Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
Detection
Score: | 64 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Classification
- System is w10x64
- file.exe (PID: 1736 cmdline:
"C:\Users\ user\Deskt op\file.ex e" MD5: 9720060A0108D1A36B6F051E31353414) - msedge.exe (PID: 2344 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" https:/ /accounts. google.com /ServiceLo gin?servic e=accounts ettings&co ntinue=htt ps://accou nts.google .com/v3/si gnin/chall enge/pwd MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 6748 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --m ojo-platfo rm-channel -handle=23 12 --field -trial-han dle=2180,i ,113859754 2652479047 4,22910324 9107924030 0,262144 / prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F) - firefox.exe (PID: 3280 cmdline:
"C:\Progra m Files\Mo zilla Fire fox\firefo x.exe" htt ps://accou nts.google .com/Servi ceLogin?se rvice=acco untsetting s&continue =https://a ccounts.go ogle.com/v 3/signin/c hallenge/p wd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- firefox.exe (PID: 1280 cmdline:
"C:\Progra m Files\Mo zilla Fire fox\firefo x.exe" htt ps://accou nts.google .com/Servi ceLogin?se rvice=acco untsetting s&continue =https://a ccounts.go ogle.com/v 3/signin/c hallenge/p wd --attem pting-deel evation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045) - firefox.exe (PID: 6832 cmdline:
"C:\Progra m Files\Mo zilla Fire fox\firefo x.exe" htt ps://accou nts.google .com/Servi ceLogin?se rvice=acco untsetting s&continue =https://a ccounts.go ogle.com/v 3/signin/c hallenge/p wd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045) - firefox.exe (PID: 7696 cmdline:
"C:\Progra m Files\Mo zilla Fire fox\firefo x.exe" -co ntentproc --channel= 2352 -pare ntBuildID 2023092723 2528 -pref sHandle 22 72 -prefMa pHandle 22 64 -prefsL en 25298 - prefMapSiz e 238442 - win32kLock edDown -ap pDir "C:\P rogram Fil es\Mozilla Firefox\b rowser" - {dfa01b6f- fa55-4040- aa0b-78536 9d38a76} 6 832 "\\.\p ipe\gecko- crash-serv er-pipe.68 32" 22755a 6e110 sock et MD5: C86B1BE9ED6496FE0E0CBE73F81D8045) - firefox.exe (PID: 4464 cmdline:
"C:\Progra m Files\Mo zilla Fire fox\firefo x.exe" -co ntentproc --channel= 4532 -pare ntBuildID 2023092723 2528 -pref sHandle 45 16 -prefMa pHandle 38 88 -prefsL en 26313 - prefMapSiz e 238442 - appDir "C: \Program F iles\Mozil la Firefox \browser" - {1b8c35b 2-355b-43e 8-bc2c-ddf 9c5e64bd7} 6832 "\\. \pipe\geck o-crash-se rver-pipe. 6832" 2276 5d1cf10 rd d MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- msedge.exe (PID: 6192 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --flag- switches-b egin --fla g-switches -end --dis able-nacl --do-not-d e-elevate https://ac counts.goo gle.com/Se rviceLogin ?service=a ccountsett ings&conti nue=https: //accounts .google.co m/v3/signi n/challeng e/pwd MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 4124 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --m ojo-platfo rm-channel -handle=28 00 --field -trial-han dle=2096,i ,284765553 1396615725 ,310811537 4637525863 ,262144 /p refetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 8548 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=ass et_store.m ojom.Asset StoreServi ce --lang= en-GB --se rvice-sand box-type=a sset_store _service - -mojo-plat form-chann el-handle= 6872 --fie ld-trial-h andle=2096 ,i,2847655 5313966157 25,3108115 3746375258 63,262144 /prefetch: 8 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 8556 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=ent ity_extrac tion_servi ce.mojom.E xtractor - -lang=en-G B --servic e-sandbox- type=entit y_extracti on --onnx- enabled-fo r-ee --moj o-platform -channel-h andle=7012 --field-t rial-handl e=2096,i,2 8476555313 96615725,3 1081153746 37525863,2 62144 /pre fetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 9148 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=aud io.mojom.A udioServic e --lang=e n-GB --ser vice-sandb ox-type=au dio --mojo -platform- channel-ha ndle=6752 --field-tr ial-handle =2096,i,28 4765553139 6615725,31 0811537463 7525863,26 2144 /pref etch:8 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 8364 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=vid eo_capture .mojom.Vid eoCaptureS ervice --l ang=en-GB --service- sandbox-ty pe=none -- mojo-platf orm-channe l-handle=7 272 --fiel d-trial-ha ndle=2096, i,28476555 3139661572 5,31081153 7463752586 3,262144 / prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 8968 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=pri ce_compari son_servic e.mojom.Da taProcesso r --lang=e n-GB --ser vice-sandb ox-type=en tity_extra ction --mo jo-platfor m-channel- handle=789 2 --field- trial-hand le=2096,i, 2847655531 396615725, 3108115374 637525863, 262144 /pr efetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 8008 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=edg e_search_i ndexer.moj om.SearchI ndexerInte rfaceBroke r --lang=e n-GB --ser vice-sandb ox-type=se arch_index er --messa ge-loop-ty pe-ui --mo jo-platfor m-channel- handle=789 2 --field- trial-hand le=2096,i, 2847655531 396615725, 3108115374 637525863, 262144 /pr efetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 0_2_00A9DBBE | |
Source: | Code function: | 0_2_00A6C2A2 | |
Source: | Code function: | 0_2_00AA68EE | |
Source: | Code function: | 0_2_00AA698F | |
Source: | Code function: | 0_2_00A9D076 | |
Source: | Code function: | 0_2_00A9D3A9 | |
Source: | Code function: | 0_2_00AA9642 | |
Source: | Code function: | 0_2_00AA979D | |
Source: | Code function: | 0_2_00AA9B2B | |
Source: | Code function: | 0_2_00AA5C97 |
Source: | Memory has grown: |
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | JA3 fingerprint: | ||
Source: | JA3 fingerprint: | ||
Source: | JA3 fingerprint: |
Source: | HTTPS traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | Code function: | 0_2_00AACE44 |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |