: C:\Users\user\Desktop\showergirl.exe

Code function: 0_2_01022EF0 CLSIDFromString,CoCreateInstance,

Source: C:\Users\user\Desktop\showergirl.exe

Code function: 0_2_01005C40 FindResourceA,SizeofResource,SizeofResource,GetLastError,LoadResource,LoadResource,LockResource,FindResourceA,SizeofResource,LoadResource,LockResource,FindResourceA,SizeofResource,LoadResource,LockResource,

Source: C:\Users\user\Desktop\showergirl.exe

File created: C:\Users\user\AppData\Local\Temp\6C9D.tmp

Jump to behavior

Source: showergirl.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\showergirl.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: showergirl.exe	ReversingLabs: Detection: 31%
Source: showergirl.exe	Virustotal: Detection: 44%

Source: C:\Users\user\Desktop\showergirl.exe

File read: C:\Users\user\Desktop\showergirl.exe

Jump to behavior

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\showergirl.exe

Unpacked PE file: 0.2.showergirl.exe.1000000.2.unpack

Source: C:\Users\user\Desktop\showergirl.exe

Code function: 0_2_004057F5 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: showergirl.exe

Static PE information: section name: .zexe

Source: C:\Users\user\Desktop\showergirl.exe	Code function: 0_2_00405D56 push eax; ret
Source: C:\Users\user\Desktop\showergirl.exe	Code function: 0_2_00424903 push ebx; retf
Source: C:\Users\user\Desktop\showergirl.exe	Code function: 0_2_00405D20 push eax; ret
Source: C:\Users\user\Desktop\showergirl.exe	Code function: 0_2_004248BD push ds; ret
Source: C:\Users\user\Desktop\showergirl.exe	Code function: 0_2_010311EC push eax; ret
Source: C:\Users\user\Desktop\showergirl.exe	Code function: 0_2_0103132B push eax; ret
Source: C:\Users\user\Desktop\showergirl.exe	Code function: 0_2_010172B0 push eax; ret
Source: C:\Users\user\Desktop\showergirl.exe	Code function: 0_2_01018F40 push eax; ret

Source: C:\Users\user\Desktop\showergirl.exe

Evasive API call chain: GetSystemTime,DecisionNodes

Source: C:\Users\user\Desktop\showergirl.exe

Code function: 0_2_01011C9B __EH_prolog,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,SetCurrentDirectoryA,RemoveDirectoryA,

Source: C:\Users\user\Desktop\showergirl.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\showergirl.exe

Code function: 0_2_004057F5 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\Desktop\showergirl.exe	Code function: 0_2_0101D16B SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\showergirl.exe	Code function: 0_2_0101D17D SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Contains functionality to automate explorer (e.g. start an application)

Source: C:\Users\user\Desktop\showergirl.exe

Code function: 0_2_01010EA1 __EH_prolog,PostMessageA,PostQuitMessage,FindWindowA,EnumWindows,PostMessageA,SendMessageA,Sleep,SetForegroundWindow,SetForegroundWindow,SetForegroundWindow,ShowWindow,DestroyWindow,GetStockObject,RegisterClassA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateWindowExA,ShowWindow,UpdateWindow,SetForegroundWindow,ShowWindow,DestroyWindow,

Source: showergirl.exe, 00000000.00000002.3346412231.0000000001000000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: ArialWAVIDB_PALDIBMSGTEXTUNKNOWNShell_TrayWndFIG
Source: showergirl.exe, showergirl.exe, 00000000.00000002.3346412231.0000000001000000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\showergirl.exe

