Windows Analysis Report
D7M4c24p9T.exe

Overview

General Information

Sample name: D7M4c24p9T.exe
(renamed because the original name is a hash value)
Original sample name: d674507093d1535d87c99fb58b3d590d.exe
Analysis ID: 1579672
MD5: d674507093d1535d87c99fb58b3d590d
SHA1: 8085a0a1afff596e718de99ec58416d86c824057
SHA256: f3695d39b7062d21abdfed9217801e61dcb143d33a356b273dcae40edc85dc1c
Tags: exe, user-abuse_ch
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
PE file contains an invalid checksum
PE file does not import any functions
PE file overlay found
Uses 32bit PE files

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: D7M4c24p9T.exe | Virustotal: Detection: 9%
Source: D7M4c24p9T.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: D7M4c24p9T.exe | Static PE information: No import functions for PE file found
Source: D7M4c24p9T.exe | Static PE information: Data appended to the last section found
Source: classification engine | Classification label: mal48.winEXE@0/0@0/0
Source: D7M4c24p9T.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: D7M4c24p9T.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x3a8600
Source: D7M4c24p9T.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: D7M4c24p9T.exe | Static PE information: real checksum: 0x23bfb should be: 0x20a40
No Mitre Att&ck techniques found
Source          Detection  Scanner
D7M4c24p9T.exe  10%        Virustotal
D7M4c24p9T.exe  3%         ReversingLabs
No Antivirus matches
Name                             IP             Active  Malicious  Antivirus Detection  Reputation
s-part-0035.t-0009.t-msedge.net  13.107.246.63  true    false                           high
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Start date and time: 2024-12-23 07:23:29 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.winEXE@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded IPs from analysis (whitelisted): 13.107.246.63
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
No simulations
No context
Match: s-part-0035.t-0009.t-msedge.net
Associated Sample Name / URL | Detection | Threat Name | Context
fW6RLQpTIt.exe | malicious | Cryptbot | 13.107.246.63
gjEtERlBSv.exe | malicious | Socks5Systemz | 13.107.246.63
clip64.dll | malicious | Amadey | 13.107.246.63
https://staging.effimate.toyo.ai-powered-services.com/ | malicious | Unknown | 13.107.246.63
https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=Ne7lLAcjQUaMUQJ9C8JRxUnNOxFiqmxEvtl5lDv69HJUMDcyQThVMFBaMzdYWTM3RDY1SVZJUUVaSC4u | malicious | Unknown | 13.107.246.63
https://gADK.quantumdhub.ru/HX8hiLPadaz1N7WrltpPjHg34q_2C98ig/ | malicious | Unknown | 13.107.246.63
1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe | malicious | LummaC | 13.107.246.63
2QaN4hOyJs.exe | malicious | XWorm | 13.107.246.63
WwVs3PavPg.exe | malicious | Unknown | 13.107.246.63
Tsy9P2T9yF.exe | malicious | Unknown | 13.107.246.63
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.825885600323432
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: D7M4c24p9T.exe
File size: 110'850 bytes
MD5: d674507093d1535d87c99fb58b3d590d
SHA1: 8085a0a1afff596e718de99ec58416d86c824057
SHA256: f3695d39b7062d21abdfed9217801e61dcb143d33a356b273dcae40edc85dc1c
SHA512: 3ea06b251601459233c07050d90330edc28dd4fa74640d5b0df94a885dfa5b31f7da58ad26f197cc7fe2b8e0fb5da79414a2dd74f351de5075dae938fbb5d1eb
SSDEEP: 1536:wxKY+T6KW5CvEyXWvE344wAL5LO8XvdPTwZI3sq5gn5:qDKW1LgppLRHMY05
TLSH: 37B39F2471C1C1B3C4876571416A8B769E7D1572033EE6D7ABD62EB26E203E1F33A18E
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~................z.2g....PE..L...t..P..........#........
Icon Hash: 00928e8e8686b000
Entrypoint: 0x40cd2f
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x5000A574 [Fri Jul 13 22:47:16 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash:
Instruction
call 00007F8F5882FD36h
jmp 00007F8F58829EF9h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 0041F058h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F8F5882A05Eh
test byte ptr [eax], 00000008h
je 00007F8F5882A059h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [0041B000h]
leave
retn 0008h
ret
mov eax, 00413563h
mov dword ptr [004228E4h], eax
mov dword ptr [004228E8h], 00412C4Ah
mov dword ptr [004228ECh], 00412BFEh
mov dword ptr [004228F0h], 00412C37h
mov dword ptr [004228F4h], 00412BA0h
mov dword ptr [004228F8h], eax
mov dword ptr [004228FCh], 004134DBh
mov dword ptr [00422900h], 00412BBCh
mov dword ptr [00422904h], 00412B1Eh
mov dword ptr [00422908h], 00412AABh
ret
mov edi, edi
push ebp
mov ebp, esp
call 00007F8F58829FEBh
call 00007F8F58830870h
cmp dword ptr [ebp+00h], 00000000h
Programming Language:
  • [ASM] VS2008 build 21022
  • [IMP] VS2005 build 50727
  • [C++] VS2008 build 21022
  • [ C ] VS2008 build 21022
  • [LNK] VS2008 build 21022
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x215b4          0x50          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x26000          0x3a8494      .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x1b1c0          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x20da0          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x1b000          0x184         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x19718 | 0x19800 | 573c48722b4c27f66cf967e02ae502fc | False | 0.5789388020833334 | data | 6.748512142338363 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1b000 | 0x6db4 | 0x6e00 | 16e2de77ae0a46d5ce805c1b407a4790 | False | 0.9635552249907029 | data | 7.802252806123145 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x22000 | 0x30c0 | 0x1600 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x26000 | 0x3a8494 | 0x3a8600 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 23, 2024 07:24:28.727679014 CET | 1.1.1.1 | 192.168.2.6 | 0x8030 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 23, 2024 07:24:28.727679014 CET | 1.1.1.1 | 192.168.2.6 | 0x8030 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
No statistics
No system behavior
No disassembly