Windows
Analysis Report
EahLhB4Bby.exe
Overview
General Information
Sample name: | EahLhB4Bby.exerenamed because original name is a hash value |
Original sample name: | 45e98efac77f098fdbd0608f80fb3be38c2d17140b66b495db00f44a735cf846.bin.exe |
Analysis ID: | 1447789 |
MD5: | ab5f8b9b988541922b36632eb29b262b |
SHA1: | 6d8b74b13695a73e5fbd3305ff485d7eee9a15d2 |
SHA256: | 45e98efac77f098fdbd0608f80fb3be38c2d17140b66b495db00f44a735cf846 |
Tags: | exeprg |
Detection
Score: | 60 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
EahLhB4Bby.exe (PID: 4364 cmdline:
"C:\Users\ user\Deskt op\EahLhB4 Bby.exe" MD5: AB5F8B9B988541922B36632EB29B262B)
- cleanup
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00409713 |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 1 System Information Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
79% | ReversingLabs | Win32.Trojan.Zeus | ||
78% | Virustotal | Browse | ||
100% | Avira | TR/Crypt.XPACK.Gen | ||
100% | Joe Sandbox ML |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1447789 |
Start date and time: | 2024-05-27 03:03:09 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 1m 52s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 2 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | EahLhB4Bby.exerenamed because original name is a hash value |
Original Sample Name: | 45e98efac77f098fdbd0608f80fb3be38c2d17140b66b495db00f44a735cf846.bin.exe |
Detection: | MAL |
Classification: | mal60.winEXE@1/0@0/0 |
EGA Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com
- Execution Graph export aborted for target EahLhB4Bby.exe, PID 4364 because there are no executed function
File type: | |
Entropy (8bit): | 6.773566250812872 |
TrID: |
|
File name: | EahLhB4Bby.exe |
File size: | 44'032 bytes |
MD5: | ab5f8b9b988541922b36632eb29b262b |
SHA1: | 6d8b74b13695a73e5fbd3305ff485d7eee9a15d2 |
SHA256: | 45e98efac77f098fdbd0608f80fb3be38c2d17140b66b495db00f44a735cf846 |
SHA512: | 0de65523eda41a1f8daf3ac594038ef04c962c2c134d78e1ef00ef60f751df6b65a2b1f0f1b642e35063be2c9cf530825318ce3951fb434d481f0782bf2b9677 |
SSDEEP: | 768:yY+OvuxEkyXiXPcsONqhwVNGyxEL4Eu8cSh4Uy9o6tHkU6hApcEsHZcRKtzvhT+I:yYnvuu7XYPcLqUxEsulcCSpcEL6UI |
TLSH: | F3139DC67BD2E8F3DCD100312669A7666BFEDD230060E987C768499526315E3D22BE1F |
File Content Preview: | MZ......................@...................................p.................$.........`....'..`...........^}f}(@.N.G.R.S.].[.b..=i..4.-.^}f}(@..]...NN;.H.E...9..Vy.K..t..!.3...... .*....q(.r%.Wv.0..M..>.8..u.'.i@.J.....H...,...P...._^aXs".<.&.`[j=./..hC |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x409bd3 |
Entrypoint Section: | .izejcl |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x435F94C2 [Wed Oct 26 14:37:54 2005 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: |
Instruction |
---|
ret |
push ebp |
mov ebp, esp |
push ecx |
push ecx |
mov al, byte ptr [ebp+14h] |
push ebx |
push esi |
xor ebx, ebx |
push ebx |
neg al |
push ebx |
push dword ptr [ebp+10h] |
push ebx |
push 00000001h |
sbb eax, eax |
and eax, 40000000h |
or eax, 80000000h |
push eax |
push dword ptr [ebp+08h] |
call dword ptr [0040FDC0h] |
cmp eax, FFFFFFFFh |
mov esi, dword ptr [ebp+0Ch] |
mov dword ptr [esi+08h], eax |
je 00007F2C24829E2Bh |
lea ecx, dword ptr [ebp-08h] |
push ecx |
push eax |
call dword ptr [0040FD40h] |
test eax, eax |
je 00007F2C24829E13h |
cmp dword ptr [ebp-04h], ebx |
jne 00007F2C24829E0Eh |
mov eax, dword ptr [ebp-08h] |
cmp eax, ebx |
mov dword ptr [esi+04h], eax |
jne 00007F2C24829DBBh |
mov dword ptr [esi+0Ch], ebx |
mov dword ptr [esi], ebx |
mov al, 01h |
jmp 00007F2C24829E06h |
xor eax, eax |
cmp byte ptr [ebp+14h], bl |
push ebx |
setne al |
push ebx |
push ebx |
lea eax, dword ptr [eax+eax+02h] |
push eax |
push ebx |
push dword ptr [esi+08h] |
call dword ptr [0040FD44h] |
cmp eax, ebx |
mov dword ptr [esi+0Ch], eax |
je 00007F2C24829DDAh |
push dword ptr [esi+04h] |
xor ecx, ecx |
cmp byte ptr [ebp+14h], bl |
push ebx |
sete cl |
push ebx |
lea ecx, dword ptr [ecx+ecx+02h] |
push ecx |
push eax |
call dword ptr [0040FD48h] |
cmp eax, ebx |
mov dword ptr [esi], eax |
jne 00007F2C24829D6Eh |
push dword ptr [esi+0Ch] |
call dword ptr [0040FDACh] |
push dword ptr [esi+08h] |
call dword ptr [0040FDACh] |
xor al, al |
pop esi |
pop ebx |
leave |
ret |
push esi |
mov esi, dword ptr [esp+08h] |
mov eax, dword ptr [esi] |
test eax, eax |
je 00007F2C24829DB9h |
push eax |
call dword ptr [0040FD4Ch] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11000 | 0x1180 | .vspmd |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.izejcl | 0x1000 | 0xdb73 | 0x9200 | cd61d28c5d02c8d2d32db00e48e45c7a | False | 0.6396350599315068 | data | 6.689292845888674 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.xipar | 0xf000 | 0x1330 | 0x400 | aa5fed42b031eea1652d36ac89767910 | False | 0.494140625 | data | 3.8235174040085242 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.vspmd | 0x11000 | 0x11000 | 0x1200 | 545a63a88e624eff57efb971b99b828a | False | 0.8174913194444444 | data | 6.6440970605329905 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Target ID: | 0 |
Start time: | 21:03:58 |
Start date: | 26/05/2024 |
Path: | C:\Users\user\Desktop\EahLhB4Bby.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 44'032 bytes |
MD5 hash: | AB5F8B9B988541922B36632EB29B262B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Function 00409713 Relevance: .2, Instructions: 223COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00407BDB Relevance: 15.4, Strings: 12, Instructions: 416COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004089D8 Relevance: 8.9, Strings: 7, Instructions: 176COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|