Code function: 0_2_0102B393 GetLocalTime,GetSystemTime,GetTimeZoneInformation,

Source: C:\Users\user\Desktop\showergirl.exe

Code function: 0_2_0102B393 GetLocalTime,GetSystemTime,GetTimeZoneInformation,

Source: C:\Users\user\Desktop\showergirl.exe

Code function: 0_2_0040351C EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	2 Native API	Path Interception	1 Process Injection	11 Software Packing	11 Input Capture	2 System Time Discovery	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	Junk Data	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
showergirl.exe	32%	ReversingLabs	Win32.PUA.Presenoker
showergirl.exe	44%	Virustotal		Browse
showergirl.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://tracking.messagemates.com/acts/tracking/track.aspa1	0%	Avira URL Cloud	safe
http://www.adtoolsinc.com/11	0%	Avira URL Cloud	safe
http://stuart.messagemates.com/mailinglist.htmQ	0%	Avira URL Cloud	safe
http://www.messagemates.com/index.asp?type=showergirl&area=1Q1	0%	Avira URL Cloud	safe
http://tracking.messagemates.com/acts/tracking/track.asp	0%	Avira URL Cloud	safe
http://www.adtoolsinc.com/products/messagematesQ	0%	Avira URL Cloud	safe
http://www.messagemates.com/mailinglist/index.aspa	0%	Avira URL Cloud	safe
http://www.adtoolsinc.com/11	1%	Virustotal		Browse
http://RASAPI32.DLLWININET.DLLTRACKINGDATAdata1bv	0%	Avira URL Cloud	safe
http://stuart.messagemates.com/mailinglist.htmQ	0%	Virustotal		Browse
http://www.messagemates.com/index.asp?type=showergirl&area=1a	0%	Avira URL Cloud	safe
http://www.messagemates.com/mailinglist/index.aspA1	0%	Avira URL Cloud	safe
http://www.adtoolsinc.com/	0%	Avira URL Cloud	safe
http://tracking.messagemates.com/acts/tracking/track.aspa1	1%	Virustotal		Browse
http://www.adtoolsinc.com/products/messagematesQ	1%	Virustotal		Browse
http://www.adtoolsinc.com/privacyQ	0%	Avira URL Cloud	safe
http://stuart.messagemates.com/mailinglist.htm	0%	Avira URL Cloud	safe
http://www.messagemates.com/index.asp?type=showergirl&area=1a	0%	Virustotal		Browse
http://www.adtoolsinc.com/	1%	Virustotal		Browse
http://www.messagemates.com/index.asp?type=showergirl&area=1	0%	Avira URL Cloud	safe
http://www.messagemates.com/mailinglist/index.aspA1	0%	Virustotal		Browse
http://www.adtoolsinc.com/privacy	0%	Avira URL Cloud	safe
http://www.messagemates.com/mailinglist/index.aspa	0%	Virustotal		Browse
http://www.messagemates.com/index.asp?type=showergirl&mm=showergirl&area=send	0%	Avira URL Cloud	safe
http://www.adtoolsinc.com/privacyQ	0%	Virustotal		Browse
http://tracking.messagemates.com/acts/tracking/track.asp	2%	Virustotal		Browse
http://www.adtoolsinc.com/products/messagemates	0%	Avira URL Cloud	safe
http://www.adtoolsinc.com/privacy11	0%	Avira URL Cloud	safe
http://www.adtoolsinc.com/privacy	0%	Virustotal		Browse
http://www.messagemates.com/index.asp?type=showergirl&area=1	1%	Virustotal		Browse
http://www.messagemates.com/index.asp?type=showergirl&mm=showergirl&area=send	0%	Virustotal		Browse
http://www.adtoolsinc.com/documents/privacy/messagematesa	0%	Avira URL Cloud	safe
http://www.adtoolsinc.com/documents/privacy/messagematesQ1	0%	Avira URL Cloud	safe
http://www.messagemates.com/index.asp?type=showergirl&mm=showergirl&area=senda1	0%	Avira URL Cloud	safe
http://www.adtoolsinc.com/products/messagematesA1	0%	Avira URL Cloud	safe
http://www.adtoolsinc.com/privacy11	1%	Virustotal		Browse
http://stuart.messagemates.com/mailinglist.htm	0%	Virustotal		Browse
http://www.adtoolsinc.com/documents/privacy/messagemates	0%	Avira URL Cloud	safe
http://www.adtoolsinc.com/documents/privacy/messagematesa	1%	Virustotal		Browse
http://www.messagemates.com/index.asp?type=showergirl&mm=showergirl&area=sendq	0%	Avira URL Cloud	safe
http://stuart.messagemates.com/mailinglist.htmA1	0%	Avira URL Cloud	safe
http://www.adtoolsinc.com/A	0%	Avira URL Cloud	safe
http://www.adtoolsinc.com/documents/privacy/messagematesQ1	1%	Virustotal		Browse
http://www.adtoolsinc.com/documents/privacy/messagemates	3%	Virustotal		Browse
http://www.messagemates.com/mailinglist/index.asp	0%	Avira URL Cloud	safe
http://stuart.messagemates.com/mailinglist.htmA1	0%	Virustotal		Browse
http://www.adtoolsinc.com/products/messagemates	1%	Virustotal		Browse
http://www.adtoolsinc.com/products/messagematesA1	1%	Virustotal		Browse
http://www.messagemates.com/mailinglist/index.asp	1%	Virustotal		Browse
http://www.adtoolsinc.com/A	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://tracking.messagemates.com/acts/tracking/track.aspa1	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tracking.messagemates.com/acts/tracking/track.asp	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://stuart.messagemates.com/mailinglist.htmQ	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adtoolsinc.com/11	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.messagemates.com/index.asp?type=showergirl&area=1Q1	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.messagemates.com/mailinglist/index.aspa	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adtoolsinc.com/products/messagematesQ	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://RASAPI32.DLLWININET.DLLTRACKINGDATAdata1bv	showergirl.exe, 00000000.00000002.3346412231.0000000001000000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.messagemates.com/index.asp?type=showergirl&area=1a	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adtoolsinc.com/	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp, showergirl.exe, 00000000.00000002.3346334685.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.messagemates.com/mailinglist/index.aspA1	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adtoolsinc.com/privacyQ	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://stuart.messagemates.com/mailinglist.htm	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp, showergirl.exe, 00000000.00000002.3346334685.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.messagemates.com/index.asp?type=showergirl&area=1	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp, showergirl.exe, 00000000.00000002.3346334685.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adtoolsinc.com/privacy	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp, showergirl.exe, 00000000.00000002.3346334685.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.messagemates.com/index.asp?type=showergirl&mm=showergirl&area=send	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp, showergirl.exe, 00000000.00000002.3346334685.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adtoolsinc.com/products/messagemates	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp, showergirl.exe, 00000000.00000002.3346334685.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adtoolsinc.com/privacy11	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adtoolsinc.com/documents/privacy/messagematesa	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adtoolsinc.com/documents/privacy/messagematesQ1	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.messagemates.com/index.asp?type=showergirl&mm=showergirl&area=senda1	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adtoolsinc.com/products/messagematesA1	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adtoolsinc.com/documents/privacy/messagemates	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp, showergirl.exe, 00000000.00000002.3346334685.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.messagemates.com/index.asp?type=showergirl&mm=showergirl&area=sendq	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://stuart.messagemates.com/mailinglist.htmA1	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adtoolsinc.com/A	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.messagemates.com/mailinglist/index.asp	showergirl.exe, 00000000.00000002.3346598219.0000000002460000.00000004.00001000.00020000.00000000.sdmp, showergirl.exe, 00000000.00000002.3346334685.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1373754
Start date and time:	2024-01-12 14:24:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 20s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	showergirl.exe
Detection:	MAL
Classification:	mal64.evad.winEXE@1/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com

