Edit tour

Windows Analysis Report
AndroidSideloader (1).exe

Overview

General Information

Sample name:	AndroidSideloader (1).exe
Analysis ID:	1468053
MD5:	b7fa8a83dd1c92d93679c58d06691369
SHA1:	0cff7bb71ff43ee92172f30566d8ee1b043129fc
SHA256:	6cf2bcdb1a463fc69eddb125eba8cc12854ee23effcd7c65b968667c668a7f0b
Tags:	exe
Infos:
Errors Unable to connect to analysis machine: w10x64, esxi07-W10x64_Office_03, timeout exceeded, no analysis of the sample was performed No process behavior to analyse as no analysis process or sample was found

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Binary contains a suspicious time stamp

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
AndroidSideloader (1).exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
AndroidSideloader (1).exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: AndroidSideloader (1).exe	ReversingLabs: Detection: 15%
Source: AndroidSideloader (1).exe	Virustotal: Detection: 21%			Perma Link

Source: AndroidSideloader (1).exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: AndroidSideloader (1).exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: costura.costura.pdb.compressed source: AndroidSideloader (1).exe
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed7microsoft.web.webview2.coreecostura.microsoft.web.webview2.core.dll.compressed?microsoft.web.webview2.winformsmcostura.microsoft.web.webview2.winforms.dll.compressed5microsoft.web.webview2.wpfccostura.microsoft.web.webview2.wpf.dll.compressed source: AndroidSideloader (1).exe
Source:	Binary string: C:\Sideloader\AndroidSideloader.pdb4 source: AndroidSideloader (1).exe
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: AndroidSideloader (1).exe
Source:	Binary string: C:\Sideloader\AndroidSideloader.pdb source: AndroidSideloader (1).exe

Networking

Yara detected Generic Downloader

Source: Yara match

File source: AndroidSideloader (1).exe, type: SAMPLE

Source: AndroidSideloader (1).exe	String found in binary or memory: VR trailer[https://www.youtube.com/results?search_query=KNo video URL found in search results.MYou are not connected to the Internet!=Do you want to upload {0} now? equals www.youtube.com (Youtube)
Source: AndroidSideloader (1).exe	String found in binary or memory: Do you wish to copy Package Name of games selected from list to clipboard?5Copy package to clipboard?;url"\:\"/watch\?v\=(.*?(?="))=https://www.youtube.com/embed/c?autoplay=1&mute=1&enablejsapi=1&modestbranding=1 equals www.youtube.com (Youtube)

Source: AndroidSideloader (1).exe	String found in binary or memory: http://127.0.0.1:5572/
Source: AndroidSideloader (1).exe	String found in binary or memory: http://127.0.0.1:5572/core/stats
Source: AndroidSideloader (1).exe	String found in binary or memory: https://downloads.rclone.org/v
Source: AndroidSideloader (1).exe	String found in binary or memory: https://github.com/VRPirates/rookie
Source: AndroidSideloader (1).exe	String found in binary or memory: https://github.com/VRPirates/rookie/raw/master/7z
Source: AndroidSideloader (1).exe	String found in binary or memory: https://github.com/VRPirates/rookie/raw/master/Rookie%20Offline.cmdQ
Source: AndroidSideloader (1).exe	String found in binary or memory: https://github.com/VRPirates/rookie/raw/master/Sideloader%20Launcher.exe
Source: AndroidSideloader (1).exe	String found in binary or memory: https://github.com/VRPirates/rookie/raw/master/dependencies.7z
Source: AndroidSideloader (1).exe	String found in binary or memory: https://raw.githubusercontent.com/VRPirates/rookie
Source: AndroidSideloader (1).exe	String found in binary or memory: https://raw.githubusercontent.com/VRPirates/rookie/master/codenamesEUnable
Source: AndroidSideloader (1).exe	String found in binary or memory: https://raw.githubusercontent.com/vrpyou/quest/main/vrp-public.jsonahttps://vrpirates.wiki/downloads
Source: AndroidSideloader (1).exe	String found in binary or memory: https://rclone.org/
Source: AndroidSideloader (1).exe	String found in binary or memory: https://stackoverflow.com/users/57611/erike
Source: AndroidSideloader (1).exe	String found in binary or memory: https://vrpirates.wiki/
Source: AndroidSideloader (1).exe	String found in binary or memory: https://vrpirates.wiki/downloads/runtimes.7z
Source: AndroidSideloader (1).exe	String found in binary or memory: https://vrpirates.wiki/downloads/vrp.download.config?Retrieved
Source: AndroidSideloader (1).exe	String found in binary or memory: https://vrpirates.wiki/downloads/vrp.upload.config#vrp.upload.configGUpload
Source: AndroidSideloader (1).exe	String found in binary or memory: https://vrpirates.wiki/en/Howto/sponsored-mirrors)
Source: AndroidSideloader (1).exe	String found in binary or memory: https://www.7-zip.org/
Source: AndroidSideloader (1).exe	String found in binary or memory: https://www.c-sharpcorner.com/members/mike-gold2
Source: AndroidSideloader (1).exe	String found in binary or memory: https://www.youtube.com/embed/c?autoplay=1&mute=1&enablejsapi=1&modestbranding=1
Source: AndroidSideloader (1).exe	String found in binary or memory: https://www.youtube.com/results?search_query=KNo

