Windows Analysis Report
jR2YVB04Il.exe

Overview

General Information

Sample name: jR2YVB04Il.exe (renamed because original name is a hash value)
Original sample name: a4f028dc67f788d1bdf3657a6943d270.exe
Analysis ID: 1466599
MD5: a4f028dc67f788d1bdf3657a6943d270
SHA1: 6aec2e03d232f6499e80ac6f3a146ab865afdbb2
SHA256: a79add0bedad932a1f6a584c5e340fa85ba36f374840a67b4dc35b98cad3a6fe
Tags: exe
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
PE file contains an invalid checksum
PE file overlay found
Uses 32bit PE files

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: jR2YVB04Il.exe | ReversingLabs: Detection: 33%
Source: jR2YVB04Il.exe | Virustotal: Detection: 28%
Source: jR2YVB04Il.exe | Joe Sandbox ML: detected
Source: jR2YVB04Il.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: jR2YVB04Il.exe | Static PE information: Data appended to the last section found
Source: jR2YVB04Il.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal52.winEXE@0/0@0/0
Source: jR2YVB04Il.exe | Static PE information: real checksum: 0x3a331 should be: 0x31dff
Source: jR2YVB04Il.exe | Static PE information: section name: .text entropy: 7.5023872958235875
MITRE ATT&CK Matrix

Tactics: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact

Row 1: Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Software Packing (2) | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features