Simulations

Behavior and APIs

Time	Type	Description
14:25:42	API Interceptor	3769x Sleep call for process: showergirl.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\6C9D\6CFC.tmp

Download File

Process:	C:\Users\user\Desktop\showergirl.exe
File Type:	MS Windows icon resource - 2 icons, 32x32, 16 colors, 16x16, 16 colors
Category:	dropped
Size (bytes):	1078
Entropy (8bit):	2.607949353621993
Encrypted:	false
SSDEEP:	3:adRllH/FEC9l/t+lxlllXvllFl/fl/l11SllqXSpAA0ftFpfBtZvLLDL/XDDLZta:7l2lAXE0FkWrMdI2FuJlAXE0Foo9
MD5:	67884125CBA0BC1CDDCD038BE5E42D80
SHA1:	5CB6B8AE3A1F90EC2833CDC0B4C265772D42ABF1
SHA-256:	6FBB39B13C9DB38606E2BD1452C630506B7B1F46BB2EA33E56F16EC8D6783655
SHA-512:	900DBB839822283DD662B24CA0D7A176889D37A08F9F6E326EFC795E297C1BC8E12536C3A68EFAFB35428F02BFFC3B31FFF5F67E507159687F02B50ABA024377
Malicious:	false
Reputation:	low
Preview:	...... ..........&...........(.......(... ...@..........................................................................................................................................................................................................................................h.......n..nnnnf................h......nnnn.n.................h.............................h.............................h.............................h.............................hx..wxnnnnnnnnnf.w...w..........x.x..............................x.................................................................................................................................................................................................................................................(....... .....................................................................................................................................fffn...............................x~....xx..................

