Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample name: | file.exe |
| Analysis ID: | 1505363 |
| MD5: | 03c318cdb19ab95c6214de1d5bfef1df |
| SHA1: | 758363dc892672552731c4bfe52485a60d933312 |
| SHA256: | 5ceb5d0c9157680c45f09c037d1c579824821a9b26593ffef8239b5a0ed7e96a |
| Tags: | exe |
| Infos: | |
 | |
Detection
| Score: | 64 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
file.exe (PID: 5248 cmdline: "C:\Users\ user\Deskt op\file.ex e" MD5: 03C318CDB19AB95C6214DE1D5BFEF1DF) 
msedge.exe (PID: 6976 cmdline: "C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" https:/ /accounts. google.com /ServiceLo gin?servic e=accounts ettings&co ntinue=htt ps://accou nts.google .com/v3/si gnin/chall enge/pwd MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 7208 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --m ojo-platfo rm-channel -handle=22 36 --field -trial-han dle=2020,i ,257695246 9324847178 ,133050949 5654483864 7,262144 / prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F) 
firefox.exe (PID: 5496 cmdline: "C:\Progra m Files\Mo zilla Fire fox\firefo x.exe" htt ps://accou nts.google .com/Servi ceLogin?se rvice=acco untsetting s&continue =https://a ccounts.go ogle.com/v 3/signin/c hallenge/p wd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- firefox.exe (PID: 5856 cmdline:
"C:\Progra m Files\Mo zilla Fire fox\firefo x.exe" htt ps://accou nts.google .com/Servi ceLogin?se rvice=acco untsetting s&continue =https://a ccounts.go ogle.com/v 3/signin/c hallenge/p wd --attem pting-deel evation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045) - firefox.exe (PID: 7092 cmdline:
"C:\Progra m Files\Mo zilla Fire fox\firefo x.exe" htt ps://accou nts.google .com/Servi ceLogin?se rvice=acco untsetting s&continue =https://a ccounts.go ogle.com/v 3/signin/c hallenge/p wd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045) - firefox.exe (PID: 8236 cmdline:
"C:\Progra m Files\Mo zilla Fire fox\firefo x.exe" -co ntentproc --channel= 2248 -pare ntBuildID 2023092723 2528 -pref sHandle 21 80 -prefMa pHandle 21 60 -prefsL en 25308 - prefMapSiz e 237879 - win32kLock edDown -ap pDir "C:\P rogram Fil es\Mozilla Firefox\b rowser" - {9226e162- 6336-4180- a447-236ef cf9b96e} 7 092 "\\.\p ipe\gecko- crash-serv er-pipe.70 92" 2240a3 6e510 sock et MD5: C86B1BE9ED6496FE0E0CBE73F81D8045) - firefox.exe (PID: 7372 cmdline:
"C:\Progra m Files\Mo zilla Fire fox\firefo x.exe" -co ntentproc --channel= 4236 -pare ntBuildID 2023092723 2528 -pref sHandle 42 80 -prefMa pHandle 39 20 -prefsL en 26338 - prefMapSiz e 237879 - appDir "C: \Program F iles\Mozil la Firefox \browser" - {492a341 8-b3b9-49e a-8fda-722 9f54742bd} 7092 "\\. \pipe\geck o-crash-se rver-pipe. 7092" 2241 d32cc10 rd d MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- msedge.exe (PID: 7336 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --flag- switches-b egin --fla g-switches -end --dis able-nacl --do-not-d e-elevate https://ac counts.goo gle.com/Se rviceLogin ?service=a ccountsett ings&conti nue=https: //accounts .google.co m/v3/signi n/challeng e/pwd MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 7716 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --m ojo-platfo rm-channel -handle=23 04 --field -trial-han dle=2076,i ,168895487 0117880867 4,47631581 6738204684 2,262144 / prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 9056 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=ass et_store.m ojom.Asset StoreServi ce --lang= en-GB --se rvice-sand box-type=a sset_store _service - -mojo-plat form-chann el-handle= 7008 --fie ld-trial-h andle=2076 ,i,1688954 8701178808 674,476315 8167382046 842,262144 /prefetch :8 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 9088 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=ent ity_extrac tion_servi ce.mojom.E xtractor - -lang=en-G B --servic e-sandbox- type=entit y_extracti on --onnx- enabled-fo r-ee --moj o-platform -channel-h andle=7156 --field-t rial-handl e=2076,i,1 6889548701 178808674, 4763158167 382046842, 262144 /pr efetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 9360 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=aud io.mojom.A udioServic e --lang=e n-GB --ser vice-sandb ox-type=au dio --mojo -platform- channel-ha ndle=4964 --field-tr ial-handle =2076,i,16 8895487011 78808674,4 7631581673 82046842,2 62144 /pre fetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 9376 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=vid eo_capture .mojom.Vid eoCaptureS ervice --l ang=en-GB --service- sandbox-ty pe=none -- mojo-platf orm-channe l-handle=7 960 --fiel d-trial-ha ndle=2076, i,16889548 7011788086 74,4763158 1673820468 42,262144 /prefetch: 8 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 9628 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=pri ce_compari son_servic e.mojom.Da taProcesso r --lang=e n-GB --ser vice-sandb ox-type=en tity_extra ction --mo jo-platfor m-channel- handle=814 8 --field- trial-hand le=2076,i, 1688954870 1178808674 ,476315816 7382046842 ,262144 /p refetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 10200 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=edg e_search_i ndexer.moj om.SearchI ndexerInte rfaceBroke r --lang=e n-GB --ser vice-sandb ox-type=se arch_index er --messa ge-loop-ty pe-ui --mo jo-platfor m-channel- handle=812 8 --field- trial-hand le=2076,i, 1688954870 1178808674 ,476315816 7382046842 ,262144 /p refetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_007DDBBE | |
| Source: | Code function: | 0_2_007AC2A2 | |
| Source: | Code function: | 0_2_007E68EE | |
| Source: | Code function: | 0_2_007E698F | |
| Source: | Code function: | 0_2_007DD076 | |
| Source: | Code function: | 0_2_007DD3A9 | |
| Source: | Code function: | 0_2_007E9642 | |
| Source: | Code function: | 0_2_007E979D | |
| Source: | Code function: | 0_2_007E9B2B | |
| Source: | Code function: | 0_2_007E5C97 | |
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | JA3 fingerprint: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_007ECE44 | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||