Source: AndroidSideloader (1).exe

Binary or memory string: OriginalFilenameAndroidSideloader.exeD vs AndroidSideloader (1).exe

Source: AndroidSideloader (1).exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.troj.evad.winEXE@0/0@0/0

Source: AndroidSideloader (1).exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: AndroidSideloader (1).exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: AndroidSideloader (1).exe	ReversingLabs: Detection: 15%
Source: AndroidSideloader (1).exe	Virustotal: Detection: 21%

Source: AndroidSideloader (1).exe	String found in binary or memory: Refresh connected devices, installed apps, and update game list-progressDLbtnContainer3downloadInstallGameButtonSDownload and Install Game/Add To Queue
Source: AndroidSideloader (1).exe	String found in binary or memory: Are you sure you want to exit?;Still downloading/installing.
Source: AndroidSideloader (1).exe	String found in binary or memory: x2-Starting Game DownloadM--transfers 1 --multi-thread-streams 0

Source: AndroidSideloader (1).exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: AndroidSideloader (1).exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: AndroidSideloader (1).exe

Static file information: File size 4312576 > 1048576

Source: AndroidSideloader (1).exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3b7e00

Source: AndroidSideloader (1).exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: AndroidSideloader (1).exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: costura.costura.pdb.compressed source: AndroidSideloader (1).exe
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed7microsoft.web.webview2.coreecostura.microsoft.web.webview2.core.dll.compressed?microsoft.web.webview2.winformsmcostura.microsoft.web.webview2.winforms.dll.compressed5microsoft.web.webview2.wpfccostura.microsoft.web.webview2.wpf.dll.compressed source: AndroidSideloader (1).exe
Source:	Binary string: C:\Sideloader\AndroidSideloader.pdb4 source: AndroidSideloader (1).exe
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: AndroidSideloader (1).exe
Source:	Binary string: C:\Sideloader\AndroidSideloader.pdb source: AndroidSideloader (1).exe

Data Obfuscation

.NET source code contains potential unpacker

Source: AndroidSideloader (1).exe, AssemblyLoader.cs

.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match

File source: AndroidSideloader (1).exe, type: SAMPLE

Source: AndroidSideloader (1).exe

Static PE information: 0xCBE5165D [Thu May 26 10:58:37 2078 UTC]

