Windows Analysis Report
AndroidSideloader (1).exe

Overview

General Information

Sample name: AndroidSideloader (1).exe
Analysis ID: 1468053
MD5: b7fa8a83dd1c92d93679c58d06691369
SHA1: 0cff7bb71ff43ee92172f30566d8ee1b043129fc
SHA256: 6cf2bcdb1a463fc69eddb125eba8cc12854ee23effcd7c65b968667c668a7f0b
Tags: exe
Infos:
Errors
  • Unable to connect to analysis machine: w10x64, esxi07-W10x64_Office_03, timeout exceeded, no analysis of the sample was performed
  • No process behavior to analyse as no analysis process or sample was found

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Binary contains a suspicious time stamp
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection

Source: AndroidSideloader (1).exe ReversingLabs: Detection: 15%
Source: AndroidSideloader (1).exe Virustotal: Detection: 21%
Source: AndroidSideloader (1).exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: AndroidSideloader (1).exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: costura.costura.pdb.compressed source: AndroidSideloader (1).exe
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed7microsoft.web.webview2.coreecostura.microsoft.web.webview2.core.dll.compressed?microsoft.web.webview2.winformsmcostura.microsoft.web.webview2.winforms.dll.compressed5microsoft.web.webview2.wpfccostura.microsoft.web.webview2.wpf.dll.compressed source: AndroidSideloader (1).exe
Source: Binary string: C:\Sideloader\AndroidSideloader.pdb4 source: AndroidSideloader (1).exe
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: AndroidSideloader (1).exe
Source: Binary string: C:\Sideloader\AndroidSideloader.pdb source: AndroidSideloader (1).exe

Networking

Source: Yara match File source: AndroidSideloader (1).exe, type: SAMPLE
Source: AndroidSideloader (1).exe String found in binary or memory: VR trailer[https://www.youtube.com/results?search_query=KNo video URL found in search results.MYou are not connected to the Internet!=Do you want to upload {0} now? equals www.youtube.com (Youtube)
Source: AndroidSideloader (1).exe String found in binary or memory: Do you wish to copy Package Name of games selected from list to clipboard?5Copy package to clipboard?;url"\:\"/watch\?v\=(.*?(?="))=https://www.youtube.com/embed/c?autoplay=1&mute=1&enablejsapi=1&modestbranding=1 equals www.youtube.com (Youtube)
Source: AndroidSideloader (1).exe String found in binary or memory: http://127.0.0.1:5572/
Source: AndroidSideloader (1).exe String found in binary or memory: http://127.0.0.1:5572/core/stats
Source: AndroidSideloader (1).exe String found in binary or memory: https://downloads.rclone.org/v
Source: AndroidSideloader (1).exe String found in binary or memory: https://github.com/VRPirates/rookie
Source: AndroidSideloader (1).exe String found in binary or memory: https://github.com/VRPirates/rookie/raw/master/7z
Source: AndroidSideloader (1).exe String found in binary or memory: https://github.com/VRPirates/rookie/raw/master/Rookie%20Offline.cmdQ
Source: AndroidSideloader (1).exe String found in binary or memory: https://github.com/VRPirates/rookie/raw/master/Sideloader%20Launcher.exe
Source: AndroidSideloader (1).exe String found in binary or memory: https://github.com/VRPirates/rookie/raw/master/dependencies.7z
Source: AndroidSideloader (1).exe String found in binary or memory: https://raw.githubusercontent.com/VRPirates/rookie
Source: AndroidSideloader (1).exe String found in binary or memory: https://raw.githubusercontent.com/VRPirates/rookie/master/codenamesEUnable
Source: AndroidSideloader (1).exe String found in binary or memory: https://raw.githubusercontent.com/vrpyou/quest/main/vrp-public.jsonahttps://vrpirates.wiki/downloads
Source: AndroidSideloader (1).exe String found in binary or memory: https://rclone.org/
Source: AndroidSideloader (1).exe String found in binary or memory: https://stackoverflow.com/users/57611/erike
Source: AndroidSideloader (1).exe String found in binary or memory: https://vrpirates.wiki/
Source: AndroidSideloader (1).exe String found in binary or memory: https://vrpirates.wiki/downloads/runtimes.7z
Source: AndroidSideloader (1).exe String found in binary or memory: https://vrpirates.wiki/downloads/vrp.download.config?Retrieved
Source: AndroidSideloader (1).exe String found in binary or memory: https://vrpirates.wiki/downloads/vrp.upload.config#vrp.upload.configGUpload
Source: AndroidSideloader (1).exe String found in binary or memory: https://vrpirates.wiki/en/Howto/sponsored-mirrors)
Source: AndroidSideloader (1).exe String found in binary or memory: https://www.7-zip.org/
Source: AndroidSideloader (1).exe String found in binary or memory: https://www.c-sharpcorner.com/members/mike-gold2
Source: AndroidSideloader (1).exe String found in binary or memory: https://www.youtube.com/embed/c?autoplay=1&mute=1&enablejsapi=1&modestbranding=1
Source: AndroidSideloader (1).exe String found in binary or memory: https://www.youtube.com/results?search_query=KNo
Source: AndroidSideloader (1).exe Binary or memory string: OriginalFilenameAndroidSideloader.exeD vs AndroidSideloader (1).exe
Source: classification engine Classification label: mal60.troj.evad.winEXE@0/0@0/0
Source: AndroidSideloader (1).exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AndroidSideloader (1).exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: AndroidSideloader (1).exe String found in binary or memory: Refresh connected devices, installed apps, and update game list-progressDLbtnContainer3downloadInstallGameButtonSDownload and Install Game/Add To Queue
Source: AndroidSideloader (1).exe String found in binary or memory: Are you sure you want to exit?;Still downloading/installing.
Source: AndroidSideloader (1).exe String found in binary or memory: x2-Starting Game DownloadM--transfers 1 --multi-thread-streams 0
Source: AndroidSideloader (1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: AndroidSideloader (1).exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: AndroidSideloader (1).exe Static file information: File size 4312576 > 1048576
Source: AndroidSideloader (1).exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3b7e00
Source: AndroidSideloader (1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: AndroidSideloader (1).exe, AssemblyLoader.cs .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: Yara match File source: AndroidSideloader (1).exe, type: SAMPLE
Source: AndroidSideloader (1).exe Static PE information: 0xCBE5165D [Thu May 26 10:58:37 2078 UTC]
No contacted IP infos