Windows Analysis Report
re.exe

Overview

General Information

Sample name: re.exe
Analysis ID: 1545841
MD5: dd22cb80ecef115e6f102db1fc33b99b
SHA1: dfd3f46c7438e835f2e339db3bd5c5b118cfd15a
SHA256: 88ee723fde45e51459624f7bfb3a9fbeab82ccac444823b83ced60aacd71dc8f
Tags: exeuser-lontze7

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to start reverse TCP shell (cmd.exe)
Sigma detected: Potentially Suspicious Malware Callback Communication
Detected TCP or UDP traffic on non-standard ports
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: re.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\re.exe Code function: 4x nop then push rbx 0_2_00007FF633A61CE3
Source: global traffic TCP traffic: 192.168.2.8:49706 -> 87.120.113.125:4444
Source: Joe Sandbox View ASN Name: UNACS-AS-BG8000BurgasBG
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: C:\Users\user\Desktop\re.exe Code function: 0_2_00007FF633A629B0 Sleep,SleepEx,WSAStartup,WSASocketA,WSASocketA,inet_addr,htons,WSAConnect,WSAConnect,closesocket,WSACleanup,recv,recv,closesocket,closesocket,WSACleanup,memset,CreateProcessA,WaitForSingleObject,CloseHandle,CloseHandle,memset,recv,closesocket,WSACleanup, 0_2_00007FF633A629B0
Source: re.exe Static PE information: Number of sections : 11 > 10
Source: classification engine Classification label: mal52.troj.winEXE@2/0@0/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
Source: re.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\re.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\re.exe "C:\Users\user\Desktop\re.exe"
Source: C:\Users\user\Desktop\re.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\re.exe Section loaded: mswsock.dll
Source: re.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: re.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: re.exe Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\re.exe Code function: 0_2_00007FF633A68368 push rbp; retf 0_2_00007FF633A6836B
Source: C:\Users\user\Desktop\re.exe Code function: 0_2_00007FF633A68358 push rsi; retf 0_2_00007FF633A68363
Source: C:\Users\user\Desktop\re.exe Code function: 0_2_00007FF633A68398 push rbp; retf 0_2_00007FF633A6839B
Source: C:\Users\user\Desktop\re.exe Code function: 0_2_00007FF633A683A0 push rsi; retf 0_2_00007FF633A683AB
Source: C:\Users\user\Desktop\re.exe Code function: 0_2_00007FF633A68380 push rbp; retf 0_2_00007FF633A68383
Source: C:\Users\user\Desktop\re.exe TID: 7648 Thread sleep time: -100000s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\re.exe Last function: Thread delayed
Source: re.exe, 00000000.00000002.2645972281.00000204C92AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWwsoc%SystemRoot%\system32\mswsock.dll
Source: re.exe, 00000000.00000002.2645972281.00000204C92AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWK
Source: C:\Users\user\Desktop\re.exe Code function: 0_2_00007FF633A61180 Sleep,Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,malloc,strlen,malloc,memcpy,_initterm,exit, 0_2_00007FF633A61180
Source: C:\Users\user\Desktop\re.exe Code function: 0_2_00007FF633A6295A SetUnhandledExceptionFilter, 0_2_00007FF633A6295A
Source: C:\Users\user\Desktop\re.exe Code function: 0_2_00007FF633A68380 SetUnhandledExceptionFilter, 0_2_00007FF633A68380

Remote Access Functionality

Source: C:\Users\user\Desktop\re.exe Code function: 0_2_00007FF633A629B0 Sleep,SleepEx,WSAStartup,WSASocketA,WSASocketA,inet_addr,htons,WSAConnect,WSAConnect,closesocket,WSACleanup,recv,recv,closesocket,closesocket,WSACleanup,memset,CreateProcessA,WaitForSingleObject,CloseHandle,CloseHandle,memset,recv,closesocket,WSACleanup, string: cmd.exe 0_2_00007FF633A629B0