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	Path Interception	Path Interception	1 Software Packing	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Timestomp	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
AndroidSideloader (1).exe	16%	ReversingLabs	Win32.Trojan.Generic
AndroidSideloader (1).exe	22%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://rclone.org/	0%	Avira URL Cloud	safe
https://github.com/VRPirates/rookie/raw/master/dependencies.7z	0%	Avira URL Cloud	safe
https://www.youtube.com/results?search_query=KNo	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/VRPirates/rookie	0%	Avira URL Cloud	safe
https://github.com/VRPirates/rookie	0%	Avira URL Cloud	safe
https://www.youtube.com/embed/c?autoplay=1&mute=1&enablejsapi=1&modestbranding=1	0%	Avira URL Cloud	safe
https://github.com/VRPirates/rookie/raw/master/dependencies.7z	0%	Virustotal		Browse
https://stackoverflow.com/users/57611/erike	0%	Avira URL Cloud	safe
https://github.com/VRPirates/rookie	0%	Virustotal		Browse
https://github.com/VRPirates/rookie/raw/master/Sideloader%20Launcher.exe	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/vrpyou/quest/main/vrp-public.jsonahttps://vrpirates.wiki/downloads	0%	Avira URL Cloud	safe
https://vrpirates.wiki/downloads/vrp.download.config?Retrieved	0%	Avira URL Cloud	safe
https://www.youtube.com/results?search_query=KNo	0%	Virustotal		Browse
https://rclone.org/	0%	Virustotal		Browse
https://stackoverflow.com/users/57611/erike	0%	Virustotal		Browse
https://downloads.rclone.org/v	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/VRPirates/rookie	1%	Virustotal		Browse
https://vrpirates.wiki/downloads/runtimes.7z	0%	Avira URL Cloud	safe
https://github.com/VRPirates/rookie/raw/master/Rookie%20Offline.cmdQ	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/vrpyou/quest/main/vrp-public.jsonahttps://vrpirates.wiki/downloads	0%	Virustotal		Browse
http://127.0.0.1:5572/core/stats	0%	Avira URL Cloud	safe
https://downloads.rclone.org/v	1%	Virustotal		Browse
https://vrpirates.wiki/	0%	Avira URL Cloud	safe
https://github.com/VRPirates/rookie/raw/master/Sideloader%20Launcher.exe	0%	Virustotal		Browse
https://vrpirates.wiki/en/Howto/sponsored-mirrors)	0%	Avira URL Cloud	safe
https://vrpirates.wiki/downloads/vrp.download.config?Retrieved	2%	Virustotal		Browse
https://vrpirates.wiki/downloads/runtimes.7z	2%	Virustotal		Browse
http://127.0.0.1:5572/	0%	Avira URL Cloud	safe
https://github.com/VRPirates/rookie/raw/master/Rookie%20Offline.cmdQ	0%	Virustotal		Browse
http://127.0.0.1:5572/core/stats	0%	Virustotal		Browse
https://raw.githubusercontent.com/VRPirates/rookie/master/codenamesEUnable	0%	Avira URL Cloud	safe
https://vrpirates.wiki/	4%	Virustotal		Browse
https://www.7-zip.org/	0%	Avira URL Cloud	safe
https://vrpirates.wiki/downloads/vrp.upload.config#vrp.upload.configGUpload	0%	Avira URL Cloud	safe
https://www.youtube.com/embed/c?autoplay=1&mute=1&enablejsapi=1&modestbranding=1	0%	Virustotal		Browse
https://www.c-sharpcorner.com/members/mike-gold2	0%	Avira URL Cloud	safe
https://github.com/VRPirates/rookie/raw/master/7z	0%	Avira URL Cloud	safe
http://127.0.0.1:5572/	1%	Virustotal		Browse
https://raw.githubusercontent.com/VRPirates/rookie/master/codenamesEUnable	0%	Virustotal		Browse
https://vrpirates.wiki/downloads/vrp.upload.config#vrp.upload.configGUpload	3%	Virustotal		Browse
https://www.c-sharpcorner.com/members/mike-gold2	0%	Virustotal		Browse
https://www.7-zip.org/	0%	Virustotal		Browse
https://github.com/VRPirates/rookie/raw/master/7z	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/VRPirates/rookie	AndroidSideloader (1).exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/VRPirates/rookie/raw/master/dependencies.7z	AndroidSideloader (1).exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/VRPirates/rookie	AndroidSideloader (1).exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://rclone.org/	AndroidSideloader (1).exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.youtube.com/results?search_query=KNo	AndroidSideloader (1).exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.youtube.com/embed/c?autoplay=1&mute=1&enablejsapi=1&modestbranding=1	AndroidSideloader (1).exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://stackoverflow.com/users/57611/erike	AndroidSideloader (1).exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/VRPirates/rookie/raw/master/Sideloader%20Launcher.exe	AndroidSideloader (1).exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/vrpyou/quest/main/vrp-public.jsonahttps://vrpirates.wiki/downloads	AndroidSideloader (1).exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://vrpirates.wiki/downloads/vrp.download.config?Retrieved	AndroidSideloader (1).exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://downloads.rclone.org/v	AndroidSideloader (1).exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://vrpirates.wiki/downloads/runtimes.7z	AndroidSideloader (1).exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/VRPirates/rookie/raw/master/Rookie%20Offline.cmdQ	AndroidSideloader (1).exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://127.0.0.1:5572/core/stats	AndroidSideloader (1).exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://vrpirates.wiki/	AndroidSideloader (1).exe	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://vrpirates.wiki/en/Howto/sponsored-mirrors)	AndroidSideloader (1).exe	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:5572/	AndroidSideloader (1).exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/VRPirates/rookie/master/codenamesEUnable	AndroidSideloader (1).exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.7-zip.org/	AndroidSideloader (1).exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://vrpirates.wiki/downloads/vrp.upload.config#vrp.upload.configGUpload	AndroidSideloader (1).exe	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.c-sharpcorner.com/members/mike-gold2	AndroidSideloader (1).exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/VRPirates/rookie/raw/master/7z	AndroidSideloader (1).exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1468053
Start date and time:	2024-07-05 09:37:35 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	0
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	AndroidSideloader (1).exe
Detection:	MAL
Classification:	mal60.troj.evad.winEXE@0/0@0/0

