Windows Analysis Report
x8t38OJR0w.exe

Overview

General Information

Sample name:x8t38OJR0w.exe (renamed because original name is a hash value)
Original sample name:3590fc2b2af22396835a9ae8f6363a3b.exe
Analysis ID:1466595
MD5:3590fc2b2af22396835a9ae8f6363a3b
SHA1:c3770110eb8cccb2a2d6b149c09d56255f2abb3e
SHA256:8826dd64ff068bb53dca4bde04b70ed9071b9ad348b7f6a03dc1d85b2dda3d6e
Tags:exe
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
PE file contains an invalid checksum
PE file overlay found
Uses 32bit PE files

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: x8t38OJR0w.exe Virustotal: Detection: 27%
Source: x8t38OJR0w.exe ReversingLabs: Detection: 24%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 86.4% probability
Source: x8t38OJR0w.exe Joe Sandbox ML: detected
Source: x8t38OJR0w.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: x8t38OJR0w.exe Static PE information: Data appended to the last section found
Source: x8t38OJR0w.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal56.winEXE@0/0@0/0
Source: x8t38OJR0w.exe Static PE information: real checksum: 0x8d56f should be: 0x83e34
Source: x8t38OJR0w.exe Static PE information: section name: .text entropy: 7.955174619444939
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Software Packing (2) | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information (1) | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Source | Detection | Scanner | Label
x8t38OJR0w.exe | 27% | Virustotal |
x8t38OJR0w.exe | 24% | ReversingLabs |
x8t38OJR0w.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1466595
Start date and time:2024-07-03 07:46:08 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 35s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:1
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:x8t38OJR0w.exe (renamed because original name is a hash value)
Original Sample Name:3590fc2b2af22396835a9ae8f6363a3b.exe
Detection:MAL
Classification:mal56.winEXE@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
  • Exclude process from analysis (whitelisted): dllhost.exe
No simulations
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.7145165559349
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:x8t38OJR0w.exe
File size:504'832 bytes
MD5:3590fc2b2af22396835a9ae8f6363a3b
SHA1:c3770110eb8cccb2a2d6b149c09d56255f2abb3e
SHA256:8826dd64ff068bb53dca4bde04b70ed9071b9ad348b7f6a03dc1d85b2dda3d6e
SHA512:e04a83c1cf99326856c601dc68e680295b23eb33c715b117ba9a0c6f77603c4c2d8029fd3f2d91df1d474c8980b5b45246b49731ed72878896fe4be1f1b1fbce
SSDEEP:12288:MVkvSDAjzPUKCRv9VlnLfLipiBvTWlzQFB3Vex:T66LCXLzipDlzq3A
TLSH:8EB4F16039FAB025F3F78A701974A3A05E3BBC737A75814E1650974E5D726E0CEA1B23
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.................d.......u.......c.x...?"..........u.....j.......t.......q.....Rich............PE..L.....3d...................
Icon Hash:cb97334d5155599a
Entrypoint:0x401908
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x64330BCD [Sun Apr 9 19:02:37 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:1f26c0d9ea65ace741c1ad9345fbbca3
Instruction
call 00007F3A407D6C45h
jmp 00007F3A407D2F0Eh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0046F918h], eax
mov dword ptr [0046F914h], ecx
mov dword ptr [0046F910h], edx
mov dword ptr [0046F90Ch], ebx
mov dword ptr [0046F908h], esi
mov dword ptr [0046F904h], edi
mov word ptr [0046F930h], ss
mov word ptr [0046F924h], cs
mov word ptr [0046F900h], ds
mov word ptr [0046F8FCh], es
mov word ptr [0046F8F8h], fs
mov word ptr [0046F8F4h], gs
pushfd
pop dword ptr [0046F928h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0046F91Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0046F920h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0046F92Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0046F868h], 00010001h
mov eax, dword ptr [0046F920h]
mov dword ptr [0046F81Ch], eax
mov dword ptr [0046F810h], C0000409h
mov dword ptr [0046F814h], 00000001h
mov eax, dword ptr [0046E004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0046E008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000A4h]
Programming Language:
  • [C++] VS2008 build 21022
  • [ASM] VS2008 build 21022
  • [ C ] VS2008 build 21022
  • [IMP] VS2005 build 50727
  • [RES] VS2008 build 21022
  • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6c7ec | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x235b000 | 0x101d0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6b000 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x693ca | 0x69400 | 0a4816ccbd434298ae6941ed29161dd1 | False | 0.9583024049881235 | data | 7.955174619444939 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x6b000 | 0x2060 | 0x2200 | 1aa147bccd2586861aa89c646158bf2a | False | 0.35144761029411764 | data | 5.431388503624627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x6e000 | 0x22ec548 | 0x1e00 | af666a617e5ae1225d664c13b7267c08 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x235b000 | 0x101d0 | 0x10200 | 0adb1b84c590c313cd1619ad64b9bb1c | False | 0.5238103693181818 | data | 5.192570298909925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
NUSUTUMA | 0x2361ed8 | 0x3fa | ASCII text, with very long lines (1018), with no line terminators | Turkish | Turkey | 0.6277013752455796
RT_CURSOR | 0x23622d8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.4276315789473684
RT_ICON | 0x235b6a0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.6106076759061834
RT_ICON | 0x235c548 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6953971119133574
RT_ICON | 0x235cdf0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.7494239631336406
RT_ICON | 0x235d4b8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7940751445086706
RT_ICON | 0x235da20 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5953319502074689
RT_ICON | 0x235ffc8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.725140712945591
RT_ICON | 0x2361070 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.7377049180327869
RT_ICON | 0x23619f8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.8900709219858156
RT_STRING | 0x23625d0 | 0xaa | data | | | 0.611764705882353
RT_STRING | 0x2362680 | 0x6e | data | | | 0.6
RT_STRING | 0x23626f0 | 0x6b2 | data | | | 0.4305717619603267
RT_STRING | 0x2362da8 | 0x688 | data | | | 0.4342105263157895
RT_STRING | 0x2363430 | 0x6a4 | data | | | 0.42764705882352944
RT_STRING | 0x2363ad8 | 0x202 | data | | | 0.5019455252918288
RT_STRING | 0x2363ce0 | 0x6a4 | data | | | 0.42705882352941177
RT_STRING | 0x2364388 | 0x6d8 | data | | | 0.4297945205479452
RT_STRING | 0x2364a60 | 0x7e0 | data | | | 0.42162698412698413
RT_STRING | 0x2365240 | 0x71a | data | | | 0.42684268426842686
RT_STRING | 0x2365960 | 0x698 | data | | | 0.4277251184834123
RT_STRING | 0x2365ff8 | 0x798 | data | | | 0.4202674897119342
RT_STRING | 0x2366790 | 0x6dc | data | | | 0.4299544419134396
RT_STRING | 0x2366e70 | 0x82c | data | | | 0.41634799235181646
RT_STRING | 0x23676a0 | 0x672 | data | | | 0.44
RT_STRING | 0x2367d18 | 0x752 | data | | | 0.4247598719316969
RT_STRING | 0x2368470 | 0x720 | data | | | 0.42598684210526316
RT_STRING | 0x2368b90 | 0x52 | data | | | 0.6585365853658537
RT_GROUP_CURSOR | 0x2362408 | 0x14 | data | | | 1.15
RT_GROUP_ICON | 0x2361e60 | 0x76 | data | Turkish | Turkey | 0.6610169491525424
RT_VERSION | 0x2362420 | 0x1b0 | data | | | 0.5972222222222222
DLL | Import
KERNEL32.dll | ZombifyActCtx, CreateJobObjectW, GetModuleHandleExW, SetVolumeMountPointW, SleepEx, GetCommProperties, GetModuleHandleW, GetTickCount, ReadConsoleOutputA, GlobalAlloc, GetConsoleAliasExesLengthW, lstrcpynW, WriteConsoleW, GetModuleFileNameW, OpenJobObjectA, GetLastError, GetProcAddress, BuildCommDCBW, GetAtomNameA, LoadLibraryA, UnhandledExceptionFilter, InterlockedExchangeAdd, SetFileApisToANSI, AddAtomA, FoldStringA, lstrcatW, EnumDateFormatsW, FindFirstVolumeA, GetConsoleAliasesW, GetComputerNameA, CreateFileA, GetConsoleOutputCP, MultiByteToWideChar, HeapReAlloc, HeapAlloc, GetStartupInfoW, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, Sleep, HeapSize, ExitProcess, HeapCreate, VirtualFree, HeapFree, VirtualAlloc, WriteFile, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, WideCharToMultiByte, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, ReadFile, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, WriteConsoleA
GDI32.dll | GetBoundsRect
ole32.dll | CoTaskMemRealloc
Language of compilation system | Country where language is spoken
Turkish | Turkey
No network behavior found
No statistics
No system behavior
No disassembly