Edit tour
Windows
Analysis Report
DRAKETAX2023.EXE
Overview
General Information
| Sample name: | DRAKETAX2023.EXE |
| Analysis ID: | 1523773 |
| MD5: | 5f78842863d480ceb757501585bbe0dd |
| SHA1: | a3b6f8e2e7d32cfedc933b0b2a84832f81ab08cd |
| SHA256: | 2a3d437535627175832dfbbfb27c678512835d9d36f5ef94e68373cac72c6ec9 |
 | |
Detection
| Score: | 2 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 60% |
Signatures
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Classification
- System is w10x64
DRAKETAX2023.EXE (PID: 7272 cmdline: "C:\Users\ user\Deskt op\DRAKETA X2023.EXE" MD5: 5F78842863D480CEB757501585BBE0DD)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
There are no malicious signatures, click here to show all signatures.
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 1 System Information Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | unknown | |||
| false | unknown | |||
| false | unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1523773 |
| Start date and time: | 2024-10-02 01:52:14 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 1m 27s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 1 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | DRAKETAX2023.EXE |
| Detection: | CLEAN |
| Classification: | clean2.winEXE@1/0@0/0 |
| Cookbook Comments: |
|
- VT rate limit hit for: DRAKETAX2023.EXE
⊘No simulations
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 4.156571664816142 |
| TrID: |
|
| File name: | DRAKETAX2023.EXE |
| File size: | 453'920 bytes |
| MD5: | 5f78842863d480ceb757501585bbe0dd |
| SHA1: | a3b6f8e2e7d32cfedc933b0b2a84832f81ab08cd |
| SHA256: | 2a3d437535627175832dfbbfb27c678512835d9d36f5ef94e68373cac72c6ec9 |
| SHA512: | fc12211198075ddee6d5ca75ac3666028d21edc3bf06398cfece317fffff6490e8daf10dc41a23b5267cae9b5d17531c7d656d9de7694424baa11b9eb8c6ec6f |
| SSDEEP: | 3072:oRr6HEUvvsPuIj2a5bhCj7Nlixx8UeUi0X2ySD029uAOWDm5U:aUv34kRUi0XyD8WX |
| TLSH: | 13A4B4E1F7BF8C63E4530AB0D9E49AB17679BD244B6047DB33F8760949F01C126B1A26 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B\P..=>..=>..=>..B:..=>..B=..=>..B;.R=>..E...=>.ME?..=>..=?..=>.>.7..=>.>.<..=>.Rich.=>.................PE..L.....Ae........... |
 | |
| Icon Hash: | 176d48c9cc4c2b97 |
| Entrypoint: | 0x40e590 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x65410000 [Tue Oct 31 13:24:16 2023 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | a075a59db5a698d8bc78c00dfa213c20 |
| Signature Valid: | true |
| Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
| Signature Validation Error: | The operation completed successfully |
| Error Number: | 0 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | 9EC5AFC70F2A7574513B314779B7C043 |
| Thumbprint SHA-1: | B4D4EE74455E2718B4F45FC30343CFF3748A42F5 |
| Thumbprint SHA-256: | 8BBECA315F29FEC97E85580A7445176D7BA0E1CAE4A64D325EF6CB63419F6030 |
| Serial: | 0376FD24C4A883A58095A86563C111D3 |
| Instruction |
|---|
| call 00007F0198DADBD2h |
| jmp 00007F0198DAD42Dh |
| mov ecx, dword ptr [ebp-0Ch] |
| mov dword ptr fs:[00000000h], ecx |
| pop ecx |
| pop edi |
| pop edi |
| pop esi |
| pop ebx |
| mov esp, ebp |
| pop ebp |
| push ecx |
| ret |
| push eax |
| push dword ptr fs:[00000000h] |
| lea eax, dword ptr [esp+0Ch] |
| sub esp, dword ptr [esp+0Ch] |
| push ebx |
| push esi |
| push edi |
| mov dword ptr [eax], ebp |
| mov ebp, eax |
| mov eax, dword ptr [0041A014h] |
| xor eax, ebp |
| push eax |
| push dword ptr [ebp-04h] |
| mov dword ptr [ebp-04h], FFFFFFFFh |
| lea eax, dword ptr [ebp-0Ch] |
| mov dword ptr fs:[00000000h], eax |
| ret |
| push eax |
| push dword ptr fs:[00000000h] |
| lea eax, dword ptr [esp+0Ch] |
| sub esp, dword ptr [esp+0Ch] |
| push ebx |
| push esi |
| push edi |
| mov dword ptr [eax], ebp |
| mov ebp, eax |
| mov eax, dword ptr [0041A014h] |
| xor eax, ebp |
| push eax |
| mov dword ptr [ebp-10h], esp |
| push dword ptr [ebp-04h] |
| mov dword ptr [ebp-04h], FFFFFFFFh |
| lea eax, dword ptr [ebp-0Ch] |
| mov dword ptr fs:[00000000h], eax |
| ret |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| push ebp |
| mov ebp, esp |
| and dword ptr [0041AB80h], 00000000h |
| sub esp, 24h |
| or dword ptr [0041A020h], 01h |
| push 0000000Ah |
| call dword ptr [004130BCh] |
| test eax, eax |
| je 00007F0198DAD772h |
| and dword ptr [ebp-10h], 00000000h |
| xor eax, eax |
| push ebx |
| push esi |
| push edi |
| xor ecx, ecx |
| lea edi, dword ptr [ebp-24h] |
| push ebx |
| cpuid |
| mov esi, ebx |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18fa8 | 0x104 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1d000 | 0x52468 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x6c600 | 0x2720 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1b000 | 0x1080 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x17350 | 0x54 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x173c0 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x17290 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x13000 | 0x1fc | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x112aa | 0x11400 | 67be996cc497ddc5879936f4947766d1 | False | 0.4977638134057971 | data | 6.437144653107767 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x13000 | 0x6c06 | 0x6e00 | 53d875ff81c38a143fe1d28610cf9174 | False | 0.3489701704545455 | data | 4.432650710645495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x1a000 | 0xfec | 0x800 | f49b397124e7d440e8f29e1f8d451f2d | False | 0.20068359375 | DOS executable (block device driver \377\377\377\377\261) | 2.66254945529702 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x1b000 | 0x1080 | 0x1200 | 7140776eceee7e55c32f7f897ab817b7 | False | 0.7599826388888888 | data | 6.368522938616639 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x1d000 | 0x52468 | 0x52600 | 2f527ce8d1c8bf83c0650498f874927b | False | 0.0630749715477997 | data | 2.7583716327680143 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x1d1f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | 0.45390070921985815 | ||
| RT_ICON | 0x1d658 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 0 | 0.3372093023255814 | ||
| RT_ICON | 0x1dd10 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | 0.28114754098360656 | ||
| RT_ICON | 0x1e698 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | 0.2171669793621013 | ||
| RT_ICON | 0x1f740 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 0 | 0.21760355029585798 | ||
| RT_ICON | 0x211a8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | 0.18692946058091287 | ||
| RT_ICON | 0x23750 | 0x3a48 | Device independent bitmap graphic, 60 x 120 x 32, image size 0 | 0.1524798927613941 | ||
| RT_ICON | 0x27198 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 0 | 0.12818853974121996 | ||
| RT_ICON | 0x2c620 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 | 0.035247211290942985 | ||
| RT_GROUP_ICON | 0x6e648 | 0x84 | data | 0.7272727272727273 | ||
| RT_VERSION | 0x6e6cc | 0x400 | MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4" | 0.4169921875 | ||
| RT_MANIFEST | 0x6eacc | 0x8d9 | XML 1.0 document, ASCII text, with CRLF line terminators | 0.35673289183222956 |
| DLL | Import |
|---|---|
| KERNEL32.dll | FreeLibrary, LoadLibraryExW, OutputDebugStringW, FindFirstFileExW, EnterCriticalSection, GetFullPathNameW, FindNextFileW, GetCurrentProcess, GetModuleHandleExW, GetModuleFileNameW, LeaveCriticalSection, GetEnvironmentVariableW, GetModuleHandleW, MultiByteToWideChar, GetFileAttributesExW, LoadLibraryA, DeleteCriticalSection, WideCharToMultiByte, IsWow64Process, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, GetProcAddress, GetWindowsDirectoryW, FindResourceW, GetLastError, ActivateActCtx, FindClose, CreateActCtxW, SetLastError, RaiseException, RtlUnwind, InitializeSListHead, GetCurrentProcessId, IsDebuggerPresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsProcessorFeaturePresent, GetStringTypeW, SwitchToThread, GetCurrentThreadId, InitializeCriticalSectionEx, EncodePointer, DecodePointer, LCMapStringEx, QueryPerformanceCounter, GetSystemTimeAsFileTime |
| USER32.dll | MessageBoxW |
| SHELL32.dll | ShellExecuteW |
| ADVAPI32.dll | RegOpenKeyExW, RegGetValueW, DeregisterEventSource, RegisterEventSourceW, ReportEventW, RegCloseKey |
| api-ms-win-crt-runtime-l1-1-0.dll | _invalid_parameter_noinfo_noreturn, _exit, exit, _initterm_e, _initterm, _get_initial_wide_environment, _initialize_wide_environment, _configure_wide_argv, _set_app_type, _seh_filter_exe, _cexit, _crt_atexit, _errno, _register_onexit_function, _initialize_onexit_table, abort, __p___wargv, _c_exit, _register_thread_local_exe_atexit_callback, terminate, _controlfp_s, __p___argc |
| api-ms-win-crt-stdio-l1-1-0.dll | __acrt_iob_func, fputwc, __p__commode, _set_fmode, fputws, _wfsopen, fflush, __stdio_common_vfwprintf, __stdio_common_vsnwprintf_s, __stdio_common_vswprintf, setvbuf |
| api-ms-win-crt-heap-l1-1-0.dll | _callnewh, free, malloc, calloc, _set_new_mode |
| api-ms-win-crt-string-l1-1-0.dll | toupper, _wcsdup, wcsncmp, wcsnlen, strcpy_s |
| api-ms-win-crt-convert-l1-1-0.dll | _wtoi, wcstoul |
| api-ms-win-crt-time-l1-1-0.dll | _gmtime64_s, _time64, wcsftime |
| api-ms-win-crt-locale-l1-1-0.dll | ___mb_cur_max_func, ___lc_codepage_func, ___lc_locale_name_func, __pctype_func, setlocale, _configthreadlocale, _unlock_locales, _lock_locales |
| api-ms-win-crt-math-l1-1-0.dll | __setusermatherr |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
| Target ID: | 0 |
| Start time: | 19:53:02 |
| Start date: | 01/10/2024 |
| Path: | C:\Users\user\Desktop\DRAKETAX2023.EXE |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xd20000 |
| File size: | 453'920 bytes |
| MD5 hash: | 5F78842863D480CEB757501585BBE0DD |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
⊘No disassembly