Edit tour
Windows
Analysis Report
esofttools-mboxconverter.exe
Overview
General Information
| Sample name: | esofttools-mboxconverter.exe |
| Analysis ID: | 1545745 |
| MD5: | 7a041f8d73fc9289fa29967fa8fde8e9 |
| SHA1: | 4d0006e8480c4ed3b5a3f2570d4b225a1f1947c5 |
| SHA256: | 5a310c41fc8d1a74deed5d421729bab64914fdbb200876ddedc97793078739ff |
| Infos: |  |
 | |
Detection
| Score: | 26 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 0% |
Signatures
Detected unpacking (changes PE section rights)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Classification
- System is w10x64
esofttools-mboxconverter.exe (PID: 4324 cmdline: "C:\Users\ user\Deskt op\esoftto ols-mboxco nverter.ex e" MD5: 7A041F8D73FC9289FA29967FA8FDE8E9) - esofttools-mboxconverter.tmp (PID: 5996 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-97J DV.tmp\eso fttools-mb oxconverte r.tmp" /SL 5="$2041A, 7226093,89 2928,C:\Us ers\user\D esktop\eso fttools-mb oxconverte r.exe" MD5: 30A0966C76BDC7DD85B6A598FBA46AE9) 
chrome.exe (PID: 1088 cmdline: "C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t https:// www.esoftt ools.com/i nstallsucc ess/index. html?produ ctname=MBO X Converte r MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 1868 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2068 --fi eld-trial- handle=193 6,i,167513 0224303259 962,155660 9844736450 0159,26214 4 --disabl e-features =Optimizat ionGuideMo delDownloa ding,Optim izationHin ts,Optimiz ationHints Fetching,O ptimizatio nTargetPre diction /p refetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - eSoftToolsMBOXConverter.exe (PID: 7396 cmdline:
"C:\Progra m Files\eS oftTools M BOX Conver ter\eSoftT oolsMBOXCo nverter.ex e" /Restar tIfNeededB yRun=no MD5: 75E5DC200574B670F67BBC68CB2BCC3B)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
| Source: | HTTP Parser: | ||
| Source: | HTTP Parser: | ||
| Source: | HTTP Parser: | ||
| Source: | HTTP Parser: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Window detected: | ||