C:\Users\user\AppData\Local\Temp\6C9D\6D0D.tmp

Download File

Process:	C:\Users\user\Desktop\showergirl.exe
File Type:	MS Windows icon resource - 2 icons, 32x32, 16 colors, 16x16, 16 colors
Category:	dropped
Size (bytes):	1078
Entropy (8bit):	2.607949353621993
Encrypted:	false
SSDEEP:	3:adRllH/FEC9l/t+lxlllXvllFl/fl/l11SllqXSpAA0ftFpfBtZvLLDL/XDDLZta:7l2lAXE0FkWrMdI2FuJlAXE0Foo9
MD5:	67884125CBA0BC1CDDCD038BE5E42D80
SHA1:	5CB6B8AE3A1F90EC2833CDC0B4C265772D42ABF1
SHA-256:	6FBB39B13C9DB38606E2BD1452C630506B7B1F46BB2EA33E56F16EC8D6783655
SHA-512:	900DBB839822283DD662B24CA0D7A176889D37A08F9F6E326EFC795E297C1BC8E12536C3A68EFAFB35428F02BFFC3B31FFF5F67E507159687F02B50ABA024377
Malicious:	false
Reputation:	low
Preview:	...... ..........&...........(.......(... ...@..........................................................................................................................................................................................................................................h.......n..nnnnf................h......nnnn.n.................h.............................h.............................h.............................h.............................hx..wxnnnnnnnnnf.w...w..........x.x..............................x.................................................................................................................................................................................................................................................(....... .....................................................................................................................................fffn...............................x~....xx..................

C:\Users\user\AppData\Local\Temp\6C9D\6D4C.tmp

Download File

Process:	C:\Users\user\Desktop\showergirl.exe
File Type:	MS Windows cursor resource - 1 icon, 32x32, hotspot @13x9
Category:	dropped
Size (bytes):	326
Entropy (8bit):	2.902965279815227
Encrypted:	false
SSDEEP:	6:Gl/g17ulsUO/a8aTKSBk7mrZoiliDDeW2s5555Qk:CgIsUO/bQhkyrZoilkR5555B
MD5:	0B576E008B73093BFF2507B55C03E27B
SHA1:	0AE3FCEE204274F9EFF4EA98AEE99831CBF8A404
SHA-256:	DB1765CE9BA8B1E6A779AE50362AEA47246732D78ECC475AAC86CFBC009A096A
SHA-512:	11D02C9DEFDBA79114A55650FE73C693DEEDFEEC10454029C30C1FCC5D4E0C72D6ACD55F42363A60A302F3D9876520526A0F24A472866BD7046ACD69B090CCA5
Malicious:	false
Reputation:	low
Preview:	...... ......0.......(... ...@............................................................................?...........o...m...m............H.......~...........^..........~....\|......$..............................................................................................................................................

C:\Users\user\AppData\Local\Temp\6C9D\6DF9.tmp

Download File

Process:	C:\Users\user\Desktop\showergirl.exe
File Type:	MS Windows cursor resource - 1 icon, 32x32, hotspot @12x9
Category:	dropped
Size (bytes):	326
Entropy (8bit):	2.144087964035102
Encrypted:	false
SSDEEP:	3:GlFFzsilFllfl/t+lklel/e/OllacllaTKfWWjReW2uAqaq555DAON7aEaaaDaac:Gl/Aiuls62O/a8aTKJeW2s5555jazQ
MD5:	547FD162B841EA7AB9A3EC382A0B3BCF
SHA1:	D4B18E2C5050F8E3F7DA3EBC971324216B2C52C0
SHA-256:	0D3435F9A32B338E0FC43CD6FE3B19654832C373DA924A05D4882817FB1D788C
SHA-512:	55E0D7DB284F42ACBFAFEE28528930D8F80FD8FBB7DD0E007E6E70B388B948F9EFA3145EFB88DBD97713FD0C53C76737275FCA449A1CBBBDEC646F926D92C543
Malicious:	false
Reputation:	low
Preview:	...... ......0.......(... ...@............................................................................?...........o...m...m............................................................................................................................................I.........................................................