Errors

Unable to connect to analysis machine: w10x64, esxi07-W10x64_Office_03, timeout exceeded, no analysis of the sample was performed
No process behavior to analyse as no analysis process or sample was found

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.247226825112656
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	AndroidSideloader (1).exe
File size:	4'312'576 bytes
MD5:	b7fa8a83dd1c92d93679c58d06691369
SHA1:	0cff7bb71ff43ee92172f30566d8ee1b043129fc
SHA256:	6cf2bcdb1a463fc69eddb125eba8cc12854ee23effcd7c65b968667c668a7f0b
SHA512:	d74f8450f1fda260d0176ceba347bde6ad58b24a09eaac3cc921e20236a11707cab2f5eaee3bb10907c387d67efbcb66d823ae052b1317f3e953c4984a2b94b8
SSDEEP:	24576:JUjV//Ppn/JcDJ7bdukqjVnlqud+/2P+AXg:S5//Rn/QJ7bYkqXfd+/9AQ
TLSH:	5F161783EEA40A24C2D43A74AA5EC6374F6C8C8103F5D772AAD19E873C852D5BF9D531
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...]............."...0..~;..N......^.;.. ........@.. ....................... B...........`................................

Static PE Info

General

Entrypoint:	0x7b9d5e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xCBE5165D [Thu May 26 10:58:37 2078 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b9d0c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3ba000	0x64bf4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x420000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b9c98	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3b7d64	0x3b7e00	603336f551f770829ce2aef4ba18dfdc	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x3ba000	0x64bf4	0x64c00	79a15f56e6943023355552a25311b71c	False	0.17219244339330025	data	2.762838039207606	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x420000	0xc	0x200	ca145cb3b090657469c78edf00e74435	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x3ba1e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.5647163120567376
RT_ICON	0x3ba658	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.4799180327868853
RT_ICON	0x3baff0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.4179174484052533
RT_ICON	0x3bc0a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.33278008298755185
RT_ICON	0x3be660	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.2858408124704771
RT_ICON	0x3c2898	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.2320527643472777
RT_ICON	0x3cbd50	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.19778481012658228
RT_ICON	0x3dc588	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	0.13858848418498684
RT_GROUP_ICON	0x41e5c0	0x76	data	0.7288135593220338
RT_VERSION	0x41e648	0x3ac	data	0.3861702127659574
RT_MANIFEST	0x41ea04	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

⊘No network behavior found

Statistics

⊘No statistics

System Behavior

⊘No system behavior

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AndroidSideloader (1).exe

Overview

General Information

Detection

Signatures

Classification

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Errors

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

System Behavior

Disassembly

Windows Analysis Report
AndroidSideloader (1).exe