Edit tour
Windows
Analysis Report
main.exe
Overview
General Information
| Sample name: | main.exe |
| Analysis ID: | 1574322 |
| MD5: | 641d3930a194bf84385372c84605207c |
| SHA1: | 90b6790059fc9944a338af1529933d8e2825cc36 |
| SHA256: | 93db434151816b6772c378f9fee5ac962ddce54458ac5dd1b16622d3a407224a |
| Tags: | exeuser-lontze7 |
| Infos: |  |
 | |
Detection
| Score: | 64 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Found pyInstaller with non standard icon
Sigma detected: Cmd.EXE Missing Space Characters Execution Anomaly
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Classification
- System is w10x64
main.exe (PID: 7920 cmdline: "C:\Users\ user\Deskt op\main.ex e" MD5: 641D3930A194BF84385372C84605207C) 
conhost.exe (PID: 7964 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - main.exe (PID: 8060 cmdline:
"C:\Users\ user\Deskt op\main.ex e" MD5: 641D3930A194BF84385372C84605207C) - cmd.exe (PID: 8096 cmdline:
C:\Windows \system32\ cmd.exe /c MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 8112 cmdline:
C:\Windows \system32\ cmd.exe /c MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 8128 cmdline:
C:\Windows \system32\ cmd.exe /c MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 8144 cmdline:
C:\Windows \system32\ cmd.exe /c mode con: cols=125 lines=35 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) 
mode.com (PID: 8160 cmdline: mode con: cols=125 l ines=35 MD5: BEA7464830980BF7C0490307DB4FC875) - cmd.exe (PID: 8184 cmdline:
C:\Windows \system32\ cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- cleanup
⊘No configs have been found
⊘No yara matches
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||