C:\Users\user\AppData\Local\Temp\6C9D\6DFA.tmp

Download File

Process:	C:\Users\user\Desktop\showergirl.exe
File Type:	MS Windows cursor resource - 1 icon, 32x32, hotspot @13x9
Category:	dropped
Size (bytes):	326
Entropy (8bit):	2.902965279815227
Encrypted:	false
SSDEEP:	6:Gl/g17ulsUO/a8aTKSBk7mrZoiliDDeW2s5555Qk:CgIsUO/bQhkyrZoilkR5555B
MD5:	0B576E008B73093BFF2507B55C03E27B
SHA1:	0AE3FCEE204274F9EFF4EA98AEE99831CBF8A404
SHA-256:	DB1765CE9BA8B1E6A779AE50362AEA47246732D78ECC475AAC86CFBC009A096A
SHA-512:	11D02C9DEFDBA79114A55650FE73C693DEEDFEEC10454029C30C1FCC5D4E0C72D6ACD55F42363A60A302F3D9876520526A0F24A472866BD7046ACD69B090CCA5
Malicious:	false
Reputation:	low
Preview:	...... ......0.......(... ...@............................................................................?...........o...m...m............H.......~...........^..........~....\|......$..............................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.836431706555371
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	showergirl.exe
File size:	352'256 bytes
MD5:	7dabefe1461d8eba1cd7ea7879edc6a3
SHA1:	ef57bf09a8c151598a9583b4e1e10f9a0a0c0698
SHA256:	23a2714d01b9c5633806402fedc71a4b3d78bb5b2c5de3b2c3528eed45d57d4d
SHA512:	4ad3b4b0b3cb69ac5cbe81074aea1b740d2d54a46a8e43e7efd21ba3dda258a901172a7595910675b53161cfdd914ed433263b3561f3ce43689344292f0869ae
SSDEEP:	6144:95YDXs1lcSN1h3ZXTivr6GEwali5TgbzNqb+3GdccDkxklp2anvi/hq:95YDENNXEvrDFali5mzq+W2S2klgSviE
TLSH:	7B74010D5E834003F6551839D6AA15D01BBE7D4F3393A17FDB80884E4DF1AC8AAF5AB9
File Content Preview:	MZ......................@........p......c3..............................!..L.!This program cannot be run in DOS mode....$.........)...G...G...G.x.L...G.x.M...G...I...G...T...G...F...G.o.M...G.Rich..G.................PE..L...<*.9.................P...`.....

File Icon


Icon Hash:	232b2b2b2b233b3b

Static PE Info

General

Entrypoint:	0x40351c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x39182A3C [Tue May 9 15:09:48 2000 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c2e1cae882d39aad76257371d0930826

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 004060B8h
push 0040490Ch
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [00406044h]
xor edx, edx
mov dl, ah
mov dword ptr [00407730h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0040772Ch], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [00407728h], ecx
shr eax, 10h
mov dword ptr [00407724h], eax
xor esi, esi
push esi
call 00007F6111170815h
pop ecx
test eax, eax
jne 00007F611117073Ah
push 0000001Ch
call 00007F61111707E5h
pop ecx
mov dword ptr [ebp-04h], esi
call 00007F611117180Eh
call dword ptr [00406040h]
mov dword ptr [00407C34h], eax
call 00007F61111716CCh
mov dword ptr [00407704h], eax
call 00007F6111171475h
call 00007F61111713B7h
call 00007F61111710D4h
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [0040603Ch]
call 00007F6111171348h
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F6111170738h
movzx eax, word ptr [ebp-2Ch]
jmp 00007F6111170735h
push 0000000Ah
pop eax
push eax
push dword ptr [ebp-64h]
push esi
push esi
call dword ptr [00406008h]

Rich Headers

Programming Language:

