Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample name: | file.exe |
| Analysis ID: | 1498345 |
| MD5: | 928d7803f08676539035325d8697fc53 |
| SHA1: | cd0dc8cf27e83ce4f8aad5379cb5330d539f4893 |
| SHA256: | b577947677a4dacf20eeb42a1e250af220bd161e00bcd20695036bcc3f5ae5e5 |
| Tags: | exe |
| Infos: | |
 | |
Detection
| Score: | 68 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Maps a DLL or memory area into another process
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
file.exe (PID: 6192 cmdline: "C:\Users\ user\Deskt op\file.ex e" MD5: 928D7803F08676539035325D8697FC53) 
msedge.exe (PID: 6568 cmdline: "C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" https:/ /accounts. google.com /ServiceLo gin?servic e=accounts ettings&co ntinue=htt ps://accou nts.google .com/v3/si gnin/chall enge/pwd MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 6192 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --m ojo-platfo rm-channel -handle=20 32 --field -trial-han dle=2020,i ,969070439 6746272970 ,713889213 4863444414 ,262144 /p refetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F) 
firefox.exe (PID: 2004 cmdline: "C:\Progra m Files\Mo zilla Fire fox\firefo x.exe" htt ps://accou nts.google .com/Servi ceLogin?se rvice=acco untsetting s&continue =https://a ccounts.go ogle.com/v 3/signin/c hallenge/p wd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- firefox.exe (PID: 3736 cmdline:
"C:\Progra m Files\Mo zilla Fire fox\firefo x.exe" htt ps://accou nts.google .com/Servi ceLogin?se rvice=acco untsetting s&continue =https://a ccounts.go ogle.com/v 3/signin/c hallenge/p wd --attem pting-deel evation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045) - firefox.exe (PID: 1308 cmdline:
"C:\Progra m Files\Mo zilla Fire fox\firefo x.exe" htt ps://accou nts.google .com/Servi ceLogin?se rvice=acco untsetting s&continue =https://a ccounts.go ogle.com/v 3/signin/c hallenge/p wd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045) - firefox.exe (PID: 8140 cmdline:
"C:\Progra m Files\Mo zilla Fire fox\firefo x.exe" -co ntentproc --channel= 2284 -pare ntBuildID 2023092723 2528 -pref sHandle 22 28 -prefMa pHandle 22 12 -prefsL en 25359 - prefMapSiz e 237879 - win32kLock edDown -ap pDir "C:\P rogram Fil es\Mozilla Firefox\b rowser" - {417e413c- 0ac2-4c75- 986c-e5a7a 571dbf5} 1 308 "\\.\p ipe\gecko- crash-serv er-pipe.13 08" 219104 6bb10 sock et MD5: C86B1BE9ED6496FE0E0CBE73F81D8045) - firefox.exe (PID: 8332 cmdline:
"C:\Progra m Files\Mo zilla Fire fox\firefo x.exe" -co ntentproc --channel= 3740 -pare ntBuildID 2023092723 2528 -pref sHandle 26 44 -prefMa pHandle 26 32 -prefsL en 26374 - prefMapSiz e 237879 - appDir "C: \Program F iles\Mozil la Firefox \browser" - {dc0ed6f d-ea1d-445 1-9064-cb3 a34864dc1} 1308 "\\. \pipe\geck o-crash-se rver-pipe. 1308" 2192 2520010 rd d MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- msedge.exe (PID: 3444 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --flag- switches-b egin --fla g-switches -end --dis able-nacl --do-not-d e-elevate https://ac counts.goo gle.com/Se rviceLogin ?service=a ccountsett ings&conti nue=https: //accounts .google.co m/v3/signi n/challeng e/pwd MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 7528 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --m ojo-platfo rm-channel -handle=20 44 --field -trial-han dle=2004,i ,178585708 3262858795 2,32873025 3812425271 7,262144 / prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 7736 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=ass et_store.m ojom.Asset StoreServi ce --lang= en-GB --se rvice-sand box-type=a sset_store _service - -mojo-plat form-chann el-handle= 6328 --fie ld-trial-h andle=2004 ,i,1785857 0832628587 952,328730 2538124252 717,262144 /prefetch :8 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 7792 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=ent ity_extrac tion_servi ce.mojom.E xtractor - -lang=en-G B --servic e-sandbox- type=entit y_extracti on --onnx- enabled-fo r-ee --moj o-platform -channel-h andle=6616 --field-t rial-handl e=2004,i,1 7858570832 628587952, 3287302538 124252717, 262144 /pr efetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F) 
identity_helper.exe (PID: 8600 cmdline: "C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \117.0.204 5.47\ident ity_helper .exe" --ty pe=utility --utility -sub-type= winrt_app_ id.mojom.W inrtAppIdS ervice --l ang=en-GB --service- sandbox-ty pe=none -- mojo-platf orm-channe l-handle=6 432 --fiel d-trial-ha ndle=2004, i,17858570 8326285879 52,3287302 5381242527 17,262144 /prefetch: 8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416) - identity_helper.exe (PID: 8620 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \117.0.204 5.47\ident ity_helper .exe" --ty pe=utility --utility -sub-type= winrt_app_ id.mojom.W inrtAppIdS ervice --l ang=en-GB --service- sandbox-ty pe=none -- mojo-platf orm-channe l-handle=6 432 --fiel d-trial-ha ndle=2004, i,17858570 8326285879 52,3287302 5381242527 17,262144 /prefetch: 8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416) - msedge.exe (PID: 8272 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=edg e_search_i ndexer.moj om.SearchI ndexerInte rfaceBroke r --lang=e n-GB --ser vice-sandb ox-type=se arch_index er --messa ge-loop-ty pe-ui --mo jo-platfor m-channel- handle=656 4 --field- trial-hand le=2004,i, 1785857083 2628587952 ,328730253 8124252717 ,262144 /p refetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 8752 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --no-st artup-wind ow --win-s ession-sta rt /prefet ch:5 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 2896 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --m ojo-platfo rm-channel -handle=23 08 --field -trial-han dle=2056,i ,138338077 1232671072 6,49794909 3223533568 ,262144 /p refetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 8620 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --no-st artup-wind ow --win-s ession-sta rt /prefet ch:5 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 8992 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --m ojo-platfo rm-channel -handle=22 76 --field -trial-han dle=2032,i ,170752789 1017081396 9,53147950 5907848949 3,262144 / prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_00F9DBBE | |
| Source: | Code function: | 0_2_00FA68EE | |
| Source: | Code function: | 0_2_00FA698F | |
| Source: | Code function: | 0_2_00F9D076 | |
| Source: | Code function: | 0_2_00F9D3A9 | |
| Source: | Code function: | 0_2_00FA9642 | |
| Source: | Code function: | 0_2_00FA979D | |
| Source: | Code function: | 0_2_00FA9B2B | |
| Source: | Code function: | 0_2_00FA5C97 | |
| Source: | Memory has grown: | ||
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | JA3 fingerprint: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_00FACE44 | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||