Windows Analysis Report
W53oi1JYy4.exe

Overview

General Information

Sample name: W53oi1JYy4.exe (renamed because the original name is a hash value)
Original sample name: bc72d38b806610a77e37d8b57d1d3721.exe
Analysis ID: 1579677
MD5: bc72d38b806610a77e37d8b57d1d3721
SHA1: 606915c07e8412f31815aa8b259e8bae749fbabb
SHA256: d46b9f0e27763bcff64c54460f63324ce405602bdde61725ab33c560bc12708d
Tags: exeuser-abuse_ch

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Uses Windows timers to delay execution
JA3 SSL client fingerprint seen in connection with other malware
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Source: W53oi1JYy4.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49788 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49812 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49833 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49878 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49891 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49952 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49956 version: TLS 1.2
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.147.6 (5 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64 (7 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.84 (38 occurrences)
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: W53oi1JYy4.exe, 00000000.00000000.2125081010.00000000005E4000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename" vs W53oi1JYy4.exe
Source: W53oi1JYy4.exe Binary or memory string: OriginalFilename" vs W53oi1JYy4.exe
Source: classification engine Classification label: sus22.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Section loaded: wintypes.dll (3 occurrences)
Source: C:\Users\user\Desktop\W53oi1JYy4.exe Window found: window name: TButton
Source: W53oi1JYy4.exe Static file information: File size 2764288 > 1048576
Source: W53oi1JYy4.exe Static PE information: Raw size of CODE is bigger than: 0x100000 < 0x1d8000

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\W53oi1JYy4.exe User Timer Set: Timeout: 100ms
Source: C:\Users\user\Desktop\W53oi1JYy4.exe User Timer Set: Timeout: 250ms (4 occurrences)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: W53oi1JYy4.exe, 00000000.00000002.3397846283.00000000041FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll