
Windows Analysis Report
EahLhB4Bby.exe

Overview

General Information

Sample name: EahLhB4Bby.exe (renamed because original name is a hash value)
Original sample name: 45e98efac77f098fdbd0608f80fb3be38c2d17140b66b495db00f44a735cf846.bin.exe
Analysis ID: 1447789
MD5: ab5f8b9b988541922b36632eb29b262b
SHA1: 6d8b74b13695a73e5fbd3305ff485d7eee9a15d2
SHA256: 45e98efac77f098fdbd0608f80fb3be38c2d17140b66b495db00f44a735cf846
Tags: exeprg

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Detected potential crypto function
Entry point lies outside standard sections
PE file contains sections with non-standard names
PE file does not import any functions
Program does not show much activity (idle)
Uses 32bit PE files

Classification

  • System is w10x64
  • EahLhB4Bby.exe (PID: 4364 cmdline: "C:\Users\user\Desktop\EahLhB4Bby.exe" MD5: AB5F8B9B988541922B36632EB29B262B)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: EahLhB4Bby.exe | Avira: detected
Source: EahLhB4Bby.exe | ReversingLabs: Detection: 79%
Source: EahLhB4Bby.exe | Virustotal: Detection: 78%
Source: EahLhB4Bby.exe | Joe Sandbox ML: detected
Source: EahLhB4Bby.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\EahLhB4Bby.exe | Code function: 0_2_00409713
Source: EahLhB4Bby.exe | Static PE information: No import functions for PE file found
Source: EahLhB4Bby.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal60.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\EahLhB4Bby.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: EahLhB4Bby.exe | ReversingLabs: Detection: 79%
Source: EahLhB4Bby.exe | Virustotal: Detection: 78%
Source: C:\Users\user\Desktop\EahLhB4Bby.exe | Section loaded: apphelp.dll
Source: initial sample | Static PE information: section where entry point is pointing to: .izejcl
Source: EahLhB4Bby.exe | Static PE information: section name: .izejcl
Source: EahLhB4Bby.exe | Static PE information: section name: .xipar
Source: EahLhB4Bby.exe | Static PE information: section name: .vspmd
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
MITRE ATT&CK Matrix (tactic: technique; a count in parentheses is the number of matched signatures):

  • Reconnaissance: Gather Victim Identity Information
  • Resource Development: Acquire Infrastructure
  • Initial Access: Valid Accounts
  • Execution: Windows Management Instrumentation
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1)
  • Defense Evasion: DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping
  • Discovery: System Information Discovery (1)
  • Lateral Movement: Remote Services
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (1)
  • Exfiltration: Exfiltration Over Other Network Medium
  • Impact: Abuse Accessibility Features
Antivirus results for the submitted sample (Source | Detection | Scanner | Label):