[C++] VS98 (6.0) build 8168
[ C ] VS98 (6.0) build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x641c	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x25000	0x31008	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6000	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4d56	0x5000	False	0.606201171875	data	6.635623818587346	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x6000	0x7e6	0x1000	False	0.773681640625	data	7.129096511506511	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7000	0xc38	0x1000	False	0.331298828125	data	3.5433585439045165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.zexe	0x8000	0x1cf37	0x1d000	False	0.9913287984913793	data	7.985887725213216	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x25000	0x31008	0x32000	False	0.8347119140625	data	7.769630163560101	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
DIB	0x55888	0x476	PC bitmap, Windows 3.x format, 16 x 16 x 8, 1 compression, image size 64, 256 important colors, cbSize 1142, bits offset 1078	English	Great Britain	0.5140105078809106
FIG	0x36630	0x25a	data	English	Great Britain	0.9800664451827242
MIDI	0x54938	0x7	ASCII text, with CRLF line terminators	English	Great Britain	2.142857142857143
MOVIE	0x36c60	0x1205f	data	English	Great Britain	0.988242146756431
MSGTEXT	0x55780	0x101	data	English	Great Britain	0.5603112840466926
TEXT	0x36628	0x4	ASCII text, with no line terminators	English	Great Britain	3.0
TEXT	0x55778	0x5	ASCII text, with no line terminators	English	Great Britain	2.6
TRACKINGDATA	0x36890	0x85	OpenPGP Secret Key	English	Great Britain	1.0827067669172932
WAV	0x48cc0	0x32a5	RIFF (little-endian) data, WAVE audio, Microsoft ADPCM, mono 11025 Hz	English	Great Britain	0.8419591207096028
WAV	0x4bf68	0x75b	RIFF (little-endian) data, WAVE audio, Microsoft ADPCM, mono 11025 Hz	English	Great Britain	0.8672331386086033
WAV	0x4c6c8	0x1d7	RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, mono 11025 Hz	English	Great Britain	0.42250530785562634
WAV	0x4c8a0	0xfb9	RIFF (little-endian) data, WAVE audio, Microsoft ADPCM, mono 11025 Hz	English	Great Britain	0.8477018633540373
WAV	0x4d860	0x165b	RIFF (little-endian) data, WAVE audio, Microsoft ADPCM, mono 11025 Hz	English	Great Britain	0.8362746811113052
WAV	0x4eec0	0x1cb9	RIFF (little-endian) data, WAVE audio, Microsoft ADPCM, mono 11025 Hz	English	Great Britain	0.8461852305181559
WAV	0x50b80	0xeb9	RIFF (little-endian) data, WAVE audio, Microsoft ADPCM, mono 11025 Hz	English	Great Britain	0.8132130538604404
WAV	0x51a40	0x1cb9	RIFF (little-endian) data, WAVE audio, Microsoft ADPCM, mono 11025 Hz	English	Great Britain	0.8426492588059296
WAV	0x53700	0x11b9	RIFF (little-endian) data, WAVE audio, Microsoft ADPCM, mono 11025 Hz	English	Great Britain	0.8276394093013004
WAV	0x548c0	0x76	RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, mono 11025 Hz	English	Great Britain	0.9322033898305084
XML	0x35fe0	0x641	zlib compressed data	English	Great Britain	1.0068707058088695
XML	0x25660	0x1097c	data	English	Great Britain	0.9207668765817197
RT_ICON	0x54940	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.08303249097472924
RT_ICON	0x551e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.08309248554913294
RT_DIALOG	0x55d00	0x308	data	English	Great Britain	0.4845360824742268
RT_DIALOG	0x36918	0x346	data	English	Great Britain	0.4665871121718377
RT_GROUP_ICON	0x55750	0x22	data	English	Great Britain	1.0

Imports

DLL

Import

KERNEL32.dll

HeapReAlloc, LoadLibraryA, GetModuleHandleA, GlobalFree, GlobalUnlock, VirtualAlloc, CloseHandle, ReadFile, GlobalLock, GlobalAlloc, GetFileSize, CreateFileA, GetModuleFileNameA, HeapFree, HeapAlloc, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, HeapDestroy, HeapCreate, VirtualFree, GetProcAddress, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, RtlUnwind, WriteFile, GetCPInfo, GetACP, GetOEMCP, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Target ID:	0
Start time:	14:25:09
Start date:	12/01/2024
Path:	C:\Users\user\Desktop\showergirl.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\showergirl.exe
Imagebase:	0x400000
File size:	352'256 bytes
MD5 hash:	7DABEFE1461D8EBA1CD7EA7879EDC6A3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report showergirl.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\6C9D\6CFC.tmp

C:\Users\user\AppData\Local\Temp\6C9D\6D0D.tmp

C:\Users\user\AppData\Local\Temp\6C9D\6D4C.tmp

C:\Users\user\AppData\Local\Temp\6C9D\6DF9.tmp

C:\Users\user\AppData\Local\Temp\6C9D\6DFA.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

System Behavior

Analysis Process: showergirl.exePID: 1340, Parent PID: 4004

General

File Activities

File Created

File Deleted

Windows Analysis Report
showergirl.exe