Row 2: Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information (1) | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Source | Detection | Scanner
jR2YVB04Il.exe | 33% | ReversingLabs
jR2YVB04Il.exe | 28% | Virustotal
jR2YVB04Il.exe | 100% | Joe Sandbox ML
No Antivirus matches
No contacted domains info
No contacted IP info
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1466599
Start date and time: 2024-07-03 07:50:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: jR2YVB04Il.exe (renamed because original name is a hash value)
Original Sample Name: a4f028dc67f788d1bdf3657a6943d270.exe
Detection: MAL
Classification: mal52.winEXE@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
  • Exclude process from analysis (whitelisted): dllhost.exe
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.7184223150481746
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: jR2YVB04Il.exe
File size: 154'343 bytes
MD5: a4f028dc67f788d1bdf3657a6943d270
SHA1: 6aec2e03d232f6499e80ac6f3a146ab865afdbb2
SHA256: a79add0bedad932a1f6a584c5e340fa85ba36f374840a67b4dc35b98cad3a6fe
SHA512: 0f0684398d3d86d22f4baa26c6ed772c70b54ef6763f7e03b8e06aaa55af21c9f4cf1e420f7d9d09e16c904bbf49727ff039438de0a4c969795413e252683c8c
SSDEEP: 3072:+15PL3R0U3l6pw3gXXgb3du+FqQT52dQMDXO19:k5PL3R0UVNeXgb3du+FlUaF
TLSH: B5E3BF1175A0D432DDEB4335652BCAA01A3BBC716FB5868F3795372F1E336A18A1A343
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._...................................{...<...........v...........................Rich............PE..L.....Yd.................h.
Icon Hash: cb97335d51515d9a
Entrypoint: 0x401908
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x6459FE97 [Tue May 9 08:04:39 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 039b1745d3ec0d69297e0716539e775c
Entrypoint Preview (instructions):
call 00007FED74C11BF5h
jmp 00007FED74C0DEBEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041C918h], eax
mov dword ptr [0041C914h], ecx
mov dword ptr [0041C910h], edx
mov dword ptr [0041C90Ch], ebx
mov dword ptr [0041C908h], esi
mov dword ptr [0041C904h], edi
mov word ptr [0041C930h], ss
mov word ptr [0041C924h], cs
mov word ptr [0041C900h], ds
mov word ptr [0041C8FCh], es
mov word ptr [0041C8F8h], fs
mov word ptr [0041C8F4h], gs
pushfd
pop dword ptr [0041C928h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041C91Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041C920h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041C92Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041C868h], 00010001h
mov eax, dword ptr [0041C920h]
mov dword ptr [0041C81Ch], eax
mov dword ptr [0041C810h], C0000409h
mov dword ptr [0041C814h], 00000001h
mov eax, dword ptr [0041B004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0041B008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000A8h]
Programming Language:
  • [C++] VS2008 build 21022
  • [ASM] VS2008 build 21022
  • [ C ] VS2008 build 21022
  • [IMP] VS2005 build 50727
  • [RES] VS2008 build 21022
  • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1977c | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2308000 | 0x101d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x18000 | 0x188 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x167ba | 0x16800 | a5f44f860c4d832ab680c6519649cc13 | False | 0.8032660590277778 | data | 7.5023872958235875 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x18000 | 0x205c | 0x2200 | b0afdcaf230125e7427da6670d999249 | False | 0.3469669117647059 | data | 5.370789616483129 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1b000 | 0x22ec548 | 0x1e00 | e025082c7e01f229a69336e65ba89dbc | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2308000 | 0x101d8 | 0x10200 | 195167f7f05fe73bacb1ed41ad4f874e | False | 0.5011948632049135 | data | 5.345385453170304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
NUSUTUMA | 0x230ef08 | 0x3fa | ASCII text, with very long lines (1018), with no line terminators | Turkish | Turkey | 0.6277013752455796
RT_CURSOR | 0x230f308 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.7368421052631579
RT_CURSOR | 0x230f438 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.06130705394190871
RT_ICON | 0x23086d0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.6130063965884861
RT_ICON | 0x2309578 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6922382671480144
RT_ICON | 0x2309e20 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.7517281105990783
RT_ICON | 0x230a4e8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7969653179190751
RT_ICON | 0x230aa50 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5969917012448133
RT_ICON | 0x230cff8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.7274859287054409
RT_ICON | 0x230e0a0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.739344262295082
RT_ICON | 0x230ea28 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.8865248226950354
RT_STRING | 0x2311bb8 | 0xaa | data | | | 0.611764705882353
RT_STRING | 0x2311c68 | 0x6e | data | | | 0.6
RT_STRING | 0x2311cd8 | 0x6b2 | data | | | 0.4305717619603267
RT_STRING | 0x2312390 | 0x688 | data | | | 0.4342105263157895
RT_STRING | 0x2312a18 | 0x6a4 | data | | | 0.4435418359057677
RT_STRING | 0x23130c0 | 0x202 | empty | | | 0
RT_STRING | 0x23132c8 | 0x6a4 | empty | | | 0
RT_STRING | 0x2313970 | 0x6d8 | empty | | | 0
RT_STRING | 0x2314048 | 0x7e0 | empty | | | 0
RT_STRING | 0x2314828 | 0x71a | empty | | | 0
RT_STRING | 0x2314f48 | 0x698 | empty | | | 0
RT_STRING | 0x23155e0 | 0x798 | empty | | | 0
RT_STRING | 0x2315d78 | 0x6dc | empty | | | 0
RT_STRING | 0x2316458 | 0x82c | empty | | | 0
RT_STRING | 0x2316c88 | 0x672 | empty | | | 0
RT_STRING | 0x2317300 | 0x752 | empty | | | 0
RT_STRING | 0x2317a58 | 0x724 | empty | | | 0
RT_STRING | 0x2318180 | 0x52 | empty | | | 0
RT_GROUP_CURSOR | 0x23119e0 | 0x22 | data | | | 1.088235294117647
RT_GROUP_ICON | 0x230ee90 | 0x76 | data | Turkish | Turkey | 0.6610169491525424
RT_VERSION | 0x2311a08 | 0x1b0 | data | | | 0.5972222222222222
DLL | Import
KERNEL32.dll | SetVolumeMountPointW, GetComputerNameW, SleepEx, GetCommProperties, GetModuleHandleW, GetTickCount, ReadConsoleOutputA, GlobalAlloc, lstrcpynW, WriteConsoleW, GetModuleFileNameW, GetConsoleAliasesW, CreateJobObjectW, GetProcAddress, BuildCommDCBW, GetAtomNameA, LoadLibraryA, UnhandledExceptionFilter, InterlockedExchangeAdd, AddAtomA, FoldStringA, lstrcatW, EnumDateFormatsW, FindFirstVolumeA, AreFileApisANSI, OpenJobObjectA, ZombifyActCtx, GetLastError, GetConsoleAliasExesLengthA, CreateFileA, GetConsoleOutputCP, MultiByteToWideChar, HeapReAlloc, HeapAlloc, GetStartupInfoW, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, Sleep, HeapSize, ExitProcess, HeapCreate, VirtualFree, HeapFree, VirtualAlloc, WriteFile, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, WideCharToMultiByte, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, ReadFile, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, WriteConsoleA
GDI32.dll | GetBoundsRect
ADVAPI32.dll | EnumDependentServicesA
ole32.dll | CoTaskMemRealloc
WINHTTP.dll | WinHttpAddRequestHeaders

Language of compilation system: Turkish
Country where language is spoken: Turkey
No network behavior found
No statistics
No system behavior
No disassembly