  • EahLhB4Bby.exe | 79% | ReversingLabs | Win32.Trojan.Zeus
  • EahLhB4Bby.exe | 78% | Virustotal |
  • EahLhB4Bby.exe | 100% | Avira | TR/Crypt.XPACK.Gen
  • EahLhB4Bby.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1447789
Start date and time: 2024-05-27 03:03:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: EahLhB4Bby.exe (renamed because original name is a hash value)
Original Sample Name: 45e98efac77f098fdbd0608f80fb3be38c2d17140b66b495db00f44a735cf846.bin.exe
Detection: MAL
Classification: mal60.winEXE@1/0@0/0
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 3
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com
  • Execution Graph export aborted for target EahLhB4Bby.exe, PID 4364 because there are no executed functions
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.773566250812872
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: EahLhB4Bby.exe
File size: 44'032 bytes
MD5: ab5f8b9b988541922b36632eb29b262b
SHA1: 6d8b74b13695a73e5fbd3305ff485d7eee9a15d2
SHA256: 45e98efac77f098fdbd0608f80fb3be38c2d17140b66b495db00f44a735cf846
SHA512: 0de65523eda41a1f8daf3ac594038ef04c962c2c134d78e1ef00ef60f751df6b65a2b1f0f1b642e35063be2c9cf530825318ce3951fb434d481f0782bf2b9677
SSDEEP: 768:yY+OvuxEkyXiXPcsONqhwVNGyxEL4Eu8cSh4Uy9o6tHkU6hApcEsHZcRKtzvhT+I:yYnvuu7XYPcLqUxEsulcCSpcEL6UI
TLSH: F3139DC67BD2E8F3DCD100312669A7666BFEDD230060E987C768499526315E3D22BE1F
File Content Preview: MZ......................@...................................p.................$.........`....'..`...........^}f}(@.N.G.R.S.].[.b..=i..4.-.^}f}(@..]...NN;.H.E...9..Vy.K..t..!.3...... .*....q(.r%.Wv.0..M..>.8..u.'.i@.J.....H...,...P...._^aXs".<.&.`[j=./..hC
Icon Hash: 00928e8e8686b000
Entrypoint: 0x409bd3
Entrypoint Section: .izejcl
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp: 0x435F94C2 [Wed Oct 26 14:37:54 2005 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash:
Instruction
ret
push ebp
mov ebp, esp
push ecx
push ecx
mov al, byte ptr [ebp+14h]
push ebx
push esi
xor ebx, ebx
push ebx
neg al
push ebx
push dword ptr [ebp+10h]
push ebx
push 00000001h
sbb eax, eax
and eax, 40000000h
or eax, 80000000h
push eax
push dword ptr [ebp+08h]
call dword ptr [0040FDC0h]
cmp eax, FFFFFFFFh
mov esi, dword ptr [ebp+0Ch]
mov dword ptr [esi+08h], eax
je 00007F2C24829E2Bh
lea ecx, dword ptr [ebp-08h]
push ecx
push eax
call dword ptr [0040FD40h]
test eax, eax
je 00007F2C24829E13h
cmp dword ptr [ebp-04h], ebx
jne 00007F2C24829E0Eh
mov eax, dword ptr [ebp-08h]
cmp eax, ebx
mov dword ptr [esi+04h], eax
jne 00007F2C24829DBBh
mov dword ptr [esi+0Ch], ebx
mov dword ptr [esi], ebx
mov al, 01h
jmp 00007F2C24829E06h
xor eax, eax
cmp byte ptr [ebp+14h], bl
push ebx
setne al
push ebx
push ebx
lea eax, dword ptr [eax+eax+02h]
push eax
push ebx
push dword ptr [esi+08h]
call dword ptr [0040FD44h]
cmp eax, ebx
mov dword ptr [esi+0Ch], eax
je 00007F2C24829DDAh
push dword ptr [esi+04h]
xor ecx, ecx
cmp byte ptr [ebp+14h], bl
push ebx
sete cl
push ebx
lea ecx, dword ptr [ecx+ecx+02h]
push ecx
push eax
call dword ptr [0040FD48h]
cmp eax, ebx
mov dword ptr [esi], eax
jne 00007F2C24829D6Eh
push dword ptr [esi+0Ch]
call dword ptr [0040FDACh]
push dword ptr [esi+08h]
call dword ptr [0040FDACh]
xor al, al
pop esi
pop ebx
leave
ret
push esi
mov esi, dword ptr [esp+08h]
mov eax, dword ptr [esi]
test eax, eax
je 00007F2C24829DB9h
push eax
call dword ptr [0040FD4Ch]
Data directories (Name | Virtual Address | Virtual Size | Is in Section):

IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11000 | 0x1180 | .vspmd
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):

.izejcl | 0x1000 | 0xdb73 | 0x9200 | cd61d28c5d02c8d2d32db00e48e45c7a | False | 0.6396350599315068 | data | 6.689292845888674 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.xipar | 0xf000 | 0x1330 | 0x400 | aa5fed42b031eea1652d36ac89767910 | False | 0.494140625 | data | 3.8235174040085242 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vspmd | 0x11000 | 0x11000 | 0x1200 | 545a63a88e624eff57efb971b99b828a | False | 0.8174913194444444 | data | 6.6440970605329905 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
No network behavior found


Target ID: 0
Start time: 21:03:58
Start date: 26/05/2024
Path: C:\Users\user\Desktop\EahLhB4Bby.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\EahLhB4Bby.exe"
Imagebase: 0x400000
File size: 44'032 bytes
MD5 hash: AB5F8B9B988541922B36632EB29B262B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

    Memory Dump Source
    • Source File: 00000000.00000002.2104569508.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2104542162.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2104594292.000000000040F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2104594292.0000000000411000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_EahLhB4Bby.jbxd
    Similarity
    • String ID: *keep-alive*$/$CONNECT $Connection: $Connection: close$Content-Length: $HTTP/1.0 200 Connection established$Host: $P$Proxy-$Proxy-Connection: $http://
    • API String ID: 0-737691513
    Similarity
    • String ID: &i=$&lcp=$&n=$&pr=$&s=$&sp=$&v=
    • API String ID: